diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-09 08:09:54 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-09 08:09:54 +0000 |
| commit | b8064f4099997a9e2179f3ad4ace605f5ccac3a1 (patch) | |
| tree | 81778e976b476374c48b4fe83d084b986b890421 /src | |
| parent | 1ac70afcc1f7d6d2738a34308810719b0976d29f (diff) | |
| download | vyos-strongswan-b8064f4099997a9e2179f3ad4ace605f5ccac3a1.tar.gz vyos-strongswan-b8064f4099997a9e2179f3ad4ace605f5ccac3a1.zip | |
[svn-upgrade] new version strongswan (4.4.1)
Diffstat (limited to 'src')
420 files changed, 21583 insertions, 7482 deletions
diff --git a/src/Makefile.in b/src/Makefile.in index 2a04c8b19..0bd728397 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -317,7 +317,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -342,7 +342,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index d4e1c157b..eb52fc52e 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index cf153461d..73ecf1abb 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in index 2cc311665..430a0cff6 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -115,6 +115,19 @@ # is the UDP/TCP port to which the IPsec SA is # restricted on the peer side. # +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# # define a minimum PATH environment in case it is not set PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@" diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index a4379b44c..10ea4312f 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark index 74de0722d..42cd3607b 100644 --- a/src/_updown_espmark/_updown_espmark +++ b/src/_updown_espmark/_updown_espmark @@ -115,6 +115,19 @@ # is the UDP/TCP port to which the IPsec SA is # restricted on the peer side. # +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# # logging of VPN connections # diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 66690a37a..72abca97e 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/charon/charon.c b/src/charon/charon.c index 9b552fb62..84cd54615 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -38,12 +38,22 @@ #include <utils/backtrace.h> #include <threading/thread.h> +#ifdef ANDROID +#include <private/android_filesystem_config.h> +#endif + + /** * PID file, in which charon stores its process id */ #define PID_FILE IPSEC_PIDDIR "/charon.pid" /** + * Global reference to PID file (required to truncate, if undeletable) + */ +static FILE *pidfile = NULL; + +/** * hook in library for debugging messages */ extern void (*dbg) (debug_t group, level_t level, char *fmt, ...); @@ -178,6 +188,9 @@ static bool lookup_uid_gid() charon->gid = grp->gr_gid; } #endif +#ifdef ANDROID + charon->uid = AID_VPN; +#endif return TRUE; } @@ -190,7 +203,7 @@ static void segv_handler(int signal) DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal); backtrace = backtrace_create(2); - backtrace->log(backtrace, stderr); + backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); DBG1(DBG_DMN, "killing ourself, received critical signal"); @@ -203,22 +216,21 @@ static void segv_handler(int signal) static bool check_pidfile() { struct stat stb; - FILE *file; if (stat(PID_FILE, &stb) == 0) { - file = fopen(PID_FILE, "r"); - if (file) + pidfile = fopen(PID_FILE, "r"); + if (pidfile) { char buf[64]; pid_t pid = 0; memset(buf, 0, sizeof(buf)); - if (fread(buf, 1, sizeof(buf), file)) + if (fread(buf, 1, sizeof(buf), pidfile)) { pid = atoi(buf); } - fclose(file); + fclose(pidfile); if (pid && kill(pid, 0) == 0) { /* such a process is running */ return TRUE; @@ -229,17 +241,35 @@ static bool check_pidfile() } /* create new pidfile */ - file = fopen(PID_FILE, "w"); - if (file) + pidfile = fopen(PID_FILE, "w"); + if (pidfile) { - fprintf(file, "%d\n", getpid()); - ignore_result(fchown(fileno(file), charon->uid, charon->gid)); - fclose(file); + ignore_result(fchown(fileno(pidfile), charon->uid, charon->gid)); + fprintf(pidfile, "%d\n", getpid()); + fflush(pidfile); } return FALSE; } /** + * Delete/truncate the PID file + */ +static void unlink_pidfile() +{ + /* because unlinking the PID file may fail, we truncate it to ensure the + * daemon can be properly restarted. one probable cause for this is the + * combination of not running as root and the effective user lacking + * permissions on the parent dir(s) of the PID file */ + if (pidfile) + { + ignore_result(ftruncate(fileno(pidfile), 0)); + fclose(pidfile); + } + unlink(PID_FILE); +} + + +/** * print command line usage and exit */ static void usage(const char *msg) @@ -258,7 +288,6 @@ static void usage(const char *msg) " 2 = controlmore, 3 = raw, 4 = private)\n" "\n" ); - exit(msg == NULL? 0 : 1); } /** @@ -337,7 +366,8 @@ int main(int argc, char *argv[]) break; case 'h': usage(NULL); - break; + status = 0; + goto deinit; case 'v': printf("Linux strongSwan %s\n", VERSION); status = 0; @@ -351,7 +381,8 @@ int main(int argc, char *argv[]) continue; default: usage(""); - break; + status = 1; + goto deinit; } break; } @@ -405,7 +436,7 @@ int main(int argc, char *argv[]) run(); /* normal termination, cleanup and exit */ - unlink(PID_FILE); + unlink_pidfile(); status = 0; deinit: diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index 27d615dab..ad2923799 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -19,6 +19,7 @@ AM_CFLAGS = -rdynamic libs = $(shell find $(top_builddir)/src/libstrongswan \ $(top_builddir)/src/libcharon \ $(top_builddir)/src/libhydra \ + $(top_builddir)/src/pluto \ -name 'libstrongswan*.so') if USE_LIBHYDRA diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 3e0ab1e69..05e90a9a1 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -288,8 +288,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic libs = $(shell find $(top_builddir)/src/libstrongswan \ $(top_builddir)/src/libcharon $(top_builddir)/src/libhydra \ - -name 'libstrongswan*.so') $(am__append_1) $(am__append_2) \ - $(am__append_3) $(am__append_4) $(am__append_5) + $(top_builddir)/src/pluto -name 'libstrongswan*.so') \ + $(am__append_1) $(am__append_2) $(am__append_3) \ + $(am__append_4) $(am__append_5) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c index b68a25a19..2db68054e 100644 --- a/src/checksum/checksum_builder.c +++ b/src/checksum/checksum_builder.c @@ -20,6 +20,9 @@ #include <library.h> +/* we need to fake the pluto symbol to dlopen() the xauth plugin */ +void *pluto; + int main(int argc, char* argv[]) { int i; diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 36fdbff28..37751b856 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 720ba3a11..c47e6e451 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h index d28e85310..b971e3848 100644 --- a/src/include/linux/xfrm.h +++ b/src/include/linux/xfrm.h @@ -10,8 +10,7 @@ /* Structure to encapsulate addresses. I do not want to use * "standard" structure. My apologies. */ -typedef union -{ +typedef union { __be32 a4; __be32 a6[4]; } xfrm_address_t; @@ -20,8 +19,7 @@ typedef union * the state by (spi,daddr,ah/esp) or to store information about * spi, protocol and tunnel address on output. */ -struct xfrm_id -{ +struct xfrm_id { xfrm_address_t daddr; __be32 spi; __u8 proto; @@ -45,8 +43,7 @@ struct xfrm_sec_ctx { /* Selector, used as selector both on policy rules (SPD) and SAs. */ -struct xfrm_selector -{ +struct xfrm_selector { xfrm_address_t daddr; xfrm_address_t saddr; __be16 dport; @@ -63,8 +60,7 @@ struct xfrm_selector #define XFRM_INF (~(__u64)0) -struct xfrm_lifetime_cfg -{ +struct xfrm_lifetime_cfg { __u64 soft_byte_limit; __u64 hard_byte_limit; __u64 soft_packet_limit; @@ -75,16 +71,14 @@ struct xfrm_lifetime_cfg __u64 hard_use_expires_seconds; }; -struct xfrm_lifetime_cur -{ +struct xfrm_lifetime_cur { __u64 bytes; __u64 packets; __u64 add_time; __u64 use_time; }; -struct xfrm_replay_state -{ +struct xfrm_replay_state { __u32 oseq; __u32 seq; __u32 bitmap; @@ -116,16 +110,14 @@ struct xfrm_stats { __u32 integrity_failed; }; -enum -{ +enum { XFRM_POLICY_TYPE_MAIN = 0, XFRM_POLICY_TYPE_SUB = 1, XFRM_POLICY_TYPE_MAX = 2, XFRM_POLICY_TYPE_ANY = 255 }; -enum -{ +enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2, @@ -133,8 +125,7 @@ enum XFRM_POLICY_MAX = 3 }; -enum -{ +enum { XFRM_SHARE_ANY, /* No limitations */ XFRM_SHARE_SESSION, /* For this session only */ XFRM_SHARE_USER, /* For this user only */ @@ -276,8 +267,8 @@ enum xfrm_attr_type_t { XFRMA_ALG_COMP, /* struct xfrm_algo */ XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ - XFRMA_SA, - XFRMA_POLICY, + XFRMA_SA, /* struct xfrm_usersa_info */ + XFRMA_POLICY, /*struct xfrm_userpolicy_info */ XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */ XFRMA_LTIME_VAL, XFRMA_REPLAY_VAL, @@ -285,17 +276,23 @@ enum xfrm_attr_type_t { XFRMA_ETIMER_THRESH, XFRMA_SRCADDR, /* xfrm_address_t */ XFRMA_COADDR, /* xfrm_address_t */ - XFRMA_LASTUSED, + XFRMA_LASTUSED, /* unsigned long */ XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ XFRMA_MIGRATE, XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */ XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */ XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ + XFRMA_MARK, /* struct xfrm_mark */ __XFRMA_MAX #define XFRMA_MAX (__XFRMA_MAX - 1) }; +struct xfrm_mark { + __u32 v; /* value */ + __u32 m; /* mask */ +}; + enum xfrm_sadattr_type_t { XFRMA_SAD_UNSPEC, XFRMA_SAD_CNT, diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am index f3ca1ca06..510f1021a 100644 --- a/src/ipsec/Makefile.am +++ b/src/ipsec/Makefile.am @@ -1,7 +1,12 @@ sbin_SCRIPTS = ipsec -CLEANFILES = ipsec +CLEANFILES = ipsec ipsec.8 dist_man8_MANS = ipsec.8 -EXTRA_DIST = ipsec.in +EXTRA_DIST = ipsec.in ipsec.8.in + +ipsec.8 : ipsec.8.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ ipsec : ipsec.in sed \ @@ -10,7 +15,7 @@ ipsec : ipsec.in -e "s:@IPSEC_DISTRO@::" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ -e "s:@IPSEC_SBINDIR@:$(sbindir):" \ - -e "s:@IPSEC_CONFDIR@:$(confdir):" \ + -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ -e "s:@IPSEC_PIDDIR@:$(piddir):" \ $(srcdir)/$@.in > $@ chmod +x $@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 3834b672a..2b4b14b49 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -236,9 +236,9 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ sbin_SCRIPTS = ipsec -CLEANFILES = ipsec +CLEANFILES = ipsec ipsec.8 dist_man8_MANS = ipsec.8 -EXTRA_DIST = ipsec.in +EXTRA_DIST = ipsec.in ipsec.8.in all: all-am .SUFFIXES: @@ -513,6 +513,11 @@ uninstall-man: uninstall-man8 uninstall-sbinSCRIPTS +ipsec.8 : ipsec.8.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + ipsec : ipsec.in sed \ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ @@ -520,7 +525,7 @@ ipsec : ipsec.in -e "s:@IPSEC_DISTRO@::" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ -e "s:@IPSEC_SBINDIR@:$(sbindir):" \ - -e "s:@IPSEC_CONFDIR@:$(confdir):" \ + -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ -e "s:@IPSEC_PIDDIR@:$(piddir):" \ $(srcdir)/$@.in > $@ chmod +x $@ diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8 index 0cd9914cc..150fefc12 100644 --- a/src/ipsec/ipsec.8 +++ b/src/ipsec/ipsec.8 @@ -1,128 +1,23 @@ -.TH IPSEC 8 "9 February 2006" +.TH IPSEC 8 "2010-05-30" "4.4.1rc3" "strongSwan" .SH NAME ipsec \- invoke IPsec utilities .SH SYNOPSIS .B ipsec -command [ argument ...] -.sp -.B ipsec start|update|reload|restart|stop -.sp -.B ipsec up|down|route|unroute -\fIconnectionname\fP -.sp -.B ipsec status|statusall -[ -\fIconnectionname\fP -] -.sp -.B ipsec listalgs|listpubkeys|listcerts -[ -.B \-\-utc -] -.br -.B ipsec listcacerts|listaacerts|listocspcerts -[ -.B \-\-utc -] -.br -.B ipsec listacerts|listgroups|listcainfos -[ -.B \-\-utc -] -.br -.B ipsec listcrls|listocsp|listcards|listall -[ -.B \-\-utc -] -.sp -.B ipsec rereadsecrets|rereadgroups -.br -.B ipsec rereadcacerts|rereadaacerts|rereadocspcerts -.br -.B ipsec rereadacerts|rereadcrls|rereadall -.sp -.B ipsec purgeocsp -.sp -.B ipsec -[ -.B \-\-help -] [ -.B \-\-version -] [ -.B \-\-versioncode -] [ -.B \-\-copyright -] -.br -.B ipsec -[ -.B \-\-directory -] [ -.B \-\-confdir -] +\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ] +.PP .SH DESCRIPTION -.I Ipsec -invokes any of several utilities involved in controlling the IPsec -encryption/authentication system, -running the specified -.I command -with the specified -.IR argument s -as if it had been invoked directly. -This largely eliminates possible name collisions with other software, +The +.B ipsec +utility invokes any of several utilities involved in controlling and monitoring +the IPsec encryption/authentication system, running the specified \fIcommand\fP +with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked +directly. This largely eliminates possible name collisions with other software, and also permits some centralized services. .PP -The commands -.BR start , -.BR update , -.BR reload , -.BR restart , -and -.BR stop -are built-in and are used to control the -.BR "ipsec starter" -utility, an extremely fast replacement for the traditional -.BR ipsec -.BR setup -script. -.PP -The commands -.BR up, -.BR down, -.BR route, -.BR unroute, -.BR status, -.BR statusall, -.BR listalgs, -.BR listpubkeys, -.BR listcerts, -.BR listcacerts, -.BR listaacerts, -.BR listocspcerts, -.BR listacerts, -.BR listgroups, -.BR listcainfos, -.BR listcrls, -.BR listocsp, -.BR listcards, -.BR listall, -.BR rereadsecrets, -.BR rereadgroups, -.BR rereadcacerts, -.BR rereadaacerts, -.BR rereadocspcerts, -.BR rereadacerts, -.BR rereadcrls, -and -.BR rereadall -are also built-in and completely replace the corresponding -.BR "ipsec auto" -\-\-\fIoperation\fP" -commands. Communication with the pluto daemon happens via the -.BR "ipsec whack" -socket interface. -.PP -In particular, +All the commands described in this manual page are built-in and are used to +control and monitor IPsec connections as well as the IKE daemons. +.PP +For other commands .I ipsec supplies the invoked .I command @@ -134,173 +29,243 @@ the full pathname of the directory where the IPsec utilities are stored, the full pathname of the directory where the configuration files live, and the IPsec version number. .PP -.B "ipsec start" +.SS CONTROL COMMANDS +.TP +.B "ipsec start [ starter options ]" calls .BR "ipsec starter" -which in turn starts \fIpluto\fR. +which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and +IKEv2 \fIcharon\fR daemons. .PP +.TP .B "ipsec update" sends a \fIHUP\fR signal to .BR "ipsec starter" which in turn determines any changes in \fIipsec.conf\fR -and updates the configuration on the running \fIpluto\fR daemon, correspondingly. +and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons, correspondingly. .PP +.TP .B "ipsec reload" sends a \fIUSR1\fR signal to .BR "ipsec starter" -which in turn reloads the whole configuration on the running \fIpluto\fR daemon -based on the actual \fIipsec.conf\fR. +which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR +and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR. .PP +.TP .B "ipsec restart" -executes +is equivalent to .B "ipsec stop" followed by -.BR "ipsec start". +.B "ipsec start" +after a guard of 2 seconds. .PP +.TP .B "ipsec stop" -stops \fIipsec\fR by sending a \fITERM\fR signal to +terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons by sending a \fITERM\fR signal to .BR "ipsec starter". .PP -.B "ipsec up" -\fIname\fP tells the \fIpluto\fP daemon to start up connection \fIname\fP. +.TP +.B "ipsec up \fIname\fP" +tells the responsible IKE daemon to start up connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname\fP" +tells the responsible IKE daemon to terminate connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname{n}\fP" +terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP. .PP -.B "ipsec down" -\fIname\fP tells the \fIpluto\fP daemon to take down connection \fIname\fP. +.TP +.B "ipsec down \fIname{*}\fP" +terminates all IKEv2 CHILD SA instances of connection \fIname\fP. .PP -.B "ipsec route" -\fIname\fP tells the \fIpluto\fP daemon to install a route for connection -\fIname\fP. +.TP +.B "ipsec down \fIname[n]\fP" +terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP. .PP -.B "ipsec unroute" -\fIname\fP tells the \fIpluto\fP daemon to take down the route for connection -\fIname\fP. +.TP +.B "ipsec down \fIname[*]\fP" +terminates all IKEv2 IKE SA instances of connection \fIname\fP. .PP -.B "ipsec status" -[ \fIname\fP ] gives concise status information either on connection -\fIname\fP or if the \fIname\fP argument is lacking, on all connections. +.TP +.B "ipsec route \fIname\fP" +tells the responsible IKE daemon to insert an IPsec policy in the kernel +for connection \fIname\fP. The first payload packet matching the IPsec policy +will automatically trigger an IKE connection setup. .PP -.B "ipsec statusall" -[ \fIname\fP ] gives detailed status information either on connection -\fIname\fP or if the \fIname\fP argument is lacking, on all connections. +.TP +.B "ipsec unroute \fIname\fP" +remove the IPsec policy in the kernel for connection \fIname\fP. .PP +.TP +.B "ipsec status [ \fIname\fP ]" +returns concise status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.TP +.B "ipsec statusall [ \fIname\fP ]" +returns detailed status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.SS LIST COMMANDS +.TP .B "ipsec listalgs" returns a list all supported IKE encryption and hash algorithms, the available -Diffie-Hellman groups, as well as all supported ESP encryption and authentication -algorithms. +Diffie-Hellman groups, as well as all supported ESP encryption and +authentication algorithms registered via the Linux kernel's Crypto API. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listpubkeys" +.TP +.B "ipsec listpubkeys [ --utc ]" returns a list of RSA public keys that were either loaded in raw key format or extracted from X.509 and|or OpenPGP certificates. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listcerts" -returns a list of X.509 and|or OpenPGP certificates that were loaded locally -by the \fIpluto\fP daemon. +.TP +.B "ipsec listcerts [ --utc ]" +returns a list of X.509 and|or OpenPGP certificates that were either loaded +locally by the IKE daemon or received via the IKEv2 protocol. .PP -.B "ipsec listcacerts" +.TP +.B "ipsec listcacerts [ --utc ]" returns a list of X.509 Certification Authority (CA) certificates that were -loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/cacerts/\fP -directory or received in PKCS#7-wrapped certificate payloads via the IKE +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +directory or received in PKCS#7-wrapped certificate payloads via the IKE protocol. .PP -.B "ipsec listaacerts" +.TP +.B "ipsec listaacerts [ --utc ]" returns a list of X.509 Authorization Authority (AA) certificates that were -loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/aacerts/\fP +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP directory. .PP -.B "ipsec listocspcerts" +.TP +.B "ipsec listocspcerts [ --utc ]" returns a list of X.509 OCSP Signer certificates that were either loaded -locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP directory or were sent by an OCSP server. .PP -.B "ipsec listacerts" +.TP +.B "ipsec listacerts [ --utc ]" returns a list of X.509 Attribute certificates that were loaded locally by -the \fIpluto\fP daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. .PP -.B "ipsec listgroups" +.TP +.B "ipsec listgroups [ --utc ]" returns a list of groups that are used to define user authorization profiles. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listcainfos" +.TP +.B "ipsec listcainfos [ --utc ]" returns certification authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by .BR ca sections in \fIipsec.conf\fP. .PP -.B "ipsec listcrls" -returns a list of Certificate Revocation Lists (CRLs). +.TP +.B "ipsec listcrls [ --utc ]" +returns a list of Certificate Revocation Lists (CRLs) that were either loaded +by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +an HTTP- or LDAP-based CRL distribution point. .PP -.B "ipsec listocsp" +.TP +.B "ipsec listocsp [ --utc ]" returns revocation information fetched from OCSP servers. .PP -.B "ipsec listcards" -returns a list of certificates residing on smartcards. +.TP +.B "ipsec listcards [ --utc ]" +list all certificates found on attached smart cards. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listall" +.TP +.B "ipsec listall [ --utc ]" returns all information generated by the list commands above. Each list command can be called with the -\-\-url +\fB\-\-utc\fP option which displays all dates in UTC instead of local time. .PP +.SS REREAD COMMANDS +.TP .B "ipsec rereadsecrets" -flushes and rereads all secrets defined in \fIipsec.conf\fP. +flushes and rereads all secrets defined in \fIipsec.secrets\fP. .PP +.TP .B "ipsec rereadcacerts" reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP -directory and adds them to \fIpluto\fP's list of Certification Authority (CA) certificates. +directory and adds them to the list of Certification Authority (CA) +certificates. .PP +.TP .B "ipsec rereadaacerts" reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP -directory and adds them to \fIpluto\fP's list of Authorization Authority (AA) certificates. +directory and adds them to the list of Authorization Authority (AA) +certificates. .PP +.TP .B "ipsec rereadocspcerts" reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP -directory and adds them to \fIpluto\fP's list of OCSP signer certificates. +directory and adds them to the list of OCSP signer certificates. .PP +.TP .B "ipsec rereadacerts" -operation reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP -directory and adds them to \fIpluto\fP's list of attribute certificates. +reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP +directory and adds them to the list of attribute certificates. .PP +.TP .B "ipsec rereadcrls" reads all Certificate Revocation Lists (CRLs) contained in the -\fI/etc/ipsec.d/crls/\fP directory and adds them to \fIpluto\fP's list of CRLs. +\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. .PP +.TP .B "ipsec rereadall" -is equivalent to the execution of \fBrereadsecrets\fP, -\fBrereadcacerts\fP, \fBrereadaacerts\fP, \fBrereadocspcerts\fP, -\fBrereadacerts\fP, and \fBrereadcrls\fP. +executes all reread commands listed above. +.PP +.SS PURGE COMMANDS +.TP +.B "ipsec purgeike" +purges IKEv2 SAs that don't have a CHILD SA. .PP +.TP +.B "ipsec purgeocsp" +purges all cached OCSP information records. +.PP +.SS INFO COMMANDS +.TP .B "ipsec \-\-help" -lists the available commands. -Most have their own manual pages, e.g. -.IR ipsec_auto (8) -for -.IR auto . +returns the usage information for the ipsec command. .PP +.TP .B "ipsec \-\-version" -outputs version information about Linux strongSwan. -A version code of the form ``U\fIxxx\fR/K\fIyyy\fR'' -indicates that the user-level utilities are version \fIxxx\fR -but the kernel portion appears to be version \fIyyy\fR -(this form is used only if the two disagree). +returns the version in the form of +.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version> +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. .PP +.TP .B "ipsec \-\-versioncode" -outputs \fIjust\fR the version code, -with none of -.BR \-\-version 's -supporting information, -for use by scripts. +returns the version number in the form of +.B U<strongSwan userland version>/K<Linux kernel version> +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. .PP +.TP .B "ipsec \-\-copyright" -supplies boring copyright details. +returns the copyright information. .PP +.TP .B "ipsec \-\-directory" -reports where -.I ipsec -thinks the IPsec utilities are stored. +returns the \fILIBEXECDIR\fP directory as defined by the configure options. .PP +.TP .B "ipsec \-\-confdir" -reports where -.I ipsec -thinks the IPsec configuration files are stored. +returns the \fISYSCONFDIR\fP directory as defined by the configure options. .SH FILES /usr/local/lib/ipsec usual utilities directory .SH ENVIRONMENT @@ -327,15 +292,11 @@ IPSEC_CHARON_PID PID file for IKEv2 keying daemon .SH SEE ALSO .hy 0 .na -ipsec.conf(5), ipsec.secrets(5), -ipsec_barf(8), +ipsec.conf(5), ipsec.secrets(5) .ad .hy .PP .SH HISTORY -Written for Linux FreeS/WAN -<http://www.freeswan.org> -by Henry Spencer. -Updated and extended for Linux strongSwan -<http://www.strongswan.org> -by Andreas Steffen. +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project <http://www.strongswan.org> by +Tobias Brunner and Andreas Steffen. diff --git a/src/ipsec/ipsec.8.in b/src/ipsec/ipsec.8.in new file mode 100644 index 000000000..24a796392 --- /dev/null +++ b/src/ipsec/ipsec.8.in @@ -0,0 +1,302 @@ +.TH IPSEC 8 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" +.SH NAME +ipsec \- invoke IPsec utilities +.SH SYNOPSIS +.B ipsec +\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ] +.PP +.SH DESCRIPTION +The +.B ipsec +utility invokes any of several utilities involved in controlling and monitoring +the IPsec encryption/authentication system, running the specified \fIcommand\fP +with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked +directly. This largely eliminates possible name collisions with other software, +and also permits some centralized services. +.PP +All the commands described in this manual page are built-in and are used to +control and monitor IPsec connections as well as the IKE daemons. +.PP +For other commands +.I ipsec +supplies the invoked +.I command +with a suitable PATH environment variable, +and also provides IPSEC_DIR, +IPSEC_CONFS, and IPSEC_VERSION environment variables, +containing respectively +the full pathname of the directory where the IPsec utilities are stored, +the full pathname of the directory where the configuration files live, +and the IPsec version number. +.PP +.SS CONTROL COMMANDS +.TP +.B "ipsec start [ starter options ]" +calls +.BR "ipsec starter" +which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and +IKEv2 \fIcharon\fR daemons. +.PP +.TP +.B "ipsec update" +sends a \fIHUP\fR signal to +.BR "ipsec starter" +which in turn determines any changes in \fIipsec.conf\fR +and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons, correspondingly. +.PP +.TP +.B "ipsec reload" +sends a \fIUSR1\fR signal to +.BR "ipsec starter" +which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR +and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR. +.PP +.TP +.B "ipsec restart" +is equivalent to +.B "ipsec stop" +followed by +.B "ipsec start" +after a guard of 2 seconds. +.PP +.TP +.B "ipsec stop" +terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons by sending a \fITERM\fR signal to +.BR "ipsec starter". +.PP +.TP +.B "ipsec up \fIname\fP" +tells the responsible IKE daemon to start up connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname\fP" +tells the responsible IKE daemon to terminate connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname{n}\fP" +terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname{*}\fP" +terminates all IKEv2 CHILD SA instances of connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname[n]\fP" +terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname[*]\fP" +terminates all IKEv2 IKE SA instances of connection \fIname\fP. +.PP +.TP +.B "ipsec route \fIname\fP" +tells the responsible IKE daemon to insert an IPsec policy in the kernel +for connection \fIname\fP. The first payload packet matching the IPsec policy +will automatically trigger an IKE connection setup. +.PP +.TP +.B "ipsec unroute \fIname\fP" +remove the IPsec policy in the kernel for connection \fIname\fP. +.PP +.TP +.B "ipsec status [ \fIname\fP ]" +returns concise status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.TP +.B "ipsec statusall [ \fIname\fP ]" +returns detailed status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.SS LIST COMMANDS +.TP +.B "ipsec listalgs" +returns a list all supported IKE encryption and hash algorithms, the available +Diffie-Hellman groups, as well as all supported ESP encryption and +authentication algorithms registered via the Linux kernel's Crypto API. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. +.PP +.TP +.B "ipsec listpubkeys [ --utc ]" +returns a list of RSA public keys that were either loaded in raw key format +or extracted from X.509 and|or OpenPGP certificates. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. +.PP +.TP +.B "ipsec listcerts [ --utc ]" +returns a list of X.509 and|or OpenPGP certificates that were either loaded +locally by the IKE daemon or received via the IKEv2 protocol. +.PP +.TP +.B "ipsec listcacerts [ --utc ]" +returns a list of X.509 Certification Authority (CA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +directory or received in PKCS#7-wrapped certificate payloads via the IKE +protocol. +.PP +.TP +.B "ipsec listaacerts [ --utc ]" +returns a list of X.509 Authorization Authority (AA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP +directory. +.PP +.TP +.B "ipsec listocspcerts [ --utc ]" +returns a list of X.509 OCSP Signer certificates that were either loaded +locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +directory or were sent by an OCSP server. +.PP +.TP +.B "ipsec listacerts [ --utc ]" +returns a list of X.509 Attribute certificates that were loaded locally by +the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +.PP +.TP +.B "ipsec listgroups [ --utc ]" +returns a list of groups that are used to define user authorization profiles. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. +.PP +.TP +.B "ipsec listcainfos [ --utc ]" +returns certification authority information (CRL distribution points, OCSP URIs, +LDAP servers) that were defined by +.BR ca +sections in \fIipsec.conf\fP. +.PP +.TP +.B "ipsec listcrls [ --utc ]" +returns a list of Certificate Revocation Lists (CRLs) that were either loaded +by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +an HTTP- or LDAP-based CRL distribution point. +.PP +.TP +.B "ipsec listocsp [ --utc ]" +returns revocation information fetched from OCSP servers. +.PP +.TP +.B "ipsec listcards [ --utc ]" +list all certificates found on attached smart cards. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. +.PP +.TP +.B "ipsec listall [ --utc ]" +returns all information generated by the list commands above. Each list command +can be called with the +\fB\-\-utc\fP +option which displays all dates in UTC instead of local time. +.PP +.SS REREAD COMMANDS +.TP +.B "ipsec rereadsecrets" +flushes and rereads all secrets defined in \fIipsec.secrets\fP. +.PP +.TP +.B "ipsec rereadcacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP +directory and adds them to the list of Certification Authority (CA) +certificates. +.PP +.TP +.B "ipsec rereadaacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP +directory and adds them to the list of Authorization Authority (AA) +certificates. +.PP +.TP +.B "ipsec rereadocspcerts" +reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP +directory and adds them to the list of OCSP signer certificates. +.PP +.TP +.B "ipsec rereadacerts" +reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP +directory and adds them to the list of attribute certificates. +.PP +.TP +.B "ipsec rereadcrls" +reads all Certificate Revocation Lists (CRLs) contained in the +\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. +.PP +.TP +.B "ipsec rereadall" +executes all reread commands listed above. +.PP +.SS PURGE COMMANDS +.TP +.B "ipsec purgeike" +purges IKEv2 SAs that don't have a CHILD SA. +.PP +.TP +.B "ipsec purgeocsp" +purges all cached OCSP information records. +.PP +.SS INFO COMMANDS +.TP +.B "ipsec \-\-help" +returns the usage information for the ipsec command. +.PP +.TP +.B "ipsec \-\-version" +returns the version in the form of +.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version> +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. +.PP +.TP +.B "ipsec \-\-versioncode" +returns the version number in the form of +.B U<strongSwan userland version>/K<Linux kernel version> +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. +.PP +.TP +.B "ipsec \-\-copyright" +returns the copyright information. +.PP +.TP +.B "ipsec \-\-directory" +returns the \fILIBEXECDIR\fP directory as defined by the configure options. +.PP +.TP +.B "ipsec \-\-confdir" +returns the \fISYSCONFDIR\fP directory as defined by the configure options. +.SH FILES +/usr/local/lib/ipsec usual utilities directory +.SH ENVIRONMENT +.PP +The following environment variables control where strongSwan finds its +components. +The +.B ipsec +command sets them if they are not already set. +.nf +.na + +IPSEC_DIR directory containing ipsec programs and utilities +IPSEC_SBINDIR directory containing \fBipsec\fP command +IPSEC_CONFDIR directory containing configuration files +IPSEC_PIDDIR directory containing PID files +IPSEC_NAME name of ipsec distribution +IPSEC_VERSION version numer of ipsec userland and kernel +IPSEC_STARTER_PID PID file for ipsec starter +IPSEC_PLUTO_PID PID file for IKEv1 keying daemon +IPSEC_CHARON_PID PID file for IKEv2 keying daemon +.ad +.fi +.SH SEE ALSO +.hy 0 +.na +ipsec.conf(5), ipsec.secrets(5) +.ad +.hy +.PP +.SH HISTORY +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project <http://www.strongswan.org> by +Tobias Brunner and Andreas Steffen. diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index d473b455e..3297654e9 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -12,7 +12,6 @@ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ config/proposal.c config/proposal.h \ -config/auth_cfg.c config/auth_cfg.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ @@ -95,17 +94,13 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ -sa/tasks/task.c sa/tasks/task.h \ -credentials/credential_manager.c credentials/credential_manager.h \ -credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ -credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ -credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ -credentials/credential_set.h +sa/tasks/task.c sa/tasks/task.h # adding the plugin source files LOCAL_SRC_FILES += $(call add_plugin, android) -ifneq ($(call plugin_enabled, android)),) +ifneq ($(call plugin_enabled, android),) +LOCAL_C_INCLUDES += frameworks/base/cmds/keystore LOCAL_SHARED_LIBRARIES += libcutils endif @@ -114,7 +109,7 @@ LOCAL_SRC_FILES += $(call add_plugin, attr) LOCAL_SRC_FILES += $(call add_plugin, eap-aka) LOCAL_SRC_FILES += $(call add_plugin, eap-aka-3gpp2) -ifneq ($(call plugin_enabled, eap-aka-3gpp2)),) +ifneq ($(call plugin_enabled, eap-aka-3gpp2),) LOCAL_C_INCLUDES += $(libgmp_PATH) LOCAL_SHARED_LIBRARIES += libgmp endif @@ -129,6 +124,8 @@ LOCAL_SRC_FILES += $(call add_plugin, eap-mschapv2) LOCAL_SRC_FILES += $(call add_plugin, eap-sim) +LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-sql) + LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-pseudonym) LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-reauth) @@ -146,6 +143,8 @@ endif LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink) +LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey) + LOCAL_SRC_FILES += $(call add_plugin, load-tester) LOCAL_SRC_FILES += $(call add_plugin, socket-default) diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 0eaccf7a0..44501c0d0 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -10,7 +10,6 @@ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ config/proposal.c config/proposal.h \ -config/auth_cfg.c config/auth_cfg.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ @@ -93,12 +92,7 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ -sa/tasks/task.c sa/tasks/task.h \ -credentials/credential_manager.c credentials/credential_manager.h \ -credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ -credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ -credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ -credentials/credential_set.h +sa/tasks/task.c sa/tasks/task.h daemon.lo : $(top_builddir)/config.status @@ -128,7 +122,7 @@ if USE_ME sa/tasks/ike_me.c sa/tasks/ike_me.h endif -if USE_CAPABILITIES +if USE_LIBCAP libcharon_la_LIBADD += -lcap endif @@ -271,6 +265,14 @@ if MONOLITHIC endif endif +if USE_EAP_SIMAKA_SQL + SUBDIRS += plugins/eap_simaka_sql + PLUGINS += eap-simaka-sql +if MONOLITHIC + libcharon_la_LIBADD += plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +endif +endif + if USE_EAP_SIMAKA_PSEUDONYM SUBDIRS += plugins/eap_simaka_pseudonym PLUGINS += eap-simaka-pseudonym @@ -374,14 +376,6 @@ if MONOLITHIC endif endif -if USE_RESOLVE - SUBDIRS += plugins/resolve - PLUGINS += resolve -if MONOLITHIC - libcharon_la_LIBADD += plugins/resolve/libstrongswan-resolve.la -endif -endif - if USE_ANDROID SUBDIRS += plugins/android PLUGINS += android @@ -406,6 +400,14 @@ if MONOLITHIC endif endif +if USE_ADDRBLOCK + SUBDIRS += plugins/addrblock + PLUGINS += addrblock +if MONOLITHIC + libcharon_la_LIBADD += plugins/uci/libstrongswan-addrblock.la +endif +endif + if USE_UNIT_TESTS SUBDIRS += plugins/unit_tester PLUGINS += unit-tester diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 0eb6f36f4..8e58b0e2e 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -44,7 +44,7 @@ host_triplet = @host@ @USE_ME_TRUE@ sa/mediation_manager.c sa/mediation_manager.h \ @USE_ME_TRUE@ sa/tasks/ike_me.c sa/tasks/ike_me.h -@USE_CAPABILITIES_TRUE@am__append_2 = -lcap +@USE_LIBCAP_TRUE@am__append_2 = -lcap @USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester @USE_LOAD_TESTER_TRUE@am__append_4 = load-tester @MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la @@ -93,46 +93,46 @@ host_triplet = @host@ @USE_EAP_SIM_FILE_TRUE@am__append_48 = plugins/eap_sim_file @USE_EAP_SIM_FILE_TRUE@am__append_49 = eap-sim-file @MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_50 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_52 = eap-simaka-pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_53 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_54 = plugins/eap_simaka_reauth -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_55 = eap-simaka-reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_56 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_57 = plugins/eap_aka -@USE_EAP_AKA_TRUE@am__append_58 = eap-aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_59 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_60 = plugins/eap_aka_3gpp2 -@USE_EAP_AKA_3GPP2_TRUE@am__append_61 = eap-aka-3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_62 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_63 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_64 = plugins/eap_md5 -@USE_EAP_MD5_TRUE@am__append_65 = eap-md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_66 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_67 = plugins/eap_gtc -@USE_EAP_GTC_TRUE@am__append_68 = eap-gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_69 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_70 = plugins/eap_mschapv2 -@USE_EAP_MSCHAPV2_TRUE@am__append_71 = eap-mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_72 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_RADIUS_TRUE@am__append_73 = plugins/eap_radius -@USE_EAP_RADIUS_TRUE@am__append_74 = eap-radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_75 = plugins/eap_radius/libstrongswan-eap-radius.la -@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv -@USE_MEDSRV_TRUE@am__append_77 = medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_78 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli -@USE_MEDCLI_TRUE@am__append_80 = medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_81 = plugins/medcli/libstrongswan-medcli.la -@USE_NM_TRUE@am__append_82 = plugins/nm -@USE_NM_TRUE@am__append_83 = nm -@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_84 = plugins/nm/libstrongswan-nm.la -@USE_DHCP_TRUE@am__append_85 = plugins/dhcp -@USE_DHCP_TRUE@am__append_86 = dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_87 = plugins/dhcp/libstrongswan-dhcp.la -@USE_RESOLVE_TRUE@am__append_88 = plugins/resolve -@USE_RESOLVE_TRUE@am__append_89 = resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_90 = plugins/resolve/libstrongswan-resolve.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql +@USE_EAP_SIMAKA_SQL_TRUE@am__append_52 = eap-simaka-sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_53 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_54 = plugins/eap_simaka_pseudonym +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_55 = eap-simaka-pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_56 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_57 = plugins/eap_simaka_reauth +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_58 = eap-simaka-reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_59 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_60 = plugins/eap_aka +@USE_EAP_AKA_TRUE@am__append_61 = eap-aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_62 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_63 = plugins/eap_aka_3gpp2 +@USE_EAP_AKA_3GPP2_TRUE@am__append_64 = eap-aka-3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_65 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_66 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_67 = plugins/eap_md5 +@USE_EAP_MD5_TRUE@am__append_68 = eap-md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_69 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_70 = plugins/eap_gtc +@USE_EAP_GTC_TRUE@am__append_71 = eap-gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_72 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_73 = plugins/eap_mschapv2 +@USE_EAP_MSCHAPV2_TRUE@am__append_74 = eap-mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_75 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_RADIUS_TRUE@am__append_76 = plugins/eap_radius +@USE_EAP_RADIUS_TRUE@am__append_77 = eap-radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_78 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv +@USE_MEDSRV_TRUE@am__append_80 = medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli +@USE_MEDCLI_TRUE@am__append_83 = medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_84 = plugins/medcli/libstrongswan-medcli.la +@USE_NM_TRUE@am__append_85 = plugins/nm +@USE_NM_TRUE@am__append_86 = nm +@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_87 = plugins/nm/libstrongswan-nm.la +@USE_DHCP_TRUE@am__append_88 = plugins/dhcp +@USE_DHCP_TRUE@am__append_89 = dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_90 = plugins/dhcp/libstrongswan-dhcp.la @USE_ANDROID_TRUE@am__append_91 = plugins/android @USE_ANDROID_TRUE@am__append_92 = android @MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_93 = plugins/android/libstrongswan-android.la @@ -142,9 +142,12 @@ host_triplet = @host@ @USE_UCI_TRUE@am__append_97 = plugins/uci @USE_UCI_TRUE@am__append_98 = uci @MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_99 = plugins/uci/libstrongswan-uci.la -@USE_UNIT_TESTS_TRUE@am__append_100 = plugins/unit_tester -@USE_UNIT_TESTS_TRUE@am__append_101 = unit-tester -@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_102 = plugins/unit_tester/libstrongswan-unit-tester.la +@USE_ADDRBLOCK_TRUE@am__append_100 = plugins/addrblock +@USE_ADDRBLOCK_TRUE@am__append_101 = addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_102 = plugins/uci/libstrongswan-addrblock.la +@USE_UNIT_TESTS_TRUE@am__append_103 = plugins/unit_tester +@USE_UNIT_TESTS_TRUE@am__append_104 = unit-tester +@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_105 = plugins/unit_tester/libstrongswan-unit-tester.la subdir = src/libcharon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -194,11 +197,11 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_38) $(am__append_41) $(am__append_44) \ $(am__append_47) $(am__append_50) $(am__append_53) \ $(am__append_56) $(am__append_59) $(am__append_62) \ - $(am__append_63) $(am__append_66) $(am__append_69) \ + $(am__append_65) $(am__append_66) $(am__append_69) \ $(am__append_72) $(am__append_75) $(am__append_78) \ $(am__append_81) $(am__append_84) $(am__append_87) \ $(am__append_90) $(am__append_93) $(am__append_96) \ - $(am__append_99) $(am__append_102) + $(am__append_99) $(am__append_102) $(am__append_105) am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ bus/listeners/listener.h bus/listeners/file_logger.c \ bus/listeners/file_logger.h bus/listeners/sys_logger.c \ @@ -206,11 +209,10 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ config/backend_manager.h config/backend.h config/child_cfg.c \ config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h config/auth_cfg.c config/auth_cfg.h \ - control/controller.c control/controller.h daemon.c daemon.h \ - encoding/generator.c encoding/generator.h encoding/message.c \ - encoding/message.h encoding/parser.c encoding/parser.h \ - encoding/payloads/auth_payload.c \ + config/proposal.h control/controller.c control/controller.h \ + daemon.c daemon.h encoding/generator.c encoding/generator.h \ + encoding/message.c encoding/message.h encoding/parser.c \ + encoding/parser.h encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ encoding/payloads/cert_payload.h \ @@ -311,14 +313,6 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - credentials/credential_manager.c \ - credentials/credential_manager.h \ - credentials/sets/auth_cfg_wrapper.c \ - credentials/sets/auth_cfg_wrapper.h \ - credentials/sets/ocsp_response_wrapper.c \ - credentials/sets/ocsp_response_wrapper.h \ - credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ - credentials/credential_set.h \ encoding/payloads/endpoint_notify.c \ encoding/payloads/endpoint_notify.h \ processing/jobs/initiate_mediation_job.c \ @@ -332,32 +326,31 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ @USE_ME_TRUE@ connect_manager.lo mediation_manager.lo ike_me.lo am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \ backend_manager.lo child_cfg.lo ike_cfg.lo peer_cfg.lo \ - proposal.lo auth_cfg.lo controller.lo daemon.lo generator.lo \ - message.lo parser.lo auth_payload.lo cert_payload.lo \ - certreq_payload.lo configuration_attribute.lo cp_payload.lo \ - delete_payload.lo eap_payload.lo encodings.lo \ - encryption_payload.lo id_payload.lo ike_header.lo \ - ke_payload.lo nonce_payload.lo notify_payload.lo payload.lo \ - proposal_substructure.lo sa_payload.lo \ - traffic_selector_substructure.lo transform_attribute.lo \ - transform_substructure.lo ts_payload.lo unknown_payload.lo \ - vendor_id_payload.lo kernel_interface.lo kernel_ipsec.lo \ - packet.lo receiver.lo sender.lo socket_manager.lo \ - acquire_job.lo callback_job.lo delete_child_sa_job.lo \ - delete_ike_sa_job.lo migrate_job.lo process_message_job.lo \ - rekey_child_sa_job.lo rekey_ike_sa_job.lo retransmit_job.lo \ - send_dpd_job.lo send_keepalive_job.lo roam_job.lo \ - update_sa_job.lo inactivity_job.lo scheduler.lo processor.lo \ - authenticator.lo eap_authenticator.lo eap_method.lo \ - eap_manager.lo sim_manager.lo psk_authenticator.lo \ - pubkey_authenticator.lo child_sa.lo ike_sa.lo ike_sa_id.lo \ - ike_sa_manager.lo task_manager.lo keymat.lo trap_manager.lo \ - child_create.lo child_delete.lo child_rekey.lo ike_auth.lo \ - ike_cert_pre.lo ike_cert_post.lo ike_config.lo ike_delete.lo \ - ike_dpd.lo ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ + proposal.lo controller.lo daemon.lo generator.lo message.lo \ + parser.lo auth_payload.lo cert_payload.lo certreq_payload.lo \ + configuration_attribute.lo cp_payload.lo delete_payload.lo \ + eap_payload.lo encodings.lo encryption_payload.lo \ + id_payload.lo ike_header.lo ke_payload.lo nonce_payload.lo \ + notify_payload.lo payload.lo proposal_substructure.lo \ + sa_payload.lo traffic_selector_substructure.lo \ + transform_attribute.lo transform_substructure.lo ts_payload.lo \ + unknown_payload.lo vendor_id_payload.lo kernel_interface.lo \ + kernel_ipsec.lo packet.lo receiver.lo sender.lo \ + socket_manager.lo acquire_job.lo callback_job.lo \ + delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \ + process_message_job.lo rekey_child_sa_job.lo \ + rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \ + send_keepalive_job.lo roam_job.lo update_sa_job.lo \ + inactivity_job.lo scheduler.lo processor.lo authenticator.lo \ + eap_authenticator.lo eap_method.lo eap_manager.lo \ + sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \ + child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \ + task_manager.lo keymat.lo trap_manager.lo child_create.lo \ + child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \ + ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \ + ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \ - credential_manager.lo auth_cfg_wrapper.lo \ - ocsp_response_wrapper.lo cert_cache.lo $(am__objects_1) + $(am__objects_1) libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -394,12 +387,12 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \ plugins/socket_raw plugins/socket_dynamic plugins/farp \ plugins/stroke plugins/smp plugins/sql plugins/updown \ plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \ - plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \ - plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \ - plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_radius \ - plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \ - plugins/resolve plugins/android plugins/ha plugins/uci \ - plugins/unit_tester + plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ + plugins/eap_simaka_reauth plugins/eap_aka \ + plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \ + plugins/eap_mschapv2 plugins/eap_radius plugins/medsrv \ + plugins/medcli plugins/nm plugins/dhcp plugins/android \ + plugins/ha plugins/uci plugins/addrblock plugins/unit_tester DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -589,10 +582,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ config/backend.h config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \ config/peer_cfg.h config/proposal.c config/proposal.h \ - config/auth_cfg.c config/auth_cfg.h control/controller.c \ - control/controller.h daemon.c daemon.h encoding/generator.c \ - encoding/generator.h encoding/message.c encoding/message.h \ - encoding/parser.c encoding/parser.h \ + control/controller.c control/controller.h daemon.c daemon.h \ + encoding/generator.c encoding/generator.h encoding/message.c \ + encoding/message.h encoding/parser.c encoding/parser.h \ encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ @@ -694,14 +686,7 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - credentials/credential_manager.c \ - credentials/credential_manager.h \ - credentials/sets/auth_cfg_wrapper.c \ - credentials/sets/auth_cfg_wrapper.h \ - credentials/sets/ocsp_response_wrapper.c \ - credentials/sets/ocsp_response_wrapper.h \ - credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ - credentials/credential_set.h $(am__append_1) + $(am__append_1) INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ @@ -718,11 +703,11 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \ $(am__append_38) $(am__append_41) $(am__append_44) \ $(am__append_47) $(am__append_50) $(am__append_53) \ $(am__append_56) $(am__append_59) $(am__append_62) \ - $(am__append_63) $(am__append_66) $(am__append_69) \ + $(am__append_65) $(am__append_66) $(am__append_69) \ $(am__append_72) $(am__append_75) $(am__append_78) \ $(am__append_81) $(am__append_84) $(am__append_87) \ $(am__append_90) $(am__append_93) $(am__append_96) \ - $(am__append_99) $(am__append_102) + $(am__append_99) $(am__append_102) $(am__append_105) EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_6) \ @MONOLITHIC_FALSE@ $(am__append_9) $(am__append_12) \ @@ -734,13 +719,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_45) $(am__append_48) \ @MONOLITHIC_FALSE@ $(am__append_51) $(am__append_54) \ @MONOLITHIC_FALSE@ $(am__append_57) $(am__append_60) \ -@MONOLITHIC_FALSE@ $(am__append_64) $(am__append_67) \ +@MONOLITHIC_FALSE@ $(am__append_63) $(am__append_67) \ @MONOLITHIC_FALSE@ $(am__append_70) $(am__append_73) \ @MONOLITHIC_FALSE@ $(am__append_76) $(am__append_79) \ @MONOLITHIC_FALSE@ $(am__append_82) $(am__append_85) \ @MONOLITHIC_FALSE@ $(am__append_88) $(am__append_91) \ @MONOLITHIC_FALSE@ $(am__append_94) $(am__append_97) \ -@MONOLITHIC_FALSE@ $(am__append_100) +@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_103) # build optional plugins ######################## @@ -754,13 +739,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_45) $(am__append_48) \ @MONOLITHIC_TRUE@ $(am__append_51) $(am__append_54) \ @MONOLITHIC_TRUE@ $(am__append_57) $(am__append_60) \ -@MONOLITHIC_TRUE@ $(am__append_64) $(am__append_67) \ +@MONOLITHIC_TRUE@ $(am__append_63) $(am__append_67) \ @MONOLITHIC_TRUE@ $(am__append_70) $(am__append_73) \ @MONOLITHIC_TRUE@ $(am__append_76) $(am__append_79) \ @MONOLITHIC_TRUE@ $(am__append_82) $(am__append_85) \ @MONOLITHIC_TRUE@ $(am__append_88) $(am__append_91) \ @MONOLITHIC_TRUE@ $(am__append_94) $(am__append_97) \ -@MONOLITHIC_TRUE@ $(am__append_100) +@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_103) PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \ $(am__append_7) $(am__append_10) $(am__append_13) \ $(am__append_16) $(am__append_19) $(am__append_22) \ @@ -768,11 +753,11 @@ PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \ $(am__append_34) $(am__append_37) $(am__append_40) \ $(am__append_43) $(am__append_46) $(am__append_49) \ $(am__append_52) $(am__append_55) $(am__append_58) \ - $(am__append_61) $(am__append_65) $(am__append_68) \ + $(am__append_61) $(am__append_64) $(am__append_68) \ $(am__append_71) $(am__append_74) $(am__append_77) \ $(am__append_80) $(am__append_83) $(am__append_86) \ $(am__append_89) $(am__append_92) $(am__append_95) \ - $(am__append_98) $(am__append_101) + $(am__append_98) $(am__append_101) $(am__append_104) all: all-recursive .SUFFIXES: @@ -848,14 +833,11 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Plo@am__quote@ @@ -867,7 +849,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connect_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/controller.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Plo@am__quote@ @@ -913,7 +894,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/migrate_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@ @@ -1025,13 +1005,6 @@ proposal.lo: config/proposal.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c -auth_cfg.lo: config/auth_cfg.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c - controller.lo: control/controller.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo @@ -1592,34 +1565,6 @@ task.lo: sa/tasks/task.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c -credential_manager.lo: credentials/credential_manager.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c - -auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c - -ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c - -cert_cache.lo: credentials/sets/cert_cache.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c - endpoint_notify.lo: encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo @@ -1675,7 +1620,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -1700,7 +1645,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index 764744a41..441009e5e 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -102,20 +102,16 @@ static void entry_destroy(entry_t *entry) free(entry); } -/** - * Implementation of bus_t.add_listener. - */ -static void add_listener(private_bus_t *this, listener_t *listener) +METHOD(bus_t, add_listener, void, + private_bus_t *this, listener_t *listener) { this->mutex->lock(this->mutex); this->listeners->insert_last(this->listeners, entry_create(listener, FALSE)); this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.remove_listener. - */ -static void remove_listener(private_bus_t *this, listener_t *listener) +METHOD(bus_t, remove_listener, void, + private_bus_t *this, listener_t *listener) { enumerator_t *enumerator; entry_t *entry; @@ -156,10 +152,8 @@ static void listener_cleanup(cleanup_data_t *data) entry_destroy(data->entry); } -/** - * Implementation of bus_t.listen. - */ -static void listen_(private_bus_t *this, listener_t *listener, job_t *job) +METHOD(bus_t, listen_, void, + private_bus_t *this, listener_t *listener, job_t *job) { bool old; cleanup_data_t data; @@ -184,18 +178,14 @@ static void listen_(private_bus_t *this, listener_t *listener, job_t *job) entry_destroy(data.entry); } -/** - * Implementation of bus_t.set_sa. - */ -static void set_sa(private_bus_t *this, ike_sa_t *ike_sa) +METHOD(bus_t, set_sa, void, + private_bus_t *this, ike_sa_t *ike_sa) { this->thread_sa->set(this->thread_sa, ike_sa); } -/** - * Implementation of bus_t.get_sa - */ -static ike_sa_t* get_sa(private_bus_t *this) +METHOD(bus_t, get_sa, ike_sa_t*, + private_bus_t *this) { return this->thread_sa->get(this->thread_sa); } @@ -252,11 +242,9 @@ static bool log_cb(entry_t *entry, log_data_t *data) return FALSE; } -/** - * Implementation of bus_t.vlog. - */ -static void vlog(private_bus_t *this, debug_t group, level_t level, - char* format, va_list args) +METHOD(bus_t, vlog, void, + private_bus_t *this, debug_t group, level_t level, + char* format, va_list args) { log_data_t data; @@ -276,11 +264,8 @@ static void vlog(private_bus_t *this, debug_t group, level_t level, va_end(data.args); } -/** - * Implementation of bus_t.log. - */ -static void log_(private_bus_t *this, debug_t group, level_t level, - char* format, ...) +METHOD(bus_t, log_, void, + private_bus_t *this, debug_t group, level_t level, char* format, ...) { va_list args; @@ -307,10 +292,8 @@ static void unregister_listener(private_bus_t *this, entry_t *entry, this->listeners->remove_at(this->listeners, enumerator); } -/** - * Implementation of bus_t.alert - */ -static void alert(private_bus_t *this, alert_t alert, ...) +METHOD(bus_t, alert, void, + private_bus_t *this, alert_t alert, ...) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -342,11 +325,8 @@ static void alert(private_bus_t *this, alert_t alert, ...) this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.ike_state_change - */ -static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa, - ike_sa_state_t state) +METHOD(bus_t, ike_state_change, void, + private_bus_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) { enumerator_t *enumerator; entry_t *entry; @@ -372,11 +352,8 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa, this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.child_state_change - */ -static void child_state_change(private_bus_t *this, child_sa_t *child_sa, - child_sa_state_t state) +METHOD(bus_t, child_state_change, void, + private_bus_t *this, child_sa_t *child_sa, child_sa_state_t state) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -406,10 +383,8 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa, this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.message - */ -static void message(private_bus_t *this, message_t *message, bool incoming) +METHOD(bus_t, message, void, + private_bus_t *this, message_t *message, bool incoming) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -439,12 +414,9 @@ static void message(private_bus_t *this, message_t *message, bool incoming) this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.ike_keys - */ -static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, - ike_sa_t *rekey) +METHOD(bus_t, ike_keys, void, + private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey) { enumerator_t *enumerator; entry_t *entry; @@ -471,11 +443,9 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa, this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.child_keys - */ -static void child_keys(private_bus_t *this, child_sa_t *child_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r) +METHOD(bus_t, child_keys, void, + private_bus_t *this, child_sa_t *child_sa, bool initiator, + diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -494,7 +464,7 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa, } entry->calling++; keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa, - dh, nonce_i, nonce_r); + initiator, dh, nonce_i, nonce_r); entry->calling--; if (!keep) { @@ -505,10 +475,8 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa, this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.child_updown - */ -static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up) +METHOD(bus_t, child_updown, void, + private_bus_t *this, child_sa_t *child_sa, bool up) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -538,10 +506,8 @@ static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up) this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.child_rekey - */ -static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new) +METHOD(bus_t, child_rekey, void, + private_bus_t *this, child_sa_t *old, child_sa_t *new) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -570,10 +536,8 @@ static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new) this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.ike_updown - */ -static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up) +METHOD(bus_t, ike_updown, void, + private_bus_t *this, ike_sa_t *ike_sa, bool up) { enumerator_t *enumerator; entry_t *entry; @@ -613,10 +577,8 @@ static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up) } } -/** - * Implementation of bus_t.ike_rekey - */ -static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new) +METHOD(bus_t, ike_rekey, void, + private_bus_t *this, ike_sa_t *old, ike_sa_t *new) { enumerator_t *enumerator; entry_t *entry; @@ -642,10 +604,8 @@ static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new) this->mutex->unlock(this->mutex); } -/** - * Implementation of bus_t.authorize - */ -static bool authorize(private_bus_t *this, bool final) +METHOD(bus_t, authorize, bool, + private_bus_t *this, bool final) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -680,10 +640,40 @@ static bool authorize(private_bus_t *this, bool final) return success; } -/** - * Implementation of bus_t.destroy. - */ -static void destroy(private_bus_t *this) +METHOD(bus_t, narrow, void, + private_bus_t *this, child_sa_t *child_sa, narrow_hook_t type, + linked_list_t *local, linked_list_t *remote) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + bool keep; + + ike_sa = this->thread_sa->get(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->narrow) + { + continue; + } + entry->calling++; + keep = entry->listener->narrow(entry->listener, ike_sa, child_sa, + type, local, remote); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(bus_t, destroy, void, + private_bus_t *this) { this->thread_sa->destroy(this->thread_sa); this->mutex->destroy(this->mutex); @@ -696,31 +686,35 @@ static void destroy(private_bus_t *this) */ bus_t *bus_create() { - private_bus_t *this = malloc_thing(private_bus_t); - - this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener; - this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener; - this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_; - this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa; - this->public.get_sa = (ike_sa_t*(*)(bus_t*))get_sa; - this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_; - this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog; - this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert; - this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change; - this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change; - this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message; - this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys; - this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys; - this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown; - this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey; - this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown; - this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey; - this->public.authorize = (bool(*)(bus_t*, bool final))authorize; - this->public.destroy = (void(*)(bus_t*)) destroy; - - this->listeners = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - this->thread_sa = thread_value_create(NULL); + private_bus_t *this; + + INIT(this, + .public = { + .add_listener = _add_listener, + .remove_listener = _remove_listener, + .listen = _listen_, + .set_sa = _set_sa, + .get_sa = _get_sa, + .log = _log_, + .vlog = _vlog, + .alert = _alert, + .ike_state_change = _ike_state_change, + .child_state_change = _child_state_change, + .message = _message, + .ike_keys = _ike_keys, + .child_keys = _child_keys, + .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, + .child_updown = _child_updown, + .child_rekey = _child_rekey, + .authorize = _authorize, + .narrow = _narrow, + .destroy = _destroy, + }, + .listeners = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + .thread_sa = thread_value_create(NULL), + ); return &this->public; } diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index 8cf392eae..6a306afcc 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -22,6 +22,7 @@ #define BUS_H_ typedef enum alert_t alert_t; +typedef enum narrow_hook_t narrow_hook_t; typedef struct bus_t bus_t; #include <stdarg.h> @@ -86,6 +87,31 @@ enum alert_t { }; /** + * Kind of narrow hook. + * + * There is a non-authenticated (IKE_AUTH) and a authenticated + * (CREATE_CHILD_SA) narrowing hook for the initiator. Only one of these + * hooks is invoked before the exchange. + * To verify the traffic selectors negotiated, each PRE hook has a POST + * counterpart that follows. POST hooks are invoked with an authenticated peer. + * It is usually not a good idea to narrow in the POST hooks, + * as the resulting traffic selector is not negotiated and results + * in non-matching policies. + */ +enum narrow_hook_t { + /** invoked as initiator before exchange, peer is not yet authenticated */ + NARROW_INITIATOR_PRE_NOAUTH, + /** invoked as initiator before exchange, peer is authenticated */ + NARROW_INITIATOR_PRE_AUTH, + /** invoked as responder during exchange, peer is authenticated */ + NARROW_RESPONDER, + /** invoked as initiator after exchange, follows a INITIATOR_PRE_NOAUTH */ + NARROW_INITIATOR_POST_NOAUTH, + /** invoked as initiator after exchange, follows a INITIATOR_PRE_AUTH */ + NARROW_INITIATOR_POST_AUTH, +}; + +/** * The bus receives events and sends them to all registered listeners. * * Any events sent to are delivered to all registered listeners. Threads @@ -217,6 +243,17 @@ struct bus_t { bool (*authorize)(bus_t *this, bool final); /** + * CHILD_SA traffic selector narrowing hook. + * + * @param child_sa CHILD_SA set up with these traffic selectors + * @param type type of hook getting invoked + * @param local list of local traffic selectors to narrow + * @param remote list of remote traffic selectors to narrow + */ + void (*narrow)(bus_t *this, child_sa_t *child_sa, narrow_hook_t type, + linked_list_t *local, linked_list_t *remote); + + /** * IKE_SA keymat hook. * * @param ike_sa IKE_SA this keymat belongs to @@ -231,12 +268,13 @@ struct bus_t { * CHILD_SA keymat hook. * * @param child_sa CHILD_SA this keymat is used for + * @param initiator initiator of the CREATE_CHILD_SA exchange * @param dh diffie hellman shared secret * @param nonce_i initiators nonce * @param nonce_r responders nonce */ - void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r); + void (*child_keys)(bus_t *this, child_sa_t *child_sa, bool initiator, + diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); /** * IKE_SA up/down hook. diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c index 12587deaf..87db532f5 100644 --- a/src/libcharon/bus/listeners/file_logger.c +++ b/src/libcharon/bus/listeners/file_logger.c @@ -15,6 +15,7 @@ #include <stdio.h> #include <string.h> +#include <time.h> #include "file_logger.h" @@ -40,6 +41,11 @@ struct private_file_logger_t { * Maximum level to log, for each group */ level_t levels[DBG_MAX]; + + /** + * strftime() format of time prefix, if any + */ + char *time_format; }; /** @@ -50,8 +56,17 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level, { if (level <= this->levels[group]) { - char buffer[8192]; + char buffer[8192], timestr[128]; char *current = buffer, *next; + struct tm tm; + time_t t; + + if (this->time_format) + { + t = time(NULL); + localtime_r(&t, &tm); + strftime(timestr, sizeof(timestr), this->time_format, &tm); + } /* write in memory buffer first */ vsnprintf(buffer, sizeof(buffer), format, args); @@ -64,8 +79,16 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level, { *(next++) = '\0'; } - fprintf(this->out, "%.2d[%N] %s\n", - thread, debug_names, group, current); + if (this->time_format) + { + fprintf(this->out, "%s %.2d[%N] %s\n", + timestr, thread, debug_names, group, current); + } + else + { + fprintf(this->out, "%.2d[%N] %s\n", + thread, debug_names, group, current); + } current = next; } } @@ -106,7 +129,7 @@ static void destroy(private_file_logger_t *this) /* * Described in header. */ -file_logger_t *file_logger_create(FILE *out) +file_logger_t *file_logger_create(FILE *out, char *time_format) { private_file_logger_t *this = malloc_thing(private_file_logger_t); @@ -118,6 +141,7 @@ file_logger_t *file_logger_create(FILE *out) /* private variables */ this->out = out; + this->time_format = time_format; set_level(this, DBG_ANY, LEVEL_SILENT); return &this->public; diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h index bd443fdb8..e02a12c0c 100644 --- a/src/libcharon/bus/listeners/file_logger.h +++ b/src/libcharon/bus/listeners/file_logger.h @@ -52,9 +52,10 @@ struct file_logger_t { /** * Constructor to create a file_logger_t object. * - * @param out FILE to write to - * @return file_logger_t object + * @param out FILE to write to + * @param time_format format of timestamp prefix, as in strftime() + * @return file_logger_t object */ -file_logger_t *file_logger_create(FILE *out); +file_logger_t *file_logger_create(FILE *out, char *time_format); #endif /** FILE_LOGGER_H_ @}*/ diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 9a51a2ef4..e7873ee8c 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h @@ -110,13 +110,15 @@ struct listener_t { * * @param ike_sa IKE_SA the child sa belongs to * @param child_sa CHILD_SA this keymat is used for + * @param initiator initiator of the CREATE_CHILD_SA exchange * @param dh diffie hellman shared secret * @param nonce_i initiators nonce * @param nonce_r responders nonce * @return TRUE to stay registered, FALSE to unregister */ bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); + bool initiator, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r); /** * Hook called if an IKE_SA gets up or down. @@ -173,6 +175,21 @@ struct listener_t { */ bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, bool final, bool *success); + + /** + * CHILD_SA traffic selector narrowing hook. + * + * This hook is invoked for each CHILD_SA and allows plugins to modify + * the traffic selector list negotiated for this CHILD_SA. + * + * @param ike_sa IKE_SA the created CHILD_SA is created in + * @param child_sa CHILD_SA set up with these traffic selectors + * @param type type of hook getting invoked + * @param local list of local traffic selectors to narrow + * @param remote list of remote traffic selectors to narrow + */ + bool (*narrow)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + narrow_hook_t type, linked_list_t *local, linked_list_t *remote); }; #endif /** LISTENER_H_ @}*/ diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c index 11421ad05..5bc1d581a 100644 --- a/src/libcharon/bus/listeners/sys_logger.c +++ b/src/libcharon/bus/listeners/sys_logger.c @@ -15,6 +15,7 @@ #include <stdio.h> #include <string.h> +#include <syslog.h> #include "sys_logger.h" diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h index 730890d68..58d4de529 100644 --- a/src/libcharon/bus/listeners/sys_logger.h +++ b/src/libcharon/bus/listeners/sys_logger.h @@ -21,8 +21,6 @@ #ifndef SYS_LOGGER_H_ #define SYS_LOGGER_H_ -#include <syslog.h> - #include <bus/listeners/listener.h> typedef struct sys_logger_t sys_logger_t; diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 8410b3fe5..70f38b285 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -17,6 +17,8 @@ #include "child_cfg.h" +#include <stdint.h> + #include <daemon.h> ENUM(action_names, ACTION_NONE, ACTION_RESTART, @@ -112,6 +114,20 @@ struct private_child_cfg_t { u_int32_t inactivity; /** + * Reqid to install CHILD_SA with + */ + u_int32_t reqid; + + /** + * Optional mark to install inbound CHILD_SA with + */ + mark_t mark_in; + + /** + * Optional mark to install outbound CHILD_SA with + */ + mark_t mark_out; + /** * set up IPsec transport SA in MIPv6 proxy mode */ bool proxy_mode; @@ -446,6 +462,22 @@ static u_int32_t get_inactivity(private_child_cfg_t *this) } /** + * Implementation of child_cfg_t.get_reqid. + */ +static u_int32_t get_reqid(private_child_cfg_t *this) +{ + return this->reqid; +} + +/** + * Implementation of child_cfg_t.get_mark. + */ +static mark_t get_mark(private_child_cfg_t *this, bool inbound) +{ + return inbound ? this->mark_in : this->mark_out; +} + +/** * Implementation of child_cfg_t.set_mipv6_options. */ static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode, @@ -506,7 +538,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, ipsec_mode_t mode, action_t dpd_action, action_t close_action, bool ipcomp, - u_int32_t inactivity) + u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out) { private_child_cfg_t *this = malloc_thing(private_child_cfg_t); @@ -526,6 +559,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options; this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp; this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity; + this->public.get_reqid = (u_int32_t (*) (child_cfg_t *))get_reqid; + this->public.get_mark = (mark_t (*) (child_cfg_t *,bool))get_mark; this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode; this->public.install_policy = (bool (*) (child_cfg_t *))install_policy; this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref; @@ -539,6 +574,27 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, this->close_action = close_action; this->use_ipcomp = ipcomp; this->inactivity = inactivity; + this->reqid = reqid; + + if (mark_in) + { + this->mark_in = *mark_in; + } + else + { + this->mark_in.value = 0; + this->mark_in.mask = 0; + } + if (mark_out) + { + this->mark_out = *mark_out; + } + else + { + this->mark_out.value = 0; + this->mark_out.mask = 0; + } + this->proxy_mode = FALSE; this->install_policy = TRUE; this->refcount = 1; diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index c6186ea36..d34835ead 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -26,6 +26,7 @@ typedef enum action_t action_t; typedef enum ipcomp_transform_t ipcomp_transform_t; typedef struct lifetime_cfg_t lifetime_cfg_t; +typedef struct mark_t mark_t; typedef struct child_cfg_t child_cfg_t; #include <library.h> @@ -83,6 +84,16 @@ struct lifetime_cfg_t { }; /** + * A mark_t defines an optional mark in a CHILD_SA. + */ +struct mark_t { + /** Mark value */ + u_int32_t value; + /** Mark mask */ + u_int32_t mask; +}; + +/** * A child_cfg_t defines the config template for a CHILD_SA. * * After creation, proposals and traffic selectors may be added to the config. @@ -239,6 +250,21 @@ struct child_cfg_t { u_int32_t (*get_inactivity)(child_cfg_t *this); /** + * Specific reqid to use for CHILD_SA + * + * @return reqid + */ + u_int32_t (*get_reqid)(child_cfg_t *this); + + /** + * Optional mark for CHILD_SA + * + * @param inbound TRUE for inbound, FALSE for outbound + * @return mark + */ + mark_t (*get_mark)(child_cfg_t *this, bool inbound); + + /** * Sets two options needed for Mobile IPv6 interoperability * * @param proxy_mode use IPsec transport proxy mode (default FALSE) @@ -299,12 +325,16 @@ struct child_cfg_t { * @param close_action close action * @param ipcomp use IPComp, if peer supports it * @param inactivity inactivity timeout in s before closing a CHILD_SA - * @return child_cfg_t object + * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign + * @param mark_in optional inbound mark (can be NULL) + * @param mark_out optional outbound mark (can be NULL) + * @return child_cfg_t object */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, ipsec_mode_t mode, action_t dpd_action, action_t close_action, bool ipcomp, - u_int32_t inactivity); + u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out); #endif /** CHILD_CFG_H_ @}*/ diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index 6855276f8..723435cbb 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -36,7 +36,7 @@ typedef struct peer_cfg_t peer_cfg_t; #include <config/child_cfg.h> #include <sa/authenticators/authenticator.h> #include <sa/authenticators/eap/eap_method.h> -#include <config/auth_cfg.h> +#include <credentials/auth_cfg.h> /** * Certificate sending policy. This is also used for certificate diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c deleted file mode 100644 index adea0b4be..000000000 --- a/src/libcharon/credentials/credential_manager.c +++ /dev/null @@ -1,1681 +0,0 @@ -/* - * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "credential_manager.h" - -#include <daemon.h> -#include <threading/thread_value.h> -#include <threading/mutex.h> -#include <threading/rwlock.h> -#include <utils/linked_list.h> -#include <credentials/sets/cert_cache.h> -#include <credentials/sets/auth_cfg_wrapper.h> -#include <credentials/sets/ocsp_response_wrapper.h> -#include <credentials/certificates/x509.h> -#include <credentials/certificates/crl.h> -#include <credentials/certificates/ocsp_request.h> -#include <credentials/certificates/ocsp_response.h> - -typedef struct private_credential_manager_t private_credential_manager_t; - -/** - * private data of credential_manager - */ -struct private_credential_manager_t { - - /** - * public functions - */ - credential_manager_t public; - - /** - * list of credential sets - */ - linked_list_t *sets; - - /** - * thread local set of credentials, linked_list_t with credential_set_t's - */ - thread_value_t *local_sets; - - /** - * trust relationship and certificate cache - */ - cert_cache_t *cache; - - /** - * certificates queued for persistent caching - */ - linked_list_t *cache_queue; - - /** - * read-write lock to sets list - */ - rwlock_t *lock; - - /** - * mutex for cache queue - */ - mutex_t *queue_mutex; -}; - -/** data to pass to create_private_enumerator */ -typedef struct { - private_credential_manager_t *this; - key_type_t type; - identification_t* keyid; -} private_data_t; - -/** data to pass to create_cert_enumerator */ -typedef struct { - private_credential_manager_t *this; - certificate_type_t cert; - key_type_t key; - identification_t *id; - bool trusted; -} cert_data_t; - -/** data to pass to create_cdp_enumerator */ -typedef struct { - private_credential_manager_t *this; - certificate_type_t type; - identification_t *id; -} cdp_data_t; - -/** data to pass to create_shared_enumerator */ -typedef struct { - private_credential_manager_t *this; - shared_key_type_t type; - identification_t *me; - identification_t *other; -} shared_data_t; - -/** enumerator over local and global sets */ -typedef struct { - /** implements enumerator_t */ - enumerator_t public; - /** enumerator over global sets */ - enumerator_t *global; - /** enumerator over local sets */ - enumerator_t *local; -} sets_enumerator_t; - -/** - * destroy a sets_enumerator_t - */ -static void sets_enumerator_destroy(sets_enumerator_t *this) -{ - DESTROY_IF(this->global); - DESTROY_IF(this->local); - free(this); -} - -/** - * sets_enumerator_t.enumerate - */ -static bool sets_enumerator_enumerate(sets_enumerator_t *this, - credential_set_t **set) -{ - if (this->global) - { - if (this->global->enumerate(this->global, set)) - { - return TRUE; - } - /* end of global sets, look for local */ - this->global->destroy(this->global); - this->global = NULL; - } - if (this->local) - { - return this->local->enumerate(this->local, set); - } - return FALSE; -} - -/** - * create an enumerator over both, global and local sets - */ -static enumerator_t *create_sets_enumerator(private_credential_manager_t *this) -{ - linked_list_t *local; - sets_enumerator_t *enumerator = malloc_thing(sets_enumerator_t); - - enumerator->public.enumerate = (void*)sets_enumerator_enumerate; - enumerator->public.destroy = (void*)sets_enumerator_destroy; - enumerator->global = this->sets->create_enumerator(this->sets); - enumerator->local = NULL; - local = this->local_sets->get(this->local_sets); - if (local) - { - enumerator->local = local->create_enumerator(local); - } - return &enumerator->public; -} - -/** - * cleanup function for cert data - */ -static void destroy_cert_data(cert_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for certificates - */ -static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data) -{ - return set->create_cert_enumerator(set, data->cert, data->key, - data->id, data->trusted); -} - -/** - * Implementation of credential_manager_t.create_cert_enumerator. - */ -static enumerator_t *create_cert_enumerator(private_credential_manager_t *this, - certificate_type_t certificate, key_type_t key, - identification_t *id, bool trusted) -{ - cert_data_t *data = malloc_thing(cert_data_t); - data->this = this; - data->cert = certificate; - data->key = key; - data->id = id; - data->trusted = trusted; - - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_cert, data, - (void*)destroy_cert_data); -} - -/** - * Implementation of credential_manager_t.get_cert. - */ -static certificate_t *get_cert(private_credential_manager_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) -{ - certificate_t *current, *found = NULL; - enumerator_t *enumerator; - - enumerator = create_cert_enumerator(this, cert, key, id, trusted); - if (enumerator->enumerate(enumerator, ¤t)) - { - /* TODO: best match? order by keyid, subject, sualtname */ - found = current->get_ref(current); - } - enumerator->destroy(enumerator); - return found; -} - - -/** - * cleanup function for cdp data - */ -static void destroy_cdp_data(cdp_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for CDPs - */ -static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data) -{ - return set->create_cdp_enumerator(set, data->type, data->id); -} -/** - * Implementation of credential_manager_t.create_cdp_enumerator. - */ -static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this, - certificate_type_t type, identification_t *id) -{ - cdp_data_t *data = malloc_thing(cdp_data_t); - data->this = this; - data->type = type; - data->id = id; - - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_cdp, data, - (void*)destroy_cdp_data); -} - -/** - * cleanup function for private data - */ -static void destroy_private_data(private_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for private keys - */ -static enumerator_t *create_private(credential_set_t *set, private_data_t *data) -{ - return set->create_private_enumerator(set, data->type, data->keyid); -} - -/** - * Implementation of credential_manager_t.create_private_enumerator. - */ -static enumerator_t* create_private_enumerator( - private_credential_manager_t *this, - key_type_t key, identification_t *keyid) -{ - private_data_t *data; - - data = malloc_thing(private_data_t); - data->this = this; - data->type = key; - data->keyid = keyid; - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_private, data, - (void*)destroy_private_data); -} - -/** - * Implementation of credential_manager_t.get_private_by_keyid. - */ -static private_key_t *get_private_by_keyid(private_credential_manager_t *this, - key_type_t key, identification_t *keyid) -{ - private_key_t *found = NULL; - enumerator_t *enumerator; - - enumerator = create_private_enumerator(this, key, keyid); - if (enumerator->enumerate(enumerator, &found)) - { - found->get_ref(found); - } - enumerator->destroy(enumerator); - return found; -} - -/** - * cleanup function for shared data - */ -static void destroy_shared_data(shared_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for shared keys - */ -static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data) -{ - return set->create_shared_enumerator(set, data->type, data->me, data->other); -} - -/** - * Implementation of credential_manager_t.create_shared_enumerator. - */ -static enumerator_t *create_shared_enumerator(private_credential_manager_t *this, - shared_key_type_t type, - identification_t *me, identification_t *other) -{ - shared_data_t *data = malloc_thing(shared_data_t); - data->this = this; - data->type = type; - data->me = me; - data->other = other; - - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_shared, data, - (void*)destroy_shared_data); -} - -/** - * Implementation of credential_manager_t.get_shared. - */ -static shared_key_t *get_shared(private_credential_manager_t *this, - shared_key_type_t type, identification_t *me, - identification_t *other) -{ - shared_key_t *current, *found = NULL; - id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE; - id_match_t *match_me, *match_other; - enumerator_t *enumerator; - - enumerator = create_shared_enumerator(this, type, me, other); - while (enumerator->enumerate(enumerator, ¤t, &match_me, &match_other)) - { - if (match_other > best_other || - (match_other == best_other && match_me > best_me)) - { - DESTROY_IF(found); - found = current->get_ref(current); - best_me = match_me; - best_other = match_other; - } - } - enumerator->destroy(enumerator); - return found; -} - -/** - * add a credential set to the thread local list - */ -static void add_local_set(private_credential_manager_t *this, - credential_set_t *set) -{ - linked_list_t *sets; - - sets = this->local_sets->get(this->local_sets); - if (!sets) - { /* first invocation */ - sets = linked_list_create(); - this->local_sets->set(this->local_sets, sets); - } - sets->insert_last(sets, set); -} - -/** - * remove a credential set from the thread local list - */ -static void remove_local_set(private_credential_manager_t *this, - credential_set_t *set) -{ - linked_list_t *sets; - - sets = this->local_sets->get(this->local_sets); - sets->remove(sets, set, NULL); -} - -/** - * Implementation of credential_manager_t.cache_cert. - */ -static void cache_cert(private_credential_manager_t *this, certificate_t *cert) -{ - credential_set_t *set; - enumerator_t *enumerator; - - if (this->lock->try_write_lock(this->lock)) - { - enumerator = this->sets->create_enumerator(this->sets); - while (enumerator->enumerate(enumerator, &set)) - { - set->cache_cert(set, cert); - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - } - else - { /* we can't cache now as other threads are active, queue for later */ - this->queue_mutex->lock(this->queue_mutex); - this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert)); - this->queue_mutex->unlock(this->queue_mutex); - } -} - -/** - * Try to cache certificates queued for caching - */ -static void cache_queue(private_credential_manager_t *this) -{ - credential_set_t *set; - certificate_t *cert; - enumerator_t *enumerator; - - this->queue_mutex->lock(this->queue_mutex); - if (this->cache_queue->get_count(this->cache_queue) > 0 && - this->lock->try_write_lock(this->lock)) - { - while (this->cache_queue->remove_last(this->cache_queue, - (void**)&cert) == SUCCESS) - { - enumerator = this->sets->create_enumerator(this->sets); - while (enumerator->enumerate(enumerator, &set)) - { - set->cache_cert(set, cert); - } - enumerator->destroy(enumerator); - cert->destroy(cert); - } - this->lock->unlock(this->lock); - } - this->queue_mutex->unlock(this->queue_mutex); -} - -/** - * forward declaration - */ -static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this, - key_type_t type, identification_t *id, bool crl, bool ocsp); - -/** - * Do an OCSP request - */ -static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url, - certificate_t *subject, certificate_t *issuer) -{ - certificate_t *request, *response; - chunk_t send, receive; - - /* TODO: requestor name, signature */ - request = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, - BUILD_CA_CERT, issuer, - BUILD_CERT, subject, BUILD_END); - if (!request) - { - DBG1(DBG_CFG, "generating ocsp request failed"); - return NULL; - } - - send = request->get_encoding(request); - request->destroy(request); - - DBG1(DBG_CFG, " requesting ocsp status from '%s' ...", url); - if (lib->fetcher->fetch(lib->fetcher, url, &receive, - FETCH_REQUEST_DATA, send, - FETCH_REQUEST_TYPE, "application/ocsp-request", - FETCH_END) != SUCCESS) - { - DBG1(DBG_CFG, "ocsp request to %s failed", url); - chunk_free(&send); - return NULL; - } - chunk_free(&send); - - response = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, - BUILD_BLOB_ASN1_DER, receive, BUILD_END); - chunk_free(&receive); - if (!response) - { - DBG1(DBG_CFG, "parsing ocsp response failed"); - return NULL; - } - return response; -} - -/** - * check the signature of an OCSP response - */ -static bool verify_ocsp(private_credential_manager_t *this, - ocsp_response_t *response) -{ - certificate_t *issuer, *subject; - identification_t *responder; - ocsp_response_wrapper_t *wrapper; - enumerator_t *enumerator; - bool verified = FALSE; - - wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); - add_local_set(this, &wrapper->set); - - subject = &response->certificate; - responder = subject->get_issuer(subject); - enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) - { - if (this->cache->issued_by(this->cache, subject, issuer)) - { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", - issuer->get_subject(issuer)); - verified = TRUE; - break; - } - } - enumerator->destroy(enumerator); - - remove_local_set(this, &wrapper->set); - wrapper->destroy(wrapper); - return verified; -} - -/** - * Get the better of two OCSP responses, and check for usable OCSP info - */ -static certificate_t *get_better_ocsp(private_credential_manager_t *this, - certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, - cert_validation_t *valid, bool cache) -{ - ocsp_response_t *response; - time_t revocation, this_update, next_update, valid_until; - crl_reason_t reason; - bool revoked = FALSE; - - response = (ocsp_response_t*)cand; - - /* check ocsp signature */ - if (!verify_ocsp(this, response)) - { - DBG1(DBG_CFG, "ocsp response verification failed"); - cand->destroy(cand); - return best; - } - /* check if response contains our certificate */ - switch (response->get_status(response, subject, issuer, &revocation, &reason, - &this_update, &next_update)) - { - case VALIDATION_REVOKED: - /* subject has been revoked by a valid OCSP response */ - DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", - &revocation, TRUE, crl_reason_names, reason); - revoked = TRUE; - break; - case VALIDATION_GOOD: - /* results in either good or stale */ - break; - default: - case VALIDATION_FAILED: - /* candidate unusable, does not contain our cert */ - DBG1(DBG_CFG, " ocsp response contains no status on our certificate"); - cand->destroy(cand); - return best; - } - - /* select the better of the two responses */ - if (best == NULL || cand->is_newer(cand, best)) - { - DESTROY_IF(best); - best = cand; - if (best->get_validity(best, NULL, NULL, &valid_until)) - { - DBG1(DBG_CFG, " ocsp response is valid: until %T", - &valid_until, FALSE); - *valid = VALIDATION_GOOD; - if (cache) - { /* cache non-stale only, stale certs get refetched */ - cache_cert(this, best); - } - } - else - { - DBG1(DBG_CFG, " ocsp response is stale: since %T", - &valid_until, FALSE); - *valid = VALIDATION_STALE; - } - } - else - { - *valid = VALIDATION_STALE; - cand->destroy(cand); - } - if (revoked) - { /* revoked always counts, even if stale */ - *valid = VALIDATION_REVOKED; - } - return best; -} - -/** - * validate a x509 certificate using OCSP - */ -static cert_validation_t check_ocsp(private_credential_manager_t *this, - x509_t *subject, x509_t *issuer, - auth_cfg_t *auth) -{ - enumerator_t *enumerator; - cert_validation_t valid = VALIDATION_SKIPPED; - certificate_t *best = NULL, *current; - identification_t *keyid = NULL; - public_key_t *public; - chunk_t chunk; - char *uri = NULL; - - /** lookup cache for valid OCSP responses */ - enumerator = create_cert_enumerator(this, CERT_X509_OCSP_RESPONSE, - KEY_ANY, NULL, FALSE); - while (enumerator->enumerate(enumerator, ¤t)) - { - current->get_ref(current); - best = get_better_ocsp(this, current, best, subject, issuer, - &valid, FALSE); - if (best && valid != VALIDATION_STALE) - { - DBG1(DBG_CFG, " using cached ocsp response"); - break; - } - } - enumerator->destroy(enumerator); - - /* derive the authorityKeyIdentifier from the issuer's public key */ - current = &issuer->interface; - public = current->get_public_key(current); - if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) - { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); - } - /** fetch from configured OCSP responder URLs */ - if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = create_cdp_enumerator(this, CERT_X509_OCSP_RESPONSE, keyid); - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_ocsp(this, uri, &subject->interface, - &issuer->interface); - if (current) - { - best = get_better_ocsp(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - DESTROY_IF(public); - DESTROY_IF(keyid); - - /* fallback to URL fetching from subject certificate's URIs */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = subject->create_ocsp_uri_enumerator(subject); - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_ocsp(this, uri, &subject->interface, - &issuer->interface); - if (current) - { - best = get_better_ocsp(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - /* an uri was found, but no result. switch validation state to failed */ - if (valid == VALIDATION_SKIPPED && uri) - { - valid = VALIDATION_FAILED; - } - if (auth) - { - auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid); - if (valid == VALIDATION_GOOD) - { /* successful OCSP check fulfills also CRL constraint */ - auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD); - } - } - DESTROY_IF(best); - return valid; -} - -/** - * fetch a CRL from an URL - */ -static certificate_t* fetch_crl(private_credential_manager_t *this, char *url) -{ - certificate_t *crl; - chunk_t chunk; - - DBG1(DBG_CFG, " fetching crl from '%s' ...", url); - if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS) - { - DBG1(DBG_CFG, "crl fetching failed"); - return NULL; - } - crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, - BUILD_BLOB_ASN1_DER, chunk, BUILD_END); - chunk_free(&chunk); - if (!crl) - { - DBG1(DBG_CFG, "crl fetched successfully but parsing failed"); - return NULL; - } - return crl; -} - -/** - * check the signature of an CRL - */ -static bool verify_crl(private_credential_manager_t *this, certificate_t *crl) -{ - certificate_t *issuer; - enumerator_t *enumerator; - bool verified = FALSE; - - enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl), - FALSE, FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) - { - if (this->cache->issued_by(this->cache, crl, issuer)) - { - DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", - issuer->get_subject(issuer)); - verified = TRUE; - break; - } - } - enumerator->destroy(enumerator); - - return verified; -} - -/** - * Get the better of two CRLs, and check for usable CRL info - */ -static certificate_t *get_better_crl(private_credential_manager_t *this, - certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, - cert_validation_t *valid, bool cache) -{ - enumerator_t *enumerator; - time_t revocation, valid_until; - crl_reason_t reason; - chunk_t serial; - crl_t *crl; - - /* check CRL signature */ - if (!verify_crl(this, cand)) - { - DBG1(DBG_CFG, "crl response verification failed"); - cand->destroy(cand); - return best; - } - - crl = (crl_t*)cand; - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) - { - if (chunk_equals(serial, subject->get_serial(subject))) - { - DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", - &revocation, TRUE, crl_reason_names, reason); - *valid = VALIDATION_REVOKED; - enumerator->destroy(enumerator); - DESTROY_IF(best); - return cand; - } - } - enumerator->destroy(enumerator); - - /* select the better of the two CRLs */ - if (best == NULL || cand->is_newer(cand, best)) - { - DESTROY_IF(best); - best = cand; - if (best->get_validity(best, NULL, NULL, &valid_until)) - { - DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE); - *valid = VALIDATION_GOOD; - if (cache) - { /* we cache non-stale crls only, as a stale crls are refetched */ - cache_cert(this, best); - } - } - else - { - DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE); - *valid = VALIDATION_STALE; - } - } - else - { - *valid = VALIDATION_STALE; - cand->destroy(cand); - } - return best; -} - -/** - * validate a x509 certificate using CRL - */ -static cert_validation_t check_crl(private_credential_manager_t *this, - x509_t *subject, x509_t *issuer, - auth_cfg_t *auth) -{ - cert_validation_t valid = VALIDATION_SKIPPED; - identification_t *keyid = NULL; - certificate_t *best = NULL; - certificate_t *current; - public_key_t *public; - enumerator_t *enumerator; - chunk_t chunk; - char *uri = NULL; - - /* derive the authorityKeyIdentifier from the issuer's public key */ - current = &issuer->interface; - public = current->get_public_key(current); - if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) - { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); - - /* find a cached crl by authorityKeyIdentifier */ - enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY, - keyid, FALSE); - while (enumerator->enumerate(enumerator, ¤t)) - { - current->get_ref(current); - best = get_better_crl(this, current, best, subject, issuer, - &valid, FALSE); - if (best && valid != VALIDATION_STALE) - { - DBG1(DBG_CFG, " using cached crl"); - break; - } - } - enumerator->destroy(enumerator); - - /* fallback to fetching crls from credential sets cdps */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid); - - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_crl(this, uri); - if (current) - { - best = get_better_crl(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - keyid->destroy(keyid); - } - DESTROY_IF(public); - - /* fallback to fetching crls from cdps from subject's certificate */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = subject->create_crl_uri_enumerator(subject); - - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_crl(this, uri); - if (current) - { - best = get_better_crl(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - - /* an uri was found, but no result. switch validation state to failed */ - if (valid == VALIDATION_SKIPPED && uri) - { - valid = VALIDATION_FAILED; - } - if (auth) - { - if (valid == VALIDATION_SKIPPED) - { /* if we skipped CRL validation, we use the result of OCSP for - * constraint checking */ - auth->add(auth, AUTH_RULE_CRL_VALIDATION, - auth->get(auth, AUTH_RULE_OCSP_VALIDATION)); - } - else - { - auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid); - } - } - DESTROY_IF(best); - return valid; -} - -/** - * check a certificate for optional IP address block constraints - */ -static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer) -{ - bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS; - bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS; - bool contained = TRUE; - - enumerator_t *subject_enumerator, *issuer_enumerator; - traffic_selector_t *subject_ts, *issuer_ts; - - if (!subject_constraint && !issuer_constraint) - { - return TRUE; - } - if (!subject_constraint) - { - DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension"); - return FALSE; - } - if (!issuer_constraint) - { - DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension"); - return FALSE; - } - subject_enumerator = subject->create_ipAddrBlock_enumerator(subject); - while (subject_enumerator->enumerate(subject_enumerator, &subject_ts)) - { - contained = FALSE; - - issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer); - while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts)) - { - if (subject_ts->is_contained_in(subject_ts, issuer_ts)) - { - DBG2(DBG_CFG, " subject address block %R is contained in " - "issuer address block %R", subject_ts, issuer_ts); - contained = TRUE; - break; - } - } - issuer_enumerator->destroy(issuer_enumerator); - if (!contained) - { - DBG1(DBG_CFG, "subject address block %R is not contained in any " - "issuer address block", subject_ts); - break; - } - } - subject_enumerator->destroy(subject_enumerator); - return contained; -} - -/** - * check a certificate for its lifetime - */ -static bool check_certificate(private_credential_manager_t *this, - certificate_t *subject, certificate_t *issuer, - bool crl, bool ocsp, auth_cfg_t *auth) -{ - time_t not_before, not_after; - - if (!subject->get_validity(subject, NULL, ¬_before, ¬_after)) - { - DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); - return FALSE; - } - if (!issuer->get_validity(issuer, NULL, ¬_before, ¬_after)) - { - DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); - return FALSE; - } - if (issuer->get_type(issuer) == CERT_X509 && - subject->get_type(subject) == CERT_X509) - { - if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer)) - { - return FALSE; - } - if (ocsp || crl) - { - DBG1(DBG_CFG, "checking certificate status of \"%Y\"", - subject->get_subject(subject)); - } - if (ocsp) - { - switch (check_ocsp(this, (x509_t*)subject, (x509_t*)issuer, auth)) - { - case VALIDATION_GOOD: - DBG1(DBG_CFG, "certificate status is good"); - return TRUE; - case VALIDATION_REVOKED: - /* has already been logged */ - return FALSE; - case VALIDATION_SKIPPED: - DBG2(DBG_CFG, "ocsp check skipped, no ocsp found"); - break; - case VALIDATION_STALE: - DBG1(DBG_CFG, "ocsp information stale, fallback to crl"); - break; - case VALIDATION_FAILED: - DBG1(DBG_CFG, "ocsp check failed, fallback to crl"); - break; - } - } - if (crl) - { - switch (check_crl(this, (x509_t*)subject, (x509_t*)issuer, auth)) - { - case VALIDATION_GOOD: - DBG1(DBG_CFG, "certificate status is good"); - return TRUE; - case VALIDATION_REVOKED: - /* has already been logged */ - return FALSE; - case VALIDATION_FAILED: - case VALIDATION_SKIPPED: - DBG1(DBG_CFG, "certificate status is not available"); - break; - case VALIDATION_STALE: - DBG1(DBG_CFG, "certificate status is unknown, crl is stale"); - break; - } - } - } - return TRUE; -} - -/** - * Get a trusted certificate from a credential set - */ -static certificate_t *get_pretrusted_cert(private_credential_manager_t *this, - key_type_t type, identification_t *id) -{ - certificate_t *subject; - public_key_t *public; - - subject = get_cert(this, CERT_ANY, type, id, TRUE); - if (!subject) - { - return NULL; - } - public = subject->get_public_key(subject); - if (!public) - { - subject->destroy(subject); - return NULL; - } - public->destroy(public); - return subject; -} - -/** - * Get the issuing certificate of a subject certificate - */ -static certificate_t *get_issuer_cert(private_credential_manager_t *this, - certificate_t *subject, bool trusted) -{ - enumerator_t *enumerator; - certificate_t *issuer = NULL, *candidate; - - enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY, - subject->get_issuer(subject), trusted); - while (enumerator->enumerate(enumerator, &candidate)) - { - if (this->cache->issued_by(this->cache, subject, candidate)) - { - issuer = candidate->get_ref(candidate); - break; - } - } - enumerator->destroy(enumerator); - return issuer; -} - -/** - * try to verify the trust chain of subject, return TRUE if trusted - */ -static bool verify_trust_chain(private_credential_manager_t *this, - certificate_t *subject, auth_cfg_t *result, - bool trusted, bool crl, bool ocsp) -{ - certificate_t *current, *issuer; - x509_t *x509; - auth_cfg_t *auth; - int pathlen, pathlen_constraint; - - auth = auth_cfg_create(); - current = subject->get_ref(subject); - - for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++) - { - issuer = get_issuer_cert(this, current, TRUE); - if (issuer) - { - /* accept only self-signed CAs as trust anchor */ - if (this->cache->issued_by(this->cache, issuer, issuer)) - { - auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", - issuer->get_subject(issuer)); - trusted = TRUE; - } - else - { - auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using trusted intermediate ca certificate " - "\"%Y\"", issuer->get_subject(issuer)); - } - } - else - { - issuer = get_issuer_cert(this, current, FALSE); - if (issuer) - { - if (current->equals(current, issuer)) - { - DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted", - current->get_subject(current)); - issuer->destroy(issuer); - break; - } - auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using untrusted intermediate certificate " - "\"%Y\"", issuer->get_subject(issuer)); - } - else - { - DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", - current->get_subject(current)); - break; - } - } - if (!check_certificate(this, current, issuer, crl, ocsp, - current == subject ? auth : NULL)) - { - trusted = FALSE; - issuer->destroy(issuer); - break; - } - - /* check path length constraint */ - x509 = (x509_t*)issuer; - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && - pathlen > pathlen_constraint) - { - DBG1(DBG_CFG, "path length of %d violates constraint of %d", - pathlen, pathlen_constraint); - trusted = FALSE; - issuer->destroy(issuer); - break; - } - current->destroy(current); - current = issuer; - if (trusted) - { - DBG1(DBG_CFG, " reached self-signed root ca with a path length of %d", - pathlen); - break; - } - } - current->destroy(current); - if (pathlen > X509_MAX_PATH_LEN) - { - DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN); - } - if (trusted) - { - result->merge(result, auth, FALSE); - } - auth->destroy(auth); - return trusted; -} - -/** - * enumerator for trusted certificates - */ -typedef struct { - /** implements enumerator_t interface */ - enumerator_t public; - /** enumerator over candidate peer certificates */ - enumerator_t *candidates; - /** reference to the credential_manager */ - private_credential_manager_t *this; - /** type of the requested key */ - key_type_t type; - /** identity the requested key belongs to */ - identification_t *id; - /** TRUE to do CRL checking */ - bool crl; - /** TRUE to do OCSP checking */ - bool ocsp; - /** pretrusted certificate we have served at first invocation */ - certificate_t *pretrusted; - /** currently enumerating auth config */ - auth_cfg_t *auth; -} trusted_enumerator_t; - -/** - * Implements trusted_enumerator_t.enumerate - */ -static bool trusted_enumerate(trusted_enumerator_t *this, - certificate_t **cert, auth_cfg_t **auth) -{ - certificate_t *current; - - DESTROY_IF(this->auth); - this->auth = auth_cfg_create(); - - if (!this->candidates) - { - /* first invocation, build enumerator for next one */ - this->candidates = create_cert_enumerator(this->this, CERT_ANY, - this->type, this->id, FALSE); - /* check if we have a trusted certificate for that peer */ - this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id); - if (this->pretrusted) - { - /* if we find a trusted self signed certificate, we just accept it. - * However, in order to fulfill authorization rules, we try to build - * the trust chain if it is not self signed */ - if (this->this->cache->issued_by(this->this->cache, - this->pretrusted, this->pretrusted) || - verify_trust_chain(this->this, this->pretrusted, this->auth, - TRUE, this->crl, this->ocsp)) - { - this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, - this->pretrusted->get_ref(this->pretrusted)); - DBG1(DBG_CFG, " using trusted certificate \"%Y\"", - this->pretrusted->get_subject(this->pretrusted)); - *cert = this->pretrusted; - if (auth) - { - *auth = this->auth; - } - return TRUE; - } - } - } - /* try to verify the trust chain for each certificate found */ - while (this->candidates->enumerate(this->candidates, ¤t)) - { - if (this->pretrusted && - this->pretrusted->equals(this->pretrusted, current)) - { /* skip pretrusted certificate we already served */ - continue; - } - - DBG1(DBG_CFG, " using certificate \"%Y\"", - current->get_subject(current)); - if (verify_trust_chain(this->this, current, this->auth, FALSE, - this->crl, this->ocsp)) - { - *cert = current; - if (auth) - { - *auth = this->auth; - } - return TRUE; - } - } - return FALSE; -} - -/** - * Implements trusted_enumerator_t.destroy - */ -static void trusted_destroy(trusted_enumerator_t *this) -{ - DESTROY_IF(this->pretrusted); - DESTROY_IF(this->auth); - DESTROY_IF(this->candidates); - free(this); -} - -/** - * create an enumerator over trusted certificates and their trustchain - */ -static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this, - key_type_t type, identification_t *id, bool crl, bool ocsp) -{ - trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t); - - enumerator->public.enumerate = (void*)trusted_enumerate; - enumerator->public.destroy = (void*)trusted_destroy; - - enumerator->candidates = NULL; - enumerator->this = this; - enumerator->type = type; - enumerator->id = id; - enumerator->crl = crl; - enumerator->ocsp = ocsp; - enumerator->pretrusted = NULL; - enumerator->auth = NULL; - - return &enumerator->public; -} - -/** - * enumerator for public keys - */ -typedef struct { - /** implements enumerator_t interface */ - enumerator_t public; - /** enumerator over candidate peer certificates */ - enumerator_t *inner; - /** reference to the credential_manager */ - private_credential_manager_t *this; - /** currently enumerating key */ - public_key_t *current; - /** credset wrapper around auth config */ - auth_cfg_wrapper_t *wrapper; -} public_enumerator_t; - -/** - * Implements public_enumerator_t.enumerate - */ -static bool public_enumerate(public_enumerator_t *this, - public_key_t **key, auth_cfg_t **auth) -{ - certificate_t *cert; - - while (this->inner->enumerate(this->inner, &cert, auth)) - { - DESTROY_IF(this->current); - this->current = cert->get_public_key(cert); - if (this->current) - { - *key = this->current; - return TRUE; - } - } - return FALSE; -} - -/** - * Implements public_enumerator_t.destroy - */ -static void public_destroy(public_enumerator_t *this) -{ - DESTROY_IF(this->current); - this->inner->destroy(this->inner); - if (this->wrapper) - { - remove_local_set(this->this, &this->wrapper->set); - this->wrapper->destroy(this->wrapper); - } - this->this->lock->unlock(this->this->lock); - - /* check for delayed certificate cache queue */ - cache_queue(this->this); - free(this); -} - -/** - * Implementation of credential_manager_t.create_public_enumerator. - */ -static enumerator_t* create_public_enumerator(private_credential_manager_t *this, - key_type_t type, identification_t *id, auth_cfg_t *auth) -{ - public_enumerator_t *enumerator = malloc_thing(public_enumerator_t); - - enumerator->public.enumerate = (void*)public_enumerate; - enumerator->public.destroy = (void*)public_destroy; - enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE); - enumerator->this = this; - enumerator->current = NULL; - enumerator->wrapper = NULL; - if (auth) - { - enumerator->wrapper = auth_cfg_wrapper_create(auth); - add_local_set(this, &enumerator->wrapper->set); - } - this->lock->read_lock(this->lock); - return &enumerator->public; -} - -/** - * Check if a certificate's keyid is contained in the auth helper - */ -static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert) -{ - enumerator_t *enumerator; - identification_t *value; - auth_rule_t type; - bool found = FALSE; - - enumerator = auth->create_enumerator(auth); - while (enumerator->enumerate(enumerator, &type, &value)) - { - if (type == AUTH_RULE_CA_CERT && - cert->equals(cert, (certificate_t*)value)) - { - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - return found; -} - -/** - * build a trustchain from subject up to a trust anchor in trusted - */ -static auth_cfg_t *build_trustchain(private_credential_manager_t *this, - certificate_t *subject, auth_cfg_t *auth) -{ - certificate_t *issuer, *current; - auth_cfg_t *trustchain; - int pathlen = 0; - - trustchain = auth_cfg_create(); - - current = auth->get(auth, AUTH_RULE_CA_CERT); - if (!current) - { - /* no trust anchor specified, return this cert only */ - trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, - subject->get_ref(subject)); - return trustchain; - } - current = subject->get_ref(subject); - while (TRUE) - { - if (auth_contains_cacert(auth, current)) - { - trustchain->add(trustchain, AUTH_RULE_CA_CERT, current); - return trustchain; - } - if (subject == current) - { - trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current); - } - else - { - trustchain->add(trustchain, AUTH_RULE_IM_CERT, current); - } - issuer = get_issuer_cert(this, current, FALSE); - if (!issuer || issuer->equals(issuer, current) || - pathlen > X509_MAX_PATH_LEN) - { - DESTROY_IF(issuer); - break; - } - current = issuer; - pathlen++; - } - trustchain->destroy(trustchain); - return NULL; -} - -/** - * find a private key of a give certificate - */ -static private_key_t *get_private_by_cert(private_credential_manager_t *this, - certificate_t *cert, key_type_t type) -{ - private_key_t *private = NULL; - identification_t *keyid; - chunk_t chunk; - public_key_t *public; - - public = cert->get_public_key(cert); - if (public) - { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) - { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); - private = get_private_by_keyid(this, type, keyid); - keyid->destroy(keyid); - } - public->destroy(public); - } - return private; -} - -/** - * Implementation of credential_manager_t.get_private. - */ -static private_key_t *get_private(private_credential_manager_t *this, - key_type_t type, identification_t *id, - auth_cfg_t *auth) -{ - enumerator_t *enumerator; - certificate_t *cert; - private_key_t *private = NULL; - auth_cfg_t *trustchain; - - /* check if this is a lookup by key ID, and do it if so */ - if (id && id->get_type(id) == ID_KEY_ID) - { - private = get_private_by_keyid(this, type, id); - if (private) - { - return private; - } - } - - /* if a specific certificate is preferred, check for a matching key */ - cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); - if (cert) - { - private = get_private_by_cert(this, cert, type); - if (private) - { - trustchain = build_trustchain(this, cert, auth); - if (trustchain) - { - auth->merge(auth, trustchain, FALSE); - trustchain->destroy(trustchain); - } - return private; - } - } - - /* try to build a trust chain for each certificate found */ - enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); - while (enumerator->enumerate(enumerator, &cert)) - { - private = get_private_by_cert(this, cert, type); - if (private) - { - trustchain = build_trustchain(this, cert, auth); - if (trustchain) - { - auth->merge(auth, trustchain, FALSE); - trustchain->destroy(trustchain); - break; - } - private->destroy(private); - private = NULL; - } - } - enumerator->destroy(enumerator); - - /* if no valid trustchain was found, fall back to the first usable cert */ - if (!private) - { - enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); - while (enumerator->enumerate(enumerator, &cert)) - { - private = get_private_by_cert(this, cert, type); - if (private) - { - auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert)); - break; - } - } - enumerator->destroy(enumerator); - } - return private; -} - -/** - * Implementation of credential_manager_t.flush_cache. - */ -static void flush_cache(private_credential_manager_t *this, - certificate_type_t type) -{ - this->cache->flush(this->cache, type); -} - -/** - * Implementation of credential_manager_t.add_set. - */ -static void add_set(private_credential_manager_t *this, - credential_set_t *set) -{ - this->lock->write_lock(this->lock); - this->sets->insert_last(this->sets, set); - this->lock->unlock(this->lock); -} - -/** - * Implementation of credential_manager_t.remove_set. - */ -static void remove_set(private_credential_manager_t *this, credential_set_t *set) -{ - this->lock->write_lock(this->lock); - this->sets->remove(this->sets, set, NULL); - this->lock->unlock(this->lock); -} - -/** - * Implementation of credential_manager_t.destroy - */ -static void destroy(private_credential_manager_t *this) -{ - cache_queue(this); - this->cache_queue->destroy(this->cache_queue); - this->sets->remove(this->sets, this->cache, NULL); - this->sets->destroy(this->sets); - this->local_sets->destroy(this->local_sets); - this->cache->destroy(this->cache); - this->lock->destroy(this->lock); - this->queue_mutex->destroy(this->queue_mutex); - free(this); -} - -/* - * see header file - */ -credential_manager_t *credential_manager_create() -{ - private_credential_manager_t *this = malloc_thing(private_credential_manager_t); - - this->public.create_cert_enumerator = (enumerator_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *id,bool))create_cert_enumerator; - this->public.create_shared_enumerator = (enumerator_t *(*)(credential_manager_t *this, shared_key_type_t type,identification_t *me, identification_t *other))create_shared_enumerator; - this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator; - this->public.get_cert = (certificate_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *, bool))get_cert; - this->public.get_shared = (shared_key_t *(*)(credential_manager_t *this,shared_key_type_t type,identification_t *me, identification_t *other))get_shared; - this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_cfg_t*))get_private; - this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_cfg_t *aut))create_public_enumerator; - this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache; - this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert; - this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set; - this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set; - this->public.destroy = (void(*)(credential_manager_t*))destroy; - - this->sets = linked_list_create(); - this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy); - this->cache = cert_cache_create(); - this->cache_queue = linked_list_create(); - this->sets->insert_first(this->sets, this->cache); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - this->queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT); - - return &this->public; -} - diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 11c94beb9..c0227027c 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -19,16 +19,19 @@ #include <stdio.h> #include <sys/types.h> #include <unistd.h> +#include <syslog.h> #include <time.h> #include <errno.h> + #ifdef CAPABILITIES +#ifdef HAVE_SYS_CAPABILITY_H #include <sys/capability.h> +#endif /* HAVE_SYS_CAPABILITY_H */ #endif /* CAPABILITIES */ #include "daemon.h" #include <library.h> -#include <selectors/traffic_selector.h> #include <config/proposal.h> #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ @@ -46,12 +49,16 @@ struct private_daemon_t { */ daemon_t public; -#ifdef CAPABILITIES /** * capabilities to keep */ +#ifdef CAPABILITIES_LIBCAP cap_t caps; -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + struct __user_cap_data_struct caps; +#endif /* CAPABILITIES_NATIVE */ + }; /** @@ -97,11 +104,12 @@ static void destroy(private_daemon_t *this) this->public.ike_sa_manager->flush(this->public.ike_sa_manager); } DESTROY_IF(this->public.receiver); + DESTROY_IF(this->public.sender); /* unload plugins to release threads */ lib->plugins->unload(lib->plugins); -#ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP cap_free(this->caps); -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ DESTROY_IF(this->public.traps); DESTROY_IF(this->public.ike_sa_manager); DESTROY_IF(this->public.kernel_interface); @@ -114,8 +122,6 @@ static void destroy(private_daemon_t *this) DESTROY_IF(this->public.mediation_manager); #endif /* ME */ DESTROY_IF(this->public.backends); - DESTROY_IF(this->public.credentials); - DESTROY_IF(this->public.sender); DESTROY_IF(this->public.socket); /* wait until all threads are gone */ DESTROY_IF(this->public.processor); @@ -133,22 +139,36 @@ static void destroy(private_daemon_t *this) METHOD(daemon_t, keep_cap, void, private_daemon_t *this, u_int cap) { -#ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET); cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET); cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET); -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + this->caps.effective |= 1 << cap; + this->caps.permitted |= 1 << cap; + this->caps.inheritable |= 1 << cap; +#endif /* CAPABILITIES_NATIVE */ } METHOD(daemon_t, drop_capabilities, bool, private_daemon_t *this) { -#ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP if (cap_set_proc(this->caps) != 0) { return FALSE; } -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + struct __user_cap_header_struct header = { + .version = _LINUX_CAPABILITY_VERSION, + }; + if (capset(&header, &this->caps) != 0) + { + return FALSE; + } +#endif /* CAPABILITIES_NATIVE */ return TRUE; } @@ -254,8 +274,15 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, filename, strerror(errno)); continue; } + if (lib->settings->get_bool(lib->settings, + "charon.filelog.%s.flush_line", FALSE, filename)) + { + setlinebuf(file); + } } - file_logger = file_logger_create(file); + file_logger = file_logger_create(file, + lib->settings->get_str(lib->settings, + "charon.filelog.%s.time_format", NULL, filename)); def = lib->settings->get_int(lib->settings, "charon.filelog.%s.default", 1, filename); for (group = 0; group < DBG_MAX; group++) @@ -276,7 +303,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, if (!loggers_defined) { /* set up default stdout file_logger */ - file_logger = file_logger_create(stdout); + file_logger = file_logger_create(stdout, NULL); this->public.bus->add_listener(this->public.bus, &file_logger->listener); this->public.file_loggers->insert_last(this->public.file_loggers, file_logger); @@ -331,7 +358,6 @@ METHOD(daemon_t, initialize, bool, /* load secrets, ca certificates and crls */ this->public.processor = processor_create(); this->public.scheduler = scheduler_create(); - this->public.credentials = credential_manager_create(); this->public.controller = controller_create(); this->public.eap = eap_manager_create(); this->public.sim = sim_manager_create(); @@ -392,7 +418,9 @@ private_daemon_t *daemon_create() ); #ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP this->caps = cap_init(); +#endif /* CAPABILITIES_LIBCAP */ keep_cap(this, CAP_NET_ADMIN); if (lib->leak_detective) { @@ -423,10 +451,6 @@ bool libcharon_init() this = daemon_create(); charon = &this->public; - lib->printf_hook->add_handler(lib->printf_hook, 'R', - traffic_selector_printf_hook, - PRINTF_HOOK_ARGTYPE_POINTER, - PRINTF_HOOK_ARGTYPE_END); lib->printf_hook->add_handler(lib->printf_hook, 'P', proposal_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h index 9b6d97060..38f0256e7 100644 --- a/src/libcharon/daemon.h +++ b/src/libcharon/daemon.h @@ -31,12 +31,6 @@ * @defgroup control control * @ingroup libcharon * - * @defgroup ccredentials credentials - * @ingroup libcharon - * - * @defgroup sets sets - * @ingroup ccredentials - * * @defgroup encoding encoding * @ingroup libcharon * @@ -156,7 +150,6 @@ typedef struct daemon_t daemon_t; #include <sa/ike_sa_manager.h> #include <sa/trap_manager.h> #include <config/backend_manager.h> -#include <credentials/credential_manager.h> #include <sa/authenticators/eap/eap_manager.h> #include <sa/authenticators/eap/sim_manager.h> @@ -206,11 +199,6 @@ struct daemon_t { backend_manager_t *backends; /** - * Manager for the credential backends - */ - credential_manager_t *credentials; - - /** * The Sender-Thread. */ sender_t *sender; diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index acfc0fd44..ee49a6686 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -31,6 +31,7 @@ #include <encoding/payloads/payload.h> #include <encoding/payloads/encryption_payload.h> #include <encoding/payloads/unknown_payload.h> +#include <encoding/payloads/cp_payload.h> /** * Max number of notify payloads per IKEv2 Message @@ -975,6 +976,39 @@ static char* get_string(private_message_t *this, char *buf, int len) pos += written; len -= written; } + if (payload->get_type(payload) == CONFIGURATION) + { + cp_payload_t *cp = (cp_payload_t*)payload; + enumerator_t *attributes; + configuration_attribute_t *attribute; + bool first = TRUE; + + attributes = cp->create_attribute_enumerator(cp); + while (attributes->enumerate(attributes, &attribute)) + { + written = snprintf(pos, len, "%s%N", first ? "(" : " ", + configuration_attribute_type_short_names, + attribute->get_type(attribute)); + if (written >= len || written < 0) + { + return buf; + } + pos += written; + len -= written; + first = FALSE; + } + attributes->destroy(attributes); + if (!first) + { + written = snprintf(pos, len, ")"); + if (written >= len || written < 0) + { + return buf; + } + pos += written; + len -= written; + } + } } enumerator->destroy(enumerator); diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c index 6dd3141f0..80239f654 100644 --- a/src/libcharon/encoding/payloads/cert_payload.c +++ b/src/libcharon/encoding/payloads/cert_payload.c @@ -320,7 +320,12 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert) free(this); return NULL; } - this->data = cert->get_encoding(cert); + if (!cert->get_encoding(cert, CERT_ASN1_DER, &this->data)) + { + DBG1(DBG_ENC, "encoding certificate for cert payload failed"); + free(this); + return NULL; + } this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len; return &this->public; } diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c index 64a43a7fc..837e628bc 100644 --- a/src/libcharon/kernel/kernel_interface.c +++ b/src/libcharon/kernel/kernel_interface.c @@ -67,8 +67,8 @@ METHOD(kernel_interface_t, get_cpi, status_t, METHOD(kernel_interface_t, add_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, + mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { @@ -77,82 +77,84 @@ METHOD(kernel_interface_t, add_sa, status_t, return NOT_SUPPORTED; } return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, - lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi, - encap, inbound, src_ts, dst_ts); + mark, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, + cpi, encap, inbound, src_ts, dst_ts); } METHOD(kernel_interface_t, update_sa, status_t, private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap) + bool encap, bool new_encap, mark_t mark) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst, - new_src, new_dst, encap, new_encap); + new_src, new_dst, encap, new_encap, mark); } METHOD(kernel_interface_t, query_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes); + return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes); } METHOD(kernel_interface_t, del_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi) + protocol_id_t protocol, u_int16_t cpi, mark_t mark) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi); + return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark); } METHOD(kernel_interface_t, add_policy, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed) + u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts, - direction, spi, protocol, reqid, mode, ipcomp, cpi, routed); + direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed); } METHOD(kernel_interface_t, query_policy, status_t, private_kernel_interface_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + u_int32_t *use_time) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, - direction, use_time); + direction, mark, use_time); } METHOD(kernel_interface_t, del_policy, status_t, private_kernel_interface_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + bool unrouted) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, - direction, unrouted); + direction, mark, unrouted); } METHOD(kernel_interface_t, get_source_addr, host_t*, diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h index 4a62e76b8..92d85f9c9 100644 --- a/src/libcharon/kernel/kernel_interface.h +++ b/src/libcharon/kernel/kernel_interface.h @@ -90,6 +90,7 @@ struct kernel_interface_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA + * @param mark optional mark for this SA * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption @@ -106,7 +107,7 @@ struct kernel_interface_t { */ status_t (*add_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, + protocol_id_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, @@ -131,6 +132,7 @@ struct kernel_interface_t { * @param new_dst new destination address * @param encap current use of UDP encapsulation * @param new_encap new use of UDP encapsulation + * @param mark optional mark for this SA * @return SUCCESS if operation completed, NOT_SUPPORTED if * the kernel interface can't update the SA */ @@ -138,7 +140,7 @@ struct kernel_interface_t { u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap); + bool encap, bool new_encap, mark_t mark); /** * Query the number of bytes processed by an SA from the SAD. @@ -147,11 +149,13 @@ struct kernel_interface_t { * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) + * @param mark optional mark for this SA * @param[out] bytes the number of bytes processed by SA * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int64_t *bytes); /** * Delete a previously installed SA from the SAD. @@ -161,10 +165,12 @@ struct kernel_interface_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 + * @param mark optional mark for this SA * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + mark_t mark); /** * Add a policy to the SPD. @@ -180,6 +186,7 @@ struct kernel_interface_t { * @param spi SPI of SA * @param protocol protocol to use to protect traffic (AH/ESP) * @param reqid unique ID of an SA to use to enforce policy + * @param mark mark for this policy * @param mode mode of SA (tunnel, transport) * @param ipcomp the IPComp transform used * @param cpi CPI for IPComp @@ -192,8 +199,8 @@ struct kernel_interface_t { traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed); + mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed); /** * Query the use time of a policy. @@ -204,13 +211,15 @@ struct kernel_interface_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param[out] use_time the time of this SA's last use * @return SUCCESS if operation completed */ status_t (*query_policy) (kernel_interface_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time); + policy_dir_t direction, mark_t mark, + u_int32_t *use_time); /** * Remove a policy from the SPD. @@ -223,13 +232,14 @@ struct kernel_interface_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param unrouted TRUE, if this policy is unrouted from the kernel * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_interface_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, + policy_dir_t direction, mark_t mark, bool unrouted); /** diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index 300464cf6..d09265cc9 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h @@ -121,6 +121,7 @@ struct kernel_ipsec_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA + * @param mark mark for this SA * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption @@ -138,7 +139,7 @@ struct kernel_ipsec_t { status_t (*add_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - lifetime_cfg_t *lifetime, + mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, @@ -162,6 +163,7 @@ struct kernel_ipsec_t { * @param new_dst new destination address * @param encap current use of UDP encapsulation * @param new_encap new use of UDP encapsulation + * @param mark optional mark for this SA * @return SUCCESS if operation completed, NOT_SUPPORTED if * the kernel interface can't update the SA */ @@ -169,7 +171,7 @@ struct kernel_ipsec_t { u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap); + bool encap, bool new_encap, mark_t mark); /** * Query the number of bytes processed by an SA from the SAD. @@ -178,11 +180,13 @@ struct kernel_ipsec_t { * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) + * @param mark optional mark for this SA * @param[out] bytes the number of bytes processed by SA * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int64_t *bytes); /** * Delete a previusly installed SA from the SAD. @@ -192,10 +196,12 @@ struct kernel_ipsec_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 + * @param mark optional mark for this SA * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + mark_t mark); /** * Add a policy to the SPD. @@ -211,6 +217,7 @@ struct kernel_ipsec_t { * @param spi SPI of SA * @param protocol protocol to use to protect traffic (AH/ESP) * @param reqid unique ID of an SA to use to enforce policy + * @param mark mark for this policy * @param mode mode of SA (tunnel, transport) * @param ipcomp the IPComp transform used * @param cpi CPI for IPComp @@ -223,8 +230,8 @@ struct kernel_ipsec_t { traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed); + mark_t mark, ipsec_mode_t mode, + u_int16_t ipcomp, u_int16_t cpi, bool routed); /** * Query the use time of a policy. @@ -236,13 +243,15 @@ struct kernel_ipsec_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param[out] use_time the monotonic timestamp of this SA's last use * @return SUCCESS if operation completed */ status_t (*query_policy) (kernel_ipsec_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time); + policy_dir_t direction, mark_t mark, + u_int32_t *use_time); /** * Remove a policy from the SPD. @@ -255,13 +264,14 @@ struct kernel_ipsec_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param unrouted TRUE, if this policy is unrouted from the kernel * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_ipsec_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, + policy_dir_t direction, mark_t mark, bool unrouted); /** diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index df897021a..63a8cab58 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c @@ -103,7 +103,22 @@ struct private_receiver_t { /** * Delay for receiving incoming packets, to simulate larger RTT */ - u_int receive_delay; + int receive_delay; + + /** + * Specific message type to delay, 0 for any + */ + int receive_delay_type; + + /** + * Delay request messages? + */ + bool receive_delay_request; + + /** + * Delay response messages? + */ + bool receive_delay_response; }; /** @@ -242,7 +257,7 @@ static bool cookie_required(private_receiver_t *this, message_t *message) /** * check if peer has to many half open IKE_SAs */ -static bool peer_to_aggressive(private_receiver_t *this, message_t *message) +static bool peer_too_aggressive(private_receiver_t *this, message_t *message) { if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, message->get_source(message)) >= this->block_threshold) @@ -259,7 +274,6 @@ static job_requeue_t receive_packets(private_receiver_t *this) { packet_t *packet; message_t *message; - job_t *job; /* read in a packet */ if (charon->socket->receive(charon->socket, &packet) != SUCCESS) @@ -321,7 +335,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) } /* check if peer has not too many IKE_SAs half open */ - if (this->block_threshold && peer_to_aggressive(this, message)) + if (this->block_threshold && peer_too_aggressive(this, message)) { DBG1(DBG_NET, "ignoring IKE_SA setup from %H, " "peer too aggressive", message->get_source(message)); @@ -329,16 +343,25 @@ static job_requeue_t receive_packets(private_receiver_t *this) return JOB_REQUEUE_DIRECT; } } - job = (job_t*)process_message_job_create(message); if (this->receive_delay) { - charon->scheduler->schedule_job_ms(charon->scheduler, - job, this->receive_delay); - } - else - { - charon->processor->queue_job(charon->processor, job); + if (this->receive_delay_type == 0 || + this->receive_delay_type == message->get_exchange_type(message)) + { + if ((message->get_request(message) && this->receive_delay_request) || + (!message->get_request(message) && this->receive_delay_response)) + { + DBG1(DBG_NET, "using receive delay: %dms", + this->receive_delay); + charon->scheduler->schedule_job_ms(charon->scheduler, + (job_t*)process_message_job_create(message), + this->receive_delay); + return JOB_REQUEUE_DIRECT; + } + } } + charon->processor->queue_job(charon->processor, + (job_t*)process_message_job_create(message)); return JOB_REQUEUE_DIRECT; } @@ -374,6 +397,12 @@ receiver_t *receiver_create() } this->receive_delay = lib->settings->get_int(lib->settings, "charon.receive_delay", 0); + this->receive_delay_type = lib->settings->get_int(lib->settings, + "charon.receive_delay_type", 0), + this->receive_delay_request = lib->settings->get_bool(lib->settings, + "charon.receive_delay_request", TRUE), + this->receive_delay_response = lib->settings->get_int(lib->settings, + "charon.receive_delay_response", TRUE), this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); if (this->hasher == NULL) diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c index c18f1138e..bb6d50605 100644 --- a/src/libcharon/network/sender.c +++ b/src/libcharon/network/sender.c @@ -67,6 +67,21 @@ struct private_sender_t { * Delay for sending outgoing packets, to simulate larger RTT */ int send_delay; + + /** + * Specific message type to delay, 0 for any + */ + int send_delay_type; + + /** + * Delay request messages? + */ + bool send_delay_request; + + /** + * Delay response messages? + */ + bool send_delay_response; }; METHOD(sender_t, send_, void, @@ -80,7 +95,23 @@ METHOD(sender_t, send_, void, if (this->send_delay) { - usleep(this->send_delay * 1000); + message_t *message; + + message = message_create_from_packet(packet->clone(packet)); + if (message->parse_header(message) == SUCCESS) + { + if (this->send_delay_type == 0 || + this->send_delay_type == message->get_exchange_type(message)) + { + if ((message->get_request(message) && this->send_delay_request) || + (!message->get_request(message) && this->send_delay_response)) + { + DBG1(DBG_NET, "using send delay: %dms", this->send_delay); + usleep(this->send_delay * 1000); + } + } + } + message->destroy(message); } this->mutex->lock(this->mutex); @@ -155,7 +186,13 @@ sender_t * sender_create() .job = callback_job_create((callback_job_cb_t)send_packets, this, NULL, NULL), .send_delay = lib->settings->get_int(lib->settings, - "charon.send_delay", 0), + "charon.send_delay", 0), + .send_delay_type = lib->settings->get_int(lib->settings, + "charon.send_delay_type", 0), + .send_delay_request = lib->settings->get_bool(lib->settings, + "charon.send_delay_request", TRUE), + .send_delay_response = lib->settings->get_int(lib->settings, + "charon.send_delay_response", TRUE), ); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am new file mode 100644 index 000000000..50d0457f8 --- /dev/null +++ b/src/libcharon/plugins/addrblock/Makefile.am @@ -0,0 +1,18 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-addrblock.la +else +plugin_LTLIBRARIES = libstrongswan-addrblock.la +endif + +libstrongswan_addrblock_la_SOURCES = \ + addrblock_plugin.h addrblock_plugin.c \ + addrblock_narrow.h addrblock_narrow.c \ + addrblock_validator.h addrblock_validator.c + +libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in new file mode 100644 index 000000000..4cb047929 --- /dev/null +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -0,0 +1,592 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/addrblock +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_addrblock_la_LIBADD = +am_libstrongswan_addrblock_la_OBJECTS = addrblock_plugin.lo \ + addrblock_narrow.lo addrblock_validator.lo +libstrongswan_addrblock_la_OBJECTS = \ + $(am_libstrongswan_addrblock_la_OBJECTS) +libstrongswan_addrblock_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_addrblock_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_addrblock_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_addrblock_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_addrblock_la_SOURCES) +DIST_SOURCES = $(libstrongswan_addrblock_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-addrblock.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-addrblock.la +libstrongswan_addrblock_la_SOURCES = \ + addrblock_plugin.h addrblock_plugin.c \ + addrblock_narrow.h addrblock_narrow.c \ + addrblock_validator.h addrblock_validator.c + +libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) + $(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_narrow.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_validator.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c new file mode 100644 index 000000000..f85fa78d6 --- /dev/null +++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c @@ -0,0 +1,154 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "addrblock_narrow.h" + +#include <daemon.h> +#include <credentials/certificates/x509.h> + +typedef struct private_addrblock_narrow_t private_addrblock_narrow_t; + +/** + * Private data of an addrblock_narrow_t object. + */ +struct private_addrblock_narrow_t { + + /** + * Public addrblock_narrow_t interface. + */ + addrblock_narrow_t public; +}; + +/** + * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints + */ +static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list) +{ + auth_cfg_t *auth; + enumerator_t *auth_enum; + certificate_t *cert = NULL; + + auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); + while (auth_enum->enumerate(auth_enum, &auth)) + { + cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT); + if (cert) + { + break; + } + } + auth_enum->destroy(auth_enum); + + if (cert && cert->get_type(cert) == CERT_X509) + { + x509_t *x509 = (x509_t*)cert; + + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + enumerator_t *enumerator, *block_enum; + traffic_selector_t *ts, *block_ts; + + DBG1(DBG_IKE, "checking certificate-based traffic selector " + "constraints [RFC 3779]"); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &ts)) + { + bool contained = FALSE; + + block_enum = x509->create_ipAddrBlock_enumerator(x509); + while (block_enum->enumerate(block_enum, &block_ts)) + { + if (ts->is_contained_in(ts, block_ts)) + { + DBG1(DBG_IKE, " TS %R is contained in address block" + " constraint %R", ts, block_ts); + contained = TRUE; + break; + } + } + block_enum->destroy(block_enum); + + if (!contained) + { + DBG1(DBG_IKE, " TS %R is not contained in any" + " address block constraint", ts); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + } + } + return TRUE; +} + +/** + * Delete all traffic selectors in a list + */ +static void flush_ts_list(linked_list_t *list) +{ + traffic_selector_t *ts; + + while (list->remove_last(list, (void**)&ts) == SUCCESS) + { + ts->destroy(ts); + } +} + +METHOD(listener_t, narrow, bool, + private_addrblock_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + narrow_hook_t type, linked_list_t *local, linked_list_t *remote) +{ + switch (type) + { + case NARROW_RESPONDER: + case NARROW_INITIATOR_POST_AUTH: + case NARROW_INITIATOR_POST_NOAUTH: + if (!check_constraints(ike_sa, remote)) + { + flush_ts_list(local); + flush_ts_list(remote); + } + break; + default: + break; + } + return TRUE; +} + +METHOD(addrblock_narrow_t, destroy, void, + private_addrblock_narrow_t *this) +{ + free(this); +} + +/** + * See header + */ +addrblock_narrow_t *addrblock_narrow_create() +{ + private_addrblock_narrow_t *this; + + INIT(this, + .public = { + .listener.narrow = _narrow, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.h b/src/libcharon/plugins/addrblock/addrblock_narrow.h new file mode 100644 index 000000000..9ab32e671 --- /dev/null +++ b/src/libcharon/plugins/addrblock/addrblock_narrow.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup addrblock_narrow addrblock_narrow + * @{ @ingroup addrblock + */ + +#ifndef ADDRBLOCK_NARROW_H_ +#define ADDRBLOCK_NARROW_H_ + +#include <bus/listeners/listener.h> + +typedef struct addrblock_narrow_t addrblock_narrow_t; + +/** + * Listener that checks traffic selectors against addrblock constraints. + */ +struct addrblock_narrow_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a addrblock_narrow_t. + */ + void (*destroy)(addrblock_narrow_t *this); +}; + +/** + * Create a addrblock_narrow instance. + */ +addrblock_narrow_t *addrblock_narrow_create(); + +#endif /** ADDRBLOCK_NARROW_H_ @}*/ diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c new file mode 100644 index 000000000..1c407035d --- /dev/null +++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "addrblock_plugin.h" + +#include <daemon.h> + +#include "addrblock_validator.h" +#include "addrblock_narrow.h" + +typedef struct private_addrblock_plugin_t private_addrblock_plugin_t; + +/** + * private data of addrblock_plugin + */ +struct private_addrblock_plugin_t { + + /** + * public functions + */ + addrblock_plugin_t public; + + /** + * Validator implementation instance. + */ + addrblock_validator_t *validator; + + /** + * Listener to check TS list + */ + addrblock_narrow_t *narrower; +}; + +METHOD(plugin_t, destroy, void, + private_addrblock_plugin_t *this) +{ + charon->bus->remove_listener(charon->bus, &this->narrower->listener); + lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator); + this->narrower->destroy(this->narrower); + this->validator->destroy(this->validator); + free(this); +} + +/* + * see header file + */ +plugin_t *addrblock_plugin_create() +{ + private_addrblock_plugin_t *this; + + INIT(this, + .public.plugin.destroy = _destroy, + .validator = addrblock_validator_create(), + .narrower = addrblock_narrow_create(), + ); + lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); + charon->bus->add_listener(charon->bus, &this->narrower->listener); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.h b/src/libcharon/plugins/addrblock/addrblock_plugin.h new file mode 100644 index 000000000..87bd516f9 --- /dev/null +++ b/src/libcharon/plugins/addrblock/addrblock_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup addrblock addrblock + * @ingroup cplugins + * + * @defgroup addrblock_plugin addrblock_plugin + * @{ @ingroup addrblock + */ + +#ifndef ADDRBLOCK_PLUGIN_H_ +#define ADDRBLOCK_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct addrblock_plugin_t addrblock_plugin_t; + +/** + * RFC 3779 address block checking. + */ +struct addrblock_plugin_t { + + /** + * Implements plugin_t. interface. + */ + plugin_t plugin; +}; + +#endif /** ADDRBLOCK_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c new file mode 100644 index 000000000..44ef38d85 --- /dev/null +++ b/src/libcharon/plugins/addrblock/addrblock_validator.c @@ -0,0 +1,124 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "addrblock_validator.h" + +#include <debug.h> +#include <credentials/certificates/x509.h> +#include <selectors/traffic_selector.h> + +typedef struct private_addrblock_validator_t private_addrblock_validator_t; + +/** + * Private data of an addrblock_validator_t object. + */ +struct private_addrblock_validator_t { + + /** + * Public addrblock_validator_t interface. + */ + addrblock_validator_t public; +}; + +/** + * Do the addrblock check for two x509 plugins + */ +static bool check_addrblock(x509_t *subject, x509_t *issuer) +{ + bool subject_const, issuer_const, contained = TRUE; + enumerator_t *subject_enumerator, *issuer_enumerator; + traffic_selector_t *subject_ts, *issuer_ts; + + subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS; + issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS; + + if (!subject_const && !issuer_const) + { + return TRUE; + } + if (!subject_const) + { + DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension"); + return FALSE; + } + if (!issuer_const) + { + DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension"); + return FALSE; + } + subject_enumerator = subject->create_ipAddrBlock_enumerator(subject); + while (subject_enumerator->enumerate(subject_enumerator, &subject_ts)) + { + contained = FALSE; + + issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer); + while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts)) + { + if (subject_ts->is_contained_in(subject_ts, issuer_ts)) + { + DBG2(DBG_CFG, " subject address block %R is contained in " + "issuer address block %R", subject_ts, issuer_ts); + contained = TRUE; + break; + } + } + issuer_enumerator->destroy(issuer_enumerator); + if (!contained) + { + DBG1(DBG_CFG, "subject address block %R is not contained in any " + "issuer address block", subject_ts); + break; + } + } + subject_enumerator->destroy(subject_enumerator); + return contained; +} + +METHOD(cert_validator_t, validate, bool, + private_addrblock_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) +{ + if (subject->get_type(subject) == CERT_X509 && + issuer->get_type(issuer) == CERT_X509) + { + return check_addrblock((x509_t*)subject, (x509_t*)issuer); + } + return TRUE; +} + +METHOD(addrblock_validator_t, destroy, void, + private_addrblock_validator_t *this) +{ + free(this); +} + +/** + * See header + */ +addrblock_validator_t *addrblock_validator_create() +{ + private_addrblock_validator_t *this; + + INIT(this, + .public = { + .validator.validate = _validate, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.h b/src/libcharon/plugins/addrblock/addrblock_validator.h new file mode 100644 index 000000000..423f0d41a --- /dev/null +++ b/src/libcharon/plugins/addrblock/addrblock_validator.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup addrblock_validator addrblock_validator + * @{ @ingroup addrblock + */ + +#ifndef ADDRBLOCK_VALIDATOR_H_ +#define ADDRBLOCK_VALIDATOR_H_ + +#include <credentials/cert_validator.h> + +typedef struct addrblock_validator_t addrblock_validator_t; + +/** + * RFC 3779 address block X509 certificate validator. + */ +struct addrblock_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a addrblock_validator_t. + */ + void (*destroy)(addrblock_validator_t *this); +}; + +/** + * Create a addrblock_validator instance. + */ +addrblock_validator_t *addrblock_validator_create(); + +#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/ diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am index e8423589c..b922ef4af 100644 --- a/src/libcharon/plugins/android/Makefile.am +++ b/src/libcharon/plugins/android/Makefile.am @@ -12,7 +12,10 @@ endif libstrongswan_android_la_SOURCES = \ android_plugin.c android_plugin.h \ - android_handler.c android_handler.h + android_service.c android_service.h \ + android_handler.c android_handler.h \ + android_logger.c android_logger.h \ + android_creds.c android_creds.h libstrongswan_android_la_LDFLAGS = -module -avoid-version libstrongswan_android_la_LIBADD = -lcutils diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in index 9f12a9c75..6e4903ee1 100644 --- a/src/libcharon/plugins/android/Makefile.in +++ b/src/libcharon/plugins/android/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -75,7 +75,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_android_la_DEPENDENCIES = am_libstrongswan_android_la_OBJECTS = android_plugin.lo \ - android_handler.lo + android_service.lo android_handler.lo android_logger.lo \ + android_creds.lo libstrongswan_android_la_OBJECTS = \ $(am_libstrongswan_android_la_OBJECTS) libstrongswan_android_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -265,7 +266,10 @@ AM_CFLAGS = -rdynamic @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android.la libstrongswan_android_la_SOURCES = \ android_plugin.c android_plugin.h \ - android_handler.c android_handler.h + android_service.c android_service.h \ + android_handler.c android_handler.h \ + android_logger.c android_logger.h \ + android_creds.c android_creds.h libstrongswan_android_la_LDFLAGS = -module -avoid-version libstrongswan_android_la_LIBADD = -lcutils @@ -352,8 +356,11 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_creds.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_handler.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_logger.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_service.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c new file mode 100644 index 000000000..aa7fc6f92 --- /dev/null +++ b/src/libcharon/plugins/android/android_creds.c @@ -0,0 +1,294 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <keystore_get.h> + +#include "android_creds.h" + +#include <daemon.h> +#include <threading/rwlock.h> + +typedef struct private_android_creds_t private_android_creds_t; + +/** + * Private data of an android_creds_t object + */ +struct private_android_creds_t { + + /** + * Public interface + */ + android_creds_t public; + + /** + * List of trusted certificates, certificate_t* + */ + linked_list_t *certs; + + /** + * User name (ID) + */ + identification_t *user; + + /** + * User password + */ + char *pass; + + /** + * read/write lock + */ + rwlock_t *lock; + +}; + +/** + * Certificate enumerator data + */ +typedef struct { + private_android_creds_t *this; + key_type_t key; + identification_t *id; +} cert_data_t; + +/** + * Filter function for certificates enumerator + */ +static bool cert_filter(cert_data_t *data, certificate_t **in, + certificate_t **out) +{ + certificate_t *cert = *in; + public_key_t *public; + + public = cert->get_public_key(cert); + if (!public) + { + return FALSE; + } + if (data->key != KEY_ANY && public->get_type(public) != data->key) + { + public->destroy(public); + return FALSE; + } + if (data->id && data->id->get_type(data->id) == ID_KEY_ID && + public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = cert; + return TRUE; + } + public->destroy(public); + if (data->id && !cert->has_subject(cert, data->id)) + { + return FALSE; + } + *out = cert; + return TRUE; +} + +/** + * Destroy certificate enumerator data + */ +static void cert_data_destroy(cert_data_t *this) +{ + this->this->lock->unlock(this->this->lock); + free(this); +} + +METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, + private_android_creds_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + if (cert == CERT_X509 || cert == CERT_ANY) + { + cert_data_t *data; + this->lock->read_lock(this->lock); + INIT(data, .this = this, .id = id, .key = key); + return enumerator_create_filter( + this->certs->create_enumerator(this->certs), + (void*)cert_filter, data, (void*)cert_data_destroy); + } + return NULL; +} + +/** + * Shared key enumerator implementation + */ +typedef struct { + enumerator_t public; + private_android_creds_t *this; + shared_key_t *key; + bool done; +} shared_enumerator_t; + +METHOD(enumerator_t, shared_enumerate, bool, + shared_enumerator_t *this, shared_key_t **key, id_match_t *me, + id_match_t *other) +{ + if (this->done) + { + return FALSE; + } + *key = this->key; + *me = ID_MATCH_PERFECT; + *other = ID_MATCH_ANY; + this->done = TRUE; + return TRUE; +} + +METHOD(enumerator_t, shared_destroy, void, + shared_enumerator_t *this) +{ + this->key->destroy(this->key); + this->this->lock->unlock(this->this->lock); + free(this); +} + +METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, + private_android_creds_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_enumerator_t *enumerator; + + this->lock->read_lock(this->lock); + + if (!this->user || !this->pass) + { + this->lock->unlock(this->lock); + return NULL; + } + if (type != SHARED_EAP && type != SHARED_IKE) + { + this->lock->unlock(this->lock); + return NULL; + } + if (me && !me->equals(me, this->user)) + { + this->lock->unlock(this->lock); + return NULL; + } + + INIT(enumerator, + .public = { + .enumerate = (void*)_shared_enumerate, + .destroy = _shared_destroy, + }, + .this = this, + .done = FALSE, + .key = shared_key_create(type, chunk_clone(chunk_create(this->pass, + strlen(this->pass)))), + ); + return &enumerator->public; +} + +METHOD(android_creds_t, add_certificate, bool, + private_android_creds_t *this, char *name) +{ + certificate_t *cert = NULL; + bool status = FALSE; + chunk_t chunk; +#ifdef KEYSTORE_MESSAGE_SIZE + /* most current interface, the eclair interface (without key length) is + * currently not supported */ + char value[KEYSTORE_MESSAGE_SIZE]; + chunk.ptr = value; + chunk.len = keystore_get(name, strlen(name), chunk.ptr); + if (chunk.len > 0) +#else + /* 1.6 interface, allocates memory */ + chunk.ptr = keystore_get(name, &chunk.len); + if (chunk.ptr) +#endif /* KEYSTORE_MESSAGE_SIZE */ + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_PEM, chunk, BUILD_END); + if (cert) + { + this->lock->write_lock(this->lock); + this->certs->insert_last(this->certs, cert); + this->lock->unlock(this->lock); + status = TRUE; + } +#ifndef KEYSTORE_MESSAGE_SIZE + free(chunk.ptr); +#endif /* KEYSTORE_MESSAGE_SIZE */ + } + return status; +} + +METHOD(android_creds_t, set_username_password, void, + private_android_creds_t *this, identification_t *id, char *password) +{ + this->lock->write_lock(this->lock); + DESTROY_IF(this->user); + this->user = id->clone(id); + free(this->pass); + this->pass = password ? strdup(password) : NULL; + this->lock->unlock(this->lock); +} + +METHOD(android_creds_t, clear, void, + private_android_creds_t *this) +{ + certificate_t *cert; + this->lock->write_lock(this->lock); + while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS) + { + cert->destroy(cert); + } + DESTROY_IF(this->user); + free(this->pass); + this->user = NULL; + this->pass = NULL; + this->lock->unlock(this->lock); +} + +METHOD(android_creds_t, destroy, void, + private_android_creds_t *this) +{ + clear(this); + this->certs->destroy(this->certs); + this->lock->destroy(this->lock); + free(this); +} + +/** + * Described in header. + */ +android_creds_t *android_creds_create() +{ + private_android_creds_t *this; + + INIT(this, + .public = { + .set = { + .create_cert_enumerator = _create_cert_enumerator, + .create_shared_enumerator = _create_shared_enumerator, + .create_private_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .add_certificate = _add_certificate, + .set_username_password = _set_username_password, + .clear = _clear, + .destroy = _destroy, + }, + .certs = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libcharon/plugins/android/android_creds.h b/src/libcharon/plugins/android/android_creds.h new file mode 100644 index 000000000..0f7b8e0ea --- /dev/null +++ b/src/libcharon/plugins/android/android_creds.h @@ -0,0 +1,73 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup android_creds android_creds + * @{ @ingroup android + */ + +#ifndef ANDROID_CREDS_H_ +#define ANDROID_CREDS_H_ + +#include <credentials/credential_set.h> + +typedef struct android_creds_t android_creds_t; + +/** + * Android credentials helper. + */ +struct android_creds_t { + + /** + * Implements credential_set_t + */ + credential_set_t set; + + /** + * Add a trusted CA certificate from the Android keystore to serve by + * this set. + * + * @param name name/ID of the certificate in the keystore + * @return FALSE if the certificate does not exist or is invalid + */ + bool (*add_certificate)(android_creds_t *this, char *name); + + /** + * Set the username and password for authentication. + * + * @param id ID of the user + * @param password password to use for authentication + */ + void (*set_username_password)(android_creds_t *this, identification_t *id, + char *password); + + /** + * Clear the stored credentials. + */ + void (*clear)(android_creds_t *this); + + /** + * Destroy a android_creds instance. + */ + void (*destroy)(android_creds_t *this); + +}; + +/** + * Create an android_creds instance. + */ +android_creds_t *android_creds_create(); + +#endif /** ANDROID_CREDS_H_ @}*/ diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c index a475eeaab..ec3ff7a51 100644 --- a/src/libcharon/plugins/android/android_handler.c +++ b/src/libcharon/plugins/android/android_handler.c @@ -75,7 +75,7 @@ host_t *get_dns_server(int index) host_t *dns = NULL; char key[10], value[PROPERTY_VALUE_MAX]; - if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key)) + if (snprintf(key, sizeof(key), "vpn.dns%d", index) >= sizeof(key)) { return NULL; } @@ -94,7 +94,7 @@ bool set_dns_server(int index, host_t *dns) { char key[10], value[PROPERTY_VALUE_MAX]; - if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key)) + if (snprintf(key, sizeof(key), "vpn.dns%d", index) >= sizeof(key)) { return FALSE; } diff --git a/src/libcharon/plugins/android/android_logger.c b/src/libcharon/plugins/android/android_logger.c new file mode 100644 index 000000000..43c56e656 --- /dev/null +++ b/src/libcharon/plugins/android/android_logger.c @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <string.h> +#include <android/log.h> + +#include "android_logger.h" + +#include <library.h> +#include <daemon.h> + +typedef struct private_android_logger_t private_android_logger_t; + +/** + * Private data of an android_logger_t object + */ +struct private_android_logger_t { + + /** + * Public interface + */ + android_logger_t public; + + /** + * logging level + */ + int level; + +}; + + +METHOD(listener_t, log_, bool, + private_android_logger_t *this, debug_t group, level_t level, + int thread, ike_sa_t* ike_sa, char *format, va_list args) +{ + if (level <= this->level) + { + char sgroup[16], buffer[8192]; + char *current = buffer, *next; + snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group); + vsnprintf(buffer, sizeof(buffer), format, args); + while (current) + { /* log each line seperately */ + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + __android_log_print(ANDROID_LOG_INFO, "charon", "%.2d[%s] %s\n", + thread, sgroup, current); + current = next; + } + } + /* always stay registered */ + return TRUE; +} + +METHOD(android_logger_t, destroy, void, + private_android_logger_t *this) +{ + free(this); +} + +/** + * Described in header. + */ +android_logger_t *android_logger_create() +{ + private_android_logger_t *this; + + INIT(this, + .public = { + .listener = { + .log = _log_, + }, + .destroy = _destroy, + }, + .level = lib->settings->get_int(lib->settings, + "charon.plugins.android.loglevel", 1), + ); + + return &this->public; +} + diff --git a/src/libcharon/plugins/android/android_logger.h b/src/libcharon/plugins/android/android_logger.h new file mode 100644 index 000000000..c6fe5aff3 --- /dev/null +++ b/src/libcharon/plugins/android/android_logger.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup android_logger android_logger + * @{ @ingroup android + */ + +#ifndef ANDROID_LOGGER_H_ +#define ANDROID_LOGGER_H_ + +#include <bus/bus.h> + +typedef struct android_logger_t android_logger_t; + +/** + * Android specific logger. + */ +struct android_logger_t { + + /** + * Implements bus_listener_t interface + */ + listener_t listener; + + /** + * Destroy the logger. + */ + void (*destroy)(android_logger_t *this); + +}; + +/** + * Create an Android specific logger instance. + * + * @return logger instance + */ +android_logger_t *android_logger_create(); + +#endif /** ANDROID_LOGGER_H_ @}*/ diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c index 9a558f53b..e2c8572ef 100644 --- a/src/libcharon/plugins/android/android_plugin.c +++ b/src/libcharon/plugins/android/android_plugin.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2010 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -14,7 +15,10 @@ */ #include "android_plugin.h" +#include "android_logger.h" #include "android_handler.h" +#include "android_creds.h" +#include "android_service.h" #include <hydra.h> #include <daemon.h> @@ -32,16 +36,38 @@ struct private_android_plugin_t { android_plugin_t public; /** + * Android specific logger + */ + android_logger_t *logger; + + /** * Android specific DNS handler */ android_handler_t *handler; + + /** + * Android specific credential set + */ + android_creds_t *creds; + + /** + * Service that interacts with the Android Settings frontend + */ + android_service_t *service; + }; METHOD(plugin_t, destroy, void, - private_android_plugin_t *this) + private_android_plugin_t *this) { - hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); + hydra->attributes->remove_handler(hydra->attributes, + &this->handler->handler); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + charon->bus->remove_listener(charon->bus, &this->logger->listener); + this->creds->destroy(this->creds); this->handler->destroy(this->handler); + this->logger->destroy(this->logger); + DESTROY_IF(this->service); free(this); } @@ -56,11 +82,22 @@ plugin_t *android_plugin_create() .public.plugin = { .destroy = _destroy, }, + .logger = android_logger_create(), .handler = android_handler_create(), + .creds = android_creds_create(), ); + charon->bus->add_listener(charon->bus, &this->logger->listener); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); + this->service = android_service_create(this->creds); + if (!this->service) + { + destroy(this); + return NULL; + } + return &this->public.plugin; } diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c new file mode 100644 index 000000000..538c4a9a2 --- /dev/null +++ b/src/libcharon/plugins/android/android_service.c @@ -0,0 +1,385 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <unistd.h> +#include <cutils/sockets.h> +#include <cutils/properties.h> +#include <signal.h> + +#include "android_service.h" + +#include <daemon.h> +#include <threading/thread.h> +#include <processing/jobs/callback_job.h> + +typedef struct private_android_service_t private_android_service_t; + +/** + * private data of Android service + */ +struct private_android_service_t { + + /** + * public interface + */ + android_service_t public; + + /** + * current IKE_SA + */ + ike_sa_t *ike_sa; + + /** + * job that handles requests from the Android control socket + */ + callback_job_t *job; + + /** + * android credentials + */ + android_creds_t *creds; + + /** + * android control socket + */ + int control; + +}; + +/** + * Some of the error codes defined in VpnManager.java + */ +typedef enum { + /** Error code to indicate an error from authentication. */ + VPN_ERROR_AUTH = 51, + /** Error code to indicate the connection attempt failed. */ + VPN_ERROR_CONNECTION_FAILED = 101, + /** Error code to indicate an error of remote server hanging up. */ + VPN_ERROR_REMOTE_HUNG_UP = 7, + /** Error code to indicate an error of losing connectivity. */ + VPN_ERROR_CONNECTION_LOST = 103, +} android_vpn_errors_t; + +/** + * send a status code back to the Android app + */ +static void send_status(private_android_service_t *this, u_char code) +{ + DBG1(DBG_CFG, "status of Android plugin changed: %d", code); + send(this->control, &code, 1, 0); +} + +METHOD(listener_t, ike_updown, bool, + private_android_service_t *this, ike_sa_t *ike_sa, bool up) +{ + /* this callback is only registered during initiation, so if the IKE_SA + * goes down we assume an authentication error */ + if (this->ike_sa == ike_sa && !up) + { + send_status(this, VPN_ERROR_AUTH); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_state_change, bool, + private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + child_sa_state_t state) +{ + /* this callback is only registered during initiation, so we still have + * the control socket open */ + if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + send_status(this, VPN_ERROR_CONNECTION_FAILED); + return FALSE; + } + return TRUE; +} + +/** + * Callback used to shutdown the daemon + */ +static job_requeue_t shutdown_callback(void *data) +{ + kill(0, SIGTERM); + return JOB_REQUEUE_NONE; +} + +METHOD(listener_t, child_updown, bool, + private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (this->ike_sa == ike_sa) + { + if (up) + { + /* disable the hooks registered to catch initiation failures */ + this->public.listener.ike_updown = NULL; + this->public.listener.child_state_change = NULL; + property_set("vpn.status", "ok"); + } + else + { + callback_job_t *job; + /* the control socket is closed as soon as vpn.status is set to "ok" + * and the daemon proxy then only checks for terminated daemons to + * detect lost connections, so... */ + DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM"); + /* to avoid any conflicts we send the SIGTERM not directly from this + * callback, but from a different thread. we also delay it to avoid + * a race condition during a regular shutdown */ + job = callback_job_create(shutdown_callback, NULL, NULL, NULL); + charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, 1); + return FALSE; + } + } + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_android_service_t *this, ike_sa_t *old, ike_sa_t *new) +{ + if (this->ike_sa == old) + { + this->ike_sa = new; + } + return TRUE; +} + +/** + * Read a string argument from the Android control socket + */ +static char *read_argument(int fd, u_char length) +{ + int offset = 0; + char *data = malloc(length + 1); + while (offset < length) + { + int n = recv(fd, &data[offset], length - offset, 0); + if (n < 0) + { + DBG1(DBG_CFG, "failed to read argument from Android" + " control socket: %s", strerror(errno)); + free(data); + return NULL; + } + offset += n; + } + data[length] = '\0'; + DBG3(DBG_CFG, "received argument from Android control socket: %s", data); + return data; +} + +/** + * handle the request received from the Android control socket + */ +static job_requeue_t initiate(private_android_service_t *this) +{ + bool oldstate; + int fd, i = 0; + char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL; + identification_t *gateway = NULL, *user = NULL; + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + traffic_selector_t *ts; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + lifetime_cfg_t lifetime = { + .time = { + .life = 10800, /* 3h */ + .rekey = 10200, /* 2h50min */ + .jitter = 300 /* 5min */ + } + }; + + fd = accept(this->control, NULL, 0); + if (fd < 0) + { + DBG1(DBG_CFG, "accept on Android control socket failed: %s", + strerror(errno)); + return JOB_REQUEUE_NONE; + } + /* the original control socket is not used anymore */ + close(this->control); + this->control = fd; + + while (TRUE) + { + u_char length; + if (recv(fd, &length, 1, 0) != 1) + { + DBG1(DBG_CFG, "failed to read from Android control socket: %s", + strerror(errno)); + return JOB_REQUEUE_NONE; + } + + if (length == 0xFF) + { /* last argument */ + break; + } + else + { + switch (i++) + { + case 0: /* gateway */ + hostname = read_argument(fd, length); + break; + case 1: /* CA certificate name */ + cacert = read_argument(fd, length); + break; + case 2: /* username */ + username = read_argument(fd, length); + break; + case 3: /* password */ + password = read_argument(fd, length); + break; + } + } + } + + if (cacert) + { + if (!this->creds->add_certificate(this->creds, cacert)) + { + DBG1(DBG_CFG, "failed to load CA certificate"); + } + /* if this is a server cert we could use the cert subject as id + * but we have to test first if that possible to configure */ + } + + gateway = identification_create_from_string(hostname); + DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway); + + if (username) + { + user = identification_create_from_string(username); + this->creds->set_username_password(this->creds, user, password); + } + + ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, + hostname, IKEV2_UDP_PORT); + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + + peer_cfg = peer_cfg_create("android", 2, ike_cfg, CERT_SEND_IF_ASKED, + UNIQUE_REPLACE, 1, /* keyingtries */ + 36000, 0, /* rekey 10h, reauth none */ + 600, 600, /* jitter, over 10min */ + TRUE, 0, /* mobike, DPD */ + host_create_from_string("0.0.0.0", 0) /* virt */, + NULL, FALSE, NULL, NULL); /* pool, mediation */ + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); + auth->add(auth, AUTH_RULE_IDENTITY, user); + peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + auth->add(auth, AUTH_RULE_IDENTITY, gateway); + peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); + + child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL, + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0", + 0, "255.255.255.255", 65535); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + /* get an additional reference because initiate consumes one */ + child_cfg->get_ref(child_cfg); + + /* get us an IKE_SA */ + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + peer_cfg); + if (!ike_sa->get_peer_cfg(ike_sa)) + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + } + peer_cfg->destroy(peer_cfg); + + /* store the IKE_SA so we can track its progress */ + this->ike_sa = ike_sa; + + /* confirm that we received the request */ + send_status(this, i); + + if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) + { + DBG1(DBG_CFG, "failed to initiate tunnel"); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + send_status(this, VPN_ERROR_CONNECTION_FAILED); + return JOB_REQUEUE_NONE; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return JOB_REQUEUE_NONE; +} + +METHOD(android_service_t, destroy, void, + private_android_service_t *this) +{ + charon->bus->remove_listener(charon->bus, &this->public.listener); + close(this->control); + free(this); +} + +/** + * See header + */ +android_service_t *android_service_create(android_creds_t *creds) +{ + private_android_service_t *this; + + INIT(this, + .public = { + .listener = { + .ike_updown = _ike_updown, + .child_state_change = _child_state_change, + .child_updown = _child_updown, + .ike_rekey = _ike_rekey, + }, + .destroy = _destroy, + }, + .creds = creds, + ); + + this->control = android_get_control_socket("charon"); + if (this->control == -1) + { + DBG1(DBG_CFG, "failed to get Android control socket"); + free(this); + return NULL; + } + + if (listen(this->control, 1) < 0) + { + DBG1(DBG_CFG, "failed to listen on Android control socket: %s", + strerror(errno)); + close(this->control); + free(this); + return NULL; + } + + charon->bus->add_listener(charon->bus, &this->public.listener); + this->job = callback_job_create((callback_job_cb_t)initiate, this, + NULL, NULL); + charon->processor->queue_job(charon->processor, (job_t*)this->job); + + return &this->public; +} + diff --git a/src/libcharon/plugins/android/android_service.h b/src/libcharon/plugins/android/android_service.h new file mode 100644 index 000000000..d096d6cd5 --- /dev/null +++ b/src/libcharon/plugins/android/android_service.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup android_service android_service + * @{ @ingroup android + */ + +#ifndef ANDROID_SERVICE_H_ +#define ANDROID_SERVICE_H_ + +typedef struct android_service_t android_service_t; + +#include <bus/listeners/listener.h> + +#include "android_creds.h" + +/** + * Service that interacts with the Android Settings frontend. + */ +struct android_service_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a android_service_t. + */ + void (*destroy)(android_service_t *this); + +}; + +/** + * Create an Android service instance. + * + * @param creds Android credentials + */ +android_service_t *android_service_create(android_creds_t *creds); + +#endif /** ANDROID_SERVICE_H_ @}*/ diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index 7606b963c..b34654fb7 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c index dbcceb6ce..a6a887780 100644 --- a/src/libcharon/plugins/dhcp/dhcp_provider.c +++ b/src/libcharon/plugins/dhcp/dhcp_provider.c @@ -129,7 +129,8 @@ METHOD(attribute_provider_t, release_address, bool, } METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, - private_dhcp_provider_t *this, identification_t *id, host_t *vip) + private_dhcp_provider_t *this, char *pool, identification_t *id, + host_t *vip) { dhcp_transaction_t *transaction; diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 1cea81a9b..14bf3f15d 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c index 26546809d..dfcc69710 100644 --- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c +++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c @@ -421,7 +421,6 @@ static status_t process_notification(private_eap_aka_peer_t *this, /* test success bit */ if (!(data.ptr[0] & 0x80)) { - success = FALSE; DBG1(DBG_IKE, "received EAP-AKA notification error '%N'", simaka_notification_names, code); } diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index d0b0f5601..b41b59616 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c index 9817fff8f..a9767ad91 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c @@ -52,8 +52,7 @@ bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN]) shared_key_t *shared; chunk_t key; - shared = charon->credentials->get_shared(charon->credentials, - SHARED_EAP, id, NULL); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); if (shared == NULL) { return FALSE; diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 110e1528b..57952f621 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c index c7f55fa70..f641ad13a 100644 --- a/src/libcharon/plugins/eap_gtc/eap_gtc.c +++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c @@ -168,8 +168,8 @@ static status_t process_peer(private_eap_gtc_t *this, chunk_t key; size_t len; - shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, - this->peer, this->server); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, + this->peer, this->server); if (shared == NULL) { DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'", diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index bbb987dd6..d78957438 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 943811604..5bfc59fa4 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c index 0eda8f755..3554ae12e 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.c +++ b/src/libcharon/plugins/eap_md5/eap_md5.c @@ -85,8 +85,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response, chunk_t concat; hasher_t *hasher; - shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, - me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other); if (shared == NULL) { DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other); diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index 2f6c65df4..d61cc9e5d 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index c1ccf72eb..3cd8d994c 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -614,8 +614,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me, chunk_t password; /* try to find a stored NT_HASH first */ - shared = charon->credentials->get_shared(charon->credentials, - SHARED_NT_HASH, me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other); if (shared ) { *nt_hash = chunk_clone(shared->get_key(shared)); @@ -624,8 +623,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me, } /* fallback to plaintext password */ - shared = charon->credentials->get_shared(charon->credentials, - SHARED_EAP, me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other); if (shared) { password = ascii_to_unicode(shared->get_key(shared)); @@ -820,7 +818,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, eap_mschapv2_header_t *eap; chunk_t data; char *message, *token, *msg = NULL; - int message_len, error, retryable; + int message_len, error = 0, retryable; chunk_t challenge = chunk_empty; data = in->get_data(in); diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am index a3abd4124..afc50bced 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.am +++ b/src/libcharon/plugins/eap_radius/Makefile.am @@ -13,6 +13,8 @@ endif libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ + radius_server.h radius_server.c \ + radius_socket.h radius_socket.c \ radius_client.h radius_client.c \ radius_message.h radius_message.c diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 18427adef..bb372d13c 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -75,7 +75,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_eap_radius_la_LIBADD = am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \ - eap_radius.lo radius_client.lo radius_message.lo + eap_radius.lo radius_server.lo radius_socket.lo \ + radius_client.lo radius_message.lo libstrongswan_eap_radius_la_OBJECTS = \ $(am_libstrongswan_eap_radius_la_OBJECTS) libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \ @@ -267,6 +268,8 @@ AM_CFLAGS = -rdynamic libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ + radius_server.h radius_server.c \ + radius_socket.h radius_socket.c \ radius_client.h radius_client.c \ radius_message.h radius_message.c @@ -358,6 +361,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_client.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_message.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_server.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_socket.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index f041fda54..65b868bc6 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -53,11 +53,6 @@ struct private_eap_radius_t { u_int32_t vendor; /** - * EAP MSK, if method established one - */ - chunk_t msk; - - /** * RADIUS client instance */ radius_client_t *client; @@ -71,6 +66,11 @@ struct private_eap_radius_t { * Prefix to prepend to EAP identity */ char *id_prefix; + + /** + * Handle the Class attribute as group membership information? + */ + bool class_group; }; /** @@ -140,10 +140,8 @@ static bool radius2ike(private_eap_radius_t *this, return FALSE; } -/** - * Implementation of eap_method_t.initiate - */ -static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate, status_t, + private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; @@ -177,10 +175,44 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) } /** - * Implementation of eap_method_t.process + * Handle the Class attribute as group membership information */ -static status_t process(private_eap_radius_t *this, - eap_payload_t *in, eap_payload_t **out) +static void process_class(private_eap_radius_t *this, radius_message_t *msg) +{ + enumerator_t *enumerator; + chunk_t data; + int type; + + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) + { + if (type == RAT_CLASS) + { + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + if (data.len >= 44) + { /* quirk: ignore long class attributes, these are used for + * other purposes by some RADIUS servers (such as NPS). */ + continue; + } + + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_data(data); + DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id); + auth->add(auth, AUTH_RULE_GROUP, id); + } + } + } + enumerator->destroy(enumerator); +} + +METHOD(eap_method_t, process, status_t, + private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; @@ -211,8 +243,10 @@ static status_t process(private_eap_radius_t *this, status = FAILED; break; case RMC_ACCESS_ACCEPT: - this->msk = this->client->decrypt_msk(this->client, - response, request); + if (this->class_group) + { + process_class(this, response); + } status = SUCCESS; break; case RMC_ACCESS_REJECT: @@ -228,32 +262,29 @@ static status_t process(private_eap_radius_t *this, return status; } -/** - * Implementation of eap_method_t.get_type. - */ -static eap_type_t get_type(private_eap_radius_t *this, u_int32_t *vendor) +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_radius_t *this, u_int32_t *vendor) { *vendor = this->vendor; return this->type; } -/** - * Implementation of eap_method_t.get_msk. - */ -static status_t get_msk(private_eap_radius_t *this, chunk_t *msk) +METHOD(eap_method_t, get_msk, status_t, + private_eap_radius_t *this, chunk_t *out) { - if (this->msk.ptr) + chunk_t msk; + + msk = this->client->get_msk(this->client); + if (msk.len) { - *msk = this->msk; + *out = msk; return SUCCESS; } return FAILED; } -/** - * Implementation of eap_method_t.is_mutual. - */ -static bool is_mutual(private_eap_radius_t *this) +METHOD(eap_method_t, is_mutual, bool, + private_eap_radius_t *this) { switch (this->type) { @@ -265,15 +296,12 @@ static bool is_mutual(private_eap_radius_t *this) } } -/** - * Implementation of eap_method_t.destroy. - */ -static void destroy(private_eap_radius_t *this) +METHOD(eap_method_t, destroy, void, + private_eap_radius_t *this) { this->peer->destroy(this->peer); this->server->destroy(this->server); this->client->destroy(this->client); - chunk_clear(&this->msk); free(this); } @@ -282,15 +310,26 @@ static void destroy(private_eap_radius_t *this) */ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer) { - private_eap_radius_t *this = malloc_thing(private_eap_radius_t); - - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process; - this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; - this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; - this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; - this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - + private_eap_radius_t *this; + + INIT(this, + .public.eap_method_interface = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ + .type = EAP_RADIUS, + .eap_start = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-radius.eap_start", FALSE), + .id_prefix = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.id_prefix", ""), + .class_group = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-radius.class_group", FALSE), + ); this->client = radius_client_create(); if (!this->client) { @@ -299,14 +338,6 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer } this->peer = peer->clone(peer); this->server = server->clone(server); - /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ - this->type = EAP_RADIUS; - this->vendor = 0; - this->msk = chunk_empty; - this->eap_start = lib->settings->get_bool(lib->settings, - "charon.plugins.eap-radius.eap_start", FALSE); - this->id_prefix = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.id_prefix", ""); return &this->public; } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 7d2788c3e..91aae2f62 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c @@ -17,17 +17,130 @@ #include "eap_radius.h" #include "radius_client.h" +#include "radius_server.h" #include <daemon.h> /** - * Implementation of plugin_t.destroy + * Default RADIUS server port, when not configured */ -static void destroy(eap_radius_plugin_t *this) +#define RADIUS_PORT 1812 + +typedef struct private_eap_radius_plugin_t private_eap_radius_plugin_t; + +/** + * Private data of an eap_radius_plugin_t object. + */ +struct private_eap_radius_plugin_t { + + /** + * Public radius_plugin_t interface. + */ + eap_radius_plugin_t public; + + /** + * List of RADIUS servers + */ + linked_list_t *servers; +}; + +/** + * Instance of the EAP plugin + */ +static private_eap_radius_plugin_t *instance = NULL; + +METHOD(plugin_t, destroy, void, + private_eap_radius_plugin_t *this) { charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create); - radius_client_cleanup(); + this->servers->destroy_offset(this->servers, + offsetof(radius_server_t, destroy)); free(this); + instance = NULL; +} + +/** + * Load RADIUS servers from configuration + */ +static bool load_servers(private_eap_radius_plugin_t *this) +{ + enumerator_t *enumerator; + radius_server_t *server; + char *nas_identifier, *secret, *address, *section; + int port, sockets, preference; + + address = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.server", NULL); + if (address) + { /* legacy configuration */ + secret = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.secret", NULL); + if (!secret) + { + DBG1(DBG_CFG, "no RADUIS secret defined"); + return FALSE; + } + nas_identifier = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.nas_identifier", "strongSwan"); + port = lib->settings->get_int(lib->settings, + "charon.plugins.eap-radius.port", RADIUS_PORT); + sockets = lib->settings->get_int(lib->settings, + "charon.plugins.eap-radius.sockets", 1); + server = radius_server_create(address, port, nas_identifier, + secret, sockets, 0); + if (!server) + { + DBG1(DBG_CFG, "no RADUIS server defined"); + return FALSE; + } + this->servers->insert_last(this->servers, server); + return TRUE; + } + + enumerator = lib->settings->create_section_enumerator(lib->settings, + "charon.plugins.eap-radius.servers"); + while (enumerator->enumerate(enumerator, §ion)) + { + address = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.servers.%s.address", NULL, section); + if (!address) + { + DBG1(DBG_CFG, "RADIUS server '%s' misses address, skipped", section); + continue; + } + secret = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.servers.%s.secret", NULL, section); + if (!secret) + { + DBG1(DBG_CFG, "RADIUS server '%s' misses secret, skipped", section); + continue; + } + nas_identifier = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.servers.%s.nas_identifier", + "strongSwan", section); + port = lib->settings->get_int(lib->settings, + "charon.plugins.eap-radius.servers.%s.port", RADIUS_PORT, section); + sockets = lib->settings->get_int(lib->settings, + "charon.plugins.eap-radius.servers.%s.sockets", 1, section); + preference = lib->settings->get_int(lib->settings, + "charon.plugins.eap-radius.servers.%s.preference", 0, section); + server = radius_server_create(address, port, nas_identifier, + secret, sockets, preference); + if (!server) + { + DBG1(DBG_CFG, "loading RADIUS server '%s' failed, skipped", section); + continue; + } + this->servers->insert_last(this->servers, server); + } + enumerator->destroy(enumerator); + + if (this->servers->get_count(this->servers) == 0) + { + DBG1(DBG_CFG, "no valid RADIUS server configuration found"); + return FALSE; + } + return TRUE; } /* @@ -35,20 +148,35 @@ static void destroy(eap_radius_plugin_t *this) */ plugin_t *eap_radius_plugin_create() { - eap_radius_plugin_t *this; + private_eap_radius_plugin_t *this; + + INIT(this, + .public.plugin.destroy = _destroy, + .servers = linked_list_create(), + ); - if (!radius_client_init()) + if (!load_servers(this)) { - DBG1(DBG_CFG, "RADIUS plugin initialization failed"); + destroy(this); return NULL; } - - this = malloc_thing(eap_radius_plugin_t); - this->plugin.destroy = (void(*)(plugin_t*))destroy; - charon->eap->add_method(charon->eap, EAP_RADIUS, 0, EAP_SERVER, (eap_constructor_t)eap_radius_create); - return &this->plugin; + instance = this; + + return &this->public.plugin; +} + +/** + * See header + */ +enumerator_t *eap_radius_create_server_enumerator() +{ + if (instance) + { + return instance->servers->create_enumerator(instance->servers); + } + return enumerator_create_empty(); } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h index f2b8b5082..cb724364a 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h @@ -25,6 +25,7 @@ #define EAP_RADIUS_PLUGIN_H_ #include <plugins/plugin.h> +#include <utils/enumerator.h> typedef struct eap_radius_plugin_t eap_radius_plugin_t; @@ -42,4 +43,11 @@ struct eap_radius_plugin_t { plugin_t plugin; }; +/** + * Create an enumerator over all loaded RADIUS servers. + * + * @return enumerator over radius_server_t + */ +enumerator_t *eap_radius_create_server_enumerator(); + #endif /** EAP_RADIUS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/radius_client.c b/src/libcharon/plugins/eap_radius/radius_client.c index 1d1f21742..232b9135e 100644 --- a/src/libcharon/plugins/eap_radius/radius_client.c +++ b/src/libcharon/plugins/eap_radius/radius_client.c @@ -15,6 +15,9 @@ #include "radius_client.h" +#include "eap_radius_plugin.h" +#include "radius_server.h" + #include <unistd.h> #include <errno.h> @@ -24,42 +27,8 @@ #include <threading/condvar.h> #include <threading/mutex.h> -/** - * Default RADIUS server port, when not configured - */ -#define RADIUS_PORT 1812 - -/** - * Vendor-Id of Microsoft specific attributes - */ -#define VENDOR_ID_MICROSOFT 311 - -/** - * Microsoft specific vendor attributes - */ -#define MS_MPPE_SEND_KEY 16 -#define MS_MPPE_RECV_KEY 17 - typedef struct private_radius_client_t private_radius_client_t; -typedef struct entry_t entry_t; - -/** - * A socket pool entry. - */ -struct entry_t { - /** socket file descriptor */ - int fd; - /** current RADIUS identifier */ - u_int8_t identifier; - /** hasher to use for response verification */ - hasher_t *hasher; - /** HMAC-MD5 signer to build Message-Authenticator attribute */ - signer_t *signer; - /** random number generator for RADIUS request authenticator */ - rng_t *rng; -}; - /** * Private data of an radius_client_t object. */ @@ -71,170 +40,20 @@ struct private_radius_client_t { radius_client_t public; /** + * Selected RADIUS server + */ + radius_server_t *server; + + /** * RADIUS servers State attribute */ chunk_t state; -}; -/** - * Global list of radius sockets, contains entry_t's - */ -static linked_list_t *sockets; - -/** - * mutex to lock sockets list - */ -static mutex_t *mutex; - -/** - * condvar to wait for sockets - */ -static condvar_t *condvar; - -/** - * RADIUS secret - */ -static chunk_t secret; - -/** - * NAS-Identifier - */ -static chunk_t nas_identifier; - -/** - * Clean up socket list - */ -void radius_client_cleanup() -{ - entry_t *entry; - - mutex->destroy(mutex); - condvar->destroy(condvar); - while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS) - { - entry->rng->destroy(entry->rng); - entry->hasher->destroy(entry->hasher); - entry->signer->destroy(entry->signer); - close(entry->fd); - free(entry); - } - sockets->destroy(sockets); -} - -/** - * Initialize the socket list - */ -bool radius_client_init() -{ - int i, count, fd; - u_int16_t port; - entry_t *entry; - host_t *host; - char *server; - - nas_identifier.ptr = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.nas_identifier", "strongSwan"); - nas_identifier.len = strlen(nas_identifier.ptr); - - secret.ptr = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.secret", NULL); - if (!secret.ptr) - { - DBG1(DBG_CFG, "no RADUIS secret defined"); - return FALSE; - } - secret.len = strlen(secret.ptr); - server = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.server", NULL); - if (!server) - { - DBG1(DBG_CFG, "no RADUIS server defined"); - return FALSE; - } - port = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.port", RADIUS_PORT); - host = host_create_from_dns(server, 0, port); - if (!host) - { - return FALSE; - } - count = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.sockets", 1); - - sockets = linked_list_create(); - mutex = mutex_create(MUTEX_TYPE_DEFAULT); - condvar = condvar_create(CONDVAR_TYPE_DEFAULT); - for (i = 0; i < count; i++) - { - fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP); - if (fd < 0) - { - DBG1(DBG_CFG, "opening RADIUS socket failed"); - host->destroy(host); - radius_client_cleanup(); - return FALSE; - } - if (connect(fd, host->get_sockaddr(host), - *host->get_sockaddr_len(host)) < 0) - { - DBG1(DBG_CFG, "connecting RADIUS socket failed"); - host->destroy(host); - radius_client_cleanup(); - return FALSE; - } - entry = malloc_thing(entry_t); - entry->fd = fd; - /* we use per-socket crypto elements: this reduces overhead, but - * is still thread-save. */ - entry->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - entry->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128); - entry->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!entry->hasher || !entry->signer || !entry->rng) - { - DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required"); - DESTROY_IF(entry->hasher); - DESTROY_IF(entry->signer); - DESTROY_IF(entry->rng); - free(entry); - host->destroy(host); - radius_client_cleanup(); - return FALSE; - } - entry->signer->set_key(entry->signer, secret); - /* we use a random identifier, helps if we restart often (testing) */ - entry->identifier = random(); - sockets->insert_last(sockets, entry); - } - host->destroy(host); - return TRUE; -} - -/** - * Get a socket from the pool, block if none available - */ -static entry_t* get_socket() -{ - entry_t *entry; - - mutex->lock(mutex); - while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS) - { - condvar->wait(condvar, mutex); - } - mutex->unlock(mutex); - return entry; -} - -/** - * Release a socket to the pool - */ -static void put_socket(entry_t *entry) -{ - mutex->lock(mutex); - sockets->insert_last(sockets, entry); - mutex->unlock(mutex); - condvar->signal(condvar); -} + /** + * EAP MSK, from MPPE keys + */ + chunk_t msk; +}; /** * Save the state attribute to include in further request @@ -261,234 +80,103 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg) chunk_free(&this->state); } -/** - * Implementation of radius_client_t.request - */ -static radius_message_t* request(private_radius_client_t *this, - radius_message_t *req) +METHOD(radius_client_t, request, radius_message_t*, + private_radius_client_t *this, radius_message_t *req) { char virtual[] = {0x00,0x00,0x00,0x05}; - entry_t *socket; - chunk_t data; - int i; + radius_socket_t *socket; + radius_message_t *res; - socket = get_socket(); - - /* set Message Identifier */ - req->set_identifier(req, socket->identifier++); /* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */ req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual))); /* add our NAS-Identifier */ - req->add(req, RAT_NAS_IDENTIFIER, nas_identifier); + req->add(req, RAT_NAS_IDENTIFIER, + this->server->get_nas_identifier(this->server)); /* add State attribute, if server sent one */ if (this->state.ptr) { req->add(req, RAT_STATE, this->state); } - /* sign the request */ - req->sign(req, socket->rng, socket->signer); - - data = req->get_encoding(req); - /* timeout after 2, 3, 4, 5 seconds */ - for (i = 2; i <= 5; i++) + socket = this->server->get_socket(this->server); + DBG1(DBG_CFG, "sending RADIUS %N to %#H", radius_message_code_names, + req->get_code(req), this->server->get_address(this->server)); + res = socket->request(socket, req); + if (res) { - radius_message_t *response; - bool retransmit = FALSE; - struct timeval tv; - char buf[4096]; - fd_set fds; - int res; - - if (send(socket->fd, data.ptr, data.len, 0) != data.len) - { - DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno)); - put_socket(socket); - return NULL; - } - tv.tv_sec = i; - tv.tv_usec = 0; - - while (TRUE) + DBG1(DBG_CFG, "received RADIUS %N from %#H", radius_message_code_names, + res->get_code(res), this->server->get_address(this->server)); + save_state(this, res); + if (res->get_code(res) == RMC_ACCESS_ACCEPT) { - FD_ZERO(&fds); - FD_SET(socket->fd, &fds); - res = select(socket->fd + 1, &fds, NULL, NULL, &tv); - /* TODO: updated tv to time not waited. Linux does this for us. */ - if (res < 0) - { /* failed */ - DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", - strerror(errno)); - break; - } - if (res == 0) - { /* timeout */ - DBG1(DBG_CFG, "retransmitting RADIUS message"); - retransmit = TRUE; - break; - } - res = recv(socket->fd, buf, sizeof(buf), MSG_DONTWAIT); - if (res <= 0) - { - DBG1(DBG_CFG, "receiving RADIUS message failed: %s", - strerror(errno)); - break; - } - response = radius_message_parse_response(chunk_create(buf, res)); - if (response) - { - if (response->verify(response, req->get_authenticator(req), - secret, socket->hasher, socket->signer)) - { - save_state(this, response); - put_socket(socket); - return response; - } - response->destroy(response); - } - DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); - } - if (!retransmit) - { - break; + chunk_clear(&this->msk); + this->msk = socket->decrypt_msk(socket, req, res); } + this->server->put_socket(this->server, socket, TRUE); + return res; } - DBG1(DBG_CFG, "RADIUS server is not responding"); - put_socket(socket); + this->server->put_socket(this->server, socket, FALSE); charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); return NULL; } -/** - * Decrypt a MS-MPPE-Send/Recv-Key - */ -static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt, - chunk_t C, radius_message_t *request) +METHOD(radius_client_t, get_msk, chunk_t, + private_radius_client_t *this) { - chunk_t A, R, P, seed; - u_char *c, *p; - hasher_t *hasher; - - /** - * From RFC2548 (encryption): - * b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1) - * b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2) - * . . . - * b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i) - */ - - if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5) - { - return chunk_empty; - } - - hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - if (!hasher) - { - return chunk_empty; - } - - A = chunk_create((u_char*)&salt, sizeof(salt)); - R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5); - P = chunk_alloca(C.len); - p = P.ptr; - c = C.ptr; - - seed = chunk_cata("cc", R, A); - - while (c < C.ptr + C.len) - { - /* b(i) = MD5(S + c(i-1)) */ - hasher->get_hash(hasher, secret, NULL); - hasher->get_hash(hasher, seed, p); - - /* p(i) = b(i) xor c(1) */ - memxor(p, c, HASH_SIZE_MD5); - - /* prepare next round */ - seed = chunk_create(c, HASH_SIZE_MD5); - c += HASH_SIZE_MD5; - p += HASH_SIZE_MD5; - } - hasher->destroy(hasher); + return this->msk; +} - /* remove truncation, first byte is key length */ - if (*P.ptr >= P.len) - { /* decryption failed? */ - return chunk_empty; - } - return chunk_clone(chunk_create(P.ptr + 1, *P.ptr)); +METHOD(radius_client_t, destroy, void, + private_radius_client_t *this) +{ + chunk_clear(&this->msk); + free(this->state.ptr); + free(this); } /** - * Implementation of radius_client_t.decrypt_msk + * See header */ -static chunk_t decrypt_msk(private_radius_client_t *this, - radius_message_t *response, radius_message_t *request) +radius_client_t *radius_client_create() { - struct { - u_int32_t id; - u_int8_t type; - u_int8_t length; - u_int16_t salt; - u_int8_t key[]; - } __attribute__((packed)) *mppe_key; + private_radius_client_t *this; enumerator_t *enumerator; - chunk_t data, send = chunk_empty, recv = chunk_empty; - int type; - - enumerator = response->create_enumerator(response); - while (enumerator->enumerate(enumerator, &type, &data)) + radius_server_t *server; + int current, best = -1; + + INIT(this, + .public = { + .request = _request, + .get_msk = _get_msk, + .destroy = _destroy, + }, + ); + + enumerator = eap_radius_create_server_enumerator(); + while (enumerator->enumerate(enumerator, &server)) { - if (type == RAT_VENDOR_SPECIFIC && - data.len > sizeof(*mppe_key)) + current = server->get_preference(server); + if (current > best || + /* for two with equal preference, 50-50 chance */ + (current == best && random() % 2 == 0)) + { + DBG2(DBG_CFG, "RADIUS server %H is candidate: %d", + server->get_address(server), current); + best = current; + this->server = server; + } + else { - mppe_key = (void*)data.ptr; - if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT && - mppe_key->length == data.len - sizeof(mppe_key->id)) - { - data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key)); - if (mppe_key->type == MS_MPPE_SEND_KEY) - { - send = decrypt_mppe_key(this, mppe_key->salt, data, request); - } - if (mppe_key->type == MS_MPPE_RECV_KEY) - { - recv = decrypt_mppe_key(this, mppe_key->salt, data, request); - } - } + DBG2(DBG_CFG, "RADIUS server %H skipped: %d", + server->get_address(server), current); } } enumerator->destroy(enumerator); - if (send.ptr && recv.ptr) + + if (!this->server) { - return chunk_cat("mm", recv, send); + free(this); + return NULL; } - chunk_clear(&send); - chunk_clear(&recv); - return chunk_empty; -} - -/** - * Implementation of radius_client_t.destroy. - */ -static void destroy(private_radius_client_t *this) -{ - free(this->state.ptr); - free(this); -} - -/** - * See header - */ -radius_client_t *radius_client_create() -{ - private_radius_client_t *this = malloc_thing(private_radius_client_t); - - this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request; - this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk; - this->public.destroy = (void(*)(radius_client_t*))destroy; - - this->state = chunk_empty; return &this->public; } diff --git a/src/libcharon/plugins/eap_radius/radius_client.h b/src/libcharon/plugins/eap_radius/radius_client.h index 77ba94807..e4f3a7222 100644 --- a/src/libcharon/plugins/eap_radius/radius_client.h +++ b/src/libcharon/plugins/eap_radius/radius_client.h @@ -29,19 +29,14 @@ typedef struct radius_client_t radius_client_t; * RADIUS client functionality. * * To communicate with a RADIUS server, create a client and send messages over - * it. All instances share a fixed size pool of sockets. The client reserves - * a socket during request() and releases it afterwards. + * it. The client allocates a socket from the best RADIUS server abailable. */ struct radius_client_t { /** * Send a RADIUS request and wait for the response. * - * The client fills in RADIUS Message identifier, NAS-Identifier, - * NAS-Port-Type, builds a Request-Authenticator and calculates the - * Message-Authenticator attribute. - * The received response gets verified using the Response-Identifier - * and the Message-Authenticator attribute. + * The client fills in NAS-Identifier nad NAS-Port-Type * * @param msg RADIUS request message to send * @return response, NULL if timed out/verification failed @@ -49,14 +44,11 @@ struct radius_client_t { radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg); /** - * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key. + * Get the EAP MSK after successful RADIUS authentication. * - * @param response RADIUS response message containing attributes - * @param request associated RADIUS request message - * @return allocated MSK, empty chunk if none found + * @return MSK, allocated */ - chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response, - radius_message_t *request); + chunk_t (*get_msk)(radius_client_t *this); /** * Destroy the client, release the socket. @@ -65,24 +57,10 @@ struct radius_client_t { }; /** - * Create a RADIUS client, acquire a socket. - * - * This call might block if the socket pool is empty. + * Create a RADIUS client. * * @return radius_client_t object */ radius_client_t *radius_client_create(); -/** - * Initialize the socket pool. - * - * @return TRUE if initialization successful - */ -bool radius_client_init(); - -/** - * Cleanup the socket pool. - */ -void radius_client_cleanup(); - #endif /** RADIUS_CLIENT_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/radius_message.c b/src/libcharon/plugins/eap_radius/radius_message.c index 11a1d8dfc..23a29b772 100644 --- a/src/libcharon/plugins/eap_radius/radius_message.c +++ b/src/libcharon/plugins/eap_radius/radius_message.c @@ -215,13 +215,8 @@ typedef struct { int left; } attribute_enumerator_t; - -/** - * Implementation of attribute_enumerator_t.enumerate - */ -static bool attribute_enumerate(attribute_enumerator_t *this, - int *type, chunk_t *data) - +METHOD(enumerator_t, attribute_enumerate, bool, + attribute_enumerator_t *this, int *type, chunk_t *data) { if (this->left == 0) { @@ -241,10 +236,8 @@ static bool attribute_enumerate(attribute_enumerator_t *this, return TRUE; } -/** - * Implementation of radius_message_t.create_enumerator - */ -static enumerator_t* create_enumerator(private_radius_message_t *this) +METHOD(radius_message_t, create_enumerator, enumerator_t*, + private_radius_message_t *this) { attribute_enumerator_t *e; @@ -252,20 +245,19 @@ static enumerator_t* create_enumerator(private_radius_message_t *this) { return enumerator_create_empty(); } - - e = malloc_thing(attribute_enumerator_t); - e->public.enumerate = (void*)attribute_enumerate; - e->public.destroy = (void*)free; - e->next = (rattr_t*)this->msg->attributes; - e->left = ntohs(this->msg->length) - sizeof(rmsg_t); + INIT(e, + .public = { + .enumerate = (void*)_attribute_enumerate, + .destroy = (void*)free, + }, + .next = (rattr_t*)this->msg->attributes, + .left = ntohs(this->msg->length) - sizeof(rmsg_t), + ); return &e->public; } -/** - * Implementation of radius_message_t.add - */ -static void add(private_radius_message_t *this, radius_attribute_type_t type, - chunk_t data) +METHOD(radius_message_t, add, void, + private_radius_message_t *this, radius_attribute_type_t type, chunk_t data) { rattr_t *attribute; @@ -279,10 +271,8 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type, this->msg->length = htons(ntohs(this->msg->length) + attribute->length); } -/** - * Implementation of radius_message_t.sign - */ -static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer) +METHOD(radius_message_t, sign, void, + private_radius_message_t *this, rng_t *rng, signer_t *signer) { char buf[HASH_SIZE_MD5]; @@ -297,11 +287,9 @@ static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer) ((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5); } -/** - * Implementation of radius_message_t.verify - */ -static bool verify(private_radius_message_t *this, u_int8_t *req_auth, - chunk_t secret, hasher_t *hasher, signer_t *signer) +METHOD(radius_message_t, verify, bool, + private_radius_message_t *this, u_int8_t *req_auth, chunk_t secret, + hasher_t *hasher, signer_t *signer) { char buf[HASH_SIZE_MD5], res_auth[HASH_SIZE_MD5]; enumerator_t *enumerator; @@ -369,51 +357,39 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth, return TRUE; } -/** - * Implementation of radius_message_t.get_code - */ -static radius_message_code_t get_code(private_radius_message_t *this) +METHOD(radius_message_t, get_code, radius_message_code_t, + private_radius_message_t *this) { return this->msg->code; } -/** - * Implementation of radius_message_t.get_identifier - */ -static u_int8_t get_identifier(private_radius_message_t *this) +METHOD(radius_message_t, get_identifier, u_int8_t, + private_radius_message_t *this) { return this->msg->identifier; } -/** - * Implementation of radius_message_t.set_identifier - */ -static void set_identifier(private_radius_message_t *this, u_int8_t identifier) +METHOD(radius_message_t, set_identifier, void, + private_radius_message_t *this, u_int8_t identifier) { this->msg->identifier = identifier; } -/** - * Implementation of radius_message_t.get_authenticator - */ -static u_int8_t* get_authenticator(private_radius_message_t *this) +METHOD(radius_message_t, get_authenticator, u_int8_t*, + private_radius_message_t *this) { return this->msg->authenticator; } -/** - * Implementation of radius_message_t.get_encoding - */ -static chunk_t get_encoding(private_radius_message_t *this) +METHOD(radius_message_t, get_encoding, chunk_t, + private_radius_message_t *this) { return chunk_create((u_char*)this->msg, ntohs(this->msg->length)); } -/** - * Implementation of radius_message_t.destroy. - */ -static void destroy(private_radius_message_t *this) +METHOD(radius_message_t, destroy, void, + private_radius_message_t *this) { free(this->msg); free(this); @@ -424,18 +400,22 @@ static void destroy(private_radius_message_t *this) */ static private_radius_message_t *radius_message_create() { - private_radius_message_t *this = malloc_thing(private_radius_message_t); - - this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator; - this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add; - this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code; - this->public.get_identifier = (u_int8_t(*)(radius_message_t*))get_identifier; - this->public.set_identifier = (void(*)(radius_message_t*, u_int8_t identifier))set_identifier; - this->public.get_authenticator = (u_int8_t*(*)(radius_message_t*))get_authenticator; - this->public.get_encoding = (chunk_t(*)(radius_message_t*))get_encoding; - this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign; - this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify; - this->public.destroy = (void(*)(radius_message_t*))destroy; + private_radius_message_t *this; + + INIT(this, + .public = { + .create_enumerator = _create_enumerator, + .add = _add, + .get_code = _get_code, + .get_identifier = _get_identifier, + .set_identifier = _set_identifier, + .get_authenticator = _get_authenticator, + .get_encoding = _get_encoding, + .sign = _sign, + .verify = _verify, + .destroy = _destroy, + }, + ); return this; } @@ -447,10 +427,11 @@ radius_message_t *radius_message_create_request() { private_radius_message_t *this = radius_message_create(); - this->msg = malloc_thing(rmsg_t); - this->msg->code = RMC_ACCESS_REQUEST; - this->msg->identifier = 0; - this->msg->length = htons(sizeof(rmsg_t)); + INIT(this->msg, + .code = RMC_ACCESS_REQUEST, + .identifier = 0, + .length = htons(sizeof(rmsg_t)), + ); return &this->public; } diff --git a/src/libcharon/plugins/eap_radius/radius_server.c b/src/libcharon/plugins/eap_radius/radius_server.c new file mode 100644 index 000000000..f54b8b2cd --- /dev/null +++ b/src/libcharon/plugins/eap_radius/radius_server.c @@ -0,0 +1,212 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "radius_server.h" + +#include <threading/mutex.h> +#include <threading/condvar.h> +#include <utils/linked_list.h> + +typedef struct private_radius_server_t private_radius_server_t; + +/** + * Private data of an radius_server_t object. + */ +struct private_radius_server_t { + + /** + * Public radius_server_t interface. + */ + radius_server_t public; + + /** + * RADIUS server address + */ + host_t *host; + + /** + * list of radius sockets, as radius_socket_t + */ + linked_list_t *sockets; + + /** + * Total number of sockets, in list + currently in use + */ + int socket_count; + + /** + * mutex to lock sockets list + */ + mutex_t *mutex; + + /** + * condvar to wait for sockets + */ + condvar_t *condvar; + + /** + * RADIUS secret + */ + chunk_t secret; + + /** + * NAS-Identifier + */ + chunk_t nas_identifier; + + /** + * Preference boost for this server + */ + int preference; + + /** + * Is the server currently reachable + */ + bool reachable; + + /** + * Retry counter for unreachable servers + */ + int retry; +}; + +METHOD(radius_server_t, get_socket, radius_socket_t*, + private_radius_server_t *this) +{ + radius_socket_t *skt; + + this->mutex->lock(this->mutex); + while (this->sockets->remove_first(this->sockets, (void**)&skt) != SUCCESS) + { + this->condvar->wait(this->condvar, this->mutex); + } + this->mutex->unlock(this->mutex); + return skt; +} + +METHOD(radius_server_t, put_socket, void, + private_radius_server_t *this, radius_socket_t *skt, bool result) +{ + this->mutex->lock(this->mutex); + this->sockets->insert_last(this->sockets, skt); + this->mutex->unlock(this->mutex); + this->condvar->signal(this->condvar); + this->reachable = result; +} + +METHOD(radius_server_t, get_nas_identifier, chunk_t, + private_radius_server_t *this) +{ + return this->nas_identifier; +} + +METHOD(radius_server_t, get_preference, int, + private_radius_server_t *this) +{ + int pref; + + if (this->socket_count == 0) + { /* don't have sockets, huh? */ + return -1; + } + /* calculate preference between 0-100 + boost */ + pref = this->preference; + pref += this->sockets->get_count(this->sockets) * 100 / this->socket_count; + if (this->reachable) + { /* reachable server get a boost: pref = 110-210 + boost */ + return pref + 110; + } + /* Not reachable. Increase preference randomly to let it retry from + * time to time, especially if other servers have high load. */ + this->retry++; + if (this->retry % 128 == 0) + { /* every 64th request gets 210, same as unloaded reachable */ + return pref + 110; + } + if (this->retry % 32 == 0) + { /* every 32th request gets 190, wins against average loaded */ + return pref + 90; + } + if (this->retry % 8 == 0) + { /* every 8th request gets 110, same as server under load */ + return pref + 10; + } + /* other get ~100, less than fully loaded */ + return pref; +} + +METHOD(radius_server_t, get_address, host_t*, + private_radius_server_t *this) +{ + return this->host; +} + +METHOD(radius_server_t, destroy, void, + private_radius_server_t *this) +{ + DESTROY_IF(this->host); + this->mutex->destroy(this->mutex); + this->condvar->destroy(this->condvar); + this->sockets->destroy_offset(this->sockets, + offsetof(radius_socket_t, destroy)); + free(this); +} + +/** + * See header + */ +radius_server_t *radius_server_create(char *server, u_int16_t port, + char *nas_identifier, char *secret, int sockets, int preference) +{ + private_radius_server_t *this; + radius_socket_t *socket; + + INIT(this, + .public = { + .get_socket = _get_socket, + .put_socket = _put_socket, + .get_nas_identifier = _get_nas_identifier, + .get_preference = _get_preference, + .get_address = _get_address, + .destroy = _destroy, + }, + .reachable = TRUE, + .nas_identifier = chunk_create(nas_identifier, strlen(nas_identifier)), + .socket_count = sockets, + .sockets = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .host = host_create_from_dns(server, 0, port), + .preference = preference, + ); + + if (!this->host) + { + destroy(this); + return NULL; + } + while (sockets--) + { + socket = radius_socket_create(this->host, + chunk_create(secret, strlen(secret))); + if (!socket) + { + destroy(this); + return NULL; + } + this->sockets->insert_last(this->sockets, socket); + } + return &this->public; +} diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h new file mode 100644 index 000000000..b820cb583 --- /dev/null +++ b/src/libcharon/plugins/eap_radius/radius_server.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup radius_server radius_server + * @{ @ingroup eap_radius + */ + +#ifndef RADIUS_SERVER_H_ +#define RADIUS_SERVER_H_ + +typedef struct radius_server_t radius_server_t; + +#include "radius_socket.h" + +/** + * RADIUS server configuration. + */ +struct radius_server_t { + + /** + * Get a RADIUS socket from the pool to communicate with this server. + * + * @return RADIUS socket + */ + radius_socket_t* (*get_socket)(radius_server_t *this); + + /** + * Release a socket to the pool after use. + * + * @param skt RADIUS socket to release + * @param result result of the socket use, TRUE for success + */ + void (*put_socket)(radius_server_t *this, radius_socket_t *skt, bool result); + + /** + * Get the NAS-Identifier to use with this server. + * + * @return NAS-Identifier, internal data + */ + chunk_t (*get_nas_identifier)(radius_server_t *this); + + /** + * Get the preference of this server. + * + * Based on the available sockets and the server reachability a preference + * value is calculated: better servers return a higher value. + */ + int (*get_preference)(radius_server_t *this); + + /** + * Get the address of the RADIUS server. + * + * @return address, internal data + */ + host_t* (*get_address)(radius_server_t *this); + + /** + * Destroy a radius_server_t. + */ + void (*destroy)(radius_server_t *this); +}; + +/** + * Create a radius_server instance. + * + * @param server server address + * @param port server port + * @param nas_identifier NAS-Identifier to use with this server + * @param sockets number of sockets to create in pool + * @param preference preference boost for this server + */ +radius_server_t *radius_server_create(char *server, u_int16_t port, + char *nas_identifier, char *secret, int sockets, int preference); + +#endif /** RADIUS_SERVER_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/radius_socket.c b/src/libcharon/plugins/eap_radius/radius_socket.c new file mode 100644 index 000000000..f46c27ede --- /dev/null +++ b/src/libcharon/plugins/eap_radius/radius_socket.c @@ -0,0 +1,309 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "radius_socket.h" + +#include <errno.h> +#include <unistd.h> + +#include <debug.h> + +/** + * Vendor-Id of Microsoft specific attributes + */ +#define VENDOR_ID_MICROSOFT 311 + +/** + * Microsoft specific vendor attributes + */ +#define MS_MPPE_SEND_KEY 16 +#define MS_MPPE_RECV_KEY 17 + +typedef struct private_radius_socket_t private_radius_socket_t; + +/** + * Private data of an radius_socket_t object. + */ +struct private_radius_socket_t { + + /** + * Public radius_socket_t interface. + */ + radius_socket_t public; + + /** + * socket file descriptor + */ + int fd; + + /** + * current RADIUS identifier + */ + u_int8_t identifier; + + /** + * hasher to use for response verification + */ + hasher_t *hasher; + + /** + * HMAC-MD5 signer to build Message-Authenticator attribute + */ + signer_t *signer; + + /** + * random number generator for RADIUS request authenticator + */ + rng_t *rng; + + /** + * RADIUS secret + */ + chunk_t secret; +}; + +METHOD(radius_socket_t, request, radius_message_t*, + private_radius_socket_t *this, radius_message_t *request) +{ + chunk_t data; + int i; + + /* set Message Identifier */ + request->set_identifier(request, this->identifier++); + /* sign the request */ + request->sign(request, this->rng, this->signer); + + data = request->get_encoding(request); + /* timeout after 2, 3, 4, 5 seconds */ + for (i = 2; i <= 5; i++) + { + radius_message_t *response; + bool retransmit = FALSE; + struct timeval tv; + char buf[4096]; + fd_set fds; + int res; + + if (send(this->fd, data.ptr, data.len, 0) != data.len) + { + DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno)); + return NULL; + } + tv.tv_sec = i; + tv.tv_usec = 0; + + while (TRUE) + { + FD_ZERO(&fds); + FD_SET(this->fd, &fds); + res = select(this->fd + 1, &fds, NULL, NULL, &tv); + /* TODO: updated tv to time not waited. Linux does this for us. */ + if (res < 0) + { /* failed */ + DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", + strerror(errno)); + break; + } + if (res == 0) + { /* timeout */ + DBG1(DBG_CFG, "retransmitting RADIUS message"); + retransmit = TRUE; + break; + } + res = recv(this->fd, buf, sizeof(buf), MSG_DONTWAIT); + if (res <= 0) + { + DBG1(DBG_CFG, "receiving RADIUS message failed: %s", + strerror(errno)); + break; + } + response = radius_message_parse_response(chunk_create(buf, res)); + if (response) + { + if (response->verify(response, + request->get_authenticator(request), this->secret, + this->hasher, this->signer)) + { + return response; + } + response->destroy(response); + } + DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); + } + if (!retransmit) + { + break; + } + } + DBG1(DBG_CFG, "RADIUS server is not responding"); + return NULL; +} + +/** + * Decrypt a MS-MPPE-Send/Recv-Key + */ +static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt, + chunk_t C, radius_message_t *request) +{ + chunk_t A, R, P, seed; + u_char *c, *p; + + /** + * From RFC2548 (encryption): + * b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1) + * b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2) + * . . . + * b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i) + */ + + if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5) + { + return chunk_empty; + } + + A = chunk_create((u_char*)&salt, sizeof(salt)); + R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5); + P = chunk_alloca(C.len); + p = P.ptr; + c = C.ptr; + + seed = chunk_cata("cc", R, A); + + while (c < C.ptr + C.len) + { + /* b(i) = MD5(S + c(i-1)) */ + this->hasher->get_hash(this->hasher, this->secret, NULL); + this->hasher->get_hash(this->hasher, seed, p); + + /* p(i) = b(i) xor c(1) */ + memxor(p, c, HASH_SIZE_MD5); + + /* prepare next round */ + seed = chunk_create(c, HASH_SIZE_MD5); + c += HASH_SIZE_MD5; + p += HASH_SIZE_MD5; + } + + /* remove truncation, first byte is key length */ + if (*P.ptr >= P.len) + { /* decryption failed? */ + return chunk_empty; + } + return chunk_clone(chunk_create(P.ptr + 1, *P.ptr)); +} + +METHOD(radius_socket_t, decrypt_msk, chunk_t, + private_radius_socket_t *this, radius_message_t *request, + radius_message_t *response) +{ + struct { + u_int32_t id; + u_int8_t type; + u_int8_t length; + u_int16_t salt; + u_int8_t key[]; + } __attribute__((packed)) *mppe_key; + enumerator_t *enumerator; + chunk_t data, send = chunk_empty, recv = chunk_empty; + int type; + + enumerator = response->create_enumerator(response); + while (enumerator->enumerate(enumerator, &type, &data)) + { + if (type == RAT_VENDOR_SPECIFIC && + data.len > sizeof(*mppe_key)) + { + mppe_key = (void*)data.ptr; + if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT && + mppe_key->length == data.len - sizeof(mppe_key->id)) + { + data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key)); + if (mppe_key->type == MS_MPPE_SEND_KEY) + { + send = decrypt_mppe_key(this, mppe_key->salt, data, request); + } + if (mppe_key->type == MS_MPPE_RECV_KEY) + { + recv = decrypt_mppe_key(this, mppe_key->salt, data, request); + } + } + } + } + enumerator->destroy(enumerator); + if (send.ptr && recv.ptr) + { + return chunk_cat("mm", recv, send); + } + chunk_clear(&send); + chunk_clear(&recv); + return chunk_empty; +} + +METHOD(radius_socket_t, destroy, void, + private_radius_socket_t *this) +{ + DESTROY_IF(this->hasher); + DESTROY_IF(this->signer); + DESTROY_IF(this->rng); + close(this->fd); + free(this); +} + +/** + * See header + */ +radius_socket_t *radius_socket_create(host_t *host, chunk_t secret) +{ + private_radius_socket_t *this; + + INIT(this, + .public = { + .request = _request, + .decrypt_msk = _decrypt_msk, + .destroy = _destroy, + }, + ); + + this->fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP); + if (this->fd < 0) + { + DBG1(DBG_CFG, "opening RADIUS socket failed: %s", strerror(errno)); + free(this); + return NULL; + } + if (connect(this->fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) < 0) + { + DBG1(DBG_CFG, "connecting RADIUS socket failed"); + close(this->fd); + free(this); + return NULL; + } + this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128); + this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!this->hasher || !this->signer || !this->rng) + { + DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required"); + destroy(this); + return NULL; + } + this->secret = secret; + this->signer->set_key(this->signer, secret); + /* we use a random identifier, helps if we restart often */ + this->identifier = random(); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_radius/radius_socket.h b/src/libcharon/plugins/eap_radius/radius_socket.h new file mode 100644 index 000000000..fe8491a8f --- /dev/null +++ b/src/libcharon/plugins/eap_radius/radius_socket.h @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup radius_socket radius_socket + * @{ @ingroup eap_radius + */ + +#ifndef RADIUS_SOCKET_H_ +#define RADIUS_SOCKET_H_ + +typedef struct radius_socket_t radius_socket_t; + +#include "radius_message.h" + +#include <utils/host.h> + +/** + * RADIUS socket to a server. + */ +struct radius_socket_t { + + /** + * Send a RADIUS request, wait for response. + + * The socket fills in RADIUS Message identifier, builds a + * Request-Authenticator and calculates the Message-Authenticator + * attribute. + * The received response gets verified using the Response-Identifier + * and the Message-Authenticator attribute. + * + * @param request request message + * @return response message, NULL if timed out + */ + radius_message_t* (*request)(radius_socket_t *this, + radius_message_t *request); + + /** + * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key. + * + * @param request associated RADIUS request message + * @param response RADIUS response message containing attributes + * @return allocated MSK, empty chunk if none found + */ + chunk_t (*decrypt_msk)(radius_socket_t *this, radius_message_t *request, + radius_message_t *response); + + /** + * Destroy a radius_socket_t. + */ + void (*destroy)(radius_socket_t *this); +}; + +/** + * Create a radius_socket instance. + * + * @param host RADIUS server address to connect to + * @param secret RADIUS secret + */ +radius_socket_t *radius_socket_create(host_t *host, chunk_t secret); + +#endif /** RADIUS_SOCKET_H_ @}*/ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index 588965113..d0f44e925 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c index 961cfd30d..a3506f4ba 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c @@ -484,7 +484,6 @@ static status_t process_notification(private_eap_sim_peer_t *this, /* test success bit */ if (!(data.ptr[0] & 0x80)) { - success = FALSE; DBG1(DBG_IKE, "received EAP-SIM notification error '%N'", simaka_notification_names, code); } diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 2d998dbcc..2aa0ac832 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 6c44ea2bb..7d80f8019 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 35d8e7c3b..fc26f4497 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am new file mode 100644 index 000000000..73768be0e --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am @@ -0,0 +1,18 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\" + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +else +plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +endif + +libstrongswan_eap_simaka_sql_la_SOURCES = \ + eap_simaka_sql_plugin.h eap_simaka_sql_plugin.c \ + eap_simaka_sql_card.h eap_simaka_sql_card.c \ + eap_simaka_sql_provider.h eap_simaka_sql_provider.c + +libstrongswan_eap_simaka_sql_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in new file mode 100644 index 000000000..f2e82df0a --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -0,0 +1,592 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_simaka_sql +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_eap_simaka_sql_la_LIBADD = +am_libstrongswan_eap_simaka_sql_la_OBJECTS = eap_simaka_sql_plugin.lo \ + eap_simaka_sql_card.lo eap_simaka_sql_provider.lo +libstrongswan_eap_simaka_sql_la_OBJECTS = \ + $(am_libstrongswan_eap_simaka_sql_la_OBJECTS) +libstrongswan_eap_simaka_sql_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_eap_simaka_sql_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_sql_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_sql_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\" +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +libstrongswan_eap_simaka_sql_la_SOURCES = \ + eap_simaka_sql_plugin.h eap_simaka_sql_plugin.c \ + eap_simaka_sql_card.h eap_simaka_sql_card.c \ + eap_simaka_sql_provider.h eap_simaka_sql_provider.c + +libstrongswan_eap_simaka_sql_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) + $(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_card.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_provider.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c new file mode 100644 index 000000000..b7590405f --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c @@ -0,0 +1,177 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_simaka_sql_card.h" + +#include <time.h> + +#include <daemon.h> + +typedef struct private_eap_simaka_sql_card_t private_eap_simaka_sql_card_t; + +/** + * Private data of an eap_simaka_sql_card_t object. + */ +struct private_eap_simaka_sql_card_t { + + /** + * Public eap_simaka_sql_card_t interface. + */ + eap_simaka_sql_card_t public; + + /** + * Triplet/quintuplet database + */ + database_t *db; + + /** + * Remove used triplets/quintuplets from database + */ + bool remove_used; +}; + +METHOD(sim_card_t, get_triplet, bool, + private_eap_simaka_sql_card_t *this, identification_t *id, + char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]) +{ + chunk_t sres_chunk, kc_chunk; + enumerator_t *query; + bool found = FALSE; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, + "select sres, kc from triplets where rand = ? and id = ? " + "order by use limit 1", + DB_BLOB, chunk_create(rand, SIM_RAND_LEN), DB_TEXT, buf, + DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &sres_chunk, &kc_chunk)) + { + if (sres_chunk.len == SIM_SRES_LEN && + kc_chunk.len == SIM_KC_LEN) + { + memcpy(sres, sres_chunk.ptr, SIM_SRES_LEN); + memcpy(kc, kc_chunk.ptr, SIM_KC_LEN); + found = TRUE; + } + } + query->destroy(query); + } + if (found) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from triplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update triplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + } + return found; +} + +METHOD(sim_card_t, get_quintuplet, status_t, + private_eap_simaka_sql_card_t *this, identification_t *id, + char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], + char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len) +{ + chunk_t ck_chunk, ik_chunk, res_chunk; + enumerator_t *query; + status_t found = FAILED; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, "select ck, ik, res from quintuplets " + "where rand = ? and autn = ? and id = ? order by use limit 1", + DB_BLOB, chunk_create(rand, AKA_RAND_LEN), + DB_BLOB, chunk_create(autn, AKA_AUTN_LEN), DB_TEXT, buf, + DB_BLOB, DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &ck_chunk, &ik_chunk, &res_chunk)) + { + if (ck_chunk.len == AKA_CK_LEN && + ik_chunk.len == AKA_IK_LEN && + res_chunk.len <= AKA_RES_MAX) + { + memcpy(ck, ck_chunk.ptr, AKA_CK_LEN); + memcpy(ik, ik_chunk.ptr, AKA_IK_LEN); + memcpy(res, res_chunk.ptr, res_chunk.len); + *res_len = res_chunk.len; + found = SUCCESS; + } + } + query->destroy(query); + } + if (found == SUCCESS) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from quintuplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update quintuplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, AKA_RAND_LEN)); + } + } + return found; +} + +METHOD(eap_simaka_sql_card_t, destroy, void, + private_eap_simaka_sql_card_t *this) +{ + free(this); +} + +/** + * See header + */ +eap_simaka_sql_card_t *eap_simaka_sql_card_create(database_t *db, + bool remove_used) +{ + private_eap_simaka_sql_card_t *this; + + INIT(this, + .public = { + .card = { + .get_triplet = _get_triplet, + .get_quintuplet = _get_quintuplet, + .resync = (void*)return_false, + .get_pseudonym = (void*)return_null, + .set_pseudonym = (void*)nop, + .get_reauth = (void*)return_null, + .set_reauth = (void*)nop, + }, + .destroy = _destroy, + }, + .db = db, + .remove_used = remove_used, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h new file mode 100644 index 000000000..46b7de25e --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_simaka_sql_card eap_simaka_sql_card + * @{ @ingroup eap_simaka_sql + */ + +#ifndef EAP_SIMAKA_SQL_CARD_H_ +#define EAP_SIMAKA_SQL_CARD_H_ + +#include <database/database.h> +#include <sa/authenticators/eap/sim_manager.h> + +typedef struct eap_simaka_sql_card_t eap_simaka_sql_card_t; + +/** + * SIM card implementation using a triplet/quintuplet database backend. + */ +struct eap_simaka_sql_card_t { + + /** + * Implements sim_card_t interface + */ + sim_card_t card; + + /** + * Destroy a eap_simaka_sql_card_t. + */ + void (*destroy)(eap_simaka_sql_card_t *this); +}; + +/** + * Create a eap_simaka_sql_card instance. + * + * @param db triplet/quintuplet database + * @param remove_used TRUE to remove used triplets/quintuplets from db + */ +eap_simaka_sql_card_t *eap_simaka_sql_card_create(database_t *db, + bool remove_used); + +#endif /** EAP_SIMAKA_SQL_CARD_H_ @}*/ diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c new file mode 100644 index 000000000..0f5319792 --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c @@ -0,0 +1,100 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_simaka_sql_plugin.h" +#include "eap_simaka_sql_card.h" +#include "eap_simaka_sql_provider.h" + +#include <daemon.h> + +typedef struct private_eap_simaka_sql_t private_eap_simaka_sql_t; + +/** + * Private data of an eap_simaka_sql_t object. + */ +struct private_eap_simaka_sql_t { + + /** + * Public eap_simaka_sql_plugin_t interface. + */ + eap_simaka_sql_plugin_t public; + + /** + * (U)SIM card + */ + eap_simaka_sql_card_t *card; + + /** + * (U)SIM provider + */ + eap_simaka_sql_provider_t *provider; + + /** + * Database with triplets/quintuplets + */ + database_t *db; +}; + +METHOD(plugin_t, destroy, void, + private_eap_simaka_sql_t *this) +{ + charon->sim->remove_card(charon->sim, &this->card->card); + charon->sim->remove_provider(charon->sim, &this->provider->provider); + this->card->destroy(this->card); + this->provider->destroy(this->provider); + this->db->destroy(this->db); + free(this); +} + +/** + * See header + */ +plugin_t *eap_simaka_sql_plugin_create() +{ + private_eap_simaka_sql_t *this; + database_t *db; + bool remove_used; + char *uri; + + uri = lib->settings->get_str(lib->settings, + "charon.plugins.eap-simaka-sql.database", NULL); + if (!uri) + { + DBG1(DBG_CFG, "eap-simaka-sql database URI missing"); + return NULL; + } + db = lib->db->create(lib->db, uri); + if (!db) + { + DBG1(DBG_CFG, "opening eap-simaka-sql database failed"); + return NULL; + } + remove_used = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-simaka-sql.remove_used", FALSE); + + INIT(this, + .public.plugin = { + .destroy = _destroy, + }, + .db = db, + .provider = eap_simaka_sql_provider_create(db, remove_used), + .card = eap_simaka_sql_card_create(db, remove_used), + ); + + charon->sim->add_card(charon->sim, &this->card->card); + charon->sim->add_provider(charon->sim, &this->provider->provider); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h new file mode 100644 index 000000000..3064580bf --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_simaka_sql eap_simaka_sql + * @ingroup cplugins + * + * @defgroup eap_simaka_sql_plugin eap_simaka_sql_plugin + * @{ @ingroup eap_simaka_sql + */ + +#ifndef EAP_SIMAKA_SQL_PLUGIN_H_ +#define EAP_SIMAKA_SQL_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_simaka_sql_plugin_t eap_simaka_sql_plugin_t; + +/** + * Plugin to provide SIM/AKA cards/providers using triplets from a database. + */ +struct eap_simaka_sql_plugin_t { + + /** + * Implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** EAP_SIMAKA_SQL_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c new file mode 100644 index 000000000..73cccf549 --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c @@ -0,0 +1,180 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_simaka_sql_provider.h" + +#include <time.h> + +#include <daemon.h> + +typedef struct private_eap_simaka_sql_provider_t private_eap_simaka_sql_provider_t; + +/** + * Private data of an eap_simaka_sql_provider_t object. + */ +struct private_eap_simaka_sql_provider_t { + + /** + * Public eap_simaka_sql_provider_t interface. + */ + eap_simaka_sql_provider_t public; + + /** + * Triplet/quintuplet database + */ + database_t *db; + + /** + * Remove used triplets/quintuplets from database + */ + bool remove_used; +}; + +METHOD(sim_provider_t, get_triplet, bool, + private_eap_simaka_sql_provider_t *this, identification_t *id, + char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]) +{ + chunk_t rand_chunk, sres_chunk, kc_chunk; + enumerator_t *query; + bool found = FALSE; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, + "select rand, sres, kc from triplets where id = ? order by use", + DB_TEXT, buf, DB_BLOB, DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &rand_chunk, &sres_chunk, &kc_chunk)) + { + if (rand_chunk.len == SIM_RAND_LEN && + sres_chunk.len == SIM_SRES_LEN && + kc_chunk.len == SIM_KC_LEN) + { + memcpy(rand, rand_chunk.ptr, SIM_RAND_LEN); + memcpy(sres, sres_chunk.ptr, SIM_SRES_LEN); + memcpy(kc, kc_chunk.ptr, SIM_KC_LEN); + found = TRUE; + } + } + query->destroy(query); + } + if (found) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from triplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update triplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + } + return found; +} + +METHOD(sim_provider_t, get_quintuplet, bool, + private_eap_simaka_sql_provider_t *this, identification_t *id, + char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, + char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]) +{ + chunk_t rand_chunk, xres_chunk, ck_chunk, ik_chunk, autn_chunk; + enumerator_t *query; + bool found = FALSE; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, "select rand, res, ck, ik, autn " + "from quintuplets where id = ? order by use", DB_TEXT, buf, + DB_BLOB, DB_BLOB, DB_BLOB, DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &rand_chunk, &xres_chunk, + &ck_chunk, &ik_chunk, &autn_chunk)) + { + if (rand_chunk.len == AKA_RAND_LEN && + xres_chunk.len <= AKA_RES_MAX && + ck_chunk.len == AKA_CK_LEN && + ik_chunk.len == AKA_IK_LEN && + autn_chunk.len == AKA_AUTN_LEN) + { + memcpy(rand, rand_chunk.ptr, AKA_RAND_LEN); + memcpy(xres, xres_chunk.ptr, xres_chunk.len); + *xres_len = xres_chunk.len; + memcpy(ck, ck_chunk.ptr, AKA_CK_LEN); + memcpy(ik, ik_chunk.ptr, AKA_IK_LEN); + memcpy(autn, autn_chunk.ptr, AKA_AUTN_LEN); + found = TRUE; + } + } + query->destroy(query); + } + if (found) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from quintuplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update quintuplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, AKA_RAND_LEN)); + } + } + return found; +} + +METHOD(eap_simaka_sql_provider_t, destroy, void, + private_eap_simaka_sql_provider_t *this) +{ + free(this); +} + +/** + * See header + */ +eap_simaka_sql_provider_t *eap_simaka_sql_provider_create(database_t *db, + bool remove_used) +{ + private_eap_simaka_sql_provider_t *this; + + INIT(this, + .public = { + .provider = { + .get_triplet = _get_triplet, + .get_quintuplet = _get_quintuplet, + .resync = (void*)return_false, + .is_pseudonym = (void*)return_null, + .gen_pseudonym = (void*)return_null, + .is_reauth = (void*)return_null, + .gen_reauth = (void*)return_null, + }, + .destroy = _destroy, + }, + .db = db, + .remove_used = remove_used, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h new file mode 100644 index 000000000..ecb0c8cb0 --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_simaka_sql_provider eap_simaka_sql_provider + * @{ @ingroup eap_simaka_sql + */ + +#ifndef EAP_SIMAKA_SQL_PROVIDER_H_ +#define EAP_SIMAKA_SQL_PROVIDER_H_ + +#include <database/database.h> +#include <sa/authenticators/eap/sim_manager.h> + +typedef struct eap_simaka_sql_provider_t eap_simaka_sql_provider_t; + +/** + * SIM provider implementation using a triplet/quintuplet database backend. + */ +struct eap_simaka_sql_provider_t { + + /** + * Implements sim_provider_t interface + */ + sim_provider_t provider; + + /** + * Destroy a eap_simaka_sql_provider_t. + */ + void (*destroy)(eap_simaka_sql_provider_t *this); +}; + +/** + * Create a eap_simaka_sql_provider instance. + * + * @param db triplet/quintuplet database + * @param remove_used TRUE to remove used triplets/quintuplets from db + */ +eap_simaka_sql_provider_t *eap_simaka_sql_provider_create(database_t *db, + bool remove_used); + +#endif /** EAP_SIMAKA_SQL_PROVIDER_H_ @}*/ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 20ac77080..47952b99e 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c index 29e64e32d..20bb44fd3 100644 --- a/src/libcharon/plugins/farp/farp_spoofer.c +++ b/src/libcharon/plugins/farp/farp_spoofer.c @@ -156,8 +156,8 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener) BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3), BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 28, 0, 1), - BPF_STMT(BPF_RET+BPF_A, 0), + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, sizeof(arp_t), 0, 1), + BPF_STMT(BPF_RET+BPF_K, sizeof(arp_t)), BPF_STMT(BPF_RET+BPF_K, 0), }; struct sock_fprog arp_request_filter = { diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am index 74fe1f4c7..0df1b8d91 100644 --- a/src/libcharon/plugins/ha/Makefile.am +++ b/src/libcharon/plugins/ha/Makefile.am @@ -17,9 +17,11 @@ libstrongswan_ha_la_SOURCES = \ ha_tunnel.h ha_tunnel.c \ ha_dispatcher.h ha_dispatcher.c \ ha_segments.h ha_segments.c \ + ha_cache.h ha_cache.c \ ha_kernel.h ha_kernel.c \ ha_ctl.h ha_ctl.c \ ha_ike.h ha_ike.c \ - ha_child.h ha_child.c + ha_child.h ha_child.c \ + ha_attribute.h ha_attribute.c libstrongswan_ha_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index c60d3bf56..5ca9b464b 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -76,7 +76,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_ha_la_LIBADD = am_libstrongswan_ha_la_OBJECTS = ha_plugin.lo ha_message.lo \ ha_socket.lo ha_tunnel.lo ha_dispatcher.lo ha_segments.lo \ - ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo + ha_cache.lo ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo \ + ha_attribute.lo libstrongswan_ha_la_OBJECTS = $(am_libstrongswan_ha_la_OBJECTS) libstrongswan_ha_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ @@ -269,10 +270,12 @@ libstrongswan_ha_la_SOURCES = \ ha_tunnel.h ha_tunnel.c \ ha_dispatcher.h ha_dispatcher.c \ ha_segments.h ha_segments.c \ + ha_cache.h ha_cache.c \ ha_kernel.h ha_kernel.c \ ha_ctl.h ha_ctl.c \ ha_ike.h ha_ike.c \ - ha_child.h ha_child.c + ha_child.h ha_child.c \ + ha_attribute.h ha_attribute.c libstrongswan_ha_la_LDFLAGS = -module -avoid-version all: all-am @@ -358,6 +361,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_attribute.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_child.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_ctl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_dispatcher.Plo@am__quote@ diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c new file mode 100644 index 000000000..b08abe1a9 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_attribute.c @@ -0,0 +1,364 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ha_attribute.h" + +#include <utils/linked_list.h> +#include <threading/mutex.h> + +typedef struct private_ha_attribute_t private_ha_attribute_t; + +/** + * Private data of an ha_attribute_t object. + */ +struct private_ha_attribute_t { + + /** + * Public ha_attribute_t interface. + */ + ha_attribute_t public; + + /** + * List of pools, pool_t + */ + linked_list_t *pools; + + /** + * Mutex to lock mask + */ + mutex_t *mutex; + + /** + * Kernel helper + */ + ha_kernel_t *kernel; + + /** + * Segment responsibility + */ + ha_segments_t *segments; +}; + +/** + * In-memory pool. + */ +typedef struct { + /** name of the pool */ + char *name; + /** base address of pool */ + host_t *base; + /** total number of addresses in this pool */ + int size; + /** bitmask for address usage */ + u_char *mask; +} pool_t; + +/** + * Clean up a pool entry + */ +static void pool_destroy(pool_t *pool) +{ + pool->base->destroy(pool->base); + free(pool->name); + free(pool->mask); + free(pool); +} + +/** + * convert a pool offset to an address + */ +static host_t* offset2host(pool_t *pool, int offset) +{ + chunk_t addr; + host_t *host; + u_int32_t *pos; + + if (offset > pool->size) + { + return NULL; + } + + addr = chunk_clone(pool->base->get_address(pool->base)); + if (pool->base->get_family(pool->base) == AF_INET6) + { + pos = (u_int32_t*)(addr.ptr + 12); + } + else + { + pos = (u_int32_t*)addr.ptr; + } + *pos = htonl(offset + ntohl(*pos)); + host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0); + free(addr.ptr); + return host; +} + +/** + * convert a host to a pool offset + */ +static int host2offset(pool_t *pool, host_t *addr) +{ + chunk_t host, base; + u_int32_t hosti, basei; + + if (addr->get_family(addr) != pool->base->get_family(pool->base)) + { + return -1; + } + host = addr->get_address(addr); + base = pool->base->get_address(pool->base); + if (addr->get_family(addr) == AF_INET6) + { + /* only look at last /32 block */ + if (!memeq(host.ptr, base.ptr, 12)) + { + return -1; + } + host = chunk_skip(host, 12); + base = chunk_skip(base, 12); + } + hosti = ntohl(*(u_int32_t*)(host.ptr)); + basei = ntohl(*(u_int32_t*)(base.ptr)); + if (hosti > basei + pool->size) + { + return -1; + } + return hosti - basei; +} + +/** + * Find a pool by its name + */ +static pool_t* get_pool(private_ha_attribute_t *this, char *name) +{ + enumerator_t *enumerator; + pool_t *pool, *found = NULL; + + enumerator = this->pools->create_enumerator(this->pools); + while (enumerator->enumerate(enumerator, &pool)) + { + if (streq(name, pool->name)) + { + found = pool; + } + } + enumerator->destroy(enumerator); + return found; +} + +/** + * Check if we are responsible for a bit in our bitmask + */ +static bool responsible_for(private_ha_attribute_t *this, int bit) +{ + u_int segment; + + segment = this->kernel->get_segment_int(this->kernel, bit); + return this->segments->is_active(this->segments, segment); +} + +METHOD(attribute_provider_t, acquire_address, host_t*, + private_ha_attribute_t *this, char *name, identification_t *id, + host_t *requested) +{ + pool_t *pool; + int offset = -1, byte, bit; + host_t *address; + + this->mutex->lock(this->mutex); + pool = get_pool(this, name); + if (pool) + { + for (byte = 0; byte < pool->size / 8; byte++) + { + if (pool->mask[byte] != 0xFF) + { + for (bit = 0; bit < 8; bit++) + { + if (!(pool->mask[byte] & 1 << bit) && + responsible_for(this, bit)) + { + offset = byte * 8 + bit; + pool->mask[byte] |= 1 << bit; + break; + } + } + } + if (offset != -1) + { + break; + } + } + if (offset == -1) + { + DBG1(DBG_CFG, "no address left in HA pool '%s' belonging to" + "a responsible segment", name); + } + } + this->mutex->unlock(this->mutex); + if (offset != -1) + { + address = offset2host(pool, offset); + DBG1(DBG_CFG, "acquired address %H from HA pool '%s'", address, name); + return address; + } + return NULL; +} + +METHOD(attribute_provider_t, release_address, bool, + private_ha_attribute_t *this, char *name, host_t *address, + identification_t *id) +{ + pool_t *pool; + int offset; + bool found = FALSE; + + this->mutex->lock(this->mutex); + pool = get_pool(this, name); + if (pool) + { + offset = host2offset(pool, address); + if (offset > 0 && offset < pool->size) + { + pool->mask[offset / 8] &= ~(1 << (offset % 8)); + DBG1(DBG_CFG, "released address %H to HA pool '%s'", address, name); + found = TRUE; + } + } + this->mutex->unlock(this->mutex); + return found; +} + +METHOD(ha_attribute_t, reserve, void, + private_ha_attribute_t *this, char *name, host_t *address) +{ + pool_t *pool; + int offset; + + this->mutex->lock(this->mutex); + pool = get_pool(this, name); + if (pool) + { + offset = host2offset(pool, address); + if (offset > 0 && offset < pool->size) + { + pool->mask[offset / 8] |= 1 << (offset % 8); + DBG1(DBG_CFG, "reserved address %H in HA pool '%s'", address, name); + } + } + this->mutex->unlock(this->mutex); +} + +METHOD(ha_attribute_t, destroy, void, + private_ha_attribute_t *this) +{ + this->pools->destroy_function(this->pools, (void*)pool_destroy); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * Load the configured pools. + */ +static void load_pools(private_ha_attribute_t *this) +{ + enumerator_t *enumerator; + char *name, *net, *bits; + host_t *base; + int mask, maxbits; + pool_t *pool; + + enumerator = lib->settings->create_key_value_enumerator(lib->settings, + "charon.plugins.ha.pools"); + while (enumerator->enumerate(enumerator, &name, &net)) + { + net = strdup(net); + bits = strchr(net, '/'); + if (!bits) + { + DBG1(DBG_CFG, "invalid HA pool '%s' subnet, skipped", name); + free(net); + continue; + } + *bits++ = '\0'; + + base = host_create_from_string(net, 0); + mask = atoi(bits); + free(net); + if (!base || !mask) + { + DESTROY_IF(base); + DBG1(DBG_CFG, "invalid HA pool '%s', skipped", name); + continue; + } + maxbits = base->get_family(base) == AF_INET ? 32 : 128; + mask = maxbits - mask; + if (mask > 24) + { + mask = 24; + DBG1(DBG_CFG, "size of HA pool '%s' limited to /%d", + name, maxbits - mask); + } + if (mask < 3) + { + DBG1(DBG_CFG, "HA pool '%s' too small, skipped", name); + base->destroy(base); + continue; + } + + INIT(pool, + .name = strdup(name), + .base = base, + .size = (1 << mask), + ); + pool->mask = calloc(pool->size / 8, 1); + /* do not use first/last address of pool */ + pool->mask[0] |= 0x01; + pool->mask[pool->size / 8 - 1] |= 0x80; + + DBG1(DBG_CFG, "loaded HA pool '%s' %H/%d (%d addresses)", + pool->name, pool->base, maxbits - mask, pool->size - 2); + this->pools->insert_last(this->pools, pool); + } + enumerator->destroy(enumerator); +} + +/** + * See header + */ +ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments) +{ + private_ha_attribute_t *this; + + INIT(this, + .public = { + .provider = { + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_attribute_enumerator = enumerator_create_empty, + }, + .reserve = _reserve, + .destroy = _destroy, + }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .pools = linked_list_create(), + .kernel = kernel, + .segments = segments, + ); + + load_pools(this); + + return &this->public; +} diff --git a/src/libcharon/plugins/ha/ha_attribute.h b/src/libcharon/plugins/ha/ha_attribute.h new file mode 100644 index 000000000..d1e4f5e89 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_attribute.h @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ha_attribute ha_attribute + * @{ @ingroup ha + */ + +#ifndef HA_ATTRIBUTE_H_ +#define HA_ATTRIBUTE_H_ + +#include "ha_kernel.h" +#include "ha_segments.h" + +#include <attributes/attribute_provider.h> + +typedef struct ha_attribute_t ha_attribute_t; + +/** + * A HA enabled in memory address pool attribute provider. + */ +struct ha_attribute_t { + + /** + * Implements attribute provider interface. + */ + attribute_provider_t provider; + + /** + * Reserve an address for a passive IKE_SA. + * + * @param name pool name to reserve address in + * @param address address to reserve + */ + void (*reserve)(ha_attribute_t *this, char *name, host_t *address); + + /** + * Destroy a ha_attribute_t. + */ + void (*destroy)(ha_attribute_t *this); +}; + +/** + * Create a ha_attribute instance. + */ +ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments); + +#endif /** HA_ATTRIBUTE_H_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c new file mode 100644 index 000000000..1ebc33ca4 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_cache.c @@ -0,0 +1,362 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ha_cache.h" + +#include <utils/hashtable.h> +#include <utils/linked_list.h> +#include <threading/mutex.h> +#include <processing/jobs/callback_job.h> + +typedef struct private_ha_cache_t private_ha_cache_t; + +/** + * Private data of an ha_cache_t object. + */ +struct private_ha_cache_t { + + /** + * Public ha_cache_t interface. + */ + ha_cache_t public; + + /** + * Kernel helper functions + */ + ha_kernel_t *kernel; + + /** + * Socket to send sync messages over + */ + ha_socket_t *socket; + + /** + * Total number of segments + */ + u_int count; + + /** + * cached entries (ike_sa_t, entry_t) + */ + hashtable_t *cache; + + /** + * Mutex to lock cache + */ + mutex_t *mutex; +}; + +/** + * Hashtable hash function + */ +static u_int hash(void *key) +{ + return (uintptr_t)key; +} + +/** + * Hashtable equals function + */ +static bool equals(void *a, void *b) +{ + return a == b; +} + +/** + * Cache entry for an IKE_SA + */ +typedef struct { + /* segment this entry is associate to */ + u_int segment; + /* ADD message */ + ha_message_t *add; + /* list of updates UPDATE message */ + linked_list_t *updates; + /* last initiator mid */ + ha_message_t *midi; + /* last responder mid */ + ha_message_t *midr; +} entry_t; + +/** + * Create a entry with an add message + */ +static entry_t *entry_create(ha_message_t *add) +{ + entry_t *entry; + + INIT(entry, + .add = add, + .updates = linked_list_create(), + ); + return entry; +} + +/** + * clean up a entry + */ +static void entry_destroy(entry_t *entry) +{ + entry->updates->destroy_offset(entry->updates, + offsetof(ha_message_t, destroy)); + entry->add->destroy(entry->add); + DESTROY_IF(entry->midi); + DESTROY_IF(entry->midr); + free(entry); +} + +METHOD(ha_cache_t, cache, void, + private_ha_cache_t *this, ike_sa_t *ike_sa, ha_message_t *message) +{ + entry_t *entry; + + this->mutex->lock(this->mutex); + switch (message->get_type(message)) + { + case HA_IKE_ADD: + entry = entry_create(message); + entry = this->cache->put(this->cache, ike_sa, entry); + if (entry) + { + entry_destroy(entry); + } + break; + case HA_IKE_UPDATE: + entry = this->cache->get(this->cache, ike_sa); + if (entry) + { + entry->segment = this->kernel->get_segment(this->kernel, + ike_sa->get_other_host(ike_sa)); + entry->updates->insert_last(entry->updates, message); + break; + } + message->destroy(message); + break; + case HA_IKE_MID_INITIATOR: + entry = this->cache->get(this->cache, ike_sa); + if (entry) + { + DESTROY_IF(entry->midi); + entry->midi = message; + break; + } + message->destroy(message); + break; + case HA_IKE_MID_RESPONDER: + entry = this->cache->get(this->cache, ike_sa); + if (entry) + { + DESTROY_IF(entry->midr); + entry->midr = message; + break; + } + message->destroy(message); + break; + case HA_IKE_DELETE: + entry = this->cache->remove(this->cache, ike_sa); + if (entry) + { + entry_destroy(entry); + } + message->destroy(message); + break; + default: + message->destroy(message); + break; + } + this->mutex->unlock(this->mutex); +} + +METHOD(ha_cache_t, delete_, void, + private_ha_cache_t *this, ike_sa_t *ike_sa) +{ + entry_t *entry; + + entry = this->cache->remove(this->cache, ike_sa); + if (entry) + { + entry_destroy(entry); + } +} + +/** + * Rekey all children of an IKE_SA + */ +static status_t rekey_children(ike_sa_t *ike_sa) +{ + iterator_t *iterator; + child_sa_t *child_sa; + status_t status = SUCCESS; + + iterator = ike_sa->create_child_sa_iterator(ike_sa); + while (iterator->iterate(iterator, (void**)&child_sa)) + { + DBG1(DBG_CFG, "resyncing CHILD_SA"); + status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa), + child_sa->get_spi(child_sa, TRUE)); + if (status == DESTROY_ME) + { + break; + } + } + iterator->destroy(iterator); + return status; +} + +/** + * Trigger rekeying of CHILD_SA in segment + */ +static void rekey_segment(private_ha_cache_t *this, u_int segment) +{ + ike_sa_t *ike_sa; + enumerator_t *enumerator; + linked_list_t *list; + ike_sa_id_t *id; + + list = linked_list_create(); + + enumerator = charon->ike_sa_manager->create_enumerator( + charon->ike_sa_manager); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && + this->kernel->get_segment(this->kernel, + ike_sa->get_other_host(ike_sa)) == segment) + { + id = ike_sa->get_id(ike_sa); + list->insert_last(list, id->clone(id)); + } + } + enumerator->destroy(enumerator); + + while (list->remove_last(list, (void**)&id) == SUCCESS) + { + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id); + if (ike_sa) + { + if (rekey_children(ike_sa) != DESTROY_ME) + { + charon->ike_sa_manager->checkin( + charon->ike_sa_manager, ike_sa); + } + else + { + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + } + id->destroy(id); + } + list->destroy(list); +} + +METHOD(ha_cache_t, resync, void, + private_ha_cache_t *this, u_int segment) +{ + enumerator_t *enumerator, *updates; + ike_sa_t *ike_sa; + entry_t *entry; + ha_message_t *message; + + DBG1(DBG_CFG, "resyncing HA segment %d", segment); + + this->mutex->lock(this->mutex); + enumerator = this->cache->create_enumerator(this->cache); + while (enumerator->enumerate(enumerator, &ike_sa, &entry)) + { + if (entry->segment == segment) + { + this->socket->push(this->socket, entry->add); + updates = entry->updates->create_enumerator(entry->updates); + while (updates->enumerate(updates, &message)) + { + this->socket->push(this->socket, message); + } + updates->destroy(updates); + if (entry->midi) + { + this->socket->push(this->socket, entry->midi); + } + if (entry->midr) + { + this->socket->push(this->socket, entry->midr); + } + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + rekey_segment(this, segment); +} + +/** + * Request a resync of all segments + */ +static job_requeue_t request_resync(private_ha_cache_t *this) +{ + ha_message_t *message; + int i; + + DBG1(DBG_CFG, "requesting HA resynchronization"); + + message = ha_message_create(HA_RESYNC); + for (i = 1; i <= this->count; i++) + { + message->add_attribute(message, HA_SEGMENT, i); + } + this->socket->push(this->socket, message); + message->destroy(message); + return JOB_REQUEUE_NONE; +} + +METHOD(ha_cache_t, destroy, void, + private_ha_cache_t *this) +{ + this->cache->destroy(this->cache); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, + bool sync, u_int count) +{ + private_ha_cache_t *this; + + INIT(this, + .public = { + .cache = _cache, + .delete = _delete_, + .resync = _resync, + .destroy = _destroy, + }, + .count = count, + .kernel = kernel, + .socket = socket, + .cache = hashtable_create(hash, equals, 8), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + if (sync) + { + /* request a resync as soon as we are up */ + charon->scheduler->schedule_job(charon->scheduler, (job_t*) + callback_job_create((callback_job_cb_t)request_resync, + this, NULL, NULL), 1); + } + return &this->public; +} diff --git a/src/libcharon/plugins/ha/ha_cache.h b/src/libcharon/plugins/ha/ha_cache.h new file mode 100644 index 000000000..39f1947a8 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_cache.h @@ -0,0 +1,78 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ha_cache ha_cache + * @{ @ingroup ha + */ + +#ifndef HA_CACHE_H_ +#define HA_CACHE_H_ + +typedef struct ha_cache_t ha_cache_t; + +#include "ha_message.h" +#include "ha_kernel.h" +#include "ha_socket.h" + +#include <utils/enumerator.h> + +#include <sa/ike_sa.h> + +/** + * HA message caching facility, allows reintegration of new nodes. + */ +struct ha_cache_t { + + /** + * Cache an IKE specific message. + * + * @param ike_sa associated IKE_SA + * @param message message to cache + */ + void (*cache)(ha_cache_t *this, ike_sa_t *ike_sa, ha_message_t *message); + + /** + * Delete a cache entry for an IKE_SA. + * + * @param ike_sa cache entry to delete + */ + void (*delete)(ha_cache_t *this, ike_sa_t *ike_sa); + + /** + * Resync a segment to the node using the cached messages. + * + * @param segment segment to resync + */ + void (*resync)(ha_cache_t *this, u_int segment); + + /** + * Destroy a ha_cache_t. + */ + void (*destroy)(ha_cache_t *this); +}; + +/** + * Create a ha_cache instance. + * + * @param kernel kernel helper + * @param socket socket to send resync messages + * @param resync request a resync during startup? + * @param count total number of segments + */ +ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, + bool resync, u_int count); + +#endif /** HA_CACHE_H_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c index 2eb8e27f6..1a9425423 100644 --- a/src/libcharon/plugins/ha/ha_child.c +++ b/src/libcharon/plugins/ha/ha_child.c @@ -36,22 +36,30 @@ struct private_ha_child_t { * tunnel securing sync messages */ ha_tunnel_t *tunnel; + + /** + * Segment handling + */ + ha_segments_t *segments; + + /** + * Kernel helper + */ + ha_kernel_t *kernel; }; -/** - * Implementation of listener_t.child_keys - */ -static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa, - child_sa_t *child_sa, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r) +METHOD(listener_t, child_keys, bool, + private_ha_child_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool initiator, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r) { ha_message_t *m; chunk_t secret; proposal_t *proposal; u_int16_t alg, len; - linked_list_t *list; + linked_list_t *local_ts, *remote_ts; enumerator_t *enumerator; traffic_selector_t *ts; + u_int seg_i, seg_o; if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa)) { /* do not sync SA between nodes */ @@ -61,6 +69,7 @@ static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa, m = ha_message_create(HA_CHILD_ADD); m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); + m->add_attribute(m, HA_INITIATOR, (u_int8_t)initiator); m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE)); m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE)); m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE)); @@ -90,31 +99,40 @@ static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa, chunk_clear(&secret); } - list = child_sa->get_traffic_selectors(child_sa, TRUE); - enumerator = list->create_enumerator(list); + local_ts = child_sa->get_traffic_selectors(child_sa, TRUE); + enumerator = local_ts->create_enumerator(local_ts); while (enumerator->enumerate(enumerator, &ts)) { m->add_attribute(m, HA_LOCAL_TS, ts); } enumerator->destroy(enumerator); - list = child_sa->get_traffic_selectors(child_sa, FALSE); - enumerator = list->create_enumerator(list); + remote_ts = child_sa->get_traffic_selectors(child_sa, FALSE); + enumerator = remote_ts->create_enumerator(remote_ts); while (enumerator->enumerate(enumerator, &ts)) { m->add_attribute(m, HA_REMOTE_TS, ts); } enumerator->destroy(enumerator); + seg_i = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE)); + seg_o = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE)); + DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R " + "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), + child_sa->get_reqid(child_sa), local_ts, remote_ts, + seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", + seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); + this->socket->push(this->socket, m); + m->destroy(m); return TRUE; } -/** - * Implementation of listener_t.child_state_change - */ -static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa, - child_sa_t *child_sa, child_sa_state_t state) +METHOD(listener_t, child_state_change, bool, + private_ha_child_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa, child_sa_state_t state) { if (!ike_sa || ike_sa->get_state(ike_sa) == IKE_PASSIVE || @@ -138,14 +156,13 @@ static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa, m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE)); this->socket->push(this->socket, m); + m->destroy(m); } return TRUE; } -/** - * Implementation of ha_child_t.destroy. - */ -static void destroy(private_ha_child_t *this) +METHOD(ha_child_t, destroy, void, + private_ha_child_t *this) { free(this); } @@ -153,17 +170,24 @@ static void destroy(private_ha_child_t *this) /** * See header */ -ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel) +ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_segments_t *segments, ha_kernel_t *kernel) { - private_ha_child_t *this = malloc_thing(private_ha_child_t); - - memset(&this->public.listener, 0, sizeof(listener_t)); - this->public.listener.child_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys; - this->public.listener.child_state_change = (bool(*)(listener_t*,ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state))child_state_change; - this->public.destroy = (void(*)(ha_child_t*))destroy; - - this->socket = socket; - this->tunnel = tunnel; + private_ha_child_t *this; + + INIT(this, + .public = { + .listener = { + .child_keys = _child_keys, + .child_state_change = _child_state_change, + }, + .destroy = _destroy, + }, + .socket = socket, + .tunnel = tunnel, + .segments = segments, + .kernel = kernel, + ); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_child.h b/src/libcharon/plugins/ha/ha_child.h index ea83495f7..56cd769ba 100644 --- a/src/libcharon/plugins/ha/ha_child.h +++ b/src/libcharon/plugins/ha/ha_child.h @@ -21,14 +21,15 @@ #ifndef HA_CHILD_H_ #define HA_CHILD_H_ +typedef struct ha_child_t ha_child_t; + #include "ha_socket.h" #include "ha_tunnel.h" #include "ha_segments.h" +#include "ha_kernel.h" #include <daemon.h> -typedef struct ha_child_t ha_child_t; - /** * Listener to synchronize CHILD_SAs. */ @@ -50,8 +51,11 @@ struct ha_child_t { * * @param socket socket to use for sending synchronization messages * @param tunnel tunnel securing sync messages, if any + * @param segments segment handling + * @param kernel kernel helper * @return CHILD listener */ -ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel); +ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_segments_t *segments, ha_kernel_t *kernel); -#endif /* HA_CHILD_ @}*/ +#endif /** HA_CHILD_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index 441d26d9e..e188a8484 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c @@ -45,6 +45,11 @@ struct private_ha_ctl_t { ha_segments_t *segments; /** + * Resynchronization message cache + */ + ha_cache_t *cache; + + /** * FIFO reader thread */ callback_job_t *job; @@ -84,7 +89,7 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) this->segments->deactivate(this->segments, segment, TRUE); break; case '*': - this->segments->resync(this->segments, segment); + this->cache->resync(this->cache, segment); break; default: break; @@ -96,10 +101,8 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) return JOB_REQUEUE_DIRECT; } -/** - * Implementation of ha_ctl_t.destroy. - */ -static void destroy(private_ha_ctl_t *this) +METHOD(ha_ctl_t, destroy, void, + private_ha_ctl_t *this) { this->job->cancel(this->job); free(this); @@ -108,11 +111,17 @@ static void destroy(private_ha_ctl_t *this) /** * See header */ -ha_ctl_t *ha_ctl_create(ha_segments_t *segments) +ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) { - private_ha_ctl_t *this = malloc_thing(private_ha_ctl_t); + private_ha_ctl_t *this; - this->public.destroy = (void(*)(ha_ctl_t*))destroy; + INIT(this, + .public = { + .destroy = _destroy, + }, + .segments = segments, + .cache = cache, + ); if (access(HA_FIFO, R_OK|W_OK) != 0) { @@ -123,7 +132,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments) } } - this->segments = segments; this->job = callback_job_create((callback_job_cb_t)dispatch_fifo, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/libcharon/plugins/ha/ha_ctl.h b/src/libcharon/plugins/ha/ha_ctl.h index f33a809be..1e717832a 100644 --- a/src/libcharon/plugins/ha/ha_ctl.h +++ b/src/libcharon/plugins/ha/ha_ctl.h @@ -22,6 +22,7 @@ #define HA_CTL_H_ #include "ha_segments.h" +#include "ha_cache.h" typedef struct ha_ctl_t ha_ctl_t; @@ -40,8 +41,9 @@ struct ha_ctl_t { * Create a ha_ctl instance. * * @param segments segments to control + * @param cache message cache for resynchronization * @return HA control interface */ -ha_ctl_t *ha_ctl_create(ha_segments_t *segments); +ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache); -#endif /* HA_CTL_ @}*/ +#endif /** HA_CTL_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 7df2f1fa8..3bc426ea0 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -41,6 +41,21 @@ struct private_ha_dispatcher_t { ha_segments_t *segments; /** + * Cache for resync + */ + ha_cache_t *cache; + + /** + * Kernel helper + */ + ha_kernel_t *kernel; + + /** + * HA enabled pool + */ + ha_attribute_t *attr; + + /** * Dispatcher job */ callback_job_t *job; @@ -153,6 +168,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message old_sa = NULL; } ike_sa->set_state(ike_sa, IKE_CONNECTING); + this->cache->cache(this->cache, ike_sa, message); + message = NULL; charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } else @@ -167,6 +184,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message { charon->ike_sa_manager->checkin(charon->ike_sa_manager, old_sa); } + DESTROY_IF(message); } /** @@ -201,6 +219,8 @@ static void process_ike_update(private_ha_dispatcher_t *this, enumerator_t *enumerator; ike_sa_t *ike_sa = NULL; peer_cfg_t *peer_cfg = NULL; + auth_cfg_t *auth; + bool received_vip = FALSE; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) @@ -222,6 +242,11 @@ static void process_ike_update(private_ha_dispatcher_t *this, case HA_REMOTE_ID: ike_sa->set_other_id(ike_sa, value.id->clone(value.id)); break; + case HA_REMOTE_EAP_ID: + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_EAP_IDENTITY, value.id->clone(value.id)); + ike_sa->add_auth_cfg(ike_sa, FALSE, auth); + break; case HA_LOCAL_ADDR: ike_sa->set_my_host(ike_sa, value.host->clone(value.host)); break; @@ -233,6 +258,7 @@ static void process_ike_update(private_ha_dispatcher_t *this, break; case HA_REMOTE_VIP: ike_sa->set_virtual_ip(ike_sa, FALSE, value.host); + received_vip = TRUE; break; case HA_ADDITIONAL_ADDR: ike_sa->add_additional_address(ike_sa, @@ -265,12 +291,6 @@ static void process_ike_update(private_ha_dispatcher_t *this, set_condition(ike_sa, value.u32, COND_CERTREQ_SEEN); set_condition(ike_sa, value.u32, COND_ORIGINAL_INITIATOR); break; - case HA_INITIATE_MID: - ike_sa->set_message_id(ike_sa, TRUE, value.u32); - break; - case HA_RESPOND_MID: - ike_sa->set_message_id(ike_sa, FALSE, value.u32); - break; default: break; } @@ -282,10 +302,81 @@ static void process_ike_update(private_ha_dispatcher_t *this, if (ike_sa->get_state(ike_sa) == IKE_CONNECTING && ike_sa->get_peer_cfg(ike_sa)) { + DBG1(DBG_CFG, "installed HA passive IKE_SA '%s' %H[%Y]...%H[%Y]", + ike_sa->get_name(ike_sa), + ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa), + ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa)); ike_sa->set_state(ike_sa, IKE_PASSIVE); } + if (received_vip) + { + host_t *vip; + char *pool; + + peer_cfg = ike_sa->get_peer_cfg(ike_sa); + vip = ike_sa->get_virtual_ip(ike_sa, FALSE); + if (peer_cfg && vip) + { + pool = peer_cfg->get_pool(peer_cfg); + if (pool) + { + this->attr->reserve(this->attr, pool, vip); + } + } + } + this->cache->cache(this->cache, ike_sa, message); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } + else + { + DBG1(DBG_CFG, "passive HA IKE_SA to update not found"); + message->destroy(message); + } +} + +/** + * Process messages of type IKE_MID_INITIATOR/RESPONDER + */ +static void process_ike_mid(private_ha_dispatcher_t *this, + ha_message_t *message, bool initiator) +{ + ha_message_attribute_t attribute; + ha_message_value_t value; + enumerator_t *enumerator; + ike_sa_t *ike_sa = NULL; + u_int32_t mid = 0; + + enumerator = message->create_attribute_enumerator(message); + while (enumerator->enumerate(enumerator, &attribute, &value)) + { + switch (attribute) + { + case HA_IKE_ID: + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + value.ike_sa_id); + break; + case HA_MID: + mid = value.u32; + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (ike_sa) + { + if (mid) + { + ike_sa->set_message_id(ike_sa, initiator, mid); + } + this->cache->cache(this->cache, ike_sa, message); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + else + { + message->destroy(message); + } } /** @@ -297,7 +388,7 @@ static void process_ike_delete(private_ha_dispatcher_t *this, ha_message_attribute_t attribute; ha_message_value_t value; enumerator_t *enumerator; - ike_sa_t *ike_sa; + ike_sa_t *ike_sa = NULL; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) @@ -307,17 +398,22 @@ static void process_ike_delete(private_ha_dispatcher_t *this, case HA_IKE_ID: ike_sa = charon->ike_sa_manager->checkout( charon->ike_sa_manager, value.ike_sa_id); - if (ike_sa) - { - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, ike_sa); - } break; default: break; } } enumerator->destroy(enumerator); + if (ike_sa) + { + this->cache->cache(this->cache, ike_sa, message); + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + else + { + message->destroy(message); + } } /** @@ -366,6 +462,7 @@ static void process_child_add(private_ha_dispatcher_t *this, u_int16_t inbound_cpi = 0, outbound_cpi = 0; u_int8_t mode = MODE_TUNNEL, ipcomp = 0; u_int16_t encr = ENCR_UNDEFINED, integ = AUTH_UNDEFINED, len = 0; + u_int seg_i, seg_o; chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty; chunk_t encr_i, integ_i, encr_r, integ_r; linked_list_t *local_ts, *remote_ts; @@ -381,11 +478,13 @@ static void process_child_add(private_ha_dispatcher_t *this, case HA_IKE_ID: ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, value.ike_sa_id); - initiator = value.ike_sa_id->is_initiator(value.ike_sa_id); break; case HA_CONFIG_NAME: config_name = value.str; break; + case HA_INITIATOR: + initiator = value.u8; + break; case HA_INBOUND_SPI: inbound_spi = value.u32; break; @@ -431,6 +530,7 @@ static void process_child_add(private_ha_dispatcher_t *this, if (!ike_sa) { DBG1(DBG_CHD, "IKE_SA for HA CHILD_SA not found"); + message->destroy(message); return; } config = find_child_cfg(ike_sa, config_name); @@ -438,6 +538,7 @@ static void process_child_add(private_ha_dispatcher_t *this, { DBG1(DBG_CHD, "HA is missing nodes child configuration"); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + message->destroy(message); return; } @@ -524,15 +625,27 @@ static void process_child_add(private_ha_dispatcher_t *this, local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy)); remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy)); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + message->destroy(message); return; } + seg_i = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_my_host(ike_sa), inbound_spi); + seg_o = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_other_host(ike_sa), outbound_spi); + + DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R " + "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), + child_sa->get_reqid(child_sa), local_ts, remote_ts, + seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", + seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); child_sa->add_policies(child_sa, local_ts, remote_ts); local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy)); remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy)); child_sa->set_state(child_sa, CHILD_INSTALLED); ike_sa->add_child_sa(ike_sa, child_sa); + message->destroy(message); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } @@ -546,6 +659,8 @@ static void process_child_delete(private_ha_dispatcher_t *this, ha_message_value_t value; enumerator_t *enumerator; ike_sa_t *ike_sa = NULL; + child_sa_t *child_sa; + u_int32_t spi = 0; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) @@ -557,20 +672,24 @@ static void process_child_delete(private_ha_dispatcher_t *this, value.ike_sa_id); break; case HA_INBOUND_SPI: - if (ike_sa) - { - ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, value.u32); - } + spi = value.u32; break; default: break; } } + enumerator->destroy(enumerator); + if (ike_sa) { + child_sa = ike_sa->get_child_sa(ike_sa, PROTO_ESP, spi, TRUE); + if (child_sa) + { + ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, spi); + } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } - enumerator->destroy(enumerator); + message->destroy(message); } /** @@ -605,6 +724,7 @@ static void process_segment(private_ha_dispatcher_t *this, } } enumerator->destroy(enumerator); + message->destroy(message); } /** @@ -633,6 +753,7 @@ static void process_status(private_ha_dispatcher_t *this, enumerator->destroy(enumerator); this->segments->handle_status(this->segments, mask); + message->destroy(message); } /** @@ -651,13 +772,14 @@ static void process_resync(private_ha_dispatcher_t *this, switch (attribute) { case HA_SEGMENT: - this->segments->resync(this->segments, value.u16); + this->cache->resync(this->cache, value.u16); break; default: break; } } enumerator->destroy(enumerator); + message->destroy(message); } /** @@ -666,9 +788,16 @@ static void process_resync(private_ha_dispatcher_t *this, static job_requeue_t dispatch(private_ha_dispatcher_t *this) { ha_message_t *message; + ha_message_type_t type; message = this->socket->pull(this->socket); - switch (message->get_type(message)) + type = message->get_type(message); + if (type != HA_STATUS) + { + DBG2(DBG_CFG, "received HA %N message", ha_message_type_names, + message->get_type(message)); + } + switch (type) { case HA_IKE_ADD: process_ike_add(this, message); @@ -676,6 +805,12 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this) case HA_IKE_UPDATE: process_ike_update(this, message); break; + case HA_IKE_MID_INITIATOR: + process_ike_mid(this, message, TRUE); + break; + case HA_IKE_MID_RESPONDER: + process_ike_mid(this, message, FALSE); + break; case HA_IKE_DELETE: process_ike_delete(this, message); break; @@ -698,19 +833,15 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this) process_resync(this, message); break; default: - DBG1(DBG_CFG, "received unknown HA message type %d", - message->get_type(message)); + DBG1(DBG_CFG, "received unknown HA message type %d", type); + message->destroy(message); break; } - message->destroy(message); - return JOB_REQUEUE_DIRECT; } -/** - * Implementation of ha_dispatcher_t.destroy. - */ -static void destroy(private_ha_dispatcher_t *this) +METHOD(ha_dispatcher_t, destroy, void, + private_ha_dispatcher_t *this) { this->job->cancel(this->job); free(this); @@ -720,14 +851,22 @@ static void destroy(private_ha_dispatcher_t *this) * See header */ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket, - ha_segments_t *segments) + ha_segments_t *segments, ha_cache_t *cache, + ha_kernel_t *kernel, ha_attribute_t *attr) { - private_ha_dispatcher_t *this = malloc_thing(private_ha_dispatcher_t); - - this->public.destroy = (void(*)(ha_dispatcher_t*))destroy; - - this->socket = socket; - this->segments = segments; + private_ha_dispatcher_t *this; + + + INIT(this, + .public = { + .destroy = _destroy, + }, + .socket = socket, + .segments = segments, + .cache = cache, + .kernel = kernel, + .attr = attr, + ); this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/libcharon/plugins/ha/ha_dispatcher.h b/src/libcharon/plugins/ha/ha_dispatcher.h index d2baace3f..105a40473 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.h +++ b/src/libcharon/plugins/ha/ha_dispatcher.h @@ -23,6 +23,9 @@ #include "ha_socket.h" #include "ha_segments.h" +#include "ha_cache.h" +#include "ha_kernel.h" +#include "ha_attribute.h" typedef struct ha_dispatcher_t ha_dispatcher_t; @@ -42,9 +45,13 @@ struct ha_dispatcher_t { * * @param socket socket to pull messages from * @param segments segments to control based on received messages + * @param cache message cache to use for resynchronization + * @param kernel kernel helper + * @param attr HA enabled pool * @return dispatcher object */ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket, - ha_segments_t *segments); + ha_segments_t *segments, ha_cache_t *cache, + ha_kernel_t *kernel, ha_attribute_t *attr); -#endif /* HA_DISPATCHER_ @}*/ +#endif /** HA_DISPATCHER_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 1f025d0e5..1efba4e8f 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -36,6 +36,11 @@ struct private_ha_ike_t { * tunnel securing sync messages */ ha_tunnel_t *tunnel; + + /** + * message cache + */ + ha_cache_t *cache; }; /** @@ -62,12 +67,9 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext) return 0; } -/** - * Implementation of listener_t.ike_keys - */ -static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, - ike_sa_t *rekey) +METHOD(listener_t, ike_keys, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey) { ha_message_t *m; chunk_t secret; @@ -120,14 +122,13 @@ static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa, chunk_clear(&secret); this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); return TRUE; } -/** - * Implementation of listener_t.ike_updown - */ -static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) +METHOD(listener_t, ike_updown, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) { ha_message_t *m; @@ -147,6 +148,7 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) u_int32_t extension, condition; host_t *addr; ike_sa_id_t *id; + identification_t *eap_id; peer_cfg = ike_sa->get_peer_cfg(ike_sa); @@ -168,6 +170,11 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) m->add_attribute(m, HA_IKE_ID, id); m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa)); m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa)); + eap_id = ike_sa->get_other_eap_id(ike_sa); + if (!eap_id->equals(eap_id, ike_sa->get_other_id(ike_sa))) + { + m->add_attribute(m, HA_REMOTE_EAP_ID, eap_id); + } m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa)); m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa)); m->add_attribute(m, HA_CONDITIONS, condition); @@ -186,24 +193,31 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); } this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); return TRUE; } -/** - * Implementation of listener_t.ike_rekey - */ -static bool ike_rekey(private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new) +METHOD(listener_t, ike_rekey, bool, + private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new) { ike_updown(this, old, FALSE); ike_updown(this, new, TRUE); return TRUE; } -/** - * Implementation of listener_t.message - */ -static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa, - message_t *message, bool incoming) +METHOD(listener_t, ike_state_change, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new) +{ + /* delete any remaining cache entry if IKE_SA gets destroyed */ + if (new == IKE_DESTROYING) + { + this->cache->delete(this->cache, ike_sa); + } + return TRUE; +} + +METHOD(listener_t, message_hook, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming) { if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa)) { /* do not sync SA between nodes */ @@ -214,20 +228,19 @@ static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa, message->get_request(message)) { /* we sync on requests, but skip it on IKE_SA_INIT */ ha_message_t *m; - u_int32_t mid; - m = ha_message_create(HA_IKE_UPDATE); - m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); - mid = message->get_message_id(message) + 1; if (incoming) { - m->add_attribute(m, HA_RESPOND_MID, mid); + m = ha_message_create(HA_IKE_MID_RESPONDER); } else { - m->add_attribute(m, HA_INITIATE_MID, mid); + m = ha_message_create(HA_IKE_MID_INITIATOR); } + m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); + m->add_attribute(m, HA_MID, message->get_message_id(message) + 1); this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); } if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && message->get_exchange_type(message) == IKE_AUTH && @@ -245,15 +258,14 @@ static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa, m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); m->add_attribute(m, HA_REMOTE_VIP, vip); this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); } } return TRUE; } -/** - * Implementation of ha_ike_t.destroy. - */ -static void destroy(private_ha_ike_t *this) +METHOD(ha_ike_t, destroy, void, + private_ha_ike_t *this) { free(this); } @@ -261,19 +273,26 @@ static void destroy(private_ha_ike_t *this) /** * See header */ -ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel) +ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_cache_t *cache) { - private_ha_ike_t *this = malloc_thing(private_ha_ike_t); - - memset(&this->public.listener, 0, sizeof(listener_t)); - this->public.listener.ike_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh,chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys; - this->public.listener.ike_updown = (bool(*)(listener_t*,ike_sa_t *ike_sa, bool up))ike_updown; - this->public.listener.ike_rekey = (bool(*)(listener_t*,ike_sa_t *old, ike_sa_t *new))ike_rekey; - this->public.listener.message = (bool(*)(listener_t*, ike_sa_t *, message_t *,bool))message_hook; - this->public.destroy = (void(*)(ha_ike_t*))destroy; - - this->socket = socket; - this->tunnel = tunnel; + private_ha_ike_t *this; + + INIT(this, + .public = { + .listener = { + .ike_keys = _ike_keys, + .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, + .ike_state_change = _ike_state_change, + .message = _message_hook, + }, + .destroy = _destroy, + }, + .socket = socket, + .tunnel = tunnel, + .cache = cache, + ); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_ike.h b/src/libcharon/plugins/ha/ha_ike.h index 9de210e67..b22cd6250 100644 --- a/src/libcharon/plugins/ha/ha_ike.h +++ b/src/libcharon/plugins/ha/ha_ike.h @@ -21,14 +21,15 @@ #ifndef HA_IKE_H_ #define HA_IKE_H_ +typedef struct ha_ike_t ha_ike_t; + #include "ha_socket.h" #include "ha_tunnel.h" #include "ha_segments.h" +#include "ha_cache.h" #include <daemon.h> -typedef struct ha_ike_t ha_ike_t; - /** * Listener to synchronize IKE_SAs. */ @@ -50,8 +51,10 @@ struct ha_ike_t { * * @param socket socket to use for sending synchronization messages * @param tunnel tunnel securing sync messages, if any + * @param cache message cache * @return IKE listener */ -ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel); +ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_cache_t *cache); -#endif /* HA_IKE_ @}*/ +#endif /** HA_IKE_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c index 0ad9c22c3..10a63453a 100644 --- a/src/libcharon/plugins/ha/ha_kernel.c +++ b/src/libcharon/plugins/ha/ha_kernel.c @@ -52,24 +52,57 @@ struct private_ha_kernel_t { }; /** - * Implementation of ha_kernel_t.in_segment + * Segmentate a calculated hash */ -static bool in_segment(private_ha_kernel_t *this, host_t *host, u_int segment) +static u_int hash2segment(private_ha_kernel_t *this, u_int64_t hash) +{ + return ((hash * this->count) >> 32) + 1; +} + +/** + * Get a host as an integer for hashing + */ +static u_int32_t host2int(host_t *host) { if (host->get_family(host) == AF_INET) { - unsigned long hash; - u_int32_t addr; + return *(u_int32_t*)host->get_address(host).ptr; + } + return 0; +} - addr = *(u_int32_t*)host->get_address(host).ptr; - hash = jhash_1word(ntohl(addr), this->initval); +METHOD(ha_kernel_t, get_segment, u_int, + private_ha_kernel_t *this, host_t *host) +{ + unsigned long hash; + u_int32_t addr; - if ((((u_int64_t)hash * this->count) >> 32) + 1 == segment) - { - return TRUE; - } - } - return FALSE; + addr = host2int(host); + hash = jhash_1word(ntohl(addr), this->initval); + + return hash2segment(this, hash); +} + +METHOD(ha_kernel_t, get_segment_spi, u_int, + private_ha_kernel_t *this, host_t *host, u_int32_t spi) +{ + unsigned long hash; + u_int32_t addr; + + addr = host2int(host); + hash = jhash_2words(ntohl(addr), ntohl(spi), this->initval); + + return hash2segment(this, hash); +} + +METHOD(ha_kernel_t, get_segment_int, u_int, + private_ha_kernel_t *this, int n) +{ + unsigned long hash; + + hash = jhash_1word(ntohl(n), this->initval); + + return hash2segment(this, hash); } /** @@ -142,10 +175,8 @@ static segment_mask_t get_active(private_ha_kernel_t *this, char *file) return mask; } -/** - * Implementation of ha_kernel_t.activate - */ -static void activate(private_ha_kernel_t *this, u_int segment) +METHOD(ha_kernel_t, activate, void, + private_ha_kernel_t *this, u_int segment) { enumerator_t *enumerator; char *file; @@ -158,10 +189,8 @@ static void activate(private_ha_kernel_t *this, u_int segment) enumerator->destroy(enumerator); } -/** - * Implementation of ha_kernel_t.deactivate - */ -static void deactivate(private_ha_kernel_t *this, u_int segment) +METHOD(ha_kernel_t, deactivate, void, + private_ha_kernel_t *this, u_int segment) { enumerator_t *enumerator; char *file; @@ -199,10 +228,8 @@ static void disable_all(private_ha_kernel_t *this) enumerator->destroy(enumerator); } -/** - * Implementation of ha_kernel_t.destroy. - */ -static void destroy(private_ha_kernel_t *this) +METHOD(ha_kernel_t, destroy, void, + private_ha_kernel_t *this) { free(this); } @@ -212,15 +239,20 @@ static void destroy(private_ha_kernel_t *this) */ ha_kernel_t *ha_kernel_create(u_int count) { - private_ha_kernel_t *this = malloc_thing(private_ha_kernel_t); - - this->public.in_segment = (bool(*)(ha_kernel_t*, host_t *host, u_int segment))in_segment; - this->public.activate = (void(*)(ha_kernel_t*, u_int segment))activate; - this->public.deactivate = (void(*)(ha_kernel_t*, u_int segment))deactivate; - this->public.destroy = (void(*)(ha_kernel_t*))destroy; + private_ha_kernel_t *this; - this->initval = 0; - this->count = count; + INIT(this, + .public = { + .get_segment = _get_segment, + .get_segment_spi = _get_segment_spi, + .get_segment_int = _get_segment_int, + .activate = _activate, + .deactivate = _deactivate, + .destroy = _destroy, + }, + .initval = 0, + .count = count, + ); disable_all(this); diff --git a/src/libcharon/plugins/ha/ha_kernel.h b/src/libcharon/plugins/ha/ha_kernel.h index b37cc7667..7b56f1e3a 100644 --- a/src/libcharon/plugins/ha/ha_kernel.h +++ b/src/libcharon/plugins/ha/ha_kernel.h @@ -31,13 +31,28 @@ typedef struct ha_kernel_t ha_kernel_t; struct ha_kernel_t { /** - * Check if a host is in a segment. + * Get the segment a host is in. * - * @param host host to check - * @param segment segment - * @return TRUE if host belongs to segment + * @param host host to get segment for + * @return segment number */ - bool (*in_segment)(ha_kernel_t *this, host_t *host, u_int segment); + u_int (*get_segment)(ha_kernel_t *this, host_t *host); + + /** + * Get the segment a host/SPI is in, as used for CHILD_SA segmentation. + * + * @param host host to get segment for + * @param spi SPI to include in hash + * @return segment number + */ + u_int (*get_segment_spi)(ha_kernel_t *this, host_t *host, u_int32_t spi); + + /** + * Get the segment an arbitrary integer is in. + * + * @param n integer to segmentate + */ + u_int (*get_segment_int)(ha_kernel_t *this, int n); /** * Activate a segment at kernel level for all cluster addresses. @@ -63,8 +78,7 @@ struct ha_kernel_t { * Create a ha_kernel instance. * * @param count total number of segments to use - * @param active bitmask of initially active segments */ ha_kernel_t *ha_kernel_create(u_int count); -#endif /* HA_KERNEL_ @}*/ +#endif /** HA_KERNEL_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c index 54b10f05d..7ce9cbe09 100644 --- a/src/libcharon/plugins/ha/ha_message.c +++ b/src/libcharon/plugins/ha/ha_message.c @@ -46,6 +46,20 @@ struct private_ha_message_t { chunk_t buf; }; +ENUM(ha_message_type_names, HA_IKE_ADD, HA_RESYNC, + "IKE_ADD", + "IKE_UPDATE", + "IKE_MID_INITIATOR", + "IKE_MID_RESPONDER", + "IKE_DELETE", + "CHILD_ADD", + "CHILD_DELETE", + "SEGMENT_DROP", + "SEGMENT_TAKE", + "STATUS", + "RESYNC", +); + typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t; /** @@ -93,10 +107,8 @@ struct ts_encoding_t { char encoding[]; } __attribute__((packed)); -/** - * Implementation of ha_message_t.get_type - */ -static ha_message_type_t get_type(private_ha_message_t *this) +METHOD(ha_message_t, get_type, ha_message_type_t, + private_ha_message_t *this) { return this->buf.ptr[1]; } @@ -119,11 +131,8 @@ static void check_buf(private_ha_message_t *this, size_t len) } } -/** - * Implementation of ha_message_t.add_attribute - */ -static void add_attribute(private_ha_message_t *this, - ha_message_attribute_t attribute, ...) +METHOD(ha_message_t, add_attribute, void, + private_ha_message_t *this, ha_message_attribute_t attribute, ...) { size_t len; va_list args; @@ -154,6 +163,7 @@ static void add_attribute(private_ha_message_t *this, /* identification_t* */ case HA_LOCAL_ID: case HA_REMOTE_ID: + case HA_REMOTE_EAP_ID: { identification_encoding_t *enc; identification_t *id; @@ -203,6 +213,7 @@ static void add_attribute(private_ha_message_t *this, break; } /* u_int8_t */ + case HA_INITIATOR: case HA_IPSEC_MODE: case HA_IPCOMP: { @@ -237,8 +248,7 @@ static void add_attribute(private_ha_message_t *this, case HA_EXTENSIONS: case HA_INBOUND_SPI: case HA_OUTBOUND_SPI: - case HA_INITIATE_MID: - case HA_RESPOND_MID: + case HA_MID: { u_int32_t val; @@ -310,12 +320,9 @@ typedef struct { void *cleanup_data; } attribute_enumerator_t; -/** - * Implementation of create_attribute_enumerator().enumerate - */ -static bool attribute_enumerate(attribute_enumerator_t *this, - ha_message_attribute_t *attr_out, - ha_message_value_t *value) +METHOD(enumerator_t, attribute_enumerate, bool, + attribute_enumerator_t *this, ha_message_attribute_t *attr_out, + ha_message_value_t *value) { ha_message_attribute_t attr; @@ -354,6 +361,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this, /* identification_t* */ case HA_LOCAL_ID: case HA_REMOTE_ID: + case HA_REMOTE_EAP_ID: { identification_encoding_t *enc; @@ -417,6 +425,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this, return TRUE; } /* u_int8_t */ + case HA_INITIATOR: case HA_IPSEC_MODE: case HA_IPCOMP: { @@ -453,8 +462,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this, case HA_EXTENSIONS: case HA_INBOUND_SPI: case HA_OUTBOUND_SPI: - case HA_INITIATE_MID: - case HA_RESPOND_MID: + case HA_MID: { if (this->buf.len < sizeof(u_int32_t)) { @@ -559,10 +567,8 @@ static bool attribute_enumerate(attribute_enumerator_t *this, } } -/** - * Implementation of create_attribute_enumerator().destroy - */ -static void enum_destroy(attribute_enumerator_t *this) +METHOD(enumerator_t, enum_destroy, void, + attribute_enumerator_t *this) { if (this->cleanup) { @@ -571,35 +577,30 @@ static void enum_destroy(attribute_enumerator_t *this) free(this); } -/** - * Implementation of ha_message_t.create_attribute_enumerator - */ -static enumerator_t* create_attribute_enumerator(private_ha_message_t *this) +METHOD(ha_message_t, create_attribute_enumerator, enumerator_t*, + private_ha_message_t *this) { - attribute_enumerator_t *e = malloc_thing(attribute_enumerator_t); - - e->public.enumerate = (void*)attribute_enumerate; - e->public.destroy = (void*)enum_destroy; + attribute_enumerator_t *e; - e->buf = chunk_skip(this->buf, 2); - e->cleanup = NULL; - e->cleanup_data = NULL; + INIT(e, + .public = { + .enumerate = (void*)_attribute_enumerate, + .destroy = _enum_destroy, + }, + .buf = chunk_skip(this->buf, 2), + ); return &e->public; } -/** - * Implementation of ha_message_t.get_encoding - */ -static chunk_t get_encoding(private_ha_message_t *this) +METHOD(ha_message_t, get_encoding, chunk_t, + private_ha_message_t *this) { return this->buf; } -/** - * Implementation of ha_message_t.destroy. - */ -static void destroy(private_ha_message_t *this) +METHOD(ha_message_t, destroy, void, + private_ha_message_t *this) { free(this->buf.ptr); free(this); @@ -608,14 +609,17 @@ static void destroy(private_ha_message_t *this) static private_ha_message_t *ha_message_create_generic() { - private_ha_message_t *this = malloc_thing(private_ha_message_t); - - this->public.get_type = (ha_message_type_t(*)(ha_message_t*))get_type; - this->public.add_attribute = (void(*)(ha_message_t*, ha_message_attribute_t attribute, ...))add_attribute; - this->public.create_attribute_enumerator = (enumerator_t*(*)(ha_message_t*))create_attribute_enumerator; - this->public.get_encoding = (chunk_t(*)(ha_message_t*))get_encoding; - this->public.destroy = (void(*)(ha_message_t*))destroy; + private_ha_message_t *this; + INIT(this, + .public = { + .get_type = _get_type, + .add_attribute = _add_attribute, + .create_attribute_enumerator = _create_attribute_enumerator, + .get_encoding = _get_encoding, + .destroy = _destroy, + }, + ); return this; } diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h index b2bc23724..50e11830f 100644 --- a/src/libcharon/plugins/ha/ha_message.h +++ b/src/libcharon/plugins/ha/ha_message.h @@ -30,7 +30,7 @@ /** * Protocol version of this implementation */ -#define HA_MESSAGE_VERSION 1 +#define HA_MESSAGE_VERSION 2 typedef struct ha_message_t ha_message_t; typedef enum ha_message_type_t ha_message_type_t; @@ -43,8 +43,12 @@ typedef union ha_message_value_t ha_message_value_t; enum ha_message_type_t { /** add a completely new IKE_SA */ HA_IKE_ADD = 1, - /** update an existing IKE_SA (message IDs, address update, ...) */ + /** update an existing IKE_SA (identities, address update, ...) */ HA_IKE_UPDATE, + /** update initiator message id */ + HA_IKE_MID_INITIATOR, + /** update responder message id */ + HA_IKE_MID_RESPONDER, /** delete an existing IKE_SA */ HA_IKE_DELETE, /** add a new CHILD_SA */ @@ -62,6 +66,11 @@ enum ha_message_type_t { }; /** + * Enum names for message types + */ +extern enum_name_t *ha_message_type_names; + +/** * Type of attributes contained in a message */ enum ha_message_attribute_t { @@ -73,6 +82,8 @@ enum ha_message_attribute_t { HA_LOCAL_ID, /** identification_t*, remote identity */ HA_REMOTE_ID, + /** identification_t*, remote EAP identity */ + HA_REMOTE_EAP_ID, /** host_t*, local address */ HA_LOCAL_ADDR, /** host_t*, remote address */ @@ -89,6 +100,8 @@ enum ha_message_attribute_t { HA_REMOTE_VIP, /** host_t*, additional MOBIKE peer address */ HA_ADDITIONAL_ADDR, + /** u_int8_t, initiator of an exchange, TRUE for local */ + HA_INITIATOR, /** chunk_t, initiators nonce */ HA_NONCE_I, /** chunk_t, responders nonce */ @@ -123,10 +136,8 @@ enum ha_message_attribute_t { HA_LOCAL_TS, /** traffic_selector_t*, remote traffic selector */ HA_REMOTE_TS, - /** u_int32_t, initiating message ID */ - HA_INITIATE_MID, - /** u_int32_t, responding message ID */ - HA_RESPOND_MID, + /** u_int32_t, message ID */ + HA_MID, /** u_int16_t, HA segment */ HA_SEGMENT, }; @@ -190,7 +201,6 @@ struct ha_message_t { /** * Create a new ha_message instance, ready for adding attributes * - * @param version protocol version to create a message from * @param type type of the message */ ha_message_t *ha_message_create(ha_message_type_t type); @@ -202,4 +212,4 @@ ha_message_t *ha_message_create(ha_message_type_t type); */ ha_message_t *ha_message_parse(chunk_t data); -#endif /* HA_MESSAGE_ @}*/ +#endif /** HA_MESSAGE_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c index ea255c8ab..e722b4f3a 100644 --- a/src/libcharon/plugins/ha/ha_plugin.c +++ b/src/libcharon/plugins/ha/ha_plugin.c @@ -21,8 +21,11 @@ #include "ha_dispatcher.h" #include "ha_segments.h" #include "ha_ctl.h" +#include "ha_cache.h" +#include "ha_attribute.h" #include <daemon.h> +#include <hydra.h> #include <config/child_cfg.h> typedef struct private_ha_plugin_t private_ha_plugin_t; @@ -76,20 +79,31 @@ struct private_ha_plugin_t { * Segment control interface via FIFO */ ha_ctl_t *ctl; + + /** + * Message cache for resynchronization + */ + ha_cache_t *cache; + + /** + * Attribute provider + */ + ha_attribute_t *attr; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_ha_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_ha_plugin_t *this) { DESTROY_IF(this->ctl); + hydra->attributes->remove_provider(hydra->attributes, &this->attr->provider); charon->bus->remove_listener(charon->bus, &this->segments->listener); charon->bus->remove_listener(charon->bus, &this->ike->listener); charon->bus->remove_listener(charon->bus, &this->child->listener); this->ike->destroy(this->ike); this->child->destroy(this->child); this->dispatcher->destroy(this->dispatcher); + this->attr->destroy(this->attr); + this->cache->destroy(this->cache); this->segments->destroy(this->segments); this->kernel->destroy(this->kernel); this->socket->destroy(this->socket); @@ -127,11 +141,9 @@ plugin_t *ha_plugin_create() return NULL; } - this = malloc_thing(private_ha_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - this->tunnel = NULL; - this->ctl = NULL; + INIT(this, + .public.plugin.destroy = _destroy, + ); if (secret) { @@ -146,17 +158,22 @@ plugin_t *ha_plugin_create() } this->kernel = ha_kernel_create(count); this->segments = ha_segments_create(this->socket, this->kernel, this->tunnel, - count, strcmp(local, remote) > 0, monitor, resync); + count, strcmp(local, remote) > 0, monitor); + this->cache = ha_cache_create(this->kernel, this->socket, resync, count); if (fifo) { - this->ctl = ha_ctl_create(this->segments); + this->ctl = ha_ctl_create(this->segments, this->cache); } - this->dispatcher = ha_dispatcher_create(this->socket, this->segments); - this->ike = ha_ike_create(this->socket, this->tunnel); - this->child = ha_child_create(this->socket, this->tunnel); + this->attr = ha_attribute_create(this->kernel, this->segments); + this->dispatcher = ha_dispatcher_create(this->socket, this->segments, + this->cache, this->kernel, this->attr); + this->ike = ha_ike_create(this->socket, this->tunnel, this->cache); + this->child = ha_child_create(this->socket, this->tunnel, this->segments, + this->kernel); charon->bus->add_listener(charon->bus, &this->segments->listener); charon->bus->add_listener(charon->bus, &this->ike->listener); charon->bus->add_listener(charon->bus, &this->child->listener); + hydra->attributes->add_provider(hydra->attributes, &this->attr->provider); return &this->public.plugin; } diff --git a/src/libcharon/plugins/ha/ha_plugin.h b/src/libcharon/plugins/ha/ha_plugin.h index 1ae2fe6dd..d4d746f91 100644 --- a/src/libcharon/plugins/ha/ha_plugin.h +++ b/src/libcharon/plugins/ha/ha_plugin.h @@ -44,4 +44,4 @@ struct ha_plugin_t { plugin_t plugin; }; -#endif /* HA_PLUGIN_H_ @}*/ +#endif /** HA_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index 2199671fc..be2d7e428 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c @@ -22,8 +22,8 @@ #include <utils/linked_list.h> #include <processing/jobs/callback_job.h> -#define HEARTBEAT_DELAY 1000 -#define HEARTBEAT_TIMEOUT 2100 +#define DEFAULT_HEARTBEAT_DELAY 1000 +#define DEFAULT_HEARTBEAT_TIMEOUT 2100 typedef struct private_ha_segments_t private_ha_segments_t; @@ -81,6 +81,16 @@ struct private_ha_segments_t { * Node number */ u_int node; + + /** + * Interval we send hearbeats + */ + int heartbeat_delay; + + /** + * Timeout for heartbeats received from other node + */ + int heartbeat_timeout; }; /** @@ -168,8 +178,8 @@ static void enable_disable(private_ha_segments_t *this, u_int segment, { continue; } - if (this->kernel->in_segment(this->kernel, - ike_sa->get_other_host(ike_sa), segment)) + if (this->kernel->get_segment(this->kernel, + ike_sa->get_other_host(ike_sa)) == segment) { ike_sa->set_state(ike_sa, new); } @@ -183,6 +193,7 @@ static void enable_disable(private_ha_segments_t *this, u_int segment, message = ha_message_create(type); message->add_attribute(message, HA_SEGMENT, segment); this->socket->push(this->socket, message); + message->destroy(message); } } @@ -209,135 +220,37 @@ static void enable_disable_all(private_ha_segments_t *this, u_int segment, this->mutex->unlock(this->mutex); } -/** - * Implementation of ha_segments_t.activate - */ -static void activate(private_ha_segments_t *this, u_int segment, bool notify) +METHOD(ha_segments_t, activate, void, + private_ha_segments_t *this, u_int segment, bool notify) { enable_disable_all(this, segment, TRUE, notify); } -/** - * Implementation of ha_segments_t.deactivate - */ -static void deactivate(private_ha_segments_t *this, u_int segment, bool notify) +METHOD(ha_segments_t, deactivate, void, + private_ha_segments_t *this, u_int segment, bool notify) { enable_disable_all(this, segment, FALSE, notify); } -/** - * Rekey all children of an IKE_SA - */ -static status_t rekey_children(ike_sa_t *ike_sa) +METHOD(listener_t, alert_hook, bool, + private_ha_segments_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args) { - iterator_t *iterator; - child_sa_t *child_sa; - status_t status = SUCCESS; - - iterator = ike_sa->create_child_sa_iterator(ike_sa); - while (iterator->iterate(iterator, (void**)&child_sa)) - { - DBG1(DBG_CFG, "resyncing CHILD_SA"); - status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa), - child_sa->get_spi(child_sa, TRUE)); - if (status == DESTROY_ME) - { - break; - } - } - iterator->destroy(iterator); - return status; -} - -/** - * Implementation of ha_segments_t.resync - */ -static void resync(private_ha_segments_t *this, u_int segment) -{ - ike_sa_t *ike_sa; - enumerator_t *enumerator; - linked_list_t *list; - ike_sa_id_t *id; - - list = linked_list_create(); - this->mutex->lock(this->mutex); - - if (segment > 0 && segment <= this->count) + if (alert == ALERT_SHUTDOWN_SIGNAL) { - DBG1(DBG_CFG, "resyncing HA segment %d", segment); - - /* we do the actual rekeying in a seperate loop to avoid rekeying - * an SA twice. */ - enumerator = charon->ike_sa_manager->create_enumerator( - charon->ike_sa_manager); - while (enumerator->enumerate(enumerator, &ike_sa)) + if (this->job) { - if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && - this->kernel->in_segment(this->kernel, - ike_sa->get_other_host(ike_sa), segment)) - { - id = ike_sa->get_id(ike_sa); - list->insert_last(list, id->clone(id)); - } + DBG1(DBG_CFG, "HA heartbeat active, dropping all segments"); + deactivate(this, 0, TRUE); } - enumerator->destroy(enumerator); - } - this->mutex->unlock(this->mutex); - - while (list->remove_last(list, (void**)&id) == SUCCESS) - { - ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id); - id->destroy(id); - if (ike_sa) + else { - DBG1(DBG_CFG, "resyncing IKE_SA"); - if (ike_sa->rekey(ike_sa) != DESTROY_ME) - { - if (rekey_children(ike_sa) != DESTROY_ME) - { - charon->ike_sa_manager->checkin( - charon->ike_sa_manager, ike_sa); - continue; - } - } - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, ike_sa); + DBG1(DBG_CFG, "no HA heartbeat active, closing IKE_SAs"); } } - list->destroy(list); -} - -/** - * Implementation of listener_t.alert - */ -static bool alert_hook(private_ha_segments_t *this, ike_sa_t *ike_sa, - alert_t alert, va_list args) -{ - if (alert == ALERT_SHUTDOWN_SIGNAL) - { - deactivate(this, 0, TRUE); - } return TRUE; } /** - * Request a resync of all segments - */ -static job_requeue_t request_resync(private_ha_segments_t *this) -{ - ha_message_t *message; - int i; - - message = ha_message_create(HA_RESYNC); - for (i = 1; i <= this->count; i++) - { - message->add_attribute(message, HA_SEGMENT, i); - } - this->socket->push(this->socket, message); - return JOB_REQUEUE_NONE; -} - -/** * Monitor heartbeat activity of remote node */ static job_requeue_t watchdog(private_ha_segments_t *this) @@ -349,7 +262,7 @@ static job_requeue_t watchdog(private_ha_segments_t *this) pthread_cleanup_push((void*)this->mutex->unlock, this->mutex); pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); timeout = this->condvar->timed_wait(this->condvar, this->mutex, - HEARTBEAT_TIMEOUT); + this->heartbeat_timeout); pthread_setcancelstate(oldstate, NULL); pthread_cleanup_pop(TRUE); if (timeout) @@ -373,10 +286,8 @@ static void start_watchdog(private_ha_segments_t *this) charon->processor->queue_job(charon->processor, (job_t*)this->job); } -/** - * Implementation of ha_segments_t.handle_status - */ -static void handle_status(private_ha_segments_t *this, segment_mask_t mask) +METHOD(ha_segments_t, handle_status, void, + private_ha_segments_t *this, segment_mask_t mask) { segment_mask_t missing; int i; @@ -431,20 +342,25 @@ static job_requeue_t send_status(private_ha_segments_t *this) } this->socket->push(this->socket, message); + message->destroy(message); /* schedule next invocation */ charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*) callback_job_create((callback_job_cb_t) send_status, this, NULL, NULL), - HEARTBEAT_DELAY); + this->heartbeat_delay); return JOB_REQUEUE_NONE; } -/** - * Implementation of ha_segments_t.destroy. - */ -static void destroy(private_ha_segments_t *this) +METHOD(ha_segments_t, is_active, bool, + private_ha_segments_t *this, u_int segment) +{ + return (this->active & SEGMENTS_BIT(segment)) != 0; +} + +METHOD(ha_segments_t, destroy, void, + private_ha_segments_t *this) { if (this->job) { @@ -460,44 +376,40 @@ static void destroy(private_ha_segments_t *this) */ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, ha_tunnel_t *tunnel, u_int count, u_int node, - bool monitor, bool sync) + bool monitor) { - private_ha_segments_t *this = malloc_thing(private_ha_segments_t); - - memset(&this->public.listener, 0, sizeof(listener_t)); - this->public.listener.alert = (bool(*)(listener_t*, ike_sa_t *, alert_t, va_list))alert_hook; - this->public.activate = (void(*)(ha_segments_t*, u_int segment,bool))activate; - this->public.deactivate = (void(*)(ha_segments_t*, u_int segment,bool))deactivate; - this->public.resync = (void(*)(ha_segments_t*, u_int segment))resync; - this->public.handle_status = (void(*)(ha_segments_t*, segment_mask_t mask))handle_status; - this->public.destroy = (void(*)(ha_segments_t*))destroy; - - this->socket = socket; - this->tunnel = tunnel; - this->kernel = kernel; - this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); - this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); - this->count = count; - this->node = node; - this->job = NULL; - - /* initially all segments are deactivated */ - this->active = 0; + private_ha_segments_t *this; + + INIT(this, + .public = { + .listener.alert = _alert_hook, + .activate = _activate, + .deactivate = _deactivate, + .handle_status = _handle_status, + .is_active = _is_active, + .destroy = _destroy, + }, + .socket = socket, + .tunnel = tunnel, + .kernel = kernel, + .count = count, + .node = node, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .heartbeat_delay = lib->settings->get_int(lib->settings, + "charon.plugins.ha.heartbeat_delay", DEFAULT_HEARTBEAT_DELAY), + .heartbeat_timeout = lib->settings->get_int(lib->settings, + "charon.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT), + ); if (monitor) { + DBG1(DBG_CFG, "starting HA heartbeat, delay %dms, timeout %dms", + this->heartbeat_delay, this->heartbeat_timeout); send_status(this); start_watchdog(this); } - if (sync) - { - /* request a resync as soon as we are up */ - charon->processor->queue_job(charon->processor, (job_t*) - callback_job_create((callback_job_cb_t)request_resync, - this, NULL, NULL)); - } - return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h index 6d1cd5441..eb9e5c1d5 100644 --- a/src/libcharon/plugins/ha/ha_segments.h +++ b/src/libcharon/plugins/ha/ha_segments.h @@ -68,23 +68,19 @@ struct ha_segments_t { void (*deactivate)(ha_segments_t *this, u_int segment, bool notify); /** - * Resync an active segment. - * - * To reintegrade a node into the cluster, resynchronization is reqired. - * IKE_SAs and CHILD_SAs are synced automatically during rekeying. A call - * to this method enforces a rekeying immediately sync all state of a - * segment. + * Handle a status message from the remote node. * - * @param segment segment to resync + * @param mask segments the remote node is serving actively */ - void (*resync)(ha_segments_t *this, u_int segment); + void (*handle_status)(ha_segments_t *this, segment_mask_t mask); /** - * Handle a status message from the remote node. + * Check if a given segment is currently active. * - * @param mask segments the remote node is serving actively + * @param segment segment to check + * @return TRUE if segment active */ - void (*handle_status)(ha_segments_t *this, segment_mask_t mask); + bool (*is_active)(ha_segments_t *this, u_int segment); /** * Destroy a ha_segments_t. @@ -101,11 +97,10 @@ struct ha_segments_t { * @param count number of segments the cluster uses * @param node node, currently 1 or 0 * @param monitor should we use monitoring functionality - * @param resync request a complete resync on startup * @return segment object */ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, ha_tunnel_t *tunnel, u_int count, u_int node, - bool monitor, bool resync); + bool monitor); -#endif /* HA_SEGMENTS_ @}*/ +#endif /** HA_SEGMENTS_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index b84b02868..21e6eb6d5 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -58,8 +58,8 @@ struct private_ha_socket_t { * Data to pass to the send_message() callback job */ typedef struct { - ha_message_t *message; - private_ha_socket_t *this; + chunk_t chunk; + int fd; } job_data_t; /** @@ -67,7 +67,7 @@ typedef struct { */ static void job_data_destroy(job_data_t *this) { - this->message->destroy(this->message); + free(this->chunk.ptr); free(this); } @@ -76,22 +76,15 @@ static void job_data_destroy(job_data_t *this) */ static job_requeue_t send_message(job_data_t *data) { - private_ha_socket_t *this; - chunk_t chunk; - - this = data->this; - chunk = data->message->get_encoding(data->message); - if (send(this->fd, chunk.ptr, chunk.len, 0) < chunk.len) + if (send(data->fd, data->chunk.ptr, data->chunk.len, 0) < data->chunk.len) { DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno)); } return JOB_REQUEUE_NONE; } -/** - * Implementation of ha_socket_t.push - */ -static void push(private_ha_socket_t *this, ha_message_t *message) +METHOD(ha_socket_t, push, void, + private_ha_socket_t *this, ha_message_t *message) { chunk_t chunk; @@ -107,9 +100,10 @@ static void push(private_ha_socket_t *this, ha_message_t *message) /* Fallback to asynchronous transmission. This is required, as sendto() * is a blocking call if it acquires a policy. We could end up in a * deadlock, as we own an IKE_SA. */ - data = malloc_thing(job_data_t); - data->message = message; - data->this = this; + INIT(data, + .chunk = chunk_clone(chunk), + .fd = this->fd, + ); job = callback_job_create((callback_job_cb_t)send_message, data, (void*)job_data_destroy, NULL); @@ -118,13 +112,10 @@ static void push(private_ha_socket_t *this, ha_message_t *message) } DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno)); } - message->destroy(message); } -/** - * Implementation of ha_socket_t.pull - */ -static ha_message_t *pull(private_ha_socket_t *this) +METHOD(ha_socket_t, pull, ha_message_t*, + private_ha_socket_t *this) { while (TRUE) { @@ -189,10 +180,8 @@ static bool open_socket(private_ha_socket_t *this) return TRUE; } -/** - * Implementation of ha_socket_t.destroy. - */ -static void destroy(private_ha_socket_t *this) +METHOD(ha_socket_t, destroy, void, + private_ha_socket_t *this) { if (this->fd != -1) { @@ -208,15 +197,18 @@ static void destroy(private_ha_socket_t *this) */ ha_socket_t *ha_socket_create(char *local, char *remote) { - private_ha_socket_t *this = malloc_thing(private_ha_socket_t); - - this->public.push = (void(*)(ha_socket_t*, ha_message_t*))push; - this->public.pull = (ha_message_t*(*)(ha_socket_t*))pull; - this->public.destroy = (void(*)(ha_socket_t*))destroy; + private_ha_socket_t *this; - this->local = host_create_from_dns(local, 0, HA_PORT); - this->remote = host_create_from_dns(remote, 0, HA_PORT); - this->fd = -1; + INIT(this, + .public = { + .push = _push, + .pull = _pull, + .destroy = _destroy, + }, + .local = host_create_from_dns(local, 0, HA_PORT), + .remote = host_create_from_dns(remote, 0, HA_PORT), + .fd = -1, + ); if (!this->local || !this->remote) { diff --git a/src/libcharon/plugins/ha/ha_socket.h b/src/libcharon/plugins/ha/ha_socket.h index 8d398e22b..a4789a51d 100644 --- a/src/libcharon/plugins/ha/ha_socket.h +++ b/src/libcharon/plugins/ha/ha_socket.h @@ -35,7 +35,7 @@ struct ha_socket_t { /** * Push synchronization information to the responsible node. * - * @param message message to send, gets destroyed by push() + * @param message message to send */ void (*push)(ha_socket_t *this, ha_message_t *message); @@ -57,4 +57,4 @@ struct ha_socket_t { */ ha_socket_t *ha_socket_create(char *local, char *remote); -#endif /* HA_SOCKET_ @}*/ +#endif /** HA_SOCKET_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index b3511e5f0..fef84a430 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -92,10 +92,8 @@ struct private_ha_tunnel_t { ha_creds_t creds; }; -/** - * Implementation of ha_tunnel_t.is_sa - */ -static bool is_sa(private_ha_tunnel_t *this, ike_sa_t *ike_sa) +METHOD(ha_tunnel_t, is_sa, bool, + private_ha_tunnel_t *this, ike_sa_t *ike_sa) { peer_cfg_t *cfg = this->backend.cfg; @@ -112,11 +110,8 @@ typedef struct { shared_key_t *key; } shared_enum_t; -/** - * Implementation of shared_enum_t.enumerate - */ -static bool shared_enumerate(shared_enum_t *this, shared_key_t **key, - id_match_t *me, id_match_t *other) +METHOD(enumerator_t, shared_enumerate, bool, + shared_enum_t *this, shared_key_t **key, id_match_t *me, id_match_t *other) { if (this->key) { @@ -135,12 +130,9 @@ static bool shared_enumerate(shared_enum_t *this, shared_key_t **key, return FALSE; } -/** - * Implements ha_creds_t.create_shared_enumerator - */ -static enumerator_t* create_shared_enumerator(ha_creds_t *this, - shared_key_type_t type, identification_t *me, - identification_t *other) +METHOD(ha_creds_t, create_shared_enumerator, enumerator_t*, + ha_creds_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) { shared_enum_t *enumerator; @@ -157,28 +149,25 @@ static enumerator_t* create_shared_enumerator(ha_creds_t *this, return NULL; } - enumerator = malloc_thing(shared_enum_t); - enumerator->public.enumerate = (void*)shared_enumerate; - enumerator->public.destroy = (void*)free; - enumerator->key = this->key; + INIT(enumerator, + .public = { + .enumerate = (void*)_shared_enumerate, + .destroy = (void*)free, + }, + .key = this->key, + ); return &enumerator->public; } -/** - * Implementation of backend_t.create_peer_cfg_enumerator. - */ -static enumerator_t* create_peer_cfg_enumerator(ha_backend_t *this, - identification_t *me, identification_t *other) +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + ha_backend_t *this, identification_t *me, identification_t *other) { return enumerator_create_single(this->cfg, NULL); } -/** - * Implementation of backend_t.create_ike_cfg_enumerator. - */ -static enumerator_t* create_ike_cfg_enumerator(ha_backend_t *this, - host_t *me, host_t *other) +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + ha_backend_t *this, host_t *me, host_t *other) { return enumerator_create_single(this->cfg->get_ike_cfg(this->cfg), NULL); } @@ -207,11 +196,11 @@ static void setup_tunnel(private_ha_tunnel_t *this, chunk_clone(chunk_create(secret, strlen(secret)))); this->creds.public.create_private_enumerator = (void*)return_null; this->creds.public.create_cert_enumerator = (void*)return_null; - this->creds.public.create_shared_enumerator = (void*)create_shared_enumerator; + this->creds.public.create_shared_enumerator = (void*)_create_shared_enumerator; this->creds.public.create_cdp_enumerator = (void*)return_null; this->creds.public.cache_cert = (void*)nop; - charon->credentials->add_set(charon->credentials, &this->creds.public); + lib->credmgr->add_set(lib->credmgr, &this->creds.public); /* create config and backend */ ike_cfg = ike_cfg_create(FALSE, FALSE, local, IKEV2_UDP_PORT, @@ -233,8 +222,9 @@ static void setup_tunnel(private_ha_tunnel_t *this, identification_create_from_string(remote)); peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); - child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, - MODE_TRANSPORT, ACTION_NONE, ACTION_NONE, FALSE, 0); + child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT, + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535); @@ -247,8 +237,8 @@ static void setup_tunnel(private_ha_tunnel_t *this, peer_cfg->add_child_cfg(peer_cfg, child_cfg); this->backend.cfg = peer_cfg; - this->backend.public.create_peer_cfg_enumerator = (void*)create_peer_cfg_enumerator; - this->backend.public.create_ike_cfg_enumerator = (void*)create_ike_cfg_enumerator; + this->backend.public.create_peer_cfg_enumerator = (void*)_create_peer_cfg_enumerator; + this->backend.public.create_ike_cfg_enumerator = (void*)_create_ike_cfg_enumerator; this->backend.public.get_peer_cfg_by_name = (void*)return_null; charon->backends->add_backend(charon->backends, &this->backend.public); @@ -257,10 +247,8 @@ static void setup_tunnel(private_ha_tunnel_t *this, this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg); } -/** - * Implementation of ha_tunnel_t.destroy. - */ -static void destroy(private_ha_tunnel_t *this) +METHOD(ha_tunnel_t, destroy, void, + private_ha_tunnel_t *this) { if (this->backend.cfg) { @@ -269,7 +257,7 @@ static void destroy(private_ha_tunnel_t *this) } if (this->creds.key) { - charon->credentials->remove_set(charon->credentials, &this->creds.public); + lib->credmgr->remove_set(lib->credmgr, &this->creds.public); this->creds.key->destroy(this->creds.key); } this->creds.local->destroy(this->creds.local); @@ -286,10 +274,14 @@ static void destroy(private_ha_tunnel_t *this) */ ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret) { - private_ha_tunnel_t *this = malloc_thing(private_ha_tunnel_t); + private_ha_tunnel_t *this; - this->public.is_sa = (bool(*)(ha_tunnel_t*, ike_sa_t *ike_sa))is_sa; - this->public.destroy = (void(*)(ha_tunnel_t*))destroy; + INIT(this, + .public = { + .is_sa = _is_sa, + .destroy = _destroy, + }, + ); setup_tunnel(this, local, remote, secret); diff --git a/src/libcharon/plugins/ha/ha_tunnel.h b/src/libcharon/plugins/ha/ha_tunnel.h index 085fb6122..549e33055 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.h +++ b/src/libcharon/plugins/ha/ha_tunnel.h @@ -54,4 +54,4 @@ struct ha_tunnel_t { */ ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret); -#endif /* HA_TUNNEL_H_ @}*/ +#endif /** HA_TUNNEL_H_ @}*/ diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libcharon/plugins/kernel_klips/Makefile.in index f0d112a0f..9cac89ec3 100644 --- a/src/libcharon/plugins/kernel_klips/Makefile.in +++ b/src/libcharon/plugins/kernel_klips/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c index 01df4f71a..6b5aeb342 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1690,10 +1690,11 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime, - u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, - bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + protocol_id_t protocol, u_int32_t reqid, mark_t mark, + lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, + u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1849,7 +1850,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, METHOD(kernel_ipsec_t, update_sa, status_t, private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap) + bool encap, bool new_encap, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1920,14 +1921,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { return NOT_SUPPORTED; /* TODO */ } METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1992,8 +1993,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed) + u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -2210,7 +2211,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, METHOD(kernel_ipsec_t, query_policy, status_t, private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + u_int32_t *use_time) { #define IDLE_PREFIX "idle=" static const char *path_eroute = "/proc/net/ipsec_eroute"; @@ -2365,7 +2367,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t, METHOD(kernel_ipsec_t, del_policy, status_t, private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + bool unrouted) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg = (struct sadb_msg*)request, *out; @@ -2574,7 +2577,7 @@ METHOD(kernel_ipsec_t, destroy, void, { close(this->socket); } - if (this->socket_evnets > 0) + if (this->socket_events > 0) { close(this->socket_events); } diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in index 8c9965467..49cc895bc 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libcharon/plugins/kernel_netlink/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 1b8c1b879..019ec93f8 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -280,6 +280,9 @@ struct policy_entry_t { /** parameters of installed policy */ struct xfrm_selector sel; + /** optional mark */ + u_int32_t mark; + /** associated route installed for this policy */ route_entry_t *route; @@ -292,7 +295,8 @@ struct policy_entry_t { */ static u_int policy_hash(policy_entry_t *key) { - chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector)); + chunk_t chunk = chunk_create((void*)&key->sel, + sizeof(struct xfrm_selector) + sizeof(u_int32_t)); return chunk_hash(chunk); } @@ -301,7 +305,8 @@ static u_int policy_hash(policy_entry_t *key) */ static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key) { - return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) && + return memeq(&key->sel, &other_key->sel, + sizeof(struct xfrm_selector) + sizeof(u_int32_t)) && key->direction == other_key->direction; } @@ -917,11 +922,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, + u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts, - traffic_selector_t* dst_ts) + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool encap, bool inbound, + traffic_selector_t* src_ts, traffic_selector_t* dst_ts) { netlink_buf_t request; char *alg_name; @@ -934,8 +939,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (ipcomp != IPCOMP_NONE && cpi != 0) { lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft, - ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, + add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, + &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, FALSE, inbound, NULL, NULL); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ @@ -944,9 +949,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t, memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", - ntohl(spi), reqid); - + if (mark.value) + { + DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} " + "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", + ntohl(spi), reqid); + } hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; @@ -1151,6 +1163,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (encap) { + struct xfrm_encap_tmpl *tmpl; + rthdr->rta_type = XFRMA_ENCAP; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); @@ -1160,7 +1174,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, return FAILED; } - struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); + tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); tmpl->encap_type = UDP_ENCAP_ESPINUDP; tmpl->encap_sport = htons(src->get_port(src)); tmpl->encap_dport = htons(dst->get_port(dst)); @@ -1177,9 +1191,36 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr = XFRM_RTA_NEXT(rthdr); } + if (mark.value) + { + struct xfrm_mark *mrk; + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + rthdr = XFRM_RTA_NEXT(rthdr); + } + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); + if (mark.value) + { + DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x " + "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask); + } + else + { + DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); + } return FAILED; } return SUCCESS; @@ -1275,7 +1316,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; @@ -1285,8 +1326,15 @@ METHOD(kernel_ipsec_t, query_sa, status_t, memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); - + if (mark.value) + { + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%8x)", + ntohl(spi), mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + } hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; hdr->nlmsg_type = XFRM_MSG_GETSA; @@ -1298,6 +1346,24 @@ METHOD(kernel_ipsec_t, query_sa, status_t, sa_id->proto = proto_ike2kernel(protocol); sa_id->family = dst->get_family(dst); + if (mark.value) + { + struct xfrm_mark *mrk; + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id); + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + } + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; @@ -1313,8 +1379,20 @@ METHOD(kernel_ipsec_t, query_sa, status_t, case NLMSG_ERROR: { struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)", - ntohl(spi), strerror(-err->error), -err->error); + + if (mark.value) + { + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " + "(mark %u/0x%8x) failed: %s (%d)", + ntohl(spi), mark.value, mark.mask, + strerror(-err->error), -err->error); + } + else + { + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " + "failed: %s (%d)", ntohl(spi), + strerror(-err->error), -err->error); + } break; } default: @@ -1341,7 +1419,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -1350,13 +1428,20 @@ METHOD(kernel_ipsec_t, del_sa, status_t, /* if IPComp was used, we first delete the additional IPComp SA */ if (cpi) { - del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); + del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark); } memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); - + if (mark.value) + { + DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)", + ntohl(spi), mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); + } hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = XFRM_MSG_DELSA; @@ -1368,19 +1453,53 @@ METHOD(kernel_ipsec_t, del_sa, status_t, sa_id->proto = proto_ike2kernel(protocol); sa_id->family = dst->get_family(dst); + if (mark.value) + { + struct xfrm_mark *mrk; + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id); + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + } + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); + if (mark.value) + { + DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x " + "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask); + } + else + { + DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); + } return FAILED; } - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); + if (mark.value) + { + DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)", + ntohl(spi), mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); + } return SUCCESS; } METHOD(kernel_ipsec_t, update_sa, status_t, private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool old_encap, bool new_encap) + bool old_encap, bool new_encap, mark_t mark) { netlink_buf_t request; u_char *pos; @@ -1398,7 +1517,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, if (cpi) { update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0, - src, dst, new_src, new_dst, FALSE, FALSE); + src, dst, new_src, new_dst, FALSE, FALSE, mark); } memset(&request, 0, sizeof(request)); @@ -1459,7 +1578,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, } /* delete the old SA (without affecting the IPComp SA) */ - if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS) + if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS) { DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi)); free(out); @@ -1558,8 +1677,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed) + u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed) { policy_entry_t *current, *policy; bool found = FALSE; @@ -1571,6 +1690,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy = malloc_thing(policy_entry_t); memset(policy, 0, sizeof(policy_entry_t)); policy->sel = ts2selector(src_ts, dst_ts); + policy->mark = mark.value & mark.mask; policy->direction = direction; /* find the policy, which matches EXACTLY */ @@ -1580,9 +1700,19 @@ METHOD(kernel_ipsec_t, add_policy, status_t, { /* use existing policy */ current->refcount++; - DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing " - "refcount", src_ts, dst_ts, - policy_dir_names, direction); + if (mark.value) + { + DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) " + "already exists, increasing refcount", + src_ts, dst_ts, policy_dir_names, direction, + mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "policy %R === %R %N " + "already exists, increasing refcount", + src_ts, dst_ts, policy_dir_names, direction); + } free(policy); policy = current; found = TRUE; @@ -1593,8 +1723,17 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy->refcount = 1; } - DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + if (mark.value) + { + DBG2(DBG_KNL, "adding policy %R === %R %N (mark %u/0x%8x)", + src_ts, dst_ts, policy_dir_names, direction, + mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "adding policy %R === %R %N", + src_ts, dst_ts, policy_dir_names, direction); + } memset(&request, 0, sizeof(request)); hdr = (struct nlmsghdr*)request; @@ -1673,6 +1812,25 @@ METHOD(kernel_ipsec_t, add_policy, status_t, tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; tmpl->mode = mode2kernel(mode); tmpl->family = src->get_family(src); + rthdr = XFRM_RTA_NEXT(rthdr); + + if (mark.value) + { + struct xfrm_mark *mrk; + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + } if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { @@ -1741,7 +1899,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, METHOD(kernel_ipsec_t, query_policy, status_t, private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + u_int32_t *use_time) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; @@ -1751,9 +1910,17 @@ METHOD(kernel_ipsec_t, query_policy, status_t, memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - + if (mark.value) + { + DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%8x)", + src_ts, dst_ts, policy_dir_names, direction, + mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, + policy_dir_names, direction); + } hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; hdr->nlmsg_type = XFRM_MSG_GETPOLICY; @@ -1763,6 +1930,25 @@ METHOD(kernel_ipsec_t, query_policy, status_t, policy_id->sel = ts2selector(src_ts, dst_ts); policy_id->dir = direction; + if (mark.value) + { + struct xfrm_mark *mrk; + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id); + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + } + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; @@ -1816,7 +2002,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t, METHOD(kernel_ipsec_t, del_policy, status_t, private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + bool unrouted) { policy_entry_t *current, policy, *to_delete = NULL; route_entry_t *route; @@ -1824,12 +2011,22 @@ METHOD(kernel_ipsec_t, del_policy, status_t, struct nlmsghdr *hdr; struct xfrm_userpolicy_id *policy_id; - DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + if (mark.value) + { + DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x)", + src_ts, dst_ts, policy_dir_names, direction, + mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "deleting policy %R === %R %N", + src_ts, dst_ts, policy_dir_names, direction); + } /* create a policy */ memset(&policy, 0, sizeof(policy_entry_t)); policy.sel = ts2selector(src_ts, dst_ts); + policy.mark = mark.value & mark.mask; policy.direction = direction; /* find the policy */ @@ -1851,8 +2048,17 @@ METHOD(kernel_ipsec_t, del_policy, status_t, this->mutex->unlock(this->mutex); if (!to_delete) { - DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); + if (mark.value) + { + DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x) " + "failed, not found", src_ts, dst_ts, policy_dir_names, + direction, mark.value, mark.mask); + } + else + { + DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", + src_ts, dst_ts, policy_dir_names, direction); + } return NOT_FOUND; } @@ -1867,13 +2073,40 @@ METHOD(kernel_ipsec_t, del_policy, status_t, policy_id->sel = to_delete->sel; policy_id->dir = direction; + if (mark.value) + { + struct xfrm_mark *mrk; + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id); + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + } + route = to_delete->route; free(to_delete); if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + if (mark.value) + { + DBG1(DBG_KNL, "unable to delete policy %R === %R %N " + "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names, + direction, mark.value, mark.mask); + } + else + { + DBG1(DBG_KNL, "unable to delete policy %R === %R %N", + src_ts, dst_ts, policy_dir_names, direction); + } return FAILED; } diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in index 2b028ba71..1dda6827b 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 8a7883c8a..a64c27f6f 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2009 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * Hochschule fuer Technik Rapperswil * @@ -67,8 +67,10 @@ /** non linux specific */ #ifndef IPPROTO_COMP +#ifdef IPPROTO_IPCOMP #define IPPROTO_COMP IPPROTO_IPCOMP #endif +#endif #ifndef SADB_X_AALG_SHA2_256HMAC #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256 @@ -600,17 +602,43 @@ static int lookup_algorithm(kernel_algorithm_t *list, int ikev2) } /** - * add a host behind a sadb_address extension + * Copy a host_t as sockaddr_t to the given memory location. Ports are + * reset to zero as per RFC 2367. + * @return the number of bytes copied */ -static void host2ext(host_t *host, struct sadb_address *ext) +static size_t hostcpy(void *dest, host_t *host) { - sockaddr_t *host_addr = host->get_sockaddr(host); + sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest; socklen_t *len = host->get_sockaddr_len(host); + memcpy(dest, addr, *len); #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - host_addr->sa_len = *len; + dest_addr->sa_len = *len; #endif - memcpy((char*)(ext + 1), host_addr, *len); - ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); + switch (dest_addr->sa_family) + { + case AF_INET: + { + struct sockaddr_in *sin = dest; + sin->sin_port = 0; + break; + } + case AF_INET6: + { + struct sockaddr_in6 *sin6 = dest; + sin6->sin6_port = 0; + break; + } + } + return *len; +} + +/** + * add a host behind an sadb_address extension + */ +static void host2ext(host_t *host, struct sadb_address *ext) +{ + size_t len = hostcpy(ext + 1, host); + ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len); } /** @@ -1019,7 +1047,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* } #endif /*SADB_X_MIGRATE*/ -#ifdef HAVE_NATT +#ifdef SADB_X_NAT_T_NEW_MAPPING /** * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel */ @@ -1075,7 +1103,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* } } } -#endif /*HAVE_NATT*/ +#endif /*SADB_X_NAT_T_NEW_MAPPING*/ /** * Receives events from kernel @@ -1137,11 +1165,11 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) process_migrate(this, msg); break; #endif /*SADB_X_MIGRATE*/ -#ifdef HAVE_NATT +#ifdef SADB_X_NAT_T_NEW_MAPPING case SADB_X_NAT_T_NEW_MAPPING: process_mapping(this, msg); break; -#endif /*HAVE_NATT*/ +#endif /*SADB_X_NAT_T_NEW_MAPPING*/ default: break; } @@ -1217,10 +1245,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime, - u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, - bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + protocol_id_t protocol, u_int32_t reqid, mark_t mark, + lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, + u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1364,7 +1393,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, METHOD(kernel_ipsec_t, update_sa, status_t, private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap) + bool encap, bool new_encap, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1497,7 +1526,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1553,7 +1582,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1604,8 +1633,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed) + u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1679,14 +1708,10 @@ METHOD(kernel_ipsec_t, add_policy, status_t, req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE; if (mode == MODE_TUNNEL) { - sockaddr_t *sa; - socklen_t sl; - sa = src->get_sockaddr(src); - sl = *src->get_sockaddr_len(src); - memcpy(req + 1, sa, sl); - sa = dst->get_sockaddr(dst); - memcpy((u_int8_t*)(req + 1) + sl, sa, sl); - req->sadb_x_ipsecrequest_len += sl * 2; + len = hostcpy(req + 1, src); + req->sadb_x_ipsecrequest_len += len; + len = hostcpy((char*)(req + 1) + len, dst); + req->sadb_x_ipsecrequest_len += len; } pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len); @@ -1771,22 +1796,30 @@ METHOD(kernel_ipsec_t, add_policy, status_t, route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)); route->prefixlen = policy->src.mask; - switch (charon->kernel_interface->add_route(charon->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name)) + if (route->if_name) + { + switch (charon->kernel_interface->add_route( + charon->kernel_interface, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name)) + { + default: + DBG1(DBG_KNL, "unable to install source route for %H", + route->src_ip); + /* FALL */ + case ALREADY_DONE: + /* route exists, do not uninstall */ + route_entry_destroy(route); + break; + case SUCCESS: + /* cache the installed route */ + policy->route = route; + break; + } + } + else { - default: - DBG1(DBG_KNL, "unable to install source route for %H", - route->src_ip); - /* FALL */ - case ALREADY_DONE: - /* route exists, do not uninstall */ - route_entry_destroy(route); - break; - case SUCCESS: - /* cache the installed route */ - policy->route = route; - break; + route_entry_destroy(route); } } else @@ -1802,7 +1835,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, METHOD(kernel_ipsec_t, query_policy, status_t, private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + u_int32_t *use_time) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1905,7 +1939,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t, METHOD(kernel_ipsec_t, del_policy, status_t, private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + bool unrouted) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in index 3a4d2c3b5..f78a97013 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.in +++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index 8965aff78..d049bb41b 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index c1f98f2fe..a230aa3f5 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -223,8 +223,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num); } - child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, - MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0); + child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL, + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1"); child_cfg->add_proposal(child_cfg, proposal); ts = traffic_selector_create_dynamic(0, 0, 65535); diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index 1218443cc..43c0ef009 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -34,118 +34,89 @@ struct private_load_tester_ipsec_t { u_int32_t spi; }; -/** - * Implementation of kernel_interface_t.get_spi. - */ -static status_t get_spi(private_load_tester_ipsec_t *this, - host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, - u_int32_t *spi) +METHOD(kernel_ipsec_t, get_spi, status_t, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) { *spi = ++this->spi; return SUCCESS; } -/** - * Implementation of kernel_interface_t.get_cpi. - */ -static status_t get_cpi(private_load_tester_ipsec_t *this, - host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) +METHOD(kernel_ipsec_t, get_cpi, status_t, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t reqid, u_int16_t *cpi) { return FAILED; } -/** - * Implementation of kernel_interface_t.add_sa. - */ -static status_t add_sa(private_load_tester_ipsec_t *this, - host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - lifetime_cfg_t *lifetime, - u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool encap, bool inbound, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts) +METHOD(kernel_ipsec_t, add_sa, status_t, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, + lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, + traffic_selector_t *dst_ts) { return SUCCESS; } -/** - * Implementation of kernel_interface_t.update_sa. - */ -static status_t update_sa(private_load_tester_ipsec_t *this, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, - host_t *src, host_t *dst, - host_t *new_src, host_t *new_dst, - bool encap, bool new_encap) +METHOD(kernel_ipsec_t, update_sa, status_t, + private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, + host_t *new_dst, bool encap, bool new_encap, mark_t mark) { return SUCCESS; } -/** - * Implementation of kernel_interface_t.query_sa. - */ -static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src, - host_t *dst, u_int32_t spi, protocol_id_t protocol, - u_int64_t *bytes) +METHOD(kernel_ipsec_t, query_sa, status_t, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { return NOT_SUPPORTED; } -/** - * Implementation of kernel_interface_t.del_sa. - */ -static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src, - host_t *dst, u_int32_t spi, protocol_id_t protocol, - u_int16_t cpi) +METHOD(kernel_ipsec_t, del_sa, status_t, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) { return SUCCESS; } -/** - * Implementation of kernel_interface_t.add_policy. - */ -static status_t add_policy(private_load_tester_ipsec_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed) +METHOD(kernel_ipsec_t, add_policy, status_t, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, + u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed) { return SUCCESS; } -/** - * Implementation of kernel_interface_t.query_policy. - */ -static status_t query_policy(private_load_tester_ipsec_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time) +METHOD(kernel_ipsec_t, query_policy, status_t, + private_load_tester_ipsec_t *this, traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + u_int32_t *use_time) { *use_time = time_monotonic(NULL); return SUCCESS; } -/** - * Implementation of kernel_interface_t.del_policy. - */ -static status_t del_policy(private_load_tester_ipsec_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, bool unrouted) +METHOD(kernel_ipsec_t, del_policy, status_t, + private_load_tester_ipsec_t *this, traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + bool unrouted) { return SUCCESS; } -/** - * Implementation of kernel_interface_t.destroy. - */ -static void destroy(private_load_tester_ipsec_t *this) +METHOD(kernel_ipsec_t, bypass_socket, bool, + private_load_tester_ipsec_t *this, int fd, int family) +{ + return TRUE; +} + +METHOD(kernel_ipsec_t, destroy, void, + private_load_tester_ipsec_t *this) { free(this); } @@ -155,21 +126,26 @@ static void destroy(private_load_tester_ipsec_t *this) */ load_tester_ipsec_t *load_tester_ipsec_create() { - private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t); - - /* public functions */ - this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi; - this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; - this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa; - this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; - this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy; - this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; - this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; - this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy; - - this->spi = 0; + private_load_tester_ipsec_t *this; + + INIT(this, + .public = { + .interface = { + .get_spi = _get_spi, + .get_cpi = _get_cpi, + .add_sa = _add_sa, + .update_sa = _update_sa, + .query_sa = _query_sa, + .del_sa = _del_sa, + .add_policy = _add_policy, + .query_policy = _query_policy, + .del_policy = _del_policy, + .bypass_socket = _bypass_socket, + .destroy = _destroy, + }, + }, + .spi = 0, + ); return &this->public; } diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index 46145b803..15dbccb00 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -158,7 +158,7 @@ static void destroy(private_load_tester_plugin_t *this) charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)load_tester_ipsec_create); charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->credentials->remove_set(charon->credentials, &this->creds->credential_set); + lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set); charon->bus->remove_listener(charon->bus, &this->listener->listener); this->config->destroy(this->config); this->creds->destroy(this->creds); @@ -209,7 +209,7 @@ plugin_t *load_tester_plugin_create() this->creds = load_tester_creds_create(); this->listener = load_tester_listener_create(shutdown_on); charon->backends->add_backend(charon->backends, &this->config->backend); - charon->credentials->add_set(charon->credentials, &this->creds->credential_set); + lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set); charon->bus->add_listener(charon->bus, &this->listener->listener); if (lib->settings->get_bool(lib->settings, diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 539890ec3..c26d325a9 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index e355d55f7..6cbaf36f2 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -181,8 +181,9 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam identification_create_from_encoding(ID_KEY_ID, other)); peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); - child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, - MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0); + child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); @@ -260,7 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->current->add_auth_cfg(this->current, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0); + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); diff --git a/src/libcharon/plugins/medcli/medcli_plugin.c b/src/libcharon/plugins/medcli/medcli_plugin.c index 397168d46..6befbf440 100644 --- a/src/libcharon/plugins/medcli/medcli_plugin.c +++ b/src/libcharon/plugins/medcli/medcli_plugin.c @@ -61,7 +61,7 @@ static void destroy(private_medcli_plugin_t *this) { charon->bus->remove_listener(charon->bus, &this->listener->listener); charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->credentials->remove_set(charon->credentials, &this->creds->set); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); this->listener->destroy(this->listener); this->config->destroy(this->config); this->creds->destroy(this->creds); @@ -100,7 +100,7 @@ plugin_t *medcli_plugin_create() this->config = medcli_config_create(this->db); this->listener = medcli_listener_create(this->db); - charon->credentials->add_set(charon->credentials, &this->creds->set); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); charon->backends->add_backend(charon->backends, &this->config->backend); charon->bus->add_listener(charon->bus, &this->listener->listener); diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index a103a1340..4dc9c00d0 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.c b/src/libcharon/plugins/medsrv/medsrv_plugin.c index 262d26d6b..c150346cb 100644 --- a/src/libcharon/plugins/medsrv/medsrv_plugin.c +++ b/src/libcharon/plugins/medsrv/medsrv_plugin.c @@ -54,7 +54,7 @@ struct private_medsrv_plugin_t { static void destroy(private_medsrv_plugin_t *this) { charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->credentials->remove_set(charon->credentials, &this->creds->set); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); this->config->destroy(this->config); this->creds->destroy(this->creds); this->db->destroy(this->db); @@ -91,7 +91,7 @@ plugin_t *medsrv_plugin_create() this->creds = medsrv_creds_create(this->db); this->config = medsrv_config_create(this->db); - charon->credentials->add_set(charon->credentials, &this->creds->set); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); charon->backends->add_backend(charon->backends, &this->config->backend); return &this->public.plugin; diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in index c7f288f54..1b3e4c5a6 100644 --- a/src/libcharon/plugins/nm/Makefile.in +++ b/src/libcharon/plugins/nm/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c index 6087f6589..250e6f7f9 100644 --- a/src/libcharon/plugins/nm/nm_plugin.c +++ b/src/libcharon/plugins/nm/nm_plugin.c @@ -84,7 +84,7 @@ static void destroy(private_nm_plugin_t *this) { g_object_unref(this->plugin); } - charon->credentials->remove_set(charon->credentials, &this->creds->set); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); this->creds->destroy(this->creds); this->handler->destroy(this->handler); @@ -110,7 +110,7 @@ plugin_t *nm_plugin_create() this->creds = nm_creds_create(); this->handler = nm_handler_create(); hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); - charon->credentials->add_set(charon->credentials, &this->creds->set); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); this->plugin = nm_strongswan_plugin_new(this->creds, this->handler); if (!this->plugin) { diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c index cdf7dc962..07318bbbf 100644 --- a/src/libcharon/plugins/nm/nm_service.c +++ b/src/libcharon/plugins/nm/nm_service.c @@ -444,7 +444,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, child_cfg = child_cfg_create(priv->name, &lifetime, NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ - ACTION_NONE, ACTION_NONE, ipcomp, 0); + ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, + NULL, NULL); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index b88283f38..35fb8367f 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 03c438acd..df63d862e 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 3a5fb3778..8a3a15188 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in index 65ad6a7a9..32bd9e0a1 100644 --- a/src/libcharon/plugins/socket_raw/Makefile.in +++ b/src/libcharon/plugins/socket_raw/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c index e0155fa87..166870421 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c +++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c @@ -538,11 +538,12 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) /* Destination Port must be either port or natt_port */ BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_UDP_PORT, 1, 0), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 5, 12), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 6, 14), /* port */ - /* IKE version must be 2.0 */ + /* IKE version must be 2.x */ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10), + BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 11), /* packet length is length in IKEv2 header + ip header + udp header */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET), BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN), @@ -550,10 +551,11 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) /* natt_port */ /* nat-t: check for marker */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5), - /* nat-t: IKE version must be 2.0 */ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 6), + /* nat-t: IKE version must be 2.x */ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3), + BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 3), /* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET), BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN), diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 5803dc898..e32dc7b57 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index 23366898a..a47d93f7b 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -134,7 +134,7 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e) .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter } }; child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode, - dpd, close, ipcomp, 0); + dpd, close, ipcomp, 0, 0, NULL, NULL); /* TODO: read proposal from db */ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); add_traffic_selectors(this, child_cfg, id); diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c index e2d2d63b3..7b0a198d1 100644 --- a/src/libcharon/plugins/sql/sql_plugin.c +++ b/src/libcharon/plugins/sql/sql_plugin.c @@ -59,7 +59,7 @@ struct private_sql_plugin_t { static void destroy(private_sql_plugin_t *this) { charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->credentials->remove_set(charon->credentials, &this->cred->set); + lib->credmgr->remove_set(lib->credmgr, &this->cred->set); charon->bus->remove_listener(charon->bus, &this->logger->listener); this->config->destroy(this->config); this->cred->destroy(this->cred); @@ -99,7 +99,7 @@ plugin_t *sql_plugin_create() this->logger = sql_logger_create(this->db); charon->backends->add_backend(charon->backends, &this->config->backend); - charon->credentials->add_set(charon->credentials, &this->cred->set); + lib->credmgr->add_set(lib->credmgr, &this->cred->set); charon->bus->add_listener(charon->bus, &this->logger->listener); return &this->public.plugin; diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 8815ba741..e094200ca 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c index 49146f18b..9a3ae0ab9 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.c +++ b/src/libcharon/plugins/stroke/stroke_ca.c @@ -306,7 +306,8 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg) return; } ca_section_destroy(ca); - /* TODO: flush cached certs */ + + lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); } /** @@ -356,12 +357,16 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer { if (section->certuribase && cert->issued_by(cert, section->cert)) { - chunk_t hash, encoded = cert->get_encoding(cert); - hasher->allocate_hash(hasher, encoded, &hash); - section->hashes->insert_last(section->hashes, - identification_create_from_encoding(ID_KEY_ID, hash)); - chunk_free(&hash); - chunk_free(&encoded); + chunk_t hash, encoded; + + if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded)) + { + hasher->allocate_hash(hasher, encoded, &hash); + section->hashes->insert_last(section->hashes, + identification_create_from_encoding(ID_KEY_ID, hash)); + chunk_free(&hash); + chunk_free(&encoded); + } break; } } @@ -400,11 +405,11 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) /* list authkey and keyid */ if (public) { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) { fprintf(out, " authkey: %#B\n", &chunk); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk)) { fprintf(out, " keyid: %#B\n", &chunk); } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index bbc1e7a31..617069432 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -399,8 +399,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, if (ca) { identity = identification_create_from_string(ca); - certificate = charon->credentials->get_cert(charon->credentials, - CERT_X509, KEY_ANY, identity, TRUE); + certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509, + KEY_ANY, identity, TRUE); identity->destroy(identity); if (certificate) { @@ -413,7 +413,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } } - /* AC groups */ + /* groups */ if (end->groups) { enumerator_t *enumerator; @@ -422,9 +422,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator = enumerator_create_token(end->groups, ",", " "); while (enumerator->enumerate(enumerator, &group)) { - identity = identification_create_from_encoding(ID_IETF_ATTR_STRING, - chunk_create(group, strlen(group))); - cfg->add(cfg, AUTH_RULE_AC_GROUP, identity); + cfg->add(cfg, AUTH_RULE_GROUP, + identification_create_from_string(group)); } enumerator->destroy(enumerator); } @@ -769,6 +768,14 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 } }; + mark_t mark_in = { + .value = msg->add_conn.mark_in.value, + .mask = msg->add_conn.mark_in.mask + }; + mark_t mark_out = { + .value = msg->add_conn.mark_out.value, + .mask = msg->add_conn.mark_out.mask + }; switch (msg->add_conn.dpd.action) { /* map startes magic values to our action type */ @@ -787,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, msg->add_conn.name, &lifetime, msg->add_conn.me.updown, msg->add_conn.me.hostaccess, msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, - msg->add_conn.inactivity); + msg->add_conn.inactivity, msg->add_conn.reqid, + &mark_in, &mark_out); child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index a03aef697..f64421551 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -186,6 +186,11 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o } else { + if (!pos) + { + DBG1(DBG_CFG, "error parsing string"); + return; + } if (*(pos + 1) == '*') { /* is name[*] */ all = TRUE; diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index e0a5210a9..2816b9bb2 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -378,7 +378,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl) } if (found) { - new = cert->is_newer(cert, current); + new = crl_is_newer(crl, crl_c); if (new) { this->certs->remove_at(this->certs, enumerator); @@ -587,9 +587,11 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex); free(hex.ptr); - chunk = cert->get_encoding(cert); - chunk_write(chunk, buf, "crl", 022, TRUE); - free(chunk.ptr); + if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk)) + { + chunk_write(chunk, buf, "crl", 022, TRUE); + free(chunk.ptr); + } } } } diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index c2a98da33..a6de35466 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -17,6 +17,10 @@ #include <time.h> +#ifdef HAVE_MALLINFO +#include <malloc.h> +#endif /* HAVE_MALLINFO */ + #include <daemon.h> #include <utils/linked_list.h> #include <credentials/certificates/x509.h> @@ -55,6 +59,33 @@ struct private_stroke_list_t { }; /** + * Log tasks of a specific queue to out + */ +static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name) +{ + enumerator_t *enumerator; + bool has = FALSE; + task_t *task; + + enumerator = ike_sa->create_task_enumerator(ike_sa, q); + while (enumerator->enumerate(enumerator, &task)) + { + if (!has) + { + fprintf(out, "%12s[%d]: Tasks %s: ", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa), name); + has = TRUE; + } + fprintf(out, "%N ", task_type_names, task->get_type(task)); + } + enumerator->destroy(enumerator); + if (has) + { + fprintf(out, "\n"); + } +} + +/** * log an IKE_SA to out */ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) @@ -140,6 +171,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), buf+4); } + + log_task_q(out, ike_sa, TASK_QUEUE_QUEUED, "queued"); + log_task_q(out, ike_sa, TASK_QUEUE_ACTIVE, "active"); + log_task_q(out, ike_sa, TASK_QUEUE_PASSIVE, "passive"); } } @@ -342,7 +377,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) rules = auth->create_enumerator(auth); while (rules->enumerate(rules, &rule, &id)) { - if (rule == AUTH_RULE_AC_GROUP) + if (rule == AUTH_RULE_GROUP) { fprintf(out, "%12s: group: %Y\n", name, id); } @@ -373,12 +408,19 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo u_int32_t dpd; time_t since, now; u_int size, online, offline; - now = time_monotonic(NULL); since = time(NULL) - (now - this->uptime); fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n"); fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE); +#ifdef HAVE_MALLINFO + { + struct mallinfo mi = mallinfo(); + + fprintf(out, " malloc: sbrk %d, mmap %d, used %d, free %d\n", + mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks); + } +#endif /* HAVE_MALLINFO */ fprintf(out, " worker threads: %d idle of %d,", charon->processor->get_idle_threads(charon->processor), charon->processor->get_total_threads(charon->processor)); @@ -534,9 +576,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo static linked_list_t* create_unique_cert_list(certificate_type_t type) { linked_list_t *list = linked_list_create(); - enumerator_t *enumerator = charon->credentials->create_cert_enumerator( - charon->credentials, type, KEY_ANY, - NULL, FALSE); + enumerator_t *enumerator = lib->credmgr->create_cert_enumerator( + lib->credmgr, type, KEY_ANY, NULL, FALSE); certificate_t *cert; while (enumerator->enumerate(enumerator, (void**)&cert)) @@ -585,11 +626,11 @@ static void list_public_key(public_key_t *public, FILE *out) identification_t *id; auth_cfg_t *auth; - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) { id = identification_create_from_encoding(ID_KEY_ID, keyid); auth = auth_cfg_create(); - private = charon->credentials->get_private(charon->credentials, + private = lib->credmgr->get_private(lib->credmgr, public->get_type(public), id, auth); auth->destroy(auth); id->destroy(id); @@ -599,11 +640,11 @@ static void list_public_key(public_key_t *public, FILE *out) key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { fprintf(out, " keyid: %#B\n", &keyid); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) { fprintf(out, " subjkey: %#B\n", &keyid); } diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 56c18da38..18afa5af4 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -344,8 +344,7 @@ static void stroke_purge(private_stroke_socket_t *this, { if (msg->purge.flags & PURGE_OCSP) { - charon->credentials->flush_cache(charon->credentials, - CERT_X509_OCSP_RESPONSE); + lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE); } if (msg->purge.flags & PURGE_IKE) { @@ -622,8 +621,8 @@ static bool open_socket(private_stroke_socket_t *this) static void destroy(private_stroke_socket_t *this) { this->job->cancel(this->job); - charon->credentials->remove_set(charon->credentials, &this->ca->set); - charon->credentials->remove_set(charon->credentials, &this->cred->set); + lib->credmgr->remove_set(lib->credmgr, &this->ca->set); + lib->credmgr->remove_set(lib->credmgr, &this->cred->set); charon->backends->remove_backend(charon->backends, &this->config->backend); hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider); this->cred->destroy(this->cred); @@ -657,8 +656,8 @@ stroke_socket_t *stroke_socket_create() this->control = stroke_control_create(); this->list = stroke_list_create(this->attribute); - charon->credentials->add_set(charon->credentials, &this->ca->set); - charon->credentials->add_set(charon->credentials, &this->cred->set); + lib->credmgr->add_set(lib->credmgr, &this->ca->set); + lib->credmgr->add_set(lib->credmgr, &this->cred->set); charon->backends->add_backend(charon->backends, &this->config->backend); hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider); diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index c10829bb3..934ab6080 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index bd58afbf0..ddddae782 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -196,7 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0); + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net)); diff --git a/src/libcharon/plugins/uci/uci_plugin.c b/src/libcharon/plugins/uci/uci_plugin.c index 742fcf4d0..4790ef4e7 100644 --- a/src/libcharon/plugins/uci/uci_plugin.c +++ b/src/libcharon/plugins/uci/uci_plugin.c @@ -64,7 +64,7 @@ struct private_uci_plugin_t { static void destroy(private_uci_plugin_t *this) { charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->credentials->remove_set(charon->credentials, &this->creds->credential_set); + lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set); this->config->destroy(this->config); this->creds->destroy(this->creds); this->parser->destroy(this->parser); @@ -86,7 +86,7 @@ plugin_t *uci_plugin_create() this->creds = uci_creds_create(this->parser); this->control = uci_control_create(); charon->backends->add_backend(charon->backends, &this->config->backend); - charon->credentials->add_set(charon->credentials, &this->creds->credential_set); + lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set); return &this->public.plugin; } diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am index e27d1f859..c46d2b85d 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.am +++ b/src/libcharon/plugins/unit_tester/Makefile.am @@ -24,6 +24,7 @@ libstrongswan_unit_tester_la_SOURCES = \ tests/test_chunk.c \ tests/test_pool.c \ tests/test_agent.c \ - tests/test_id.c + tests/test_id.c \ + tests/test_hashtable.c libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 6ca43a38f..47850c1c5 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -78,7 +78,7 @@ am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \ test_enumerator.lo test_auth_info.lo test_curl.lo \ test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \ test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \ - test_agent.lo test_id.lo + test_agent.lo test_id.lo test_hashtable.lo libstrongswan_unit_tester_la_OBJECTS = \ $(am_libstrongswan_unit_tester_la_OBJECTS) libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \ @@ -281,7 +281,8 @@ libstrongswan_unit_tester_la_SOURCES = \ tests/test_chunk.c \ tests/test_pool.c \ tests/test_agent.c \ - tests/test_id.c + tests/test_id.c \ + tests/test_hashtable.c libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version all: all-am @@ -373,6 +374,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hashtable.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@ @@ -494,6 +496,13 @@ test_id.lo: tests/test_id.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c +test_hashtable.lo: tests/test_hashtable.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_hashtable.lo -MD -MP -MF $(DEPDIR)/test_hashtable.Tpo -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_hashtable.Tpo $(DEPDIR)/test_hashtable.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tests/test_hashtable.c' object='test_hashtable.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c + mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libcharon/plugins/unit_tester/tests.h index 96313d390..cd38c8a99 100644 --- a/src/libcharon/plugins/unit_tester/tests.h +++ b/src/libcharon/plugins/unit_tester/tests.h @@ -19,6 +19,7 @@ */ DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE) +DEFINE_TEST("hashtable_t->remove_at()", test_hashtable_remove_at, FALSE) DEFINE_TEST("simple enumerator", test_enumerate, FALSE) DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE) DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE) diff --git a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c index d6abe7a05..c250c356f 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c +++ b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c @@ -15,7 +15,7 @@ #include <daemon.h> #include <library.h> -#include <config/auth_cfg.h> +#include <credentials/auth_cfg.h> static chunk_t certchunk = chunk_from_chars( diff --git a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c new file mode 100644 index 000000000..bd79e12f7 --- /dev/null +++ b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <library.h> +#include <utils/hashtable.h> + +static u_int hash(char *key) +{ + return chunk_hash(chunk_create(key, strlen(key))); +} + +static u_int equals(char *key1, char *key2) +{ + return streq(key1, key2); +} + +/** + * Test the remove_at method + */ +bool test_hashtable_remove_at() +{ + char *k1 = "key1", *k2 = "key2", *k3 = "key3", *key; + char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value; + enumerator_t *enumerator; + hashtable_t *ht = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 0); + + ht->put(ht, k1, v1); + ht->put(ht, k2, v2); + ht->put(ht, k3, v3); + + if (ht->get_count(ht) != 3) + { + return FALSE; + } + + enumerator = ht->create_enumerator(ht); + while (enumerator->enumerate(enumerator, &key, &value)) + { + if (streq(key, k2)) + { + ht->remove_at(ht, enumerator); + } + } + enumerator->destroy(enumerator); + + if (ht->get_count(ht) != 2) + { + return FALSE; + } + + if (ht->get(ht, k1) == NULL || + ht->get(ht, k3) == NULL) + { + return FALSE; + } + + if (ht->get(ht, k2) != NULL) + { + return FALSE; + } + + ht->put(ht, k2, v2); + + if (ht->get_count(ht) != 3) + { + return FALSE; + } + + if (ht->get(ht, k1) == NULL || + ht->get(ht, k2) == NULL || + ht->get(ht, k3) == NULL) + { + return FALSE; + } + + enumerator = ht->create_enumerator(ht); + while (enumerator->enumerate(enumerator, &key, &value)) + { + ht->remove_at(ht, enumerator); + } + enumerator->destroy(enumerator); + + if (ht->get_count(ht) != 0) + { + return FALSE; + } + + if (ht->get(ht, k1) != NULL || + ht->get(ht, k2) != NULL || + ht->get(ht, k3) != NULL) + { + return FALSE; + } + + ht->destroy(ht); + + return TRUE; +} diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c index 7fd78b0bc..ae1d08e15 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c +++ b/src/libcharon/plugins/unit_tester/tests/test_med_db.c @@ -37,11 +37,11 @@ bool test_med_db() bool good = FALSE; id = identification_create_from_encoding(ID_KEY_ID, keyid); - enumerator = charon->credentials->create_public_enumerator( - charon->credentials, KEY_ANY, id, NULL); + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + KEY_ANY, id, NULL); while (enumerator->enumerate(enumerator, &public, &auth)) { - good = public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &found); + good = public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &found); if (good) { good = chunk_equals(id->get_encoding(id), found); diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index d3c509a32..ce233ad04 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index 5a6746f92..ea4a792c2 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c @@ -115,7 +115,8 @@ METHOD(listener_t, child_updown, bool, { char command[1024]; char *my_client, *other_client, *my_client_mask, *other_client_mask; - char *pos, *virtual_ip, *iface; + char *pos, *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc; + mark_t mark; bool is_host, is_ipv6; FILE *shell; @@ -160,6 +161,61 @@ METHOD(listener_t, child_updown, bool, } } + /* check for the presence of an inbound mark */ + mark = config->get_mark(config, TRUE); + if (mark.value) + { + if (asprintf(&mark_in, "PLUTO_MARK_IN='%u/0x%08x' ", + mark.value, mark.mask ) < 0) + { + mark_in = NULL; + } + } + else + { + if (asprintf(&mark_in, "") < 0) + { + mark_in = NULL; + } + } + + /* check for the presence of an outbound mark */ + mark = config->get_mark(config, FALSE); + if (mark.value) + { + if (asprintf(&mark_out, "PLUTO_MARK_OUT='%u/0x%08x' ", + mark.value, mark.mask ) < 0) + { + mark_out = NULL; + } + } + else + { + if (asprintf(&mark_out, "") < 0) + { + mark_out = NULL; + } + } + + /* check for a NAT condition causing ESP_IN_UDP encapsulation */ + if (ike_sa->has_condition(ike_sa, COND_NAT_ANY)) + { + if (asprintf(&udp_enc, "PLUTO_UDP_ENC='%u' ", + other->get_port(other)) < 0) + { + udp_enc = NULL; + } + + } + else + { + if (asprintf(&udp_enc, "") < 0) + { + udp_enc = NULL; + } + + } + if (up) { iface = charon->kernel_interface->get_interface( @@ -205,6 +261,9 @@ METHOD(listener_t, child_updown, bool, "PLUTO_PEER_PROTOCOL='%u' " "%s" "%s" + "%s" + "%s" + "%s" "%s", up ? "up" : "down", is_host ? "-host" : "-client", @@ -223,11 +282,17 @@ METHOD(listener_t, child_updown, bool, other_ts->get_from_port(other_ts), other_ts->get_protocol(other_ts), virtual_ip, + mark_in, + mark_out, + udp_enc, config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "", script); free(my_client); free(other_client); free(virtual_ip); + free(mark_in); + free(mark_out); + free(udp_enc); free(iface); DBG3(DBG_CHD, "running updown script: %s", command); @@ -283,7 +348,9 @@ updown_listener_t *updown_listener_create() INIT(this, .public = { - .listener.child_updown = _child_updown, + .listener = { + .child_updown = _child_updown, + }, .destroy = _destroy, }, .iface_cache = linked_list_create(), diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c index 13586a23e..cd340e53e 100644 --- a/src/libcharon/sa/authenticators/authenticator.c +++ b/src/libcharon/sa/authenticators/authenticator.c @@ -34,13 +34,6 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS, "ECDSA-521 signature"); ENUM_END(auth_method_names, AUTH_ECDSA_521); -ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, - "any", - "public key", - "pre-shared key", - "EAP", -); - /** * Described in header. */ diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h index fff91ed34..89178b5cf 100644 --- a/src/libcharon/sa/authenticators/authenticator.h +++ b/src/libcharon/sa/authenticators/authenticator.h @@ -24,11 +24,10 @@ #define AUTHENTICATOR_H_ typedef enum auth_method_t auth_method_t; -typedef enum auth_class_t auth_class_t; typedef struct authenticator_t authenticator_t; #include <library.h> -#include <config/auth_cfg.h> +#include <credentials/auth_cfg.h> #include <sa/ike_sa.h> /** @@ -76,27 +75,6 @@ enum auth_method_t { extern enum_name_t *auth_method_names; /** - * Class of authentication to use. This is different to auth_method_t in that - * it does not specify a method, but a class of acceptable methods. The found - * certificate finally dictates wich method is used. - */ -enum auth_class_t { - /** any class acceptable */ - AUTH_CLASS_ANY = 0, - /** authentication using public keys (RSA, ECDSA) */ - AUTH_CLASS_PUBKEY = 1, - /** authentication using a pre-shared secrets */ - AUTH_CLASS_PSK = 2, - /** authentication using EAP */ - AUTH_CLASS_EAP = 3, -}; - -/** - * enum strings for auth_class_t - */ -extern enum_name_t *auth_class_names; - -/** * Authenticator interface implemented by the various authenticators. * * An authenticator implementation handles AUTH and EAP payloads. Received diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c index 91fa5305f..ad7b92cfa 100644 --- a/src/libcharon/sa/authenticators/eap/eap_method.c +++ b/src/libcharon/sa/authenticators/eap/eap_method.c @@ -15,44 +15,6 @@ #include "eap_method.h" -ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, - "EAP_IDENTITY", - "EAP_NOTIFICATION", - "EAP_NAK", - "EAP_MD5", - "EAP_OTP", - "EAP_GTC"); -ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC, - "EAP_SIM"); -ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM, - "EAP_AKA"); -ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, - "EAP_MSCHAPV2"); -ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, - "EAP_RADIUS", - "EAP_EXPANDED", - "EAP_EXPERIMENTAL"); -ENUM_END(eap_type_names, EAP_EXPERIMENTAL); - -ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC, - "ID", - "NTF", - "NAK", - "MD5", - "OTP", - "GTC"); -ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC, - "SIM"); -ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM, - "AKA"); -ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, - "MSCHAPV2"); -ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, - "RAD", - "EXP", - "XP"); -ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL); - /* * See header */ diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h index 4cab84535..df354edb4 100644 --- a/src/libcharon/sa/authenticators/eap/eap_method.h +++ b/src/libcharon/sa/authenticators/eap/eap_method.h @@ -23,7 +23,6 @@ typedef struct eap_method_t eap_method_t; typedef enum eap_role_t eap_role_t; -typedef enum eap_type_t eap_type_t; typedef enum eap_code_t eap_code_t; #include <library.h> @@ -43,35 +42,6 @@ enum eap_role_t { extern enum_name_t *eap_role_names; /** - * EAP types, defines the EAP method implementation - */ -enum eap_type_t { - EAP_IDENTITY = 1, - EAP_NOTIFICATION = 2, - EAP_NAK = 3, - EAP_MD5 = 4, - EAP_OTP = 5, - EAP_GTC = 6, - EAP_SIM = 18, - EAP_AKA = 23, - EAP_MSCHAPV2 = 26, - /** not a method, but an implementation providing different methods */ - EAP_RADIUS = 253, - EAP_EXPANDED = 254, - EAP_EXPERIMENTAL = 255, -}; - -/** - * enum names for eap_type_t. - */ -extern enum_name_t *eap_type_names; - -/** - * short string enum names for eap_type_t. - */ -extern enum_name_t *eap_type_short_names; - -/** * Lookup the EAP method type from a string. * * @param name EAP method name (such as "md5", "aka") diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c index 4617c4d8d..3c0f3c358 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/authenticators/eap_authenticator.c @@ -140,17 +140,26 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this, id = auth->get(auth, AUTH_RULE_EAP_IDENTITY); if (id) { - this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER); - if (this->method) + if (id->get_type(id) == ID_ANY) { - if (this->method->initiate(this->method, &out) == NEED_MORE) + this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER); + if (this->method) { - DBG1(DBG_IKE, "initiating EAP-Identity request"); - return out; + if (this->method->initiate(this->method, &out) == NEED_MORE) + { + DBG1(DBG_IKE, "initiating EAP-Identity request"); + return out; + } + this->method->destroy(this->method); } - this->method->destroy(this->method); + DBG1(DBG_IKE, "EAP-Identity request configured, " + "but not supported"); + } + else + { + DBG1(DBG_IKE, "using configured EAP-Identity %Y", id); + this->eap_identity = id->clone(id); } - DBG1(DBG_IKE, "EAP-Identity request configured, but not supported"); } } /* invoke real EAP method */ @@ -220,7 +229,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, eap_type_t type, received_type; u_int32_t vendor, received_vendor; eap_payload_t *out; - auth_cfg_t *cfg; if (in->get_code(in) != EAP_RESPONSE) { @@ -283,12 +291,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, } this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE); - cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); - cfg->add(cfg, AUTH_RULE_EAP_TYPE, type); - if (vendor) - { - cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor); - } this->eap_complete = TRUE; return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); case FAILED: diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c index 67197d690..e69f30dcf 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/authenticators/psk_authenticator.c @@ -63,8 +63,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) other_id = this->ike_sa->get_other_id(this->ike_sa); DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_method_names, AUTH_PSK); - key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, - my_id, other_id); + key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id); if (key == NULL) { DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); @@ -107,8 +106,8 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) recv_auth_data = auth_payload->get_data(auth_payload); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); - enumerator = charon->credentials->create_shared_enumerator( - charon->credentials, SHARED_IKE, my_id, other_id); + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_IKE, my_id, other_id); while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL)) { keys_found++; diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c index f1dca2702..3c67f6db6 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c @@ -65,8 +65,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) id = this->ike_sa->get_my_id(this->ike_sa); auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); - private = charon->credentials->get_private(charon->credentials, KEY_ANY, - id, auth); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth); if (private == NULL) { DBG1(DBG_IKE, "no private key found for '%Y'", id); @@ -178,8 +177,8 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, this->nonce, id); auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); - enumerator = charon->credentials->create_public_enumerator( - charon->credentials, key_type, id, auth); + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + key_type, id, auth); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { if (public->verify(public, scheme, octets, auth_data)) diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 3fdfb51ad..bd41cba56 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -98,6 +98,16 @@ struct private_child_sa_t { u_int32_t reqid; /** + * inbound mark used for this child_sa + */ + mark_t mark_in; + + /** + * outbound mark used for this child_sa + */ + mark_t mark_out; + + /** * absolute time when rekeying is scheduled */ time_t rekey_time; @@ -128,6 +138,16 @@ struct private_child_sa_t { ipsec_mode_t mode; /** + * Action to enforce if peer closes the CHILD_SA + */ + action_t close_action; + + /** + * Action to enforce if peer is considered dead + */ + action_t dpd_action; + + /** * selected proposal */ proposal_t *proposal; @@ -272,6 +292,38 @@ static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp) } /** + * Implementation of child_sa_t.set_close_action. + */ +static void set_close_action(private_child_sa_t *this, action_t action) +{ + this->close_action = action; +} + +/** + * Implementation of child_sa_t.get_close_action. + */ +static action_t get_close_action(private_child_sa_t *this) +{ + return this->close_action; +} + +/** + * Implementation of child_sa_t.set_dpd_action. + */ +static void set_dpd_action(private_child_sa_t *this, action_t action) +{ + this->dpd_action = action; +} + +/** + * Implementation of child_sa_t.get_dpd_action. + */ +static action_t get_dpd_action(private_child_sa_t *this) +{ + return this->dpd_action; +} + +/** * Implementation of child_sa_t.get_proposal */ static proposal_t* get_proposal(private_child_sa_t *this) @@ -389,10 +441,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->my_spi) { - status = charon->kernel_interface->query_sa( - charon->kernel_interface, + status = charon->kernel_interface->query_sa(charon->kernel_interface, this->other_addr, this->my_addr, - this->my_spi, this->protocol, &bytes); + this->my_spi, this->protocol, + this->mark_in, &bytes); if (status == SUCCESS) { if (bytes > this->my_usebytes) @@ -408,10 +460,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->other_spi) { - status = charon->kernel_interface->query_sa( - charon->kernel_interface, + status = charon->kernel_interface->query_sa(charon->kernel_interface, this->my_addr, this->other_addr, - this->other_spi, this->protocol, &bytes); + this->other_spi, this->protocol, + this->mark_out, &bytes); if (status == SUCCESS) { if (bytes > this->other_usebytes) @@ -443,14 +495,14 @@ static void update_usetime(private_child_sa_t *this, bool inbound) if (inbound) { if (charon->kernel_interface->query_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_IN, &in) == SUCCESS) + other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS) { last_use = max(last_use, in); } if (this->mode != MODE_TRANSPORT) { if (charon->kernel_interface->query_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS) + other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS) { last_use = max(last_use, fwd); } @@ -459,7 +511,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound) else { if (charon->kernel_interface->query_policy(charon->kernel_interface, - my_ts, other_ts, POLICY_OUT, &out) == SUCCESS) + my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS) { last_use = max(last_use, out); } @@ -623,9 +675,10 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, } status = charon->kernel_interface->add_sa(charon->kernel_interface, - src, dst, spi, this->protocol, this->reqid, lifetime, - enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, - this->encap, update, src_ts, dst_ts); + src, dst, spi, this->protocol, this->reqid, + inbound ? this->mark_in : this->mark_out, + lifetime, enc_alg, encr, int_alg, integ, this->mode, + this->ipcomp, cpi, this->encap, update, src_ts, dst_ts); free(lifetime); @@ -666,19 +719,19 @@ static status_t add_policies(private_child_sa_t *this, /* install 3 policies: out, in and forward */ status |= charon->kernel_interface->add_policy(charon->kernel_interface, this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT, - this->other_spi, this->protocol, this->reqid, this->mode, - this->ipcomp, this->other_cpi, routed); + this->other_spi, this->protocol, this->reqid, this->mark_out, + this->mode, this->ipcomp, this->other_cpi, routed); status |= charon->kernel_interface->add_policy(charon->kernel_interface, this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN, - this->my_spi, this->protocol, this->reqid, this->mode, - this->ipcomp, this->my_cpi, routed); + this->my_spi, this->protocol, this->reqid, this->mark_in, + this->mode, this->ipcomp, this->my_cpi, routed); if (this->mode != MODE_TRANSPORT) { status |= charon->kernel_interface->add_policy(charon->kernel_interface, this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD, - this->my_spi, this->protocol, this->reqid, this->mode, - this->ipcomp, this->my_cpi, routed); + this->my_spi, this->protocol, this->reqid, this->mark_in, + this->mode, this->ipcomp, this->my_cpi, routed); } if (status != SUCCESS) @@ -726,7 +779,7 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, this->my_spi, this->protocol, this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, this->other_addr, this->my_addr, other, me, - this->encap, encap) == NOT_SUPPORTED) + this->encap, encap, this->mark_in) == NOT_SUPPORTED) { return NOT_SUPPORTED; } @@ -739,7 +792,7 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, this->other_spi, this->protocol, this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, this->my_addr, this->other_addr, me, other, - this->encap, encap) == NOT_SUPPORTED) + this->encap, encap, this->mark_out) == NOT_SUPPORTED) { return NOT_SUPPORTED; } @@ -761,13 +814,13 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, { /* remove old policies first */ charon->kernel_interface->del_policy(charon->kernel_interface, - my_ts, other_ts, POLICY_OUT, FALSE); + my_ts, other_ts, POLICY_OUT, this->mark_out, FALSE); charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_IN, FALSE); + other_ts, my_ts, POLICY_IN, this->mark_in, FALSE); if (this->mode != MODE_TRANSPORT) { charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_FWD, FALSE); + other_ts, my_ts, POLICY_FWD, this->mark_in, FALSE); } /* check whether we have to update a "dynamic" traffic selector */ @@ -793,18 +846,18 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, /* reinstall updated policies */ charon->kernel_interface->add_policy(charon->kernel_interface, me, other, my_ts, other_ts, POLICY_OUT, this->other_spi, - this->protocol, this->reqid, this->mode, this->ipcomp, - this->other_cpi, FALSE); + this->protocol, this->reqid, this->mark_out, this->mode, + this->ipcomp, this->other_cpi, FALSE); charon->kernel_interface->add_policy(charon->kernel_interface, other, me, other_ts, my_ts, POLICY_IN, this->my_spi, - this->protocol, this->reqid, this->mode, this->ipcomp, - this->my_cpi, FALSE); + this->protocol, this->reqid, this->mark_in, this->mode, + this->ipcomp, this->my_cpi, FALSE); if (this->mode != MODE_TRANSPORT) { charon->kernel_interface->add_policy(charon->kernel_interface, other, me, other_ts, my_ts, POLICY_FWD, this->my_spi, - this->protocol, this->reqid, this->mode, this->ipcomp, - this->my_cpi, FALSE); + this->protocol, this->reqid, this->mark_in, this->mode, + this->ipcomp, this->my_cpi, FALSE); } } enumerator->destroy(enumerator); @@ -854,13 +907,13 @@ static void destroy(private_child_sa_t *this) } charon->kernel_interface->del_sa(charon->kernel_interface, this->other_addr, this->my_addr, this->my_spi, - this->protocol, this->my_cpi); + this->protocol, this->my_cpi, this->mark_in); } if (this->other_spi) { charon->kernel_interface->del_sa(charon->kernel_interface, this->my_addr, this->other_addr, this->other_spi, - this->protocol, this->other_cpi); + this->protocol, this->other_cpi, this->mark_out); } if (this->config->install_policy(this->config)) @@ -870,13 +923,13 @@ static void destroy(private_child_sa_t *this) while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { charon->kernel_interface->del_policy(charon->kernel_interface, - my_ts, other_ts, POLICY_OUT, unrouted); + my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted); charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_IN, unrouted); + other_ts, my_ts, POLICY_IN, this->mark_in, unrouted); if (this->mode != MODE_TRANSPORT) { charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_FWD, unrouted); + other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted); } } enumerator->destroy(enumerator); @@ -919,6 +972,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->public.has_encap = (bool(*)(child_sa_t*))has_encap; this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp; this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp; + this->public.get_close_action = (action_t(*)(child_sa_t*))get_close_action; + this->public.set_close_action = (void(*)(child_sa_t*,action_t))set_close_action; + this->public.get_dpd_action = (action_t(*)(child_sa_t*))get_dpd_action; + this->public.set_dpd_action = (void(*)(child_sa_t*,action_t))set_dpd_action; this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi; this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi; this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install; @@ -942,17 +999,26 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->other_usetime = 0; this->my_usebytes = 0; this->other_usebytes = 0; - /* reuse old reqid if we are rekeying an existing CHILD_SA */ - this->reqid = rekey ? rekey : ++reqid; this->my_ts = linked_list_create(); this->other_ts = linked_list_create(); this->protocol = PROTO_NONE; this->mode = MODE_TUNNEL; + this->close_action = config->get_close_action(config); + this->dpd_action = config->get_dpd_action(config); this->proposal = NULL; this->rekey_time = 0; this->expire_time = 0; this->config = config; config->get_ref(config); + this->reqid = config->get_reqid(config); + this->mark_in = config->get_mark(config, TRUE); + this->mark_out = config->get_mark(config, FALSE); + + if (!this->reqid) + { + /* reuse old reqid if we are rekeying an existing CHILD_SA */ + this->reqid = rekey ? rekey : ++reqid; + } /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ if (config->get_mode(config) == MODE_TRANSPORT && diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index e6c603504..95bc297b0 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -208,6 +208,34 @@ struct child_sa_t { void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp); /** + * Get the action to enforce if the remote peer closes the CHILD_SA. + * + * @return close action + */ + action_t (*get_close_action)(child_sa_t *this); + + /** + * Override the close action specified by the CHILD_SA config. + * + * @param close action to enforce + */ + void (*set_close_action)(child_sa_t *this, action_t action); + + /** + * Get the action to enforce if the peer is considered dead. + * + * @return dpd action + */ + action_t (*get_dpd_action)(child_sa_t *this); + + /** + * Override the DPD action specified by the CHILD_SA config. + * + * @param close action to enforce + */ + void (*set_dpd_action)(child_sa_t *this, action_t action); + + /** * Get the selected proposal. * * @return selected proposal diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 023f0749f..7536662ca 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -287,18 +287,14 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound) return use_time; } -/** - * Implementation of ike_sa_t.get_unique_id - */ -static u_int32_t get_unique_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_unique_id, u_int32_t, + private_ike_sa_t *this) { return this->unique_id; } -/** - * Implementation of ike_sa_t.get_name. - */ -static char *get_name(private_ike_sa_t *this) +METHOD(ike_sa_t, get_name, char*, + private_ike_sa_t *this) { if (this->peer_cfg) { @@ -307,10 +303,8 @@ static char *get_name(private_ike_sa_t *this) return "(unnamed)"; } -/** - * Implementation of ike_sa_t.get_statistic. - */ -static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind) +METHOD(ike_sa_t, get_statistic, u_int32_t, + private_ike_sa_t *this, statistic_t kind) { if (kind < STAT_MAX) { @@ -319,52 +313,40 @@ static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind) return 0; } -/** - * Implementation of ike_sa_t.get_my_host. - */ -static host_t *get_my_host(private_ike_sa_t *this) +METHOD(ike_sa_t, get_my_host, host_t*, + private_ike_sa_t *this) { return this->my_host; } -/** - * Implementation of ike_sa_t.set_my_host. - */ -static void set_my_host(private_ike_sa_t *this, host_t *me) +METHOD(ike_sa_t, set_my_host, void, + private_ike_sa_t *this, host_t *me) { DESTROY_IF(this->my_host); this->my_host = me; } -/** - * Implementation of ike_sa_t.get_other_host. - */ -static host_t *get_other_host(private_ike_sa_t *this) +METHOD(ike_sa_t, get_other_host, host_t*, + private_ike_sa_t *this) { return this->other_host; } -/** - * Implementation of ike_sa_t.set_other_host. - */ -static void set_other_host(private_ike_sa_t *this, host_t *other) +METHOD(ike_sa_t, set_other_host, void, + private_ike_sa_t *this, host_t *other) { DESTROY_IF(this->other_host); this->other_host = other; } -/** - * Implementation of ike_sa_t.get_peer_cfg - */ -static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this) +METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*, + private_ike_sa_t *this) { return this->peer_cfg; } -/** - * Implementation of ike_sa_t.set_peer_cfg - */ -static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg) +METHOD(ike_sa_t, set_peer_cfg, void, + private_ike_sa_t *this, peer_cfg_t *peer_cfg) { DESTROY_IF(this->peer_cfg); peer_cfg->get_ref(peer_cfg); @@ -377,10 +359,8 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg) } } -/** - * Implementation of ike_sa_t.get_auth_cfg - */ -static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local) +METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*, + private_ike_sa_t *this, bool local) { if (local) { @@ -389,10 +369,8 @@ static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local) return this->other_auth; } -/** - * Implementation of ike_sa_t.add_auth_cfg - */ -static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg) +METHOD(ike_sa_t, add_auth_cfg, void, + private_ike_sa_t *this, bool local, auth_cfg_t *cfg) { if (local) { @@ -404,11 +382,8 @@ static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg) } } -/** - * Implementation of ike_sa_t.create_auth_cfg_enumerator - */ -static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this, - bool local) +METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*, + private_ike_sa_t *this, bool local) { if (local) { @@ -424,42 +399,33 @@ static void flush_auth_cfgs(private_ike_sa_t *this) { auth_cfg_t *cfg; - if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", FALSE)) + while (this->my_auths->remove_last(this->my_auths, + (void**)&cfg) == SUCCESS) { - while (this->my_auths->remove_last(this->my_auths, - (void**)&cfg) == SUCCESS) - { - cfg->destroy(cfg); - } - while (this->other_auths->remove_last(this->other_auths, - (void**)&cfg) == SUCCESS) - { - cfg->destroy(cfg); - } + cfg->destroy(cfg); + } + while (this->other_auths->remove_last(this->other_auths, + (void**)&cfg) == SUCCESS) + { + cfg->destroy(cfg); } } -/** - * Implementation of ike_sa_t.get_proposal - */ -static proposal_t* get_proposal(private_ike_sa_t *this) +METHOD(ike_sa_t, get_proposal, proposal_t*, + private_ike_sa_t *this) { return this->proposal; } -/** - * Implementation of ike_sa_t.set_proposal - */ -static void set_proposal(private_ike_sa_t *this, proposal_t *proposal) +METHOD(ike_sa_t, set_proposal, void, + private_ike_sa_t *this, proposal_t *proposal) { DESTROY_IF(this->proposal); this->proposal = proposal->clone(proposal); } -/** - * Implementation of ike_sa_t.set_message_id - */ -static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid) +METHOD(ike_sa_t, set_message_id, void, + private_ike_sa_t *this, bool initiate, u_int32_t mid) { if (initiate) { @@ -471,10 +437,8 @@ static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid) } } -/** - * Implementation of ike_sa_t.send_keepalive - */ -static void send_keepalive(private_ike_sa_t *this) +METHOD(ike_sa_t, send_keepalive, void, + private_ike_sa_t *this) { send_keepalive_job_t *job; time_t last_out, now, diff; @@ -510,52 +474,39 @@ static void send_keepalive(private_ike_sa_t *this) this->keepalive_interval - diff); } -/** - * Implementation of ike_sa_t.get_ike_cfg - */ -static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this) +METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*, + private_ike_sa_t *this) { return this->ike_cfg; } -/** - * Implementation of ike_sa_t.set_ike_cfg - */ -static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg) +METHOD(ike_sa_t, set_ike_cfg, void, + private_ike_sa_t *this, ike_cfg_t *ike_cfg) { ike_cfg->get_ref(ike_cfg); this->ike_cfg = ike_cfg; } -/** - * Implementation of ike_sa_t.enable_extension. - */ -static void enable_extension(private_ike_sa_t *this, ike_extension_t extension) +METHOD(ike_sa_t, enable_extension, void, + private_ike_sa_t *this, ike_extension_t extension) { this->extensions |= extension; } -/** - * Implementation of ike_sa_t.has_extension. - */ -static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension) +METHOD(ike_sa_t, supports_extension, bool, + private_ike_sa_t *this, ike_extension_t extension) { return (this->extensions & extension) != FALSE; } -/** - * Implementation of ike_sa_t.has_condition. - */ -static bool has_condition(private_ike_sa_t *this, ike_condition_t condition) +METHOD(ike_sa_t, has_condition, bool, + private_ike_sa_t *this, ike_condition_t condition) { return (this->conditions & condition) != FALSE; } -/** - * Implementation of ike_sa_t.enable_condition. - */ -static void set_condition(private_ike_sa_t *this, ike_condition_t condition, - bool enable) +METHOD(ike_sa_t, set_condition, void, + private_ike_sa_t *this, ike_condition_t condition, bool enable) { if (has_condition(this, condition) != enable) { @@ -601,10 +552,8 @@ static void set_condition(private_ike_sa_t *this, ike_condition_t condition, } } -/** - * Implementation of ike_sa_t.send_dpd - */ -static status_t send_dpd(private_ike_sa_t *this) +METHOD(ike_sa_t, send_dpd, status_t, + private_ike_sa_t *this) { job_t *job; time_t diff, delay; @@ -660,18 +609,14 @@ static status_t send_dpd(private_ike_sa_t *this) return SUCCESS; } -/** - * Implementation of ike_sa_t.get_state. - */ -static ike_sa_state_t get_state(private_ike_sa_t *this) +METHOD(ike_sa_t, get_state, ike_sa_state_t, + private_ike_sa_t *this) { return this->state; } -/** - * Implementation of ike_sa_t.set_state. - */ -static void set_state(private_ike_sa_t *this, ike_sa_state_t state) +METHOD(ike_sa_t, set_state, void, + private_ike_sa_t *this, ike_sa_state_t state) { DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N", get_name(this), this->unique_id, @@ -754,10 +699,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) this->state = state; } -/** - * Implementation of ike_sa_t.reset - */ -static void reset(private_ike_sa_t *this) +METHOD(ike_sa_t, reset, void, + private_ike_sa_t *this) { /* the responder ID is reset, as peer may choose another one */ if (this->ike_sa_id->is_initiator(this->ike_sa_id)) @@ -767,21 +710,22 @@ static void reset(private_ike_sa_t *this) set_state(this, IKE_CREATED); + flush_auth_cfgs(this); + + this->keymat->destroy(this->keymat); + this->keymat = keymat_create(this->ike_sa_id->is_initiator(this->ike_sa_id)); + this->task_manager->reset(this->task_manager, 0, 0); } -/** - * Implementation of ike_sa_t.get_keymat - */ -static keymat_t* get_keymat(private_ike_sa_t *this) +METHOD(ike_sa_t, get_keymat, keymat_t*, + private_ike_sa_t *this) { return this->keymat; } -/** - * Implementation of ike_sa_t.set_virtual_ip - */ -static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip) +METHOD(ike_sa_t, set_virtual_ip, void, + private_ike_sa_t *this, bool local, host_t *ip) { if (local) { @@ -811,10 +755,8 @@ static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip) } } -/** - * Implementation of ike_sa_t.get_virtual_ip - */ -static host_t* get_virtual_ip(private_ike_sa_t *this, bool local) +METHOD(ike_sa_t, get_virtual_ip, host_t*, + private_ike_sa_t *this, bool local) { if (local) { @@ -826,27 +768,21 @@ static host_t* get_virtual_ip(private_ike_sa_t *this, bool local) } } -/** - * Implementation of ike_sa_t.add_additional_address. - */ -static void add_additional_address(private_ike_sa_t *this, host_t *host) +METHOD(ike_sa_t, add_additional_address, void, + private_ike_sa_t *this, host_t *host) { this->additional_addresses->insert_last(this->additional_addresses, host); } -/** - * Implementation of ike_sa_t.create_additional_address_iterator. - */ -static iterator_t* create_additional_address_iterator(private_ike_sa_t *this) +METHOD(ike_sa_t, create_additional_address_iterator, iterator_t*, + private_ike_sa_t *this) { return this->additional_addresses->create_iterator( this->additional_addresses, TRUE); } -/** - * Implementation of ike_sa_t.has_mapping_changed - */ -static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash) +METHOD(ike_sa_t, has_mapping_changed, bool, + private_ike_sa_t *this, chunk_t hash) { if (this->nat_detection_dest.ptr == NULL) { @@ -862,26 +798,20 @@ static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash) return TRUE; } -/** - * Implementation of ike_sa_t.set_pending_updates. - */ -static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates) +METHOD(ike_sa_t, set_pending_updates, void, + private_ike_sa_t *this, u_int32_t updates) { this->pending_updates = updates; } -/** - * Implementation of ike_sa_t.get_pending_updates. - */ -static u_int32_t get_pending_updates(private_ike_sa_t *this) +METHOD(ike_sa_t, get_pending_updates, u_int32_t, + private_ike_sa_t *this) { return this->pending_updates; } -/** - * Update hosts, as addresses may change (NAT) - */ -static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other) +METHOD(ike_sa_t, update_hosts, void, + private_ike_sa_t *this, host_t *me, host_t *other) { bool update = FALSE; @@ -946,11 +876,8 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other) } } -/** - * Implementation of ike_sa_t.generate - */ -static status_t generate_message(private_ike_sa_t *this, message_t *message, - packet_t **packet) +METHOD(ike_sa_t, generate_message, status_t, + private_ike_sa_t *this, message_t *message, packet_t **packet) { this->stats[STAT_OUTBOUND] = time_monotonic(NULL); message->set_ike_sa_id(message, this->ike_sa_id); @@ -994,10 +921,8 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request, response->destroy(response); } -/** - * Implementation of ike_sa_t.set_kmaddress. - */ -static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote) +METHOD(ike_sa_t, set_kmaddress, void, + private_ike_sa_t *this, host_t *local, host_t *remote) { DESTROY_IF(this->local_host); DESTROY_IF(this->remote_host); @@ -1006,46 +931,35 @@ static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote) } #ifdef ME -/** - * Implementation of ike_sa_t.act_as_mediation_server. - */ -static void act_as_mediation_server(private_ike_sa_t *this) +METHOD(ike_sa_t, act_as_mediation_server, void, + private_ike_sa_t *this) { charon->mediation_manager->update_sa_id(charon->mediation_manager, this->other_id, this->ike_sa_id); this->is_mediation_server = TRUE; } -/** - * Implementation of ike_sa_t.get_server_reflexive_host. - */ -static host_t *get_server_reflexive_host(private_ike_sa_t *this) +METHOD(ike_sa_t, get_server_reflexive_host, host_t*, + private_ike_sa_t *this) { return this->server_reflexive_host; } -/** - * Implementation of ike_sa_t.set_server_reflexive_host. - */ -static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host) +METHOD(ike_sa_t, set_server_reflexive_host, void, + private_ike_sa_t *this, host_t *host) { DESTROY_IF(this->server_reflexive_host); this->server_reflexive_host = host; } -/** - * Implementation of ike_sa_t.get_connect_id. - */ -static chunk_t get_connect_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_connect_id, chunk_t, + private_ike_sa_t *this) { return this->connect_id; } -/** - * Implementation of ike_sa_t.respond - */ -static status_t respond(private_ike_sa_t *this, identification_t *peer_id, - chunk_t connect_id) +METHOD(ike_sa_t, respond, status_t, + private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->respond(task, peer_id, connect_id); @@ -1053,10 +967,8 @@ static status_t respond(private_ike_sa_t *this, identification_t *peer_id, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.callback - */ -static status_t callback(private_ike_sa_t *this, identification_t *peer_id) +METHOD(ike_sa_t, callback, status_t, + private_ike_sa_t *this, identification_t *peer_id) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->callback(task, peer_id); @@ -1064,12 +976,9 @@ static status_t callback(private_ike_sa_t *this, identification_t *peer_id) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.relay - */ -static status_t relay(private_ike_sa_t *this, identification_t *requester, - chunk_t connect_id, chunk_t connect_key, - linked_list_t *endpoints, bool response) +METHOD(ike_sa_t, relay, status_t, + private_ike_sa_t *this, identification_t *requester, chunk_t connect_id, + chunk_t connect_key, linked_list_t *endpoints, bool response) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->relay(task, requester, connect_id, connect_key, endpoints, response); @@ -1077,11 +986,8 @@ static status_t relay(private_ike_sa_t *this, identification_t *requester, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.initiate_mediation - */ -static status_t initiate_mediation(private_ike_sa_t *this, - peer_cfg_t *mediated_cfg) +METHOD(ike_sa_t, initiate_mediation, status_t, + private_ike_sa_t *this, peer_cfg_t *mediated_cfg) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->connect(task, mediated_cfg->get_peer_id(mediated_cfg)); @@ -1089,11 +995,8 @@ static status_t initiate_mediation(private_ike_sa_t *this, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.initiate_mediated - */ -static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, - host_t *other, chunk_t connect_id) +METHOD(ike_sa_t, initiate_mediated, status_t, + private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id) { set_my_host(this, me->clone(me)); set_other_host(this, other->clone(other)); @@ -1166,12 +1069,9 @@ static void resolve_hosts(private_ike_sa_t *this) } } -/** - * Implementation of ike_sa_t.initiate - */ -static status_t initiate(private_ike_sa_t *this, - child_cfg_t *child_cfg, u_int32_t reqid, - traffic_selector_t *tsi, traffic_selector_t *tsr) +METHOD(ike_sa_t, initiate, status_t, + private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid, + traffic_selector_t *tsi, traffic_selector_t *tsr) { task_t *task; @@ -1259,10 +1159,8 @@ static status_t initiate(private_ike_sa_t *this, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.process_message. - */ -static status_t process_message(private_ike_sa_t *this, message_t *message) +METHOD(ike_sa_t, process_message, status_t, + private_ike_sa_t *this, message_t *message) { status_t status; bool is_request; @@ -1367,7 +1265,9 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) } status = this->task_manager->process_message(this->task_manager, message); if (message->get_exchange_type(message) == IKE_AUTH && - this->state == IKE_ESTABLISHED) + this->state == IKE_ESTABLISHED && + lib->settings->get_bool(lib->settings, + "charon.flush_auth_cfg", FALSE)) { /* authentication completed */ flush_auth_cfgs(this); } @@ -1375,43 +1275,33 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) return status; } -/** - * Implementation of ike_sa_t.get_id. - */ -static ike_sa_id_t* get_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_id, ike_sa_id_t*, + private_ike_sa_t *this) { return this->ike_sa_id; } -/** - * Implementation of ike_sa_t.get_my_id. - */ -static identification_t* get_my_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_my_id, identification_t*, + private_ike_sa_t *this) { return this->my_id; } -/** - * Implementation of ike_sa_t.set_my_id. - */ -static void set_my_id(private_ike_sa_t *this, identification_t *me) +METHOD(ike_sa_t, set_my_id, void, + private_ike_sa_t *this, identification_t *me) { DESTROY_IF(this->my_id); this->my_id = me; } -/** - * Implementation of ike_sa_t.get_other_id. - */ -static identification_t* get_other_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_other_id, identification_t*, + private_ike_sa_t *this) { return this->other_id; } -/** - * Implementation of ike_sa_t.get_other_eap_id. - */ -static identification_t* get_other_eap_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_other_eap_id, identification_t*, + private_ike_sa_t *this) { identification_t *id = NULL, *current; enumerator_t *enumerator; @@ -1440,28 +1330,21 @@ static identification_t* get_other_eap_id(private_ike_sa_t *this) return this->other_id; } -/** - * Implementation of ike_sa_t.set_other_id. - */ -static void set_other_id(private_ike_sa_t *this, identification_t *other) +METHOD(ike_sa_t, set_other_id, void, + private_ike_sa_t *this, identification_t *other) { DESTROY_IF(this->other_id); this->other_id = other; } -/** - * Implementation of ike_sa_t.add_child_sa. - */ -static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa) +METHOD(ike_sa_t, add_child_sa, void, + private_ike_sa_t *this, child_sa_t *child_sa) { this->child_sas->insert_last(this->child_sas, child_sa); } -/** - * Implementation of ike_sa_t.get_child_sa. - */ -static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi, bool inbound) +METHOD(ike_sa_t, get_child_sa, child_sa_t*, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound) { iterator_t *iterator; child_sa_t *current, *found = NULL; @@ -1479,19 +1362,14 @@ static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return found; } -/** - * Implementation of ike_sa_t.create_child_sa_iterator. - */ -static iterator_t* create_child_sa_iterator(private_ike_sa_t *this) +METHOD(ike_sa_t, create_child_sa_iterator, iterator_t*, + private_ike_sa_t *this) { return this->child_sas->create_iterator(this->child_sas, TRUE); } -/** - * Implementation of ike_sa_t.rekey_child_sa. - */ -static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi) +METHOD(ike_sa_t, rekey_child_sa, status_t, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) { child_rekey_t *child_rekey; @@ -1500,11 +1378,8 @@ static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.delete_child_sa. - */ -static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi) +METHOD(ike_sa_t, delete_child_sa, status_t, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) { child_delete_t *child_delete; @@ -1513,11 +1388,8 @@ static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.destroy_child_sa. - */ -static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi) +METHOD(ike_sa_t, destroy_child_sa, status_t, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) { iterator_t *iterator; child_sa_t *child_sa; @@ -1539,10 +1411,8 @@ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return status; } -/** - * Implementation of public_ike_sa_t.delete. - */ -static status_t delete_(private_ike_sa_t *this) +METHOD(ike_sa_t, delete_, status_t, + private_ike_sa_t *this) { ike_delete_t *ike_delete; @@ -1567,10 +1437,8 @@ static status_t delete_(private_ike_sa_t *this) return DESTROY_ME; } -/** - * Implementation of ike_sa_t.rekey. - */ -static status_t rekey(private_ike_sa_t *this) +METHOD(ike_sa_t, rekey, status_t, + private_ike_sa_t *this) { ike_rekey_t *ike_rekey; @@ -1580,10 +1448,8 @@ static status_t rekey(private_ike_sa_t *this) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.reauth - */ -static status_t reauth(private_ike_sa_t *this) +METHOD(ike_sa_t, reauth, status_t, + private_ike_sa_t *this) { task_t *task; @@ -1618,10 +1484,8 @@ static status_t reauth(private_ike_sa_t *this) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.reestablish - */ -static status_t reestablish(private_ike_sa_t *this) +METHOD(ike_sa_t, reestablish, status_t, + private_ike_sa_t *this) { ike_sa_t *new; host_t *host; @@ -1636,14 +1500,13 @@ static status_t reestablish(private_ike_sa_t *this) iterator = create_child_sa_iterator(this); while (iterator->iterate(iterator, (void**)&child_sa)) { - child_cfg = child_sa->get_config(child_sa); if (this->state == IKE_DELETING) { - action = child_cfg->get_close_action(child_cfg); + action = child_sa->get_close_action(child_sa); } else { - action = child_cfg->get_dpd_action(child_cfg); + action = child_sa->get_dpd_action(child_sa); } switch (action) { @@ -1651,7 +1514,8 @@ static status_t reestablish(private_ike_sa_t *this) restart = TRUE; break; case ACTION_ROUTE: - charon->traps->install(charon->traps, this->peer_cfg, child_cfg); + charon->traps->install(charon->traps, this->peer_cfg, + child_sa->get_config(child_sa)); break; default: break; @@ -1707,18 +1571,18 @@ static status_t reestablish(private_ike_sa_t *this) iterator = create_child_sa_iterator(this); while (iterator->iterate(iterator, (void**)&child_sa)) { - child_cfg = child_sa->get_config(child_sa); if (this->state == IKE_DELETING) { - action = child_cfg->get_close_action(child_cfg); + action = child_sa->get_close_action(child_sa); } else { - action = child_cfg->get_dpd_action(child_cfg); + action = child_sa->get_dpd_action(child_sa); } switch (action) { case ACTION_RESTART: + child_cfg = child_sa->get_config(child_sa); DBG1(DBG_IKE, "restarting CHILD_SA %s", child_cfg->get_name(child_cfg)); child_cfg->get_ref(child_cfg); @@ -1750,9 +1614,41 @@ static status_t reestablish(private_ike_sa_t *this) } /** - * Implementation of ike_sa_t.retransmit. + * Requeue the IKE_SA_INIT tasks for initiation, if required */ -static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) +static void requeue_init_tasks(private_ike_sa_t *this) +{ + enumerator_t *enumerator; + bool has_init = FALSE; + task_t *task; + + /* if we have advanced to IKE_AUTH, the IKE_INIT and related tasks + * have already completed. Recreate them if necessary. */ + enumerator = this->task_manager->create_task_enumerator( + this->task_manager, TASK_QUEUE_QUEUED); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == IKE_INIT) + { + has_init = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + if (!has_init) + { + task = (task_t*)ike_vendor_create(&this->public, TRUE); + this->task_manager->queue_task(this->task_manager, task); + task = (task_t*)ike_natd_create(&this->public, TRUE); + this->task_manager->queue_task(this->task_manager, task); + task = (task_t*)ike_init_create(&this->public, TRUE, NULL); + this->task_manager->queue_task(this->task_manager, task); + } +} + +METHOD(ike_sa_t, retransmit, status_t, + private_ike_sa_t *this, u_int32_t message_id) { this->stats[STAT_OUTBOUND] = time_monotonic(NULL); if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS) @@ -1770,6 +1666,7 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)", this->keyingtry + 1, tries); reset(this); + requeue_init_tasks(this); return this->task_manager->initiate(this->task_manager); } DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding"); @@ -1790,10 +1687,8 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) return SUCCESS; } -/** - * Implementation of ike_sa_t.set_auth_lifetime. - */ -static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime) +METHOD(ike_sa_t, set_auth_lifetime, void, + private_ike_sa_t *this, u_int32_t lifetime) { u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg); u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction; @@ -1823,10 +1718,8 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime) } } -/** - * Implementation of ike_sa_t.roam. - */ -static status_t roam(private_ike_sa_t *this, bool address) +METHOD(ike_sa_t, roam, status_t, + private_ike_sa_t *this, bool address) { host_t *src; ike_mobike_t *mobike; @@ -1919,12 +1812,9 @@ static status_t roam(private_ike_sa_t *this, bool address) return reauth(this); } -/** - * Implementation of ike_sa_t.add_configuration_attribute - */ -static void add_configuration_attribute(private_ike_sa_t *this, - attribute_handler_t *handler, - configuration_attribute_type_t type, chunk_t data) +METHOD(ike_sa_t, add_configuration_attribute, void, + private_ike_sa_t *this, attribute_handler_t *handler, + configuration_attribute_type_t type, chunk_t data) { attribute_entry_t *entry = malloc_thing(attribute_entry_t); @@ -1935,11 +1825,16 @@ static void add_configuration_attribute(private_ike_sa_t *this, this->attributes->insert_last(this->attributes, entry); } -/** - * Implementation of ike_sa_t.inherit. - */ -static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) +METHOD(ike_sa_t, create_task_enumerator, enumerator_t*, + private_ike_sa_t *this, task_queue_t queue) +{ + return this->task_manager->create_task_enumerator(this->task_manager, queue); +} + +METHOD(ike_sa_t, inherit, status_t, + private_ike_sa_t *this, ike_sa_t *other_public) { + private_ike_sa_t *other = (private_ike_sa_t*)other_public; child_sa_t *child_sa; attribute_entry_t *entry; @@ -2021,10 +1916,8 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.destroy. - */ -static void destroy(private_ike_sa_t *this) +METHOD(ike_sa_t, destroy, void, + private_ike_sa_t *this) { attribute_entry_t *entry; @@ -2106,122 +1999,107 @@ static void destroy(private_ike_sa_t *this) */ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) { - private_ike_sa_t *this = malloc_thing(private_ike_sa_t); + private_ike_sa_t *this; static u_int32_t unique_id = 0; - /* Public functions */ - this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state; - this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state; - this->public.get_name = (char* (*)(ike_sa_t*))get_name; - this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic; - this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message; - this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*,u_int32_t,traffic_selector_t*,traffic_selector_t*)) initiate; - this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg; - this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg; - this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg; - this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg; - this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg; - this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator; - this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg; - this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal; - this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal; - this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id; - this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host; - this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host; - this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host; - this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host; - this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id; - this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts; - this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id; - this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id; - this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id; - this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id; - this->public.get_other_eap_id = (identification_t* (*)(ike_sa_t*)) get_other_eap_id; - this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension; - this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension; - this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition; - this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition; - this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates; - this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates; - this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator; - this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address; - this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed; - this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit; - this->public.delete = (status_t (*)(ike_sa_t*))delete_; - this->public.destroy = (void (*)(ike_sa_t*))destroy; - this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd; - this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive; - this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat; - this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa; - this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa; - this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator; - this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa; - this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa; - this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa; - this->public.rekey = (status_t (*)(ike_sa_t*))rekey; - this->public.reauth = (status_t (*)(ike_sa_t*))reauth; - this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish; - this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime; - this->public.roam = (status_t(*)(ike_sa_t*,bool))roam; - this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit; - this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message; - this->public.reset = (void (*)(ike_sa_t*))reset; - this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id; - this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip; - this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip; - this->public.add_configuration_attribute = (void(*)(ike_sa_t*, attribute_handler_t *handler,configuration_attribute_type_t type, chunk_t data))add_configuration_attribute; - this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress; + INIT(this, + .public = { + .get_state = _get_state, + .set_state = _set_state, + .get_name = _get_name, + .get_statistic = _get_statistic, + .process_message = _process_message, + .initiate = _initiate, + .get_ike_cfg = _get_ike_cfg, + .set_ike_cfg = _set_ike_cfg, + .get_peer_cfg = _get_peer_cfg, + .set_peer_cfg = _set_peer_cfg, + .get_auth_cfg = _get_auth_cfg, + .create_auth_cfg_enumerator = _create_auth_cfg_enumerator, + .add_auth_cfg = _add_auth_cfg, + .get_proposal = _get_proposal, + .set_proposal = _set_proposal, + .get_id = _get_id, + .get_my_host = _get_my_host, + .set_my_host = _set_my_host, + .get_other_host = _get_other_host, + .set_other_host = _set_other_host, + .set_message_id = _set_message_id, + .update_hosts = _update_hosts, + .get_my_id = _get_my_id, + .set_my_id = _set_my_id, + .get_other_id = _get_other_id, + .set_other_id = _set_other_id, + .get_other_eap_id = _get_other_eap_id, + .enable_extension = _enable_extension, + .supports_extension = _supports_extension, + .set_condition = _set_condition, + .has_condition = _has_condition, + .set_pending_updates = _set_pending_updates, + .get_pending_updates = _get_pending_updates, + .create_additional_address_iterator = _create_additional_address_iterator, + .add_additional_address = _add_additional_address, + .has_mapping_changed = _has_mapping_changed, + .retransmit = _retransmit, + .delete = _delete_, + .destroy = _destroy, + .send_dpd = _send_dpd, + .send_keepalive = _send_keepalive, + .get_keymat = _get_keymat, + .add_child_sa = _add_child_sa, + .get_child_sa = _get_child_sa, + .create_child_sa_iterator = _create_child_sa_iterator, + .rekey_child_sa = _rekey_child_sa, + .delete_child_sa = _delete_child_sa, + .destroy_child_sa = _destroy_child_sa, + .rekey = _rekey, + .reauth = _reauth, + .reestablish = _reestablish, + .set_auth_lifetime = _set_auth_lifetime, + .roam = _roam, + .inherit = _inherit, + .generate_message = _generate_message, + .reset = _reset, + .get_unique_id = _get_unique_id, + .set_virtual_ip = _set_virtual_ip, + .get_virtual_ip = _get_virtual_ip, + .add_configuration_attribute = _add_configuration_attribute, + .set_kmaddress = _set_kmaddress, + .create_task_enumerator = _create_task_enumerator, #ifdef ME - this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server; - this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host; - this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host; - this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id; - this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation; - this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated; - this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay; - this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback; - this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond; + .act_as_mediation_server = _act_as_mediation_server, + .get_server_reflexive_host = _get_server_reflexive_host, + .set_server_reflexive_host = _set_server_reflexive_host, + .get_connect_id = _get_connect_id, + .initiate_mediation = _initiate_mediation, + .initiate_mediated = _initiate_mediated, + .relay = _relay, + .callback = _callback, + .respond = _respond, #endif /* ME */ - - /* initialize private fields */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - this->child_sas = linked_list_create(); - this->my_host = host_create_any(AF_INET); + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + .child_sas = linked_list_create(), + .my_host = host_create_any(AF_INET), + .other_host = host_create_any(AF_INET), + .my_id = identification_create_from_encoding(ID_ANY, chunk_empty), + .other_id = identification_create_from_encoding(ID_ANY, chunk_empty), + .keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id)), + .state = IKE_CREATED, + .stats[STAT_INBOUND] = time_monotonic(NULL), + .stats[STAT_OUTBOUND] = time_monotonic(NULL), + .my_auth = auth_cfg_create(), + .other_auth = auth_cfg_create(), + .my_auths = linked_list_create(), + .other_auths = linked_list_create(), + .task_manager = task_manager_create(&this->public), + .unique_id = ++unique_id, + .additional_addresses = linked_list_create(), + .attributes = linked_list_create(), + .keepalive_interval = lib->settings->get_time(lib->settings, + "charon.keep_alive", KEEPALIVE_INTERVAL), + ); this->my_host->set_port(this->my_host, IKEV2_UDP_PORT); - this->other_host = host_create_any(AF_INET); - this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty); - this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty); - this->extensions = 0; - this->conditions = 0; - this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id)); - this->state = IKE_CREATED; - this->keepalive_interval = lib->settings->get_time(lib->settings, - "charon.keep_alive", KEEPALIVE_INTERVAL); - memset(this->stats, 0, sizeof(this->stats)); - this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time_monotonic(NULL); - this->ike_cfg = NULL; - this->peer_cfg = NULL; - this->my_auth = auth_cfg_create(); - this->other_auth = auth_cfg_create(); - this->my_auths = linked_list_create(); - this->other_auths = linked_list_create(); - this->proposal = NULL; - this->task_manager = task_manager_create(&this->public); - this->unique_id = ++unique_id; - this->my_virtual_ip = NULL; - this->other_virtual_ip = NULL; - this->additional_addresses = linked_list_create(); - this->attributes = linked_list_create(); - this->nat_detection_dest = chunk_empty; - this->pending_updates = 0; - this->keyingtry = 0; - this->local_host = NULL; - this->remote_host = NULL; -#ifdef ME - this->is_mediation_server = FALSE; - this->server_reflexive_host = NULL; - this->connect_id = chunk_empty; -#endif /* ME */ return &this->public; } diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c61502edf..34842a573 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -37,11 +37,11 @@ typedef struct ike_sa_t ike_sa_t; #include <encoding/payloads/configuration_attribute.h> #include <sa/ike_sa_id.h> #include <sa/child_sa.h> -#include <sa/tasks/task.h> +#include <sa/task_manager.h> #include <sa/keymat.h> #include <config/peer_cfg.h> #include <config/ike_cfg.h> -#include <config/auth_cfg.h> +#include <credentials/auth_cfg.h> /** * Timeout in seconds after that a half open IKE_SA gets deleted. @@ -888,6 +888,14 @@ struct ike_sa_t { void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote); /** + * Create enumerator over a task queue of this IKE_SA. + * + * @param queue type to enumerate + * @return enumerator over task_t + */ + enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue); + + /** * Inherit all attributes of other to this after rekeying. * * When rekeying is completed, all CHILD_SAs, the virtual IP and all diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 3ef0f3bb0..c71c3b297 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -886,9 +886,10 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id { if (wait_for_entry(this, entry, segment)) { - DBG2(DBG_MGR, "IKE_SA successfully checked out"); entry->checked_out = TRUE; ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } unlock_single_segment(this, segment); } @@ -916,7 +917,8 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator) } ike_sa = ike_sa_create(ike_sa_id); - DBG2(DBG_MGR, "created IKE_SA"); + DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa)); if (!initiator) { @@ -971,10 +973,11 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, } else if (wait_for_entry(this, entry, segment)) { - DBG2(DBG_MGR, "IKE_SA checked out by hash"); entry->checked_out = TRUE; entry->message_id = message->get_message_id(message); ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "IKE_SA %s[%u] checked out by hash", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } unlock_single_segment(this, segment); } @@ -998,7 +1001,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, entry->init_hash = hash; ike_sa = entry->ike_sa; - DBG2(DBG_MGR, "created IKE_SA"); + DBG2(DBG_MGR, "created IKE_SA %s[%u]", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } else { @@ -1027,7 +1031,6 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, else if (wait_for_entry(this, entry, segment)) { ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa); - DBG2(DBG_MGR, "IKE_SA successfully checked out"); entry->checked_out = TRUE; entry->message_id = message->get_message_id(message); if (ike_id->get_responder_spi(ike_id) == 0) @@ -1035,6 +1038,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, ike_id->set_responder_spi(ike_id, id->get_responder_spi(id)); } ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } unlock_single_segment(this, segment); } @@ -1056,6 +1061,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, ike_cfg_t *current_ike; u_int segment; + DBG2(DBG_MGR, "checkout IKE_SA by config"); + if (!this->reuse_ikesa) { /* IKE_SA reuse disable by config */ ike_sa = checkout_new(this, TRUE); @@ -1081,10 +1088,11 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, current_ike = current_peer->get_ike_cfg(current_peer); if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) { - DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config", - current_peer->get_name(current_peer)); entry->checked_out = TRUE; ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", + ike_sa->get_unique_id(ike_sa), + current_peer->get_name(current_peer)); break; } } @@ -1112,6 +1120,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, child_sa_t *child_sa; u_int segment; + DBG2(DBG_MGR, "checkout IKE_SA by ID"); + enumerator = create_table_enumerator(this); while (enumerator->enumerate(enumerator, &entry, &segment)) { @@ -1142,6 +1152,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, if (ike_sa) { entry->checked_out = TRUE; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } } @@ -1195,6 +1207,8 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name, if (ike_sa) { entry->checked_out = TRUE; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } } @@ -1251,7 +1265,8 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) other_id = ike_sa->get_other_id(ike_sa); other = ike_sa->get_other_host(ike_sa); - DBG2(DBG_MGR, "checkin IKE_SA"); + DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa)); /* look for the entry */ if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS) @@ -1327,7 +1342,8 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa ike_sa_id = ike_sa->get_id(ike_sa); - DBG2(DBG_MGR, "checkin and destroy IKE_SA"); + DBG2(DBG_MGR, "checkin and destroy IKE_SA %s[%u]", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa)); if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS) { diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c index eeda6c860..a68826440 100644 --- a/src/libcharon/sa/task_manager.c +++ b/src/libcharon/sa/task_manager.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Tobias Brunner - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2007-2010 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -195,10 +195,8 @@ static bool activate_task(private_task_manager_t *this, task_type_t type) return found; } -/** - * Implementation of task_manager_t.retransmit - */ -static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) +METHOD(task_manager_t, retransmit, status_t, + private_task_manager_t *this, u_int32_t message_id) { if (message_id == this->initiating.mid) { @@ -281,11 +279,8 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) return SUCCESS; } -/** - * build a request using the active task list - * Implementation of task_manager_t.initiate - */ -static status_t build_request(private_task_manager_t *this) +METHOD(task_manager_t, initiate, status_t, + private_task_manager_t *this) { iterator_t *iterator; task_t *task; @@ -296,7 +291,8 @@ static status_t build_request(private_task_manager_t *this) if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED) { - DBG2(DBG_IKE, "delaying task initiation, exchange in progress"); + DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress", + exchange_type_names, this->initiating.type); /* do not initiate if we already have a message in the air */ return SUCCESS; } @@ -534,7 +530,7 @@ static status_t process_response(private_task_manager_t *this, { /* start all over again if we were reset */ this->reset = FALSE; iterator->destroy(iterator); - return build_request(this); + return initiate(this); } } iterator->destroy(iterator); @@ -544,7 +540,7 @@ static status_t process_response(private_task_manager_t *this, this->initiating.packet->destroy(this->initiating.packet); this->initiating.packet = NULL; - return build_request(this); + return initiate(this); } /** @@ -883,10 +879,8 @@ static status_t process_request(private_task_manager_t *this, return build_response(this, message); } -/** - * Implementation of task_manager_t.process_message - */ -static status_t process_message(private_task_manager_t *this, message_t *msg) +METHOD(task_manager_t, process_message, status_t, + private_task_manager_t *this, message_t *msg) { u_int32_t mid = msg->get_message_id(msg); @@ -943,10 +937,8 @@ static status_t process_message(private_task_manager_t *this, message_t *msg) return SUCCESS; } -/** - * Implementation of task_manager_t.queue_task - */ -static void queue_task(private_task_manager_t *this, task_t *task) +METHOD(task_manager_t, queue_task, void, + private_task_manager_t *this, task_t *task) { if (task->get_type(task) == IKE_MOBIKE) { /* there is no need to queue more than one mobike task */ @@ -969,11 +961,10 @@ static void queue_task(private_task_manager_t *this, task_t *task) this->queued_tasks->insert_last(this->queued_tasks, task); } -/** - * Implementation of task_manager_t.adopt_tasks - */ -static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other) +METHOD(task_manager_t, adopt_tasks, void, + private_task_manager_t *this, task_manager_t *other_public) { + private_task_manager_t *other = (private_task_manager_t*)other_public; task_t *task; /* move queued tasks from other to this */ @@ -986,20 +977,16 @@ static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *ot } } -/** - * Implementation of task_manager_t.busy - */ -static bool busy(private_task_manager_t *this) +METHOD(task_manager_t, busy, bool, + private_task_manager_t *this) { return (this->active_tasks->get_count(this->active_tasks) > 0); } -/** - * Implementation of task_manager_t.reset - */ -static void reset(private_task_manager_t *this, - u_int32_t initiate, u_int32_t respond) +METHOD(task_manager_t, reset, void, + private_task_manager_t *this, u_int32_t initiate, u_int32_t respond) { + enumerator_t *enumerator; task_t *task; /* reset message counters and retransmit packets */ @@ -1017,6 +1004,14 @@ static void reset(private_task_manager_t *this, } this->initiating.type = EXCHANGE_TYPE_UNDEFINED; + /* reset queued tasks */ + enumerator = this->queued_tasks->create_enumerator(this->queued_tasks); + while (enumerator->enumerate(enumerator, &task)) + { + task->migrate(task, this->ike_sa); + } + enumerator->destroy(enumerator); + /* reset active tasks */ while (this->active_tasks->remove_last(this->active_tasks, (void**)&task) == SUCCESS) @@ -1028,10 +1023,24 @@ static void reset(private_task_manager_t *this, this->reset = TRUE; } -/** - * Implementation of task_manager_t.destroy - */ -static void destroy(private_task_manager_t *this) +METHOD(task_manager_t, create_task_enumerator, enumerator_t*, + private_task_manager_t *this, task_queue_t queue) +{ + switch (queue) + { + case TASK_QUEUE_ACTIVE: + return this->active_tasks->create_enumerator(this->active_tasks); + case TASK_QUEUE_PASSIVE: + return this->passive_tasks->create_enumerator(this->passive_tasks); + case TASK_QUEUE_QUEUED: + return this->queued_tasks->create_enumerator(this->queued_tasks); + default: + return enumerator_create_empty(); + } +} + +METHOD(task_manager_t, destroy, void, + private_task_manager_t *this) { flush(this); @@ -1049,34 +1058,32 @@ static void destroy(private_task_manager_t *this) */ task_manager_t *task_manager_create(ike_sa_t *ike_sa) { - private_task_manager_t *this = malloc_thing(private_task_manager_t); - - this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message; - this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task; - this->public.initiate = (status_t(*)(task_manager_t*))build_request; - this->public.retransmit = (status_t(*)(task_manager_t*,u_int32_t))retransmit; - this->public.reset = (void(*)(task_manager_t*,u_int32_t,u_int32_t))reset; - this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks; - this->public.busy = (bool(*)(task_manager_t*))busy; - this->public.destroy = (void(*)(task_manager_t*))destroy; - - this->ike_sa = ike_sa; - this->responding.packet = NULL; - this->initiating.packet = NULL; - this->responding.mid = 0; - this->initiating.mid = 0; - this->initiating.type = EXCHANGE_TYPE_UNDEFINED; - this->queued_tasks = linked_list_create(); - this->active_tasks = linked_list_create(); - this->passive_tasks = linked_list_create(); - this->reset = FALSE; - - this->retransmit_tries = lib->settings->get_int(lib->settings, - "charon.retransmit_tries", RETRANSMIT_TRIES); - this->retransmit_timeout = lib->settings->get_double(lib->settings, - "charon.retransmit_timeout", RETRANSMIT_TIMEOUT); - this->retransmit_base = lib->settings->get_double(lib->settings, - "charon.retransmit_base", RETRANSMIT_BASE); + private_task_manager_t *this; + + INIT(this, + .public = { + .process_message = _process_message, + .queue_task = _queue_task, + .initiate = _initiate, + .retransmit = _retransmit, + .reset = _reset, + .adopt_tasks = _adopt_tasks, + .busy = _busy, + .create_task_enumerator = _create_task_enumerator, + .destroy = _destroy, + }, + .ike_sa = ike_sa, + .initiating.type = EXCHANGE_TYPE_UNDEFINED, + .queued_tasks = linked_list_create(), + .active_tasks = linked_list_create(), + .passive_tasks = linked_list_create(), + .retransmit_tries = lib->settings->get_int(lib->settings, + "charon.retransmit_tries", RETRANSMIT_TRIES), + .retransmit_timeout = lib->settings->get_double(lib->settings, + "charon.retransmit_timeout", RETRANSMIT_TIMEOUT), + .retransmit_base = lib->settings->get_double(lib->settings, + "charon.retransmit_base", RETRANSMIT_BASE), + ); return &this->public; } diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index 731ed4898..14fccd5f9 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h @@ -22,6 +22,7 @@ #define TASK_MANAGER_H_ typedef struct task_manager_t task_manager_t; +typedef enum task_queue_t task_queue_t; #include <limits.h> @@ -55,6 +56,17 @@ typedef struct task_manager_t task_manager_t; */ #define ROUTEABILITY_CHECK_TRIES 10 +/** + * Type of task queues the task manager uses to handle tasks + */ +enum task_queue_t { + /** tasks currently active, initiated by us */ + TASK_QUEUE_ACTIVE, + /** passive tasks initiated by the remote peer */ + TASK_QUEUE_PASSIVE, + /** tasks queued for initiated, but not yet activated */ + TASK_QUEUE_QUEUED, +}; /** * The task manager, juggles task and handles message exchanges. @@ -158,6 +170,15 @@ struct task_manager_t { bool (*busy) (task_manager_t *this); /** + * Create an enumerator over tasks in a specific queue. + * + * @param queue queue to create an enumerator over + * @return enumerator over task_t + */ + enumerator_t* (*create_task_enumerator)(task_manager_t *this, + task_queue_t queue); + + /** * Destroy the task_manager_t. */ void (*destroy) (task_manager_t *this); diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index bea4f73d5..3de27ee3f 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -273,7 +273,8 @@ static void schedule_inactivity_timeout(private_child_create_t *this) * - INVALID_ARG: diffie hellman group inacceptable * - NOT_FOUND: TS inacceptable */ -static status_t select_and_install(private_child_create_t *this, bool no_dh) +static status_t select_and_install(private_child_create_t *this, + bool no_dh, bool ike_auth) { status_t status, status_i, status_o; chunk_t nonce_i, nonce_r; @@ -364,6 +365,25 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts, other_vip); + if (this->initiator) + { + if (ike_auth) + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts); + } + else + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_POST_AUTH, my_ts, other_ts); + } + } + else + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_RESPONDER, my_ts, other_ts); + } + if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0) { my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); @@ -418,66 +438,6 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) } } - /* check for any certificate-based IP address block constraints */ - if (this->mode == MODE_BEET || this->mode == MODE_TUNNEL) - { - auth_cfg_t *auth; - enumerator_t *auth_enum; - certificate_t *cert = NULL; - - auth_enum = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE); - while (auth_enum->enumerate(auth_enum, &auth)) - { - cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT); - if (cert) - { - break; - } - } - auth_enum->destroy(auth_enum); - - if (cert && cert->get_type(cert) == CERT_X509) - { - x509_t *x509 = (x509_t*)cert; - - if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) - { - enumerator_t *enumerator, *block_enum; - traffic_selector_t *ts, *block_ts; - - DBG1(DBG_IKE, "checking certificate-based traffic selector " - "constraints [RFC 3779]"); - enumerator = other_ts->create_enumerator(other_ts); - while (enumerator->enumerate(enumerator, &ts)) - { - bool contained = FALSE; - - block_enum = x509->create_ipAddrBlock_enumerator(x509); - while (block_enum->enumerate(block_enum, &block_ts)) - { - if (ts->is_contained_in(ts, block_ts)) - { - DBG1(DBG_IKE, " TS %R is contained in address block" - " constraint %R", ts, block_ts); - contained = TRUE; - break; - } - } - block_enum->destroy(block_enum); - - if (!contained) - { - DBG1(DBG_IKE, " TS %R is not contained in any" - " address block constraint", ts); - enumerator->destroy(enumerator); - return FAILED; - } - } - enumerator->destroy(enumerator); - } - } - } - this->child_sa->set_state(this->child_sa, CHILD_INSTALLING); this->child_sa->set_ipcomp(this->child_sa, this->ipcomp); this->child_sa->set_mode(this->child_sa, this->mode); @@ -529,8 +489,8 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) return NOT_FOUND; } - charon->bus->child_keys(charon->bus, this->child_sa, this->dh, - nonce_i, nonce_r); + charon->bus->child_keys(charon->bus, this->child_sa, this->initiator, + this->dh, nonce_i, nonce_r); /* add to IKE_SA, and remove from task */ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); @@ -848,6 +808,17 @@ static status_t build_i(private_child_create_t *this, message_t *message) add_ipcomp_notify(this, message, IPCOMP_DEFLATE); } + if (message->get_exchange_type(message) == IKE_AUTH) + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr); + } + else + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr); + } + build_payloads(this, message); this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); @@ -914,7 +885,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) peer_cfg_t *peer_cfg; payload_t *payload; enumerator_t *enumerator; - bool no_dh = TRUE; + bool no_dh = TRUE, ike_auth = FALSE; switch (message->get_exchange_type(message)) { @@ -934,6 +905,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) { /* wait until all authentication round completed */ return NEED_MORE; } + ike_auth = TRUE; default: break; } @@ -1016,7 +988,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) } } - switch (select_and_install(this, no_dh)) + switch (select_and_install(this, no_dh, ike_auth)) { case SUCCESS: break; @@ -1064,7 +1036,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) { enumerator_t *enumerator; payload_t *payload; - bool no_dh = TRUE; + bool no_dh = TRUE, ike_auth = FALSE; switch (message->get_exchange_type(message)) { @@ -1079,6 +1051,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) { /* wait until all authentication round completed */ return NEED_MORE; } + ike_auth = TRUE; default: break; } @@ -1159,7 +1132,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) return SUCCESS; } - if (select_and_install(this, no_dh) == SUCCESS) + if (select_and_install(this, no_dh, ike_auth) == SUCCESS) { DBG0(DBG_IKE, "CHILD_SA %s{%d} established " "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", @@ -1229,11 +1202,11 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); - if (this->tsi) + if (this->tsr) { this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); } - if (this->tsr) + if (this->tsi) { this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); } diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c index d7c6b0541..b0cd30e1e 100644 --- a/src/libcharon/sa/tasks/child_delete.c +++ b/src/libcharon/sa/tasks/child_delete.c @@ -191,6 +191,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) child_cfg_t *child_cfg; protocol_id_t protocol; u_int32_t spi; + action_t action; status_t status = SUCCESS; iterator = this->child_sas->create_iterator(this->child_sas, TRUE); @@ -205,10 +206,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) protocol = child_sa->get_protocol(child_sa); child_cfg = child_sa->get_config(child_sa); child_cfg->get_ref(child_cfg); + action = child_sa->get_close_action(child_sa); this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi); if (this->check_delete_action) { /* enforce child_cfg policy if deleted passively */ - switch (child_cfg->get_close_action(child_cfg)) + switch (action) { case ACTION_RESTART: child_cfg->get_ref(child_cfg); diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index b5e4e84b4..fb3452efd 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c @@ -215,6 +215,64 @@ static status_t build_r(private_child_rekey_t *this, message_t *message) } /** + * Handle a rekey collision + */ +static child_sa_t *handle_collision(private_child_rekey_t *this) +{ + child_sa_t *to_delete; + + if (this->collision->get_type(this->collision) == CHILD_REKEY) + { + chunk_t this_nonce, other_nonce; + private_child_rekey_t *other = (private_child_rekey_t*)this->collision; + + this_nonce = this->child_create->get_lower_nonce(this->child_create); + other_nonce = other->child_create->get_lower_nonce(other->child_create); + + /* if we have the lower nonce, delete rekeyed SA. If not, delete + * the redundant. */ + if (memcmp(this_nonce.ptr, other_nonce.ptr, + min(this_nonce.len, other_nonce.len)) < 0) + { + child_sa_t *child_sa; + + DBG1(DBG_IKE, "CHILD_SA rekey collision won, " + "deleting rekeyed child"); + to_delete = this->child_sa; + /* disable close action for the redundand child */ + child_sa = other->child_create->get_child(other->child_create); + child_sa->set_close_action(child_sa, ACTION_NONE); + } + else + { + DBG1(DBG_IKE, "CHILD_SA rekey collision lost, " + "deleting redundant child"); + to_delete = this->child_create->get_child(this->child_create); + } + } + else + { /* CHILD_DELETE */ + child_delete_t *del = (child_delete_t*)this->collision; + + /* we didn't had a chance to compare the nonces, so we delete + * the CHILD_SA the other is not deleting. */ + if (del->get_child(del) != this->child_sa) + { + DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, " + "deleting rekeyed child"); + to_delete = this->child_sa; + } + else + { + DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, " + "deleting redundant child"); + to_delete = this->child_create->get_child(this->child_create); + } + } + return to_delete; +} + +/** * Implementation of task_t.process for initiator */ static status_t process_i(private_child_rekey_t *this, message_t *message) @@ -263,35 +321,14 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) return SUCCESS; } - to_delete = this->child_sa; - /* check for rekey collisions */ - if (this->collision && - this->collision->get_type(this->collision) == CHILD_REKEY) + if (this->collision) { - chunk_t this_nonce, other_nonce; - private_child_rekey_t *other = (private_child_rekey_t*)this->collision; - - this_nonce = this->child_create->get_lower_nonce(this->child_create); - other_nonce = other->child_create->get_lower_nonce(other->child_create); - - /* if we have the lower nonce, delete rekeyed SA. If not, delete - * the redundant. */ - if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) < 0) - { - DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child"); - } - else - { - DBG1(DBG_IKE, "CHILD_SA rekey collision lost, deleting redundant child"); - to_delete = this->child_create->get_child(this->child_create); - if (to_delete == NULL) - { - /* ooops, should not happen, fallback */ - to_delete = this->child_sa; - } - } + to_delete = handle_collision(this); + } + else + { + to_delete = this->child_sa; } if (to_delete != this->child_create->get_child(this->child_create)) @@ -300,6 +337,10 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) this->child_create->get_child(this->child_create)); } + if (to_delete == NULL) + { + return SUCCESS; + } spi = to_delete->get_spi(to_delete, TRUE); protocol = to_delete->get_protocol(to_delete); diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index a07f96767..a954782f2 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c @@ -518,6 +518,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK && (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0)) { /* peer requested EAP, but current config does not match */ + DBG1(DBG_IKE, "peer requested EAP, config inacceptable"); this->peer_cfg->destroy(this->peer_cfg); this->peer_cfg = NULL; if (!update_cfg_candidates(this, FALSE)) @@ -527,7 +528,16 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) } cand = get_auth_cfg(this, FALSE); } - cfg->merge(cfg, cand, TRUE); + /* copy over the EAP specific rules for authentication */ + cfg->add(cfg, AUTH_RULE_EAP_TYPE, + cand->get(cand, AUTH_RULE_EAP_TYPE)); + cfg->add(cfg, AUTH_RULE_EAP_VENDOR, + cand->get(cand, AUTH_RULE_EAP_VENDOR)); + id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY); + if (id) + { + cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id)); + } } /* verify authentication data */ diff --git a/src/libcharon/sa/tasks/ike_cert_post.c b/src/libcharon/sa/tasks/ike_cert_post.c index c831df975..cc810a49a 100644 --- a/src/libcharon/sa/tasks/ike_cert_post.c +++ b/src/libcharon/sa/tasks/ike_cert_post.c @@ -72,14 +72,18 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, return cert_payload_create_from_cert(cert); } - encoded = cert->get_encoding(cert); + if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded)) + { + DBG1(DBG_IKE, "encoding certificate for cert payload failed"); + hasher->destroy(hasher); + return NULL; + } hasher->allocate_hash(hasher, encoded, &hash); chunk_free(&encoded); hasher->destroy(hasher); id = identification_create_from_encoding(ID_KEY_ID, hash); - enumerator = charon->credentials->create_cdp_enumerator(charon->credentials, - CERT_X509, id); + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, CERT_X509, id); if (enumerator->enumerate(enumerator, &url)) { payload = cert_payload_create_from_hash_and_url(hash, url); diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c index 0805d0290..1c0c54727 100644 --- a/src/libcharon/sa/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/tasks/ike_cert_pre.c @@ -93,8 +93,8 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) certificate_t *cert; id = identification_create_from_encoding(ID_KEY_ID, keyid); - cert = charon->credentials->get_cert(charon->credentials, - CERT_X509, KEY_ANY, id, TRUE); + cert = lib->credmgr->get_cert(lib->credmgr, + CERT_X509, KEY_ANY, id, TRUE); if (cert) { DBG1(DBG_IKE, "received cert request for \"%Y\"", @@ -156,8 +156,8 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload) break; } id = identification_create_from_encoding(ID_KEY_ID, hash); - cert = charon->credentials->get_cert(charon->credentials, - CERT_X509, KEY_ANY, id, FALSE); + cert = lib->credmgr->get_cert(lib->credmgr, + CERT_X509, KEY_ANY, id, FALSE); id->destroy(id); break; } @@ -299,7 +299,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert) { *req = certreq_payload_create_type(CERT_X509); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { (*req)->add_keyid(*req, keyid); DBG1(DBG_IKE, "sending cert request for \"%Y\"", @@ -370,8 +370,8 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message) if (!req) { /* otherwise add all trusted CA certificates */ - enumerator = charon->credentials->create_cert_enumerator( - charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_ANY, KEY_ANY, NULL, TRUE); while (enumerator->enumerate(enumerator, &cert)) { add_certreq(&req, cert); diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c index 58bcf0762..c92b5bca5 100644 --- a/src/libcharon/sa/tasks/ike_config.c +++ b/src/libcharon/sa/tasks/ike_config.c @@ -333,7 +333,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message) chunk_empty); return SUCCESS; } - DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip); + DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", vip, id); this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip); cp = cp_payload_create_type(CFG_REPLY); @@ -342,7 +342,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message) /* query registered providers for additional attributes to include */ enumerator = hydra->attributes->create_responder_enumerator( - hydra->attributes, id, vip); + hydra->attributes, config->get_pool(config), id, vip); while (enumerator->enumerate(enumerator, &type, &value)) { if (!cp) diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c index 5eb33b540..38fb572f4 100644 --- a/src/libcharon/sa/tasks/ike_init.c +++ b/src/libcharon/sa/tasks/ike_init.c @@ -543,6 +543,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa) chunk_free(&this->other_nonce); this->ike_sa = ike_sa; + this->keymat = ike_sa->get_keymat(ike_sa); this->proposal = NULL; DESTROY_IF(this->dh); this->dh = this->keymat->create_dh(this->keymat, this->dh_group); diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 878170c83..80bf647cd 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -128,7 +128,7 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer, ike_cfg = peer->get_ike_cfg(peer); other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 0, ike_cfg->get_other_port(ike_cfg)); - if (!other) + if (!other || other->is_anyaddr(other)) { DBG1(DBG_CFG, "installing trap failed, remote address unknown"); return 0; diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index f6d1f20a5..a84b272dc 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libfast/request.c b/src/libfast/request.c index 6bf596fd8..16c1ae583 100644 --- a/src/libfast/request.c +++ b/src/libfast/request.c @@ -204,6 +204,14 @@ static char* get_query_data(private_request_t *this, char *name) } /** + * Implementation of request_t.read_data. + */ +static int read_data(private_request_t *this, char *buf, int len) +{ + return FCGX_GetStr(buf, len, this->req.in); +} + +/** * Implementation of request_t.get_base. */ static char* get_base(private_request_t *this) @@ -407,6 +415,7 @@ request_t *request_create(int fd, bool debug) this->public.add_cookie = (void(*)(request_t*, char *name, char *value))add_cookie; this->public.get_cookie = (char*(*)(request_t*,char*))get_cookie; this->public.get_query_data = (char*(*)(request_t*, char *name))get_query_data; + this->public.read_data = (int(*)(request_t*, char*, int))read_data; this->public.session_closed = (bool(*)(request_t*))session_closed; this->public.close_session = (void(*)(request_t*))close_session; this->public.redirect = (void(*)(request_t*, char *fmt,...))redirect; diff --git a/src/libfast/request.h b/src/libfast/request.h index af0f8e4f5..9ca74a91e 100644 --- a/src/libfast/request.h +++ b/src/libfast/request.h @@ -86,6 +86,15 @@ struct request_t { char* (*get_query_data)(request_t *this, char *name); /** + * Read raw POST/PUT data from HTTP request. + * + * @param buf buffer to read data into + * @param len size of the supplied buffer + * @return number of bytes read, < 0 on error + */ + int (*read_data)(request_t *this, char *buf, int len); + + /** * Close the session and it's context after handling. */ void (*close_session)(request_t *this); diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index e752df82d..6d640d778 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am index 601a56e38..4e5c55d3f 100644 --- a/src/libhydra/Makefile.am +++ b/src/libhydra/Makefile.am @@ -40,3 +40,10 @@ if MONOLITHIC endif endif +if USE_RESOLVE + SUBDIRS += plugins/resolve +if MONOLITHIC + libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la +endif +endif + diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index 32027d1ea..a3aec26c9 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -38,6 +38,8 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_2 = plugins/attr/libstrongswan-attr.la @USE_ATTR_SQL_TRUE@am__append_3 = plugins/attr_sql @MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql/libstrongswan-attr-sql.la +@USE_RESOLVE_TRUE@am__append_5 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_6 = plugins/resolve/libstrongswan-resolve.la subdir = src/libhydra DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -77,7 +79,8 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) +libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \ + $(am__append_6) am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \ mem_pool.lo libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS) @@ -110,7 +113,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/attr plugins/attr_sql +DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/resolve DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -300,7 +303,7 @@ attributes/attribute_provider.h attributes/attribute_handler.h \ attributes/attribute_manager.c attributes/attribute_manager.h \ attributes/mem_pool.c attributes/mem_pool.h -libhydra_la_LIBADD = $(am__append_2) $(am__append_4) +libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ -DIPSEC_DIR=\"${ipsecdir}\" \ @@ -308,11 +311,13 @@ AM_CFLAGS = \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" EXTRA_DIST = Android.mk -@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) +@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \ +@MONOLITHIC_FALSE@ $(am__append_5) # build optional plugins ######################## -@MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) +@MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) \ +@MONOLITHIC_TRUE@ $(am__append_5) all: all-recursive .SUFFIXES: @@ -447,7 +452,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -472,7 +477,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c index 3080b56eb..0d4cbda82 100644 --- a/src/libhydra/attributes/attribute_manager.c +++ b/src/libhydra/attributes/attribute_manager.c @@ -51,6 +51,8 @@ struct private_attribute_manager_t { * Data to pass to enumerator filters */ typedef struct { + /** attribute group pool */ + char *pool; /** server/peer identity */ identification_t *id; /** requesting/assigned virtual IP */ @@ -123,17 +125,20 @@ static void release_address(private_attribute_manager_t *this, static enumerator_t *responder_enum_create(attribute_provider_t *provider, enum_data_t *data) { - return provider->create_attribute_enumerator(provider, data->id, data->vip); + return provider->create_attribute_enumerator(provider, data->pool, + data->id, data->vip); } /** * Implementation of attribute_manager_t.create_responder_enumerator */ static enumerator_t* create_responder_enumerator( - private_attribute_manager_t *this, identification_t *id, host_t *vip) + private_attribute_manager_t *this, char *pool, + identification_t *id, host_t *vip) { enum_data_t *data = malloc_thing(enum_data_t); + data->pool = pool; data->id = id; data->vip = vip; this->lock->read_lock(this->lock); @@ -355,7 +360,7 @@ attribute_manager_t *attribute_manager_create() this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address; this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address; - this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_responder_enumerator; + this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, char *name, identification_t*, host_t*))create_responder_enumerator; this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider; this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider; this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*,identification_t*, attribute_handler_t*, configuration_attribute_type_t, chunk_t))handle; diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libhydra/attributes/attribute_manager.h index 642662366..56afef7c6 100644 --- a/src/libhydra/attributes/attribute_manager.h +++ b/src/libhydra/attributes/attribute_manager.h @@ -61,12 +61,13 @@ struct attribute_manager_t { /** * Create an enumerator over attributes to hand out to a peer. * + * @param pool pool name to get attributes from * @param id peer identity to hand out attributes to * @param vip virtual IP to assign to peer, if any * @return enumerator (configuration_attribute_type_t, chunk_t) */ enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this, - identification_t *id, host_t *vip); + char *pool, identification_t *id, host_t *vip); /** * Register an attribute provider to the manager. diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h index f8485cc6c..e4b4e13f3 100644 --- a/src/libhydra/attributes/attribute_provider.h +++ b/src/libhydra/attributes/attribute_provider.h @@ -56,12 +56,13 @@ struct attribute_provider_t { /** * Create an enumerator over attributes to hand out to a peer. * + * @param pool pool name to get attributes from * @param id peer ID * @param vip virtual IP to assign to peer, if any * @return enumerator (configuration_attribute_type_t, chunk_t) */ enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this, - identification_t *id, host_t *vip); + char *pool, identification_t *id, host_t *vip); }; #endif /** ATTRIBUTE_PROVIDER_H_ @}*/ diff --git a/src/libhydra/attributes/attributes.c b/src/libhydra/attributes/attributes.c index 83feed17e..ea87109e2 100644 --- a/src/libhydra/attributes/attributes.c +++ b/src/libhydra/attributes/attributes.c @@ -36,8 +36,77 @@ ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP "MIP6_HOME_PREFIX", "INTERNAL_IP6_LINK", "INTERNAL_IP6_PREFIX"); -ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_PREFIX, +ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, INTERNAL_IP6_PREFIX, + "XAUTH_TYPE", + "XAUTH_USER_NAME", + "XAUTH_USER_PASSWORD", + "XAUTH_PASSCODE", + "XAUTH_MESSAGE", + "XAUTH_CHALLENGE", + "XAUTH_DOMAIN", + "XAUTH_STATUS", + "XAUTH_NEXT_PIN", + "XAUTH_ANSWER"); +ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER, "INTERNAL_IP4_SERVER", "INTERNAL_IP6_SERVER"); -ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER); +ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER, + "UNITY_BANNER", + "UNITY_SAVE_PASSWD", + "UNITY_DEF_DOMAIN", + "UNITY_SPLITDNS_NAME", + "UNITY_SPLIT_INCLUDE", + "UNITY_NATT_PORT", + "UNITY_LOCAL_LAN", + "UNITY_PFS", + "UNITY_FW_TYPE", + "UNITY_BACKUP_SERVERS", + "UNITY_DDNS_HOSTNAME"); +ENUM_END(configuration_attribute_type_names, UNITY_DDNS_HOSTNAME); +ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_PREFIX, + "ADDR", + "MASK", + "DNS", + "NBNS", + "EXP", + "DHCP", + "VER", + "ADDR6", + "MASK6", + "DNS6", + "NBNS6", + "DHCP6", + "SUBNET", + "SUPPORTED", + "SUBNET6", + "MIP6HPFX", + "LINK6", + "PFX6"); +ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, INTERNAL_IP6_PREFIX, + "XAUTH_TYPE", + "XAUTH_USER_NAME", + "XAUTH_USER_PASSWORD", + "XAUTH_PASSCODE", + "XAUTH_MESSAGE", + "XAUTH_CHALLENGE", + "XAUTH_DOMAIN", + "XAUTH_STATUS", + "XAUTH_NEXT_PIN", + "XAUTH_ANSWER"); +ENUM_NEXT(configuration_attribute_type_short_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER, + "SRV", + "SRV6"); +ENUM_NEXT(configuration_attribute_type_short_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER, + "UNITY_BANNER", + "UNITY_SAVE_PASSWD", + "UNITY_DEF_DOMAIN", + "UNITY_SPLITDNS_NAME", + "UNITY_SPLIT_INCLUDE", + "UNITY_NATT_PORT", + "UNITY_LOCAL_LAN", + "UNITY_PFS", + "UNITY_FW_TYPE", + "UNITY_BACKUP_SERVERS", + "UNITY_DDNS_HOSTNAME"); +ENUM_END(configuration_attribute_type_short_names, UNITY_DDNS_HOSTNAME); diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h index f4a396f21..3a40ba367 100644 --- a/src/libhydra/attributes/attributes.h +++ b/src/libhydra/attributes/attributes.h @@ -30,27 +30,50 @@ typedef enum configuration_attribute_type_t configuration_attribute_type_t; * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig. */ enum configuration_attribute_type_t { - INTERNAL_IP4_ADDRESS = 1, - INTERNAL_IP4_NETMASK = 2, - INTERNAL_IP4_DNS = 3, - INTERNAL_IP4_NBNS = 4, + INTERNAL_IP4_ADDRESS = 1, + INTERNAL_IP4_NETMASK = 2, + INTERNAL_IP4_DNS = 3, + INTERNAL_IP4_NBNS = 4, INTERNAL_ADDRESS_EXPIRY = 5, - INTERNAL_IP4_DHCP = 6, - APPLICATION_VERSION = 7, - INTERNAL_IP6_ADDRESS = 8, - INTERNAL_IP6_NETMASK = 9, - INTERNAL_IP6_DNS = 10, - INTERNAL_IP6_NBNS = 11, - INTERNAL_IP6_DHCP = 12, - INTERNAL_IP4_SUBNET = 13, - SUPPORTED_ATTRIBUTES = 14, - INTERNAL_IP6_SUBNET = 15, - MIP6_HOME_PREFIX = 16, - INTERNAL_IP6_LINK = 17, - INTERNAL_IP6_PREFIX = 18, + INTERNAL_IP4_DHCP = 6, + APPLICATION_VERSION = 7, + INTERNAL_IP6_ADDRESS = 8, + INTERNAL_IP6_NETMASK = 9, + INTERNAL_IP6_DNS = 10, + INTERNAL_IP6_NBNS = 11, + INTERNAL_IP6_DHCP = 12, + INTERNAL_IP4_SUBNET = 13, + SUPPORTED_ATTRIBUTES = 14, + INTERNAL_IP6_SUBNET = 15, + MIP6_HOME_PREFIX = 16, + INTERNAL_IP6_LINK = 17, + INTERNAL_IP6_PREFIX = 18, + /* XAUTH attributes */ + XAUTH_TYPE = 16520, + XAUTH_USER_NAME = 16521, + XAUTH_USER_PASSWORD = 16522, + XAUTH_PASSCODE = 16523, + XAUTH_MESSAGE = 16524, + XAUTH_CHALLENGE = 16525, + XAUTH_DOMAIN = 16526, + XAUTH_STATUS = 16527, + XAUTH_NEXT_PIN = 16528, + XAUTH_ANSWER = 16529, /* proprietary Microsoft attributes */ - INTERNAL_IP4_SERVER = 23456, - INTERNAL_IP6_SERVER = 23457 + INTERNAL_IP4_SERVER = 23456, + INTERNAL_IP6_SERVER = 23457, + /* proprietary Cisco Unity attributes */ + UNITY_BANNER = 28672, + UNITY_SAVE_PASSWD = 28673, + UNITY_DEF_DOMAIN = 28674, + UNITY_SPLITDNS_NAME = 28675, + UNITY_SPLIT_INCLUDE = 28676, + UNITY_NATT_PORT = 28677, + UNITY_LOCAL_LAN = 28678, + UNITY_PFS = 28679, + UNITY_FW_TYPE = 28680, + UNITY_BACKUP_SERVERS = 28681, + UNITY_DDNS_HOSTNAME = 28682 }; /** @@ -58,5 +81,10 @@ enum configuration_attribute_type_t { */ extern enum_name_t *configuration_attribute_type_names; +/** + * Short enum names for configuration_attribute_type_t. + */ +extern enum_name_t *configuration_attribute_type_short_names; + #endif /** ATTRIBUTES_H_ @}*/ diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c index 65018e3a9..e1d69fd6b 100644 --- a/src/libhydra/attributes/mem_pool.c +++ b/src/libhydra/attributes/mem_pool.c @@ -225,9 +225,18 @@ METHOD(mem_pool_t, acquire_address, host_t*, /* check for a valid online lease, reassign */ offset = (uintptr_t)this->online->get(this->online, id); - if (offset && offset == host2offset(this, requested)) + if (offset) { - DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); + if (offset == host2offset(this, requested)) + { + DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); + } + else + { + DBG1(DBG_CFG, "'%Y' already has an online lease, " + "unable to assign address", id); + offset = 0; + } break; } diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index 54aa64beb..71402fc7f 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c index 9d6daa892..b3c0cc076 100644 --- a/src/libhydra/plugins/attr/attr_provider.c +++ b/src/libhydra/plugins/attr/attr_provider.c @@ -65,7 +65,7 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in, * Implementation of attribute_provider_t.create_attribute_enumerator */ static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this, - identification_t *id, host_t *vip) + char *pool, identification_t *id, host_t *vip) { if (vip) { @@ -148,6 +148,7 @@ static struct { {"dhcp", INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP}, {"netmask", INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK}, {"server", INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER}, + {"subnet", INTERNAL_IP4_SUBNET, INTERNAL_IP6_SUBNET}, }; /** @@ -165,12 +166,19 @@ static void load_entries(private_attr_provider_t *this) configuration_attribute_type_t type; attribute_entry_t *entry; host_t *host; - int i; + char *pos; + int i, mask = -1; type = atoi(key); tokens = enumerator_create_token(value, ",", " "); while (tokens->enumerate(tokens, &token)) { + pos = strchr(token, '/'); + if (pos) + { + *(pos++) = '\0'; + mask = atoi(pos); + } host = host_create_from_string(token, 0); if (!host) { @@ -201,7 +209,27 @@ static void load_entries(private_attr_provider_t *this) } entry = malloc_thing(attribute_entry_t); entry->type = type; - entry->value = chunk_clone(host->get_address(host)); + if (mask == -1) + { + entry->value = chunk_clone(host->get_address(host)); + } + else + { + if (host->get_family(host) == AF_INET) + { /* IPv4 attributes contain a subnet mask */ + u_int32_t netmask; + + mask = 32 - mask; + netmask = htonl((0xFFFFFFFF >> mask) << mask); + entry->value = chunk_cat("cc", host->get_address(host), + chunk_from_thing(netmask)); + } + else + { /* IPv6 addresses the prefix only */ + entry->value = chunk_cat("cc", host->get_address(host), + chunk_from_chars(mask)); + } + } host->destroy(host); this->attributes->insert_last(this->attributes, entry); } @@ -222,7 +250,7 @@ attr_provider_t *attr_provider_create(database_t *db) this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null; this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false; - this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))create_attribute_enumerator; + this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *vip))create_attribute_enumerator; this->public.destroy = (void(*)(attr_provider_t*))destroy; this->attributes = linked_list_create(); diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am index 376a8259c..a3dac863f 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.am +++ b/src/libhydra/plugins/attr_sql/Makefile.am @@ -18,6 +18,8 @@ libstrongswan_attr_sql_la_SOURCES = \ libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version ipsec_PROGRAMS = pool -pool_SOURCES = pool.c -pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +pool_SOURCES = pool.c pool_attributes.c pool_attributes.h \ + pool_usage.h pool_usage.c +pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la pool.o : $(top_builddir)/config.status diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index 99e97cefc..edf51059b 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -88,10 +88,12 @@ libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_attr_sql_la_rpath = PROGRAMS = $(ipsec_PROGRAMS) -am_pool_OBJECTS = pool.$(OBJEXT) +am_pool_OBJECTS = pool.$(OBJEXT) pool_attributes.$(OBJEXT) \ + pool_usage.$(OBJEXT) pool_OBJECTS = $(am_pool_OBJECTS) pool_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -277,8 +279,12 @@ libstrongswan_attr_sql_la_SOURCES = \ sql_attribute.h sql_attribute.c libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version -pool_SOURCES = pool.c -pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +pool_SOURCES = pool.c pool_attributes.c pool_attributes.h \ + pool_usage.h pool_usage.c + +pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la + all: all-am .SUFFIXES: @@ -410,6 +416,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool_attributes.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool_usage.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@ .c.o: diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c index fed89fc51..b4bdfc629 100644 --- a/src/libhydra/plugins/attr_sql/pool.c +++ b/src/libhydra/plugins/attr_sql/pool.c @@ -27,15 +27,18 @@ #include <utils/identification.h> #include <attributes/attributes.h> +#include "pool_attributes.h" +#include "pool_usage.h" + /** * global database handle */ database_t *db; /** - * --start/--end/--server addresses of various subcommands + * --start/--end addresses of various subcommands */ -host_t *start = NULL, *end = NULL, *server = NULL; +host_t *start = NULL, *end = NULL; /** * whether --add should --replace an existing pool @@ -126,23 +129,6 @@ static bool is_attribute(char *name) } /** - * determine configuration attribute type - */ -static configuration_attribute_type_t get_attribute_type(char *name, host_t* addr) -{ - if (strcaseeq(name, "dns")) - { - return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_DNS : - INTERNAL_IP6_DNS; - } - else - { - return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_NBNS : - INTERNAL_IP6_NBNS; - } -} - -/** * calculate the size of a pool using start and end address chunk */ static u_int get_pool_size(chunk_t start, chunk_t end) @@ -159,85 +145,6 @@ static u_int get_pool_size(chunk_t start, chunk_t end) } /** - * print usage info - */ -static void usage(void) -{ - printf("\ -Usage:\n\ - ipsec pool --status|--add|--replace|--del|--resize|--purge [options]\n\ - \n\ - ipsec pool --status\n\ - Show a list of installed pools with statistics.\n\ - \n\ - ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\ - ipsec pool --replace <name> --start <start> --end <end> [--timeout <timeout>]\n\ - Add a new pool to or replace an existing pool in the database.\n\ - name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ - start: Start address of the pool\n\ - end: End address of the pool\n\ - timeout: Lease time in hours, 0 for static leases\n\ - \n\ - ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\ - ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\ - Add a new pool to or replace an existing pool in the database.\n\ - name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ - file: File newline separated addresses for the pool are read from.\n\ - Optionally each address can be pre-assigned to a roadwarrior\n\ - identity, e.g. 10.231.14.2=alice@strongswan.org.\n\ - If a - (hyphen) is given instead of a file name, the addresses\n\ - are read from STDIN. Reading addresses stops at the end of file\n\ - or an empty line. Pools created with this command can not be\n\ - resized.\n\ - timeout: Lease time in hours, 0 for static leases\n\ - \n\ - ipsec pool --add dns|nbns|wins --server <server>\n\ - Add a new DNS or NBNS server to the database.\n\ - server: IP address of the name server\n\ - \n\ - ipsec pool --del <name>\n\ - Delete a pool from the database.\n\ - name: Name of the pool to delete\n\ - \n\ - ipsec pool --del dns|nbns|wins [--server <server>]\n\ - Delete a specific or all DNS or NBNS servers from the database.\n\ - server: IP address of the name server to delete\n\ - \n\ - ipsec pool --resize <name> --end <end>\n\ - Grow or shrink an existing pool.\n\ - name: Name of the pool to resize\n\ - end: New end address for the pool\n\ - \n\ - ipsec pool --leases [--filter <filter>] [--utc]\n\ - Show lease information using filters:\n\ - filter: Filter string containing comma separated key=value filters,\n\ - e.g. id=alice@strongswan.org,addr=1.1.1.1\n\ - pool: name of the pool\n\ - id: assigned identity of the lease\n\ - addr: lease IP address\n\ - tstamp: UNIX timestamp when lease was valid, as integer\n\ - status: status of the lease: online|valid|expired\n\ - utc: Show times in UTC instead of local time\n\ - \n\ - ipsec pool --purge <name>\n\ - Delete lease history of a pool:\n\ - name: Name of the pool to purge\n\ - \n\ - ipsec pool --batch <file>\n\ - Read commands from a file and execute them atomically.\n\ - file: File to read the newline separated commands from. Commands\n\ - appear as they are written on the command line, e.g.\n\ - --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\ - --del dns\n\ - --add dns --server 10.1.0.1\n\ - --add dns --server 10.1.1.1\n\ - If a - (hyphen) is given as a file name, the commands are read\n\ - from STDIN. Readin commands stops at the end of file. Empty\n\ - lines are ignored. The file may not contain a --batch command.\n\ - \n"); -} - -/** * ipsec pool --status - show pool overview */ static void status(void) @@ -483,29 +390,14 @@ static bool add_address(u_int pool_id, char *address_str, int *family) char *pos_eq = strchr(address_str, '='); if (pos_eq != NULL) { - enumerator_t *e; identification_t *id = identification_create_from_string(pos_eq + 1); + user_id = get_identity(id); + id->destroy(id); - /* look for peer identity in the identities table */ - e = db->query(db, - "SELECT id FROM identities WHERE type = ? AND data = ?", - DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), - DB_UINT); - - if (!e || !e->enumerate(e, &user_id)) + if (user_id == 0) { - /* not found, insert new one */ - if (db->execute(db, &user_id, - "INSERT INTO identities (type, data) VALUES (?, ?)", - DB_INT, id->get_type(id), - DB_BLOB, id->get_encoding(id)) != 1) - { - fprintf(stderr, "creating id '%s' failed.\n", pos_eq + 1); - return FALSE; - } + return FALSE; } - DESTROY_IF(e); - id->destroy(id); *pos_eq = '\0'; } @@ -593,26 +485,6 @@ static void add_addresses(char *pool, char *path, int timeout) } /** - * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry - */ -static void add_attr(char *name, host_t *server) -{ - configuration_attribute_type_t type; - chunk_t value; - - type = get_attribute_type(name, server); - value = server->get_address(server); - if (db->execute(db, NULL, - "INSERT INTO attributes (type, value) VALUES (?, ?)", - DB_INT, type, DB_BLOB, value) != 1) - { - fprintf(stderr, "adding %s server %H failed.\n", name, server); - exit(EXIT_FAILURE); - } - printf("added %s server %H\n", name, server); -} - -/** * ipsec pool --del - delete a pool */ static void del(char *name) @@ -653,88 +525,6 @@ static void del(char *name) } /** - * ipsec pool --del dns|nbns|wins - delete a DNS or NBNS server entry - */ -static void del_attr(char *name, host_t *server) -{ - configuration_attribute_type_t type; - chunk_t value; - u_int id; - enumerator_t *query; - bool found = FALSE; - - if (server) - { - type = get_attribute_type(name, server); - value = server->get_address(server); - query = db->query(db, - "SELECT id, type, value FROM attributes " - "WHERE type = ? AND value = ?", - DB_INT, type, DB_BLOB, value, - DB_UINT, DB_INT, DB_BLOB); - } - else - { - configuration_attribute_type_t type_ip4, type_ip6; - - if (strcaseeq(name, "dns")) - { - type_ip4 = INTERNAL_IP4_DNS; - type_ip6 = INTERNAL_IP6_DNS; - } - else - { - type_ip4 = INTERNAL_IP4_NBNS; - type_ip6 = INTERNAL_IP6_NBNS; - } - - query = db->query(db, - "SELECT id, type, value FROM attributes " - "WHERE type = ? OR type = ?", - DB_INT, type_ip4, DB_INT, type_ip6, - DB_UINT, DB_INT, DB_BLOB); - } - if (!query) - { - fprintf(stderr, "deleting %s servers failed.\n", name); - exit(EXIT_FAILURE); - } - - while (query->enumerate(query, &id, &type, &value)) - { - int family; - host_t *host; - - found = TRUE; - family = (type == INTERNAL_IP4_DNS || type == INTERNAL_IP4_NBNS) ? - AF_INET : AF_INET6; - host = host_create_from_chunk(family, value, 0); - if (db->execute(db, NULL, - "DELETE FROM attributes WHERE id = ?", - DB_UINT, id) != 1) - { - fprintf(stderr, "deleting %s server %H failed\n", name, host); - query->destroy(query); - DESTROY_IF(host); - exit(EXIT_FAILURE); - } - printf("deleted %s server %H\n", name, host); - DESTROY_IF(host); - } - query->destroy(query); - - if (!found && server) - { - printf("%s server %H not found\n", name, server); - exit(EXIT_FAILURE); - } - else if (!found) - { - printf("no %s servers found\n", name); - } -} - -/** * ipsec pool --resize - resize a pool */ static void resize(char *name, host_t *end) @@ -1134,22 +924,26 @@ static void cleanup(void) db->destroy(db); DESTROY_IF(start); DESTROY_IF(end); - DESTROY_IF(server); } static void do_args(int argc, char *argv[]) { - char *name = "", *filter = "", *addresses = NULL; + char *name = "", *value = "", *filter = ""; + char *pool = NULL, *identity = NULL, *addresses = NULL; + value_type_t value_type = VALUE_NONE; int timeout = 0; - bool utc = FALSE; + bool utc = FALSE, hexout = FALSE; + enum { OP_UNDEF, OP_USAGE, OP_STATUS, + OP_STATUS_ATTR, OP_ADD, OP_ADD_ATTR, OP_DEL, OP_DEL_ATTR, + OP_SHOW_ATTR, OP_RESIZE, OP_LEASES, OP_PURGE, @@ -1174,14 +968,26 @@ static void do_args(int argc, char *argv[]) { "resize", required_argument, NULL, 'r' }, { "leases", no_argument, NULL, 'l' }, { "purge", required_argument, NULL, 'p' }, + { "statusattr", no_argument, NULL, '1' }, + { "addattr", required_argument, NULL, '2' }, + { "delattr", required_argument, NULL, '3' }, + { "showattr", no_argument, NULL, '4' }, { "batch", required_argument, NULL, 'b' }, { "start", required_argument, NULL, 's' }, { "end", required_argument, NULL, 'e' }, - { "addresses", required_argument, NULL, 'x' }, + { "addresses", required_argument, NULL, 'y' }, { "timeout", required_argument, NULL, 't' }, { "filter", required_argument, NULL, 'f' }, + { "addr", required_argument, NULL, 'v' }, + { "mask", required_argument, NULL, 'v' }, { "server", required_argument, NULL, 'v' }, + { "subnet", required_argument, NULL, 'n' }, + { "string", required_argument, NULL, 'g' }, + { "hex", required_argument, NULL, 'x' }, + { "hexout", no_argument, NULL, '5' }, + { "pool", required_argument, NULL, '6' }, + { "identity", required_argument, NULL, '7' }, { 0,0,0,0 } }; @@ -1196,6 +1002,8 @@ static void do_args(int argc, char *argv[]) case 'w': operation = OP_STATUS; break; + case '1': + operation = OP_STATUS_ATTR; case 'u': utc = TRUE; continue; @@ -1207,15 +1015,27 @@ static void do_args(int argc, char *argv[]) operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD; if (replace_pool && operation == OP_ADD_ATTR) { - fprintf(stderr, "invalid pool name: '%s'.\n", optarg); + fprintf(stderr, "invalid pool name: " + "reserved for '%s' attribute.\n", optarg); usage(); exit(EXIT_FAILURE); } continue; + case '2': + name = optarg; + operation = OP_ADD_ATTR; + continue; case 'd': name = optarg; operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL; continue; + case '3': + name = optarg; + operation = OP_DEL_ATTR; + continue; + case '4': + operation = OP_SHOW_ATTR; + continue; case 'r': name = optarg; operation = OP_RESIZE; @@ -1268,18 +1088,33 @@ static void do_args(int argc, char *argv[]) case 'f': filter = optarg; continue; - case 'x': + case 'y': addresses = optarg; continue; + case 'g': + value_type = VALUE_STRING; + value = optarg; + continue; + case 'n': + value_type = VALUE_SUBNET; + value = optarg; + continue; case 'v': - DESTROY_IF(server); - server = host_create_from_string(optarg, 0); - if (server == NULL) - { - fprintf(stderr, "invalid server address: '%s'.\n", optarg); - usage(); - exit(EXIT_FAILURE); - } + value_type = VALUE_ADDR; + value = optarg; + continue; + case 'x': + value_type = VALUE_HEX; + value = optarg; + continue; + case '5': + hexout = TRUE; + continue; + case '6': + pool = optarg; + continue; + case '7': + identity = optarg; continue; default: usage(); @@ -1297,6 +1132,9 @@ static void do_args(int argc, char *argv[]) case OP_STATUS: status(); break; + case OP_STATUS_ATTR: + status_attr(hexout); + break; case OP_ADD: if (addresses != NULL) { @@ -1314,19 +1152,34 @@ static void do_args(int argc, char *argv[]) } break; case OP_ADD_ATTR: - if (server == NULL) + if (value_type == VALUE_NONE) { fprintf(stderr, "missing arguments.\n"); usage(); exit(EXIT_FAILURE); } - add_attr(name, server); + if (identity && !pool) + { + fprintf(stderr, "--identity option can't be used without --pool.\n"); + usage(); + exit(EXIT_FAILURE); + } + add_attr(name, pool, identity, value, value_type); break; case OP_DEL: del(name); break; case OP_DEL_ATTR: - del_attr(name, server); + if (identity && !pool) + { + fprintf(stderr, "--identity option can't be used without --pool.\n"); + usage(); + exit(EXIT_FAILURE); + } + del_attr(name, pool, identity, value, value_type); + break; + case OP_SHOW_ATTR: + show_attr(); break; case OP_RESIZE: if (end == NULL) diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c new file mode 100644 index 000000000..5f7afdfcd --- /dev/null +++ b/src/libhydra/plugins/attr_sql/pool_attributes.c @@ -0,0 +1,715 @@ +/* + * Copyright (C) 2009-2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include <string.h> + +#include <library.h> +#include <utils/host.h> + +#include "pool_attributes.h" +#include "pool_usage.h" + +/** + * global database handle + */ +extern database_t *db; + +#define UNITY_NETWORK_LEN 14 + +ENUM(value_type_names, VALUE_HEX, VALUE_SUBNET, + "hex", + "string", + "addr", + "subnet" +); + +typedef struct attr_info_t attr_info_t; + +struct attr_info_t { + char* keyword; + value_type_t value_type; + configuration_attribute_type_t type; + configuration_attribute_type_t type_ip6; +}; + +static const attr_info_t attr_info[] = { + { "internal_ip4_netmask", VALUE_ADDR, INTERNAL_IP4_NETMASK, 0 }, + { "internal_ip6_netmask", VALUE_ADDR, INTERNAL_IP6_NETMASK, 0 }, + { "netmask", VALUE_ADDR, INTERNAL_IP4_NETMASK, + INTERNAL_IP6_NETMASK }, + { "internal_ip4_dns", VALUE_ADDR, INTERNAL_IP4_DNS, 0 }, + { "internal_ip6_dns", VALUE_ADDR, INTERNAL_IP6_DNS, 0 }, + { "dns", VALUE_ADDR, INTERNAL_IP4_DNS, + INTERNAL_IP6_DNS }, + { "internal_ip4_nbns", VALUE_ADDR, INTERNAL_IP4_NBNS, 0 }, + { "internal_ip6_nbns", VALUE_ADDR, INTERNAL_IP6_NBNS, 0 }, + { "nbns", VALUE_ADDR, INTERNAL_IP4_NBNS, + INTERNAL_IP6_NBNS }, + { "wins", VALUE_ADDR, INTERNAL_IP4_NBNS, + INTERNAL_IP6_NBNS }, + { "internal_ip4_dhcp", VALUE_ADDR, INTERNAL_IP4_DHCP, 0 }, + { "internal_ip6_dhcp", VALUE_ADDR, INTERNAL_IP6_DHCP, 0 }, + { "dhcp", VALUE_ADDR, INTERNAL_IP4_DHCP, + INTERNAL_IP6_DHCP }, + { "internal_ip4_server", VALUE_ADDR, INTERNAL_IP4_SERVER, 0 }, + { "internal_ip6_server", VALUE_ADDR, INTERNAL_IP6_SERVER, 0 }, + { "server", VALUE_ADDR, INTERNAL_IP4_SERVER, + INTERNAL_IP6_SERVER }, + { "application_version", VALUE_STRING, APPLICATION_VERSION, 0 }, + { "version", VALUE_STRING, APPLICATION_VERSION, 0 }, + { "unity_banner", VALUE_STRING, UNITY_BANNER, 0 }, + { "banner", VALUE_STRING, UNITY_BANNER, 0 }, + { "unity_def_domain", VALUE_STRING, UNITY_DEF_DOMAIN, 0 }, + { "unity_splitdns_name", VALUE_STRING, UNITY_SPLITDNS_NAME, 0 }, + { "unity_split_include", VALUE_SUBNET, UNITY_SPLIT_INCLUDE, 0 }, + { "unity_local_lan", VALUE_SUBNET, UNITY_LOCAL_LAN, 0 }, +}; + +/** + * Determine the type of the attribute and its value + */ +static bool parse_attributes(char *name, char *value, value_type_t *value_type, + configuration_attribute_type_t *type, + configuration_attribute_type_t *type_ip6, + chunk_t *blob) +{ + host_t *addr = NULL, *mask = NULL; + chunk_t addr_chunk, mask_chunk, blob_next; + char *text = "", *pos_addr, *pos_mask, *pos_next, *endptr; + int i; + + switch (*value_type) + { + case VALUE_STRING: + *blob = chunk_create(value, strlen(value)); + *blob = chunk_clone(*blob); + break; + case VALUE_HEX: + *blob = chunk_from_hex(chunk_create(value, strlen(value)), NULL); + break; + case VALUE_ADDR: + addr = host_create_from_string(value, 0); + if (addr == NULL) + { + fprintf(stderr, "invalid IP address: '%s'.\n", value); + return FALSE; + } + addr_chunk = addr->get_address(addr); + *blob = chunk_clone(addr_chunk); + break; + case VALUE_SUBNET: + *blob = chunk_empty; + pos_next = value; + + do + { + pos_addr = pos_next; + pos_next = strchr(pos_next, ','); + if (pos_next) + { + *pos_next = '\0'; + pos_next += 1; + } + pos_mask = strchr(pos_addr, '/'); + if (pos_mask == NULL) + { + fprintf(stderr, "invalid IPv4 subnet: '%s'.\n", pos_addr); + free(blob->ptr); + return FALSE; + } + *pos_mask = '\0'; + pos_mask += 1; + addr = host_create_from_string(pos_addr, 0); + mask = host_create_from_string(pos_mask, 0); + if (addr == NULL || addr->get_family(addr) != AF_INET || + mask == NULL || mask->get_family(addr) != AF_INET) + { + fprintf(stderr, "invalid IPv4 subnet: '%s/%s'.\n", + pos_addr, pos_mask); + DESTROY_IF(addr); + DESTROY_IF(mask); + free(blob->ptr); + return FALSE; + } + addr_chunk = addr->get_address(addr); + mask_chunk = mask->get_address(mask); + blob_next = chunk_alloc(blob->len + UNITY_NETWORK_LEN); + memcpy(blob_next.ptr, blob->ptr, blob->len); + pos_addr = blob_next.ptr + blob->len; + memset(pos_addr, 0x00, UNITY_NETWORK_LEN); + memcpy(pos_addr, addr_chunk.ptr, 4); + memcpy(pos_addr + 4, mask_chunk.ptr, 4); + addr->destroy(addr); + mask->destroy(mask); + chunk_free(blob); + *blob = blob_next; + } + while (pos_next); + break; + case VALUE_NONE: + *blob = chunk_empty; + break; + } + + /* init the attribute type */ + *type = 0; + *type_ip6 = 0; + + for (i = 0; i < countof(attr_info); i++) + { + if (strcaseeq(name, attr_info[i].keyword)) + { + *type = attr_info[i].type; + *type_ip6 = attr_info[i].type_ip6; + + if (*value_type == VALUE_NONE) + { + *value_type = attr_info[i].value_type; + return TRUE; + } + + if (*value_type != attr_info[i].value_type && + *value_type != VALUE_HEX) + { + switch (attr_info[i].value_type) + { + case VALUE_STRING: + text = "a string"; + break; + case VALUE_HEX: + text = "a hex"; + break; + case VALUE_ADDR: + text = "an IP address"; + break; + case VALUE_SUBNET: + text = "a subnet"; + break; + case VALUE_NONE: + text = "no"; + break; + } + fprintf(stderr, "the %s attribute requires %s value.\n", + name, text); + DESTROY_IF(addr); + free(blob->ptr); + return FALSE; + } + + if (*value_type == VALUE_ADDR) + { + *type = (addr->get_family(addr) == AF_INET) ? + attr_info[i].type : attr_info[i].type_ip6; + addr->destroy(addr); + } + else if (*value_type == VALUE_HEX) + { + *value_type = attr_info[i].value_type; + + if (*value_type == VALUE_ADDR) + { + if (blob->len == 16) + { + *type = attr_info[i].type_ip6; + } + else if (blob->len != 4) + { + fprintf(stderr, "the %s attribute requires " + "a valid IP address.\n", name); + free(blob->ptr); + return FALSE; + } + } + } + return TRUE; + } + } + + /* clean up */ + DESTROY_IF(addr); + + /* is the attribute type numeric? */ + *type = strtol(name, &endptr, 10); + + if (*endptr != '\0') + { + fprintf(stderr, "the %s attribute is not recognized.\n", name); + free(blob->ptr); + return FALSE; + } + if (*type < 1 || *type > 32767) + { + fprintf(stderr, "the attribute type must lie in the range 1..32767.\n"); + free(blob->ptr); + return FALSE; + } + if (*value_type == VALUE_NONE) + { + *value_type = VALUE_HEX; + } + return TRUE; +} + +/** + * Lookup/insert an attribute pool by name + */ +static u_int get_attr_pool(char *name) +{ + enumerator_t *e; + u_int row = 0; + + /* look for an existing attribute pool in the table */ + e = db->query(db, "SELECT id FROM attribute_pools WHERE name = ?", + DB_TEXT, name, DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (db->execute(db, &row, "INSERT INTO attribute_pools (name) VALUES (?)", + DB_TEXT, name) != 1) + { + fprintf(stderr, "creating attribute pool '%s' failed.\n", name); + return 0; + } + return row; +} + +/** + * Lookup/insert an identity + */ +u_int get_identity(identification_t *id) +{ + enumerator_t *e; + u_int row; + + /* look for peer identity in the identities table */ + e = db->query(db, "SELECT id FROM identities WHERE type = ? AND data = ?", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (db->execute(db, &row, "INSERT INTO identities (type,data) VALUES (?,?)", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) != 1) + { + fprintf(stderr, "creating id '%Y' failed.\n", id); + return 0; + } + return row; +} + +/** + * ipsec pool --addattr <type> - add attribute entry + */ +void add_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type) +{ + configuration_attribute_type_t type, type_ip6; + u_int pool_id = 0, identity_id = 0; + char id_pool_str[128] = ""; + chunk_t blob; + bool success; + + if (pool) + { + pool_id = get_attr_pool(pool); + if (pool_id == 0) + { + exit(EXIT_FAILURE); + } + + if (identity) + { + identification_t *id; + + id = identification_create_from_string(identity); + identity_id = get_identity(id); + id->destroy(id); + if (identity_id == 0) + { + exit(EXIT_FAILURE); + } + snprintf(id_pool_str, sizeof(id_pool_str), + " for '%s' in pool '%s'", identity, pool); + } + else + { + snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool); + } + } + + if (value_type == VALUE_NONE) + { + fprintf(stderr, "the value of the %s attribute is missing.\n", name); + usage(); + } + if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob)) + { + exit(EXIT_FAILURE); + } + + success = db->execute(db, NULL, + "INSERT INTO attributes (identity, pool, type, value) " + "VALUES (?, ?, ?, ?)", DB_UINT, identity_id, DB_UINT, pool_id, + DB_INT, type, DB_BLOB, blob) == 1; + free(blob.ptr); + + if (success) + { + printf("added %s attribute (%N)%s.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } + else + { + fprintf(stderr, "adding %s attribute (%N)%s failed.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } +} + +/** + * ipsec pool --delattr <type> - delete attribute entry + */ +void del_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type) +{ + configuration_attribute_type_t type, type_ip6, type_db; + u_int pool_id = 0, identity_id = 0; + char id_pool_str[128] = ""; + chunk_t blob, blob_db; + u_int id; + enumerator_t *query; + bool found = FALSE; + + if (pool) + { + pool_id = get_attr_pool(pool); + if (pool_id == 0) + { + exit(EXIT_FAILURE); + } + + if (identity) + { + identification_t *id; + + id = identification_create_from_string(identity); + identity_id = get_identity(id); + id->destroy(id); + if (identity_id == 0) + { + exit(EXIT_FAILURE); + } + snprintf(id_pool_str, sizeof(id_pool_str), + " for '%s' in pool '%s'", identity, pool); + } + else + { + snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool); + } + } + + if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob)) + { + exit(EXIT_FAILURE); + } + + if (blob.len > 0) + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND type = ? AND value = ?", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_BLOB, blob, DB_UINT, DB_INT, DB_BLOB); + } + else if (type_ip6 == 0) + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND type = ?", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_UINT, DB_INT, DB_BLOB); + } + else + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND (type = ? OR type = ?)", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_INT, type_ip6, DB_UINT, DB_INT, DB_BLOB); + } + + if (!query) + { + fprintf(stderr, "deleting '%s' attribute (%N)%s failed.\n", + name, configuration_attribute_type_names, type, id_pool_str); + free(blob.ptr); + exit(EXIT_FAILURE); + } + + while (query->enumerate(query, &id, &type_db, &blob_db)) + { + host_t *server = NULL; + + found = TRUE; + + if (value_type == VALUE_ADDR) + { + int family = (type_db == type_ip6) ? AF_INET6 : AF_INET; + + server = host_create_from_chunk(family, blob_db, 0); + } + + if (db->execute(db, NULL, + "DELETE FROM attributes WHERE id = ?", + DB_UINT, id) != 1) + { + if (server) + { + fprintf(stderr, "deleting %s server %H%s failed\n", + name, server, id_pool_str); + server->destroy(server); + } + else if (value_type == VALUE_STRING) + { + fprintf(stderr, "deleting %s attribute (%N) with value '%.*s'%s failed.\n", + name, configuration_attribute_type_names, type, + blob_db.len, blob_db.ptr, id_pool_str); + } + + else + { + fprintf(stderr, "deleting %s attribute (%N) with value %#B%s failed.\n", + name, configuration_attribute_type_names, type, + &blob_db, id_pool_str); + } + query->destroy(query); + free(blob.ptr); + exit(EXIT_FAILURE); + } + if (server) + { + printf("deleted %s server %H%s\n", name, server, id_pool_str); + server->destroy(server); + } + else if (value_type == VALUE_STRING) + { + printf("deleted %s attribute (%N) with value '%.*s'%s.\n", + name, configuration_attribute_type_names, type, + blob_db.len, blob_db.ptr, id_pool_str); + } + else + { + printf("deleted %s attribute (%N) with value %#B%s.\n", + name, configuration_attribute_type_names, type, + &blob_db, id_pool_str); + } + } + query->destroy(query); + + if (!found) + { + if (blob.len == 0) + { + if (type_ip6 == 0) + { + fprintf(stderr, "no %s attribute (%N) was found%s.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } + else + { + fprintf(stderr, "no %s attribute%s was found.\n", + name, id_pool_str); + } + } + else + { + if (value_type == VALUE_ADDR) + { + host_t *server = host_create_from_chunk(AF_UNSPEC, blob, 0); + + fprintf(stderr, "the %s server %H%s was not found.\n", name, + server, id_pool_str); + server->destroy(server); + } + else + { + fprintf(stderr, "the %s attribute (%N) with value '%.*s'%s " + "was not found.\n", name, + configuration_attribute_type_names, type, + blob.len, blob.ptr, id_pool_str); + } + } + } + free(blob.ptr); +} + +/** + * ipsec pool --statusattr - show all attribute entries + */ +void status_attr(bool hexout) +{ + configuration_attribute_type_t type; + value_type_t value_type; + chunk_t value, addr_chunk, mask_chunk, identity_chunk; + identification_t *identity; + enumerator_t *enumerator; + host_t *addr, *mask; + char type_name[30]; + bool first = TRUE; + int i, identity_type; + char *pool_name; + + /* enumerate over all attributes */ + enumerator = db->query(db, + "SELECT attributes.type, attribute_pools.name, " + "identities.type, identities.data, attributes.value " + "FROM attributes " + "LEFT OUTER JOIN identities " + "ON attributes.identity = identities.id " + "LEFT OUTER JOIN attribute_pools " + "ON attributes.pool = attribute_pools.id " + "ORDER BY attributes.type, attribute_pools.name, " + "identities.type, identities.data, attributes.value", + DB_INT, DB_TEXT, DB_INT, DB_BLOB, DB_BLOB); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &type,&pool_name, + &identity_type, &identity_chunk, &value)) + { + if (first) + { + printf(" type description pool " + " identity value\n"); + first = FALSE; + } + snprintf(type_name, sizeof(type_name), "%N", + configuration_attribute_type_names, type); + if (type_name[0] == '(') + { + type_name[0] = '\0'; + } + printf("%5d %-20s ",type, type_name); + + printf(" %-10s ", (pool_name ? pool_name : "")); + + if (identity_type) + { + identity = identification_create_from_encoding(identity_type, identity_chunk); + printf(" %-20.20Y ", identity); + identity->destroy(identity); + } + else + { + printf(" "); + } + + value_type = VALUE_HEX; + if (!hexout) + { + for (i = 0; i < countof(attr_info); i++) + { + if (type == attr_info[i].type) + { + value_type = attr_info[i].value_type; + break; + } + } + } + switch (value_type) + { + case VALUE_ADDR: + addr = host_create_from_chunk(AF_UNSPEC, value, 0); + if (addr) + { + printf(" %H\n", addr); + addr->destroy(addr); + } + else + { + /* value cannot be represented as an IP address */ + printf(" %#B\n", &value); + } + break; + case VALUE_SUBNET: + if (value.len % UNITY_NETWORK_LEN == 0) + { + for (i = 0; i < value.len / UNITY_NETWORK_LEN; i++) + { + addr_chunk = chunk_create(value.ptr + i*UNITY_NETWORK_LEN, 4); + addr = host_create_from_chunk(AF_INET, addr_chunk, 0); + mask_chunk = chunk_create(addr_chunk.ptr + 4, 4); + mask = host_create_from_chunk(AF_INET, mask_chunk, 0); + printf("%s%H/%H", (i > 0) ? "," : " ", addr, mask); + addr->destroy(addr); + mask->destroy(mask); + } + printf("\n"); + } + else + { + /* value cannot be represented as a list of subnets */ + printf(" %#B\n", &value); + } + break; + case VALUE_STRING: + printf("\"%.*s\"\n", value.len, value.ptr); + break; + case VALUE_HEX: + default: + printf(" %#B\n", &value); + } + } + enumerator->destroy(enumerator); + } +} + +/** + * ipsec pool --showattr - show all supported attribute keywords + */ +void show_attr(void) +{ + int i; + + for (i = 0; i < countof(attr_info); i++) + { + char value_name[10]; + + + snprintf(value_name, sizeof(value_name), "%N", + value_type_names, attr_info[i].value_type); + + printf("%-20s --%-6s (%N", + attr_info[i].keyword, value_name, + configuration_attribute_type_names, attr_info[i].type); + + if (attr_info[i].type_ip6) + { + printf(", %N)\n", + configuration_attribute_type_names, attr_info[i].type_ip6); + } + else + { + printf(")\n"); + } + } +} + diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.h b/src/libhydra/plugins/attr_sql/pool_attributes.h new file mode 100644 index 000000000..a42291f57 --- /dev/null +++ b/src/libhydra/plugins/attr_sql/pool_attributes.h @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2009-2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef POOL_ATTRIBUTES_H_ +#define POOL_ATTRIBUTES_H_ + +#include <attributes/attributes.h> + +typedef enum value_type_t value_type_t; + +enum value_type_t { + VALUE_NONE, + VALUE_HEX, + VALUE_STRING, + VALUE_ADDR, + VALUE_SUBNET +}; + +/** + * enum names for value_type_t. + */ +extern enum_name_t *value_type_names; + +/** + * lookup/insert an identity + */ +u_int get_identity(identification_t *id); + +/** + * ipsec pool --addattr <type> - add attribute entry + */ +void add_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type); + +/** + * ipsec pool --delattr <type> - delete attribute entry + */ +void del_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type); + +/** + * ipsec pool --statusattr - show all attribute entries + */ +void status_attr(bool hexout); + +/** + * ipsec pool --showattr - show all supported attribute keywords + */ +void show_attr(void); + +#endif /* POOL_ATTRIBUTES_H_ */ + + diff --git a/src/libhydra/plugins/attr_sql/pool_usage.c b/src/libhydra/plugins/attr_sql/pool_usage.c new file mode 100644 index 000000000..985bc3ae8 --- /dev/null +++ b/src/libhydra/plugins/attr_sql/pool_usage.c @@ -0,0 +1,127 @@ +/* + * Copyright (C) 2008 Martin Willi + * Copyright (C) 2009-2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdio.h> + +/** + * print pool usage info + */ +void usage(void) +{ + printf("\ +Usage:\n\ + ipsec pool --status|--add|--replace|--del|--resize|--leases|--purge [options]\n\ + ipsec pool --showattr|--statusattr|--addattr|--delattr [options]\n\ + \n\ + ipsec pool --status\n\ + Show a list of installed pools with statistics plus nameserver info.\n\ + \n\ + ipsec pool --statusattr [--hexout]\n\ + Show a list of all attributes stored in the database with the values\n\ + converted to the correct format if the type is known by --showattr or\n\ + in hex format otherwise.\n\ + hexout: Output all values in hex format\n\ + \n\ + ipsec pool --showattr\n\ + Show a keyword list of the major attribute types.\n\ + \n\ + ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\ + ipsec pool --replace <name> --start <start> --end <end> [--timeout <timeout>]\n\ + Add a new pool to or replace an existing pool in the database.\n\ + name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ + start: Start address of the pool\n\ + end: End address of the pool\n\ + timeout: Lease time in hours, 0 for static leases\n\ + \n\ + ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\ + ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\ + Add a new pool to or replace an existing pool in the database.\n\ + name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ + file: File newline separated addresses for the pool are read from.\n\ + Optionally each address can be pre-assigned to a roadwarrior\n\ + identity, e.g. 10.231.14.2=alice@strongswan.org.\n\ + If a - (hyphen) is given instead of a file name, the addresses\n\ + are read from STDIN. Reading addresses stops at the end of file\n\ + or an empty line. Pools created with this command can not be\n\ + resized.\n\ + timeout: Lease time in hours, 0 for static leases\n\ + \n\ + ipsec pool --addattr <type> [--pool <name> [--identity <id>]]\n\ + --addr|--mask|--server|--subnet|--string|--hex <value>\n\ + Add a new attribute to the database. Attributes can be bundled by using\n\ + the --pool and --identity options. If a bundle matches a peer the contained\n\ + attributes are sent to that peer instead of the global ones.\n\ + type: a keyword from --showattr or a number from the range 1..32767\n\ + name: the name of the pool this attribute is added to\n\ + id: identity of the peer this attribute is bound to\n\ + addr: IPv4 or IPv6 address\n\ + mask: IPv4 or IPv6 netmask (synonym for --addr)\n\ + server: IPv4 or IPv6 address of a server (synonym for --addr)\n\ + subnet: IPv4 subnet[s] given by network/mask[,network/mask,...]\n\ + string: value of a string-type attribute\n\ + hex: hex value of any attribute\n\ + \n\ + ipsec pool --del <name>\n\ + Delete a pool from the database.\n\ + name: Name of the pool to delete\n\ + \n\ + ipsec pool --delattr <type> [--pool <name> [--identity <id>]]\n\ + [--addr|--mask|--server|--subnet|--string|--hex <value>]\n\ + Delete a specific or all attributes of a given type from the database.\n\ + type: a keyword from --showattr or a number from the range 1..32767\n\ + name: the name of the pool this attribute is added to\n\ + id: identity of the peer this attribute is bound to\n\ + addr: IPv4 or IPv6 address\n\ + mask: IPv4 or IPv6 netmask (synonym for --addr)\n\ + server: IPv4 or IPv6 address of a server (synonym for --addr)\n\ + subnet: IPv4 subnet[s] given by network/mask[,network/mask,...]\n\ + string: value of a string-type attribute\n\ + hex: hex value of any attribute\n\ + \n\ + ipsec pool --resize <name> --end <end>\n\ + Grow or shrink an existing pool.\n\ + name: Name of the pool to resize\n\ + end: New end address for the pool\n\ + \n\ + ipsec pool --leases [--filter <filter>] [--utc]\n\ + Show lease information using filters:\n\ + filter: Filter string containing comma separated key=value filters,\n\ + e.g. id=alice@strongswan.org,addr=1.1.1.1\n\ + pool: name of the pool\n\ + id: assigned identity of the lease\n\ + addr: lease IP address\n\ + tstamp: UNIX timestamp when lease was valid, as integer\n\ + status: status of the lease: online|valid|expired\n\ + utc: Show times in UTC instead of local time\n\ + \n\ + ipsec pool --purge <name>\n\ + Delete lease history of a pool:\n\ + name: Name of the pool to purge\n\ + \n\ + ipsec pool --batch <file>\n\ + Read commands from a file and execute them atomically.\n\ + file: File to read the newline separated commands from. Commands\n\ + appear as they are written on the command line, e.g.\n\ + --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\ + --del dns\n\ + --add dns --server 10.1.0.1\n\ + --add dns --server 10.1.1.1\n\ + If a - (hyphen) is given as a file name, the commands are read\n\ + from STDIN. Readin commands stops at the end of file. Empty\n\ + lines are ignored. The file may not contain a --batch command.\n\ + \n"); +} + diff --git a/src/libhydra/plugins/attr_sql/pool_usage.h b/src/libhydra/plugins/attr_sql/pool_usage.h new file mode 100644 index 000000000..a98b0d680 --- /dev/null +++ b/src/libhydra/plugins/attr_sql/pool_usage.h @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2008 Martin Willi + * Copyright (C) 2009-2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef POOL_USAGE_H_ +#define POOL_USAGE_H_ + +/** + * print pool usage info + */ +void usage(void); + + +#endif /* POOL_USAGE_H_ */ diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c index a7cfde649..7f7bb190c 100644 --- a/src/libhydra/plugins/attr_sql/sql_attribute.c +++ b/src/libhydra/plugins/attr_sql/sql_attribute.c @@ -74,6 +74,26 @@ static u_int get_identity(private_sql_attribute_t *this, identification_t *id) } /** + * Lookup an attribute pool by name + */ +static u_int get_attr_pool(private_sql_attribute_t *this, char *name) +{ + enumerator_t *e; + u_int row = 0; + + e = this->db->query(this->db, + "SELECT id FROM attribute_pools WHERE name = ?", + DB_TEXT, name, DB_UINT); + if (e) + { + e->enumerate(e, &row); + } + DESTROY_IF(e); + + return row; +} + +/** * Lookup pool by name */ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout) @@ -327,20 +347,101 @@ static bool release_address(private_sql_attribute_t *this, * Implementation of sql_attribute_t.create_attribute_enumerator */ static enumerator_t* create_attribute_enumerator(private_sql_attribute_t *this, - identification_t *id, host_t *vip) + char *names, identification_t *id, host_t *vip) { + enumerator_t *attr_enumerator = NULL; + if (vip) { - enumerator_t *enumerator; + enumerator_t *names_enumerator; + u_int count; + char *name; - enumerator = this->db->query(this->db, - "SELECT type, value FROM attributes", DB_INT, DB_BLOB); - if (enumerator) + this->db->execute(this->db, NULL, "BEGIN EXCLUSIVE TRANSACTION"); + + /* in a first step check for attributes that match name and id */ + if (id) { - return enumerator; + u_int identity = get_identity(this, id); + + names_enumerator = enumerator_create_token(names, ",", " "); + while (names_enumerator->enumerate(names_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = ?", + DB_UINT, attr_pool, DB_UINT, identity, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? AND identity = ?", DB_UINT, + attr_pool, DB_UINT, identity, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + names_enumerator->destroy(names_enumerator); + } + + /* in a second step check for attributes that match name */ + if (!attr_enumerator) + { + names_enumerator = enumerator_create_token(names, ",", " "); + while (names_enumerator->enumerate(names_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + names_enumerator->destroy(names_enumerator); + } + + this->db->execute(this->db, NULL, "END TRANSACTION"); + + /* lastly try to find global attributes */ + if (!attr_enumerator) + { + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = 0 AND identity = 0", + DB_INT, DB_BLOB); } } - return enumerator_create_empty(); + + return (attr_enumerator ? attr_enumerator : enumerator_create_empty()); } /** @@ -361,7 +462,7 @@ sql_attribute_t *sql_attribute_create(database_t *db) this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address; this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address; - this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *host))create_attribute_enumerator; + this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *host))create_attribute_enumerator; this->public.destroy = (void(*)(sql_attribute_t*))destroy; this->db = db; diff --git a/src/libcharon/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am index f8830d42e..f8830d42e 100644 --- a/src/libcharon/plugins/resolve/Makefile.am +++ b/src/libhydra/plugins/resolve/Makefile.am diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in index 92ee85539..e16c66923 100644 --- a/src/libcharon/plugins/resolve/Makefile.in +++ b/src/libhydra/plugins/resolve/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/resolve +subdir = src/libhydra/plugins/resolve DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -283,9 +283,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile + $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c index 714c751a6..cdc639038 100644 --- a/src/libcharon/plugins/resolve/resolve_handler.c +++ b/src/libhydra/plugins/resolve/resolve_handler.c @@ -17,7 +17,8 @@ #include <unistd.h> -#include <daemon.h> +#include <hydra.h> +#include <debug.h> #include <threading/mutex.h> typedef struct private_resolve_handler_t private_resolve_handler_t; @@ -244,7 +245,7 @@ resolve_handler_t *resolve_handler_create() this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->file = lib->settings->get_str(lib->settings, - "charon.plugins.resolve.file", RESOLV_CONF); + "%s.plugins.resolve.file", RESOLV_CONF, hydra->daemon); return &this->public; } diff --git a/src/libcharon/plugins/resolve/resolve_handler.h b/src/libhydra/plugins/resolve/resolve_handler.h index 77bf9781c..77bf9781c 100644 --- a/src/libcharon/plugins/resolve/resolve_handler.h +++ b/src/libhydra/plugins/resolve/resolve_handler.h diff --git a/src/libcharon/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c index 502129593..502129593 100644 --- a/src/libcharon/plugins/resolve/resolve_plugin.c +++ b/src/libhydra/plugins/resolve/resolve_plugin.c diff --git a/src/libcharon/plugins/resolve/resolve_plugin.h b/src/libhydra/plugins/resolve/resolve_plugin.h index 0148b10d7..0148b10d7 100644 --- a/src/libcharon/plugins/resolve/resolve_plugin.h +++ b/src/libhydra/plugins/resolve/resolve_plugin.h diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index ab07cb214..d53df9bb2 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index d639220e3..1931dfa45 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -26,7 +26,7 @@ crypto/diffie_hellman.c crypto/diffie_hellman.h \ crypto/transform.c crypto/transform.h \ credentials/credential_factory.c credentials/credential_factory.h \ credentials/builder.c credentials/builder.h \ -credentials/keys/key_encoding.c credentials/keys/key_encoding.h \ +credentials/cred_encoding.c credentials/cred_encoding.h \ credentials/keys/private_key.c credentials/keys/private_key.h \ credentials/keys/public_key.c credentials/keys/public_key.h \ credentials/keys/shared_key.c credentials/keys/shared_key.h \ @@ -39,6 +39,12 @@ credentials/certificates/ocsp_request.h \ credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \ +credentials/credential_manager.c credentials/credential_manager.h \ +credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ +credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ +credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ +credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ +credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ selectors/traffic_selector.c selectors/traffic_selector.h \ @@ -68,7 +74,7 @@ LOCAL_SRC_FILES += $(call add_plugin, des) LOCAL_SRC_FILES += $(call add_plugin, fips-prf) LOCAL_SRC_FILES += $(call add_plugin, gmp) -ifneq ($(call plugin_enabled, gmp)),) +ifneq ($(call plugin_enabled, gmp),) LOCAL_C_INCLUDES += $(libgmp_PATH) LOCAL_SHARED_LIBRARIES += libgmp endif @@ -80,7 +86,7 @@ LOCAL_SRC_FILES += $(call add_plugin, md4) LOCAL_SRC_FILES += $(call add_plugin, md5) LOCAL_SRC_FILES += $(call add_plugin, openssl) -ifneq ($(call plugin_enabled, openssl)),) +ifneq ($(call plugin_enabled, openssl),) LOCAL_C_INCLUDES += external/openssl/include LOCAL_SHARED_LIBRARIES += libcrypto endif diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 157d37b5e..3678abd5d 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -24,7 +24,7 @@ crypto/diffie_hellman.c crypto/diffie_hellman.h \ crypto/transform.c crypto/transform.h \ credentials/credential_factory.c credentials/credential_factory.h \ credentials/builder.c credentials/builder.h \ -credentials/keys/key_encoding.c credentials/keys/key_encoding.h \ +credentials/cred_encoding.c credentials/cred_encoding.h \ credentials/keys/private_key.c credentials/keys/private_key.h \ credentials/keys/public_key.c credentials/keys/public_key.h \ credentials/keys/shared_key.c credentials/keys/shared_key.h \ @@ -37,6 +37,12 @@ credentials/certificates/ocsp_request.h \ credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \ +credentials/credential_manager.c credentials/credential_manager.h \ +credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ +credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ +credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ +credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ +credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ selectors/traffic_selector.c selectors/traffic_selector.h \ @@ -203,6 +209,13 @@ if MONOLITHIC endif endif +if USE_REVOCATION + SUBDIRS += plugins/revocation +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/revocation/libstrongswan-revocation.la +endif +endif + if USE_PUBKEY SUBDIRS += plugins/pubkey if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index b8d967d4a..b6dcf6be5 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -68,36 +68,38 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la @USE_X509_TRUE@am__append_29 = plugins/x509 @MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la -@USE_PUBKEY_TRUE@am__append_31 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_32 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_33 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_34 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PGP_TRUE@am__append_35 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_36 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_37 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_38 = plugins/dnskey/libstrongswan-dnskey.la -@USE_PEM_TRUE@am__append_39 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_40 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_41 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_42 = plugins/curl/libstrongswan-curl.la -@USE_LDAP_TRUE@am__append_43 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_44 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_45 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_46 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_47 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_48 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_49 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_50 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_51 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_52 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_53 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_54 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_55 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_56 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_57 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_58 = plugins/agent/libstrongswan-agent.la -@USE_TEST_VECTORS_TRUE@am__append_59 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_60 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_REVOCATION_TRUE@am__append_31 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_32 = plugins/revocation/libstrongswan-revocation.la +@USE_PUBKEY_TRUE@am__append_33 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_34 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_35 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_36 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PGP_TRUE@am__append_37 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_38 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_39 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_40 = plugins/dnskey/libstrongswan-dnskey.la +@USE_PEM_TRUE@am__append_41 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_42 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_43 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_44 = plugins/curl/libstrongswan-curl.la +@USE_LDAP_TRUE@am__append_45 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_46 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_47 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_48 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_49 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_50 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_51 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_52 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_53 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_54 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_55 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_56 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_57 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_59 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la +@USE_TEST_VECTORS_TRUE@am__append_61 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_62 = plugins/test_vectors/libstrongswan-test-vectors.la subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -150,7 +152,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_42) $(am__append_44) $(am__append_46) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ - $(am__append_60) + $(am__append_60) $(am__append_62) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \ @@ -167,8 +169,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ credentials/credential_factory.c \ credentials/credential_factory.h credentials/builder.c \ - credentials/builder.h credentials/keys/key_encoding.c \ - credentials/keys/key_encoding.h credentials/keys/private_key.c \ + credentials/builder.h credentials/cred_encoding.c \ + credentials/cred_encoding.h credentials/keys/private_key.c \ credentials/keys/private_key.h credentials/keys/public_key.c \ credentials/keys/public_key.h credentials/keys/shared_key.c \ credentials/keys/shared_key.h \ @@ -184,6 +186,15 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c \ credentials/ietf_attributes/ietf_attributes.h \ + credentials/credential_manager.c \ + credentials/credential_manager.h \ + credentials/sets/auth_cfg_wrapper.c \ + credentials/sets/auth_cfg_wrapper.h \ + credentials/sets/ocsp_response_wrapper.c \ + credentials/sets/ocsp_response_wrapper.h \ + credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ + credentials/auth_cfg.c credentials/auth_cfg.h \ + credentials/credential_set.h credentials/cert_validator.h \ database/database.h database/database_factory.h \ database/database_factory.c fetcher/fetcher.h \ fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ @@ -208,9 +219,11 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo prf.lo \ rng.lo prf_plus.lo signer.lo crypto_factory.lo \ crypto_tester.lo diffie_hellman.lo transform.lo \ - credential_factory.lo builder.lo key_encoding.lo \ + credential_factory.lo builder.lo cred_encoding.lo \ private_key.lo public_key.lo shared_key.lo certificate.lo \ x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \ + credential_manager.lo auth_cfg_wrapper.lo \ + ocsp_response_wrapper.lo cert_cache.lo auth_cfg.lo \ database_factory.lo fetcher_manager.lo traffic_selector.lo \ thread.lo thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \ identification.lo lexparser.lo linked_list.lo hashtable.lo \ @@ -249,10 +262,11 @@ CTAGS = ctags DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \ plugins/random plugins/hmac plugins/xcbc plugins/x509 \ - plugins/pubkey plugins/pkcs1 plugins/pgp plugins/dnskey \ - plugins/pem plugins/curl plugins/ldap plugins/mysql \ - plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \ - plugins/fips_prf plugins/agent plugins/test_vectors + plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \ + plugins/dnskey plugins/pem plugins/curl plugins/ldap \ + plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ + plugins/gcrypt plugins/fips_prf plugins/agent \ + plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -451,8 +465,8 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ credentials/credential_factory.c \ credentials/credential_factory.h credentials/builder.c \ - credentials/builder.h credentials/keys/key_encoding.c \ - credentials/keys/key_encoding.h credentials/keys/private_key.c \ + credentials/builder.h credentials/cred_encoding.c \ + credentials/cred_encoding.h credentials/keys/private_key.c \ credentials/keys/private_key.h credentials/keys/public_key.c \ credentials/keys/public_key.h credentials/keys/shared_key.c \ credentials/keys/shared_key.h \ @@ -468,6 +482,15 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c \ credentials/ietf_attributes/ietf_attributes.h \ + credentials/credential_manager.c \ + credentials/credential_manager.h \ + credentials/sets/auth_cfg_wrapper.c \ + credentials/sets/auth_cfg_wrapper.h \ + credentials/sets/ocsp_response_wrapper.c \ + credentials/sets/ocsp_response_wrapper.h \ + credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ + credentials/auth_cfg.c credentials/auth_cfg.h \ + credentials/credential_set.h credentials/cert_validator.h \ database/database.h database/database_factory.h \ database/database_factory.c fetcher/fetcher.h \ fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ @@ -494,7 +517,7 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(am__append_42) $(am__append_44) $(am__append_46) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ - $(am__append_60) + $(am__append_60) $(am__append_62) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \ @@ -525,7 +548,7 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_FALSE@ $(am__append_47) $(am__append_49) \ @MONOLITHIC_FALSE@ $(am__append_51) $(am__append_53) \ @MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \ -@MONOLITHIC_FALSE@ $(am__append_59) +@MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) # build plugins with their own Makefile ####################################### @@ -542,7 +565,7 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_TRUE@ $(am__append_47) $(am__append_49) \ @MONOLITHIC_TRUE@ $(am__append_51) $(am__append_53) \ @MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \ -@MONOLITHIC_TRUE@ $(am__append_59) +@MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -620,11 +643,16 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cred_encoding.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_factory.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_factory.Plo@am__quote@ @@ -641,13 +669,13 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attributes.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key_encoding.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mutex.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@ @@ -810,12 +838,12 @@ builder.lo: credentials/builder.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c -key_encoding.lo: credentials/keys/key_encoding.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT key_encoding.lo -MD -MP -MF $(DEPDIR)/key_encoding.Tpo -c -o key_encoding.lo `test -f 'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/key_encoding.Tpo $(DEPDIR)/key_encoding.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/keys/key_encoding.c' object='key_encoding.lo' libtool=yes @AMDEPBACKSLASH@ +cred_encoding.lo: credentials/cred_encoding.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cred_encoding.lo -MD -MP -MF $(DEPDIR)/cred_encoding.Tpo -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/cred_encoding.Tpo $(DEPDIR)/cred_encoding.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/cred_encoding.c' object='cred_encoding.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o key_encoding.lo `test -f 'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c private_key.lo: credentials/keys/private_key.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c @@ -873,6 +901,41 @@ ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c +credential_manager.lo: credentials/credential_manager.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c + +auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c + +ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c + +cert_cache.lo: credentials/sets/cert_cache.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c + +auth_cfg.lo: credentials/auth_cfg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c + database_factory.lo: database/database_factory.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo @@ -1005,7 +1068,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -1030,7 +1093,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 6264bdc54..6f549d42d 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -497,8 +497,14 @@ int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters bool is_asn1(chunk_t blob) { u_int len; - u_char tag = *blob.ptr; + u_char tag; + if (!blob.len || !blob.ptr) + { + return FALSE; + } + + tag = *blob.ptr; if (tag != ASN1_SEQUENCE && tag != ASN1_SET && tag != ASN1_OCTET_STRING) { DBG2(DBG_LIB, " file content is not binary ASN.1"); diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index ef69eb4e7..4d115a816 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c @@ -434,6 +434,69 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf) return chunk_create(buf, outlen); } +/** base 32 conversion digits */ +static char b32digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; + +/** + * Described in header. + */ +chunk_t chunk_to_base32(chunk_t chunk, char *buf) +{ + int i, len; + char *pos; + + len = chunk.len + ((5 - chunk.len % 5) % 5); + if (!buf) + { + buf = malloc(len * 8 / 5 + 1); + } + pos = buf; + for (i = 0; i < len; i+=5) + { + *pos++ = b32digits[chunk.ptr[i] >> 3]; + if (i+1 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i] & 0x07) << 2]; + memset(pos, '=', 6); + pos += 6; + break; + } + *pos++ = b32digits[((chunk.ptr[i] & 0x07) << 2) | + (chunk.ptr[i+1] >> 6)]; + *pos++ = b32digits[(chunk.ptr[i+1] & 0x3E) >> 1]; + if (i+2 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i+1] & 0x01) << 4]; + memset(pos, '=', 4); + pos += 4; + break; + } + *pos++ = b32digits[((chunk.ptr[i+1] & 0x01) << 4) | + (chunk.ptr[i+2] >> 4)]; + if (i+3 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i+2] & 0x0F) << 1]; + memset(pos, '=', 3); + pos += 3; + break; + } + *pos++ = b32digits[((chunk.ptr[i+2] & 0x0F) << 1) | + (chunk.ptr[i+3] >> 7)]; + *pos++ = b32digits[(chunk.ptr[i+3] & 0x7F) >> 2]; + if (i+4 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i+3] & 0x03) << 3]; + *pos++ = '='; + break; + } + *pos++ = b32digits[((chunk.ptr[i+3] & 0x03) << 3) | + (chunk.ptr[i+4] >> 5)]; + *pos++ = b32digits[chunk.ptr[i+4] & 0x1F]; + } + *pos = '\0'; + return chunk_create(buf, len * 8 / 5); +} + /** * Described in header. */ diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h index f0f9a7366..5441ccf3c 100644 --- a/src/libstrongswan/chunk.h +++ b/src/libstrongswan/chunk.h @@ -148,6 +148,18 @@ chunk_t chunk_to_base64(chunk_t chunk, char *buf); chunk_t chunk_from_base64(chunk_t base64, char *buf); /** + * Convert a chunk of data to its base32 encoding. + * + * The resulting string is '\\0' terminated, but the chunk does not include + * the '\\0'. If buf is supplied, it must hold (chunk.len * 8 / 5 + 1) bytes. + * + * @param chunk data to convert + * @param buf buffer to write to, NULL to malloc + * @return chunk of encoded data + */ +chunk_t chunk_to_base32(chunk_t chunk, char *buf); + +/** * Free contents of a chunk */ static inline void chunk_free(chunk_t *chunk) diff --git a/src/libcharon/config/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 94362c756..2573d0327 100644 --- a/src/libcharon/config/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -16,11 +16,57 @@ #include "auth_cfg.h" -#include <daemon.h> +#include <library.h> +#include <debug.h> #include <utils/linked_list.h> #include <utils/identification.h> #include <credentials/certificates/certificate.h> +ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, + "any", + "public key", + "pre-shared key", + "EAP", +); + +ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, + "EAP_IDENTITY", + "EAP_NOTIFICATION", + "EAP_NAK", + "EAP_MD5", + "EAP_OTP", + "EAP_GTC"); +ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC, + "EAP_SIM"); +ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM, + "EAP_AKA"); +ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, + "EAP_MSCHAPV2"); +ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, + "EAP_RADIUS", + "EAP_EXPANDED", + "EAP_EXPERIMENTAL"); +ENUM_END(eap_type_names, EAP_EXPERIMENTAL); + +ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC, + "ID", + "NTF", + "NAK", + "MD5", + "OTP", + "GTC"); +ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC, + "SIM"); +ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM, + "AKA"); +ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, + "MSCHAPV2"); +ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, + "RAD", + "EXP", + "XP"); +ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL); + ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, "RULE_IDENTITY", "RULE_AUTH_CLASS", @@ -32,7 +78,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, "RULE_SUBJECT_CERT", "RULE_CRL_VALIDATION", "RULE_OCSP_VALIDATION", - "RULE_AC_GROUP", + "RULE_GROUP", "HELPER_IM_CERT", "HELPER_SUBJECT_CERT", "HELPER_IM_HASH_URL", @@ -128,7 +174,7 @@ static void destroy_entry_value(entry_t *entry) { case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: { identification_t *id = (identification_t*)entry->value; id->destroy(id); @@ -185,7 +231,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, break; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: @@ -250,7 +296,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) return (void*)VALIDATION_FAILED; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: @@ -285,7 +331,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) break; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: @@ -308,7 +354,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error) { enumerator_t *e1, *e2; - bool success = TRUE; + bool success = TRUE, has_group = FALSE, group_match = FALSE; auth_rule_t t1, t2; void *value; @@ -459,14 +505,22 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, } break; } - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: { - success = FALSE; - if (log_error) + identification_t *id1, *id2; + + /* for groups, a match of a single group is sufficient */ + has_group = TRUE; + id1 = (identification_t*)value; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &id2)) { - DBG1(DBG_CFG, "constraint check %N not implemented!", - auth_rule_names, t1); + if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1)) + { + group_match = TRUE; + } } + e2->destroy(e2); break; } case AUTH_HELPER_IM_CERT: @@ -482,6 +536,15 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, } } e1->destroy(e1); + + if (has_group && !group_match) + { + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: group membership required"); + } + return FALSE; + } return success; } @@ -527,7 +590,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy } case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: { identification_t *id = (identification_t*)value; @@ -614,7 +677,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) } case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: { identification_t *id1, *id2; @@ -698,7 +761,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) { case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: + case AUTH_RULE_GROUP: { identification_t *id = (identification_t*)entry->value; clone->add(clone, entry->type, id->clone(id)); @@ -765,4 +828,3 @@ auth_cfg_t *auth_cfg_create() return &this->public; } - diff --git a/src/libcharon/config/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 5e6215a4a..713e16372 100644 --- a/src/libcharon/config/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -16,7 +16,7 @@ /** * @defgroup auth_cfg auth_cfg - * @{ @ingroup config + * @{ @ingroup credentials */ #ifndef AUTH_CFG_H_ @@ -26,6 +26,58 @@ typedef struct auth_cfg_t auth_cfg_t; typedef enum auth_rule_t auth_rule_t; +typedef enum auth_class_t auth_class_t; +typedef enum eap_type_t eap_type_t; + +/** + * Class of authentication to use. This is different to auth_method_t in that + * it does not specify a method, but a class of acceptable methods. The found + * certificate finally dictates wich method is used. + */ +enum auth_class_t { + /** any class acceptable */ + AUTH_CLASS_ANY = 0, + /** authentication using public keys (RSA, ECDSA) */ + AUTH_CLASS_PUBKEY = 1, + /** authentication using a pre-shared secrets */ + AUTH_CLASS_PSK = 2, + /** authentication using EAP */ + AUTH_CLASS_EAP = 3, +}; + +/** + * enum strings for auth_class_t + */ +extern enum_name_t *auth_class_names; + +/** + * EAP types, defines the EAP method implementation + */ +enum eap_type_t { + EAP_IDENTITY = 1, + EAP_NOTIFICATION = 2, + EAP_NAK = 3, + EAP_MD5 = 4, + EAP_OTP = 5, + EAP_GTC = 6, + EAP_SIM = 18, + EAP_AKA = 23, + EAP_MSCHAPV2 = 26, + /** not a method, but an implementation providing different methods */ + EAP_RADIUS = 253, + EAP_EXPANDED = 254, + EAP_EXPERIMENTAL = 255, +}; + +/** + * enum names for eap_type_t. + */ +extern enum_name_t *eap_type_names; + +/** + * short string enum names for eap_type_t. + */ +extern enum_name_t *eap_type_short_names; /** * Authentication config to use during authentication process. @@ -62,8 +114,10 @@ enum auth_rule_t { AUTH_RULE_CRL_VALIDATION, /** result of a OCSP validation, cert_validation_t */ AUTH_RULE_OCSP_VALIDATION, - /** subject is in attribute certificate group, identification_t* */ - AUTH_RULE_AC_GROUP, + /** subject is member of a group, identification_t* + * The group membership constraint is fulfilled if the subject is member of + * one group defined in the constraints. */ + AUTH_RULE_GROUP, /** intermediate certificate, certificate_t* */ AUTH_HELPER_IM_CERT, diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index 8be1c1576..cfb708e33 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -44,6 +44,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_OCSP_ACCESS_LOCATIONS", "BUILD_PATHLEN", "BUILD_X509_FLAG", + "BUILD_REVOKED_ENUMERATOR", "BUILD_SMARTCARD_KEYID", "BUILD_SMARTCARD_PIN", "BUILD_RSA_MODULUS", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 62a6ffaaf..ffb09f72a 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -101,6 +101,8 @@ enum builder_part_t { BUILD_PATHLEN, /** enforce an additional X509 flag, x509_flag_t */ BUILD_X509_FLAG, + /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */ + BUILD_REVOKED_ENUMERATOR, /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */ BUILD_SMARTCARD_KEYID, /** pin to access a key on a smartcard, null terminated char* */ diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h new file mode 100644 index 000000000..1e67c23ab --- /dev/null +++ b/src/libstrongswan/credentials/cert_validator.h @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup cert_validator cert_validator + * @{ @ingroup credentials + */ + +#ifndef CERT_VALIDATOR_H_ +#define CERT_VALIDATOR_H_ + +typedef struct cert_validator_t cert_validator_t; + +#include <library.h> + +/** + * Certificate validator interface. + * + * A certificate validator checks constraints or revocation in a certificate + * or its issuing CA certificate. The interface allows plugins to do + * revocation checking or similar tasks. + */ +struct cert_validator_t { + + /** + * Validate a subject certificate in relation to its issuer. + * + * @param subject subject certificate to check + * @param issuer issuer of subject + * @param online wheter to do online revocation checking + * @param pathlen the current length of the path up to the root CA + * @param auth container for resulting authentication info + */ + bool (*validate)(cert_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, int pathlen, + auth_cfg_t *auth); +}; + +#endif /** CERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c index 156d12358..661b69e36 100644 --- a/src/libstrongswan/credentials/certificates/certificate.c +++ b/src/libstrongswan/credentials/certificates/certificate.c @@ -15,6 +15,7 @@ #include "certificate.h" +#include <debug.h> #include <credentials/certificates/x509.h> ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL, @@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED, "REVOKED", ); +/** + * See header + */ +bool certificate_is_newer(certificate_t *this, certificate_t *other) +{ + time_t this_update, that_update; + char *type = "certificate"; + bool newer; + + if (this->get_type(this) == CERT_X509_CRL) + { + type = "crl"; + } + this->get_validity(this, NULL, &this_update, NULL); + other->get_validity(other, NULL, &that_update, NULL); + newer = this_update > that_update; + DBG1(DBG_LIB, " %s from %T is %s - existing %s from %T %s", + type, &this_update, FALSE, newer ? "newer" : "not newer", + type, &that_update, FALSE, newer ? "replaced" : "retained"); + return newer; +} diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index a4f9aa3e0..43bfe3dc1 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -28,6 +28,7 @@ typedef enum cert_validation_t cert_validation_t; #include <library.h> #include <utils/identification.h> #include <credentials/keys/public_key.h> +#include <credentials/cred_encoding.h> /** * Kind of a certificate_t @@ -163,18 +164,14 @@ struct certificate_t { time_t *not_before, time_t *not_after); /** - * Is this newer than that? + * Get the certificate in an encoded form as a chunk. * - * @return TRUE if newer, FALSE otherwise + * @param type type of the encoding, one of CERT_* + * @param encoding encoding of the key, allocated + * @return TRUE if encoding supported */ - bool (*is_newer)(certificate_t *this, certificate_t *that); - - /** - * Get the certificate in an encoded form. - * - * @return allocated chunk of encoded cert - */ - chunk_t (*get_encoding)(certificate_t *this); + bool (*get_encoding)(certificate_t *this, cred_encoding_type_t type, + chunk_t *encoding); /** * Check if two certificates are equal. @@ -197,4 +194,13 @@ struct certificate_t { void (*destroy)(certificate_t *this); }; +/** + * Generic check if a given certificate is newer than another. + * + * @param this first certificate to check + * @param other second certificate + * @return TRUE if this newer than other + */ +bool certificate_is_newer(certificate_t *this, certificate_t *other); + #endif /** CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c index 085ad16cc..69bd80b84 100644 --- a/src/libstrongswan/credentials/certificates/crl.c +++ b/src/libstrongswan/credentials/certificates/crl.c @@ -16,6 +16,8 @@ #include "crl.h" +#include <debug.h> + ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL, "unspecified", "key compromise", @@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL, "reason #7", "remove from crl", ); + +/** + * Check if this CRL is newer + */ +bool crl_is_newer(crl_t *this, crl_t *other) +{ + chunk_t this_num, other_num; + bool newer; + + this_num = this->get_serial(this); + other_num = other->get_serial(other); + + /* compare crlNumbers if available - otherwise use generic cert compare */ + if (this_num.ptr != NULL && other_num.ptr != NULL) + { + newer = chunk_compare(this_num, other_num) > 0; + DBG1(DBG_LIB, " crl #%#B is %s - existing crl #%#B %s", + &this_num, newer ? "newer" : "not newer", + &other_num, newer ? "replaced" : "retained"); + } + else + { + newer = certificate_is_newer(&this->certificate, &other->certificate); + } + return newer; +} diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 4b612390c..9425311fb 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -80,7 +80,15 @@ struct crl_t { * @return enumerator over revoked certificates. */ enumerator_t* (*create_enumerator)(crl_t *this); - }; +/** + * Generic check if a given CRL is newer than another. + * + * @param this first CRL to check + * @param other second CRL + * @return TRUE if this newer than other + */ +bool crl_is_newer(crl_t *this, crl_t *other); + #endif /** CRL_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 172bd9696..6e0a5002a 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -25,7 +25,6 @@ #include <credentials/certificates/certificate.h> #define X509_NO_PATH_LEN_CONSTRAINT -1 -#define X509_MAX_PATH_LEN 7 typedef struct x509_t x509_t; typedef enum x509_flag_t x509_flag_t; diff --git a/src/libstrongswan/credentials/keys/key_encoding.c b/src/libstrongswan/credentials/cred_encoding.c index 89b25226c..edd76205b 100644 --- a/src/libstrongswan/credentials/keys/key_encoding.c +++ b/src/libstrongswan/credentials/cred_encoding.c @@ -13,7 +13,7 @@ * for more details. */ -#include "key_encoding.h" +#include "cred_encoding.h" #include <stdint.h> @@ -21,25 +21,25 @@ #include <utils/hashtable.h> #include <threading/rwlock.h> -typedef struct private_key_encoding_t private_key_encoding_t; +typedef struct private_cred_encoding_t private_cred_encoding_t; /** - * Private data of an key_encoding_t object. + * Private data of an cred_encoding_t object. */ -struct private_key_encoding_t { +struct private_cred_encoding_t { /** - * Public key_encoding_t interface. + * Public cred_encoding_t interface. */ - key_encoding_t public; + cred_encoding_t public; /** * cached encodings, a table for each encoding_type_t, containing chunk_t* */ - hashtable_t *cache[KEY_ENCODING_MAX]; + hashtable_t *cache[CRED_ENCODING_MAX]; /** - * Registered encoding fuctions, key_encoder_t + * Registered encoding fuctions, cred_encoder_t */ linked_list_t *encoders; @@ -52,7 +52,7 @@ struct private_key_encoding_t { /** * See header. */ -bool key_encoding_args(va_list args, ...) +bool cred_encoding_args(va_list args, ...) { va_list parts, copy; bool failed = FALSE; @@ -61,12 +61,12 @@ bool key_encoding_args(va_list args, ...) while (!failed) { - key_encoding_part_t current, target; + cred_encoding_part_t current, target; chunk_t *out, data; /* get the part we are looking for */ - target = va_arg(parts, key_encoding_part_t); - if (target == KEY_PART_END) + target = va_arg(parts, cred_encoding_part_t); + if (target == CRED_PART_END) { break; } @@ -75,8 +75,8 @@ bool key_encoding_args(va_list args, ...) va_copy(copy, args); while (!failed) { - current = va_arg(copy, key_encoding_part_t); - if (current == KEY_PART_END) + current = va_arg(copy, cred_encoding_part_t); + if (current == CRED_PART_END) { failed = TRUE; break; @@ -111,14 +111,14 @@ static bool equals(void *key1, void *key2) } /** - * Implementation of key_encoding_t.get_cache + * Implementation of cred_encoding_t.get_cache */ -static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type, +static bool get_cache(private_cred_encoding_t *this, cred_encoding_type_t type, void *cache, chunk_t *encoding) { chunk_t *chunk; - if (type >= KEY_ENCODING_MAX || type < 0) + if (type >= CRED_ENCODING_MAX || type < 0) { return FALSE; } @@ -133,18 +133,18 @@ static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type, } /** - * Implementation of key_encoding_t.encode + * Implementation of cred_encoding_t.encode */ -static bool encode(private_key_encoding_t *this, key_encoding_type_t type, +static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...) { enumerator_t *enumerator; va_list args, copy; - key_encoder_t encode; + cred_encoder_t encode; bool success = FALSE; chunk_t *chunk; - if (type >= KEY_ENCODING_MAX || type < 0) + if (type >= CRED_ENCODING_MAX || type < 0) { return FALSE; } @@ -168,32 +168,33 @@ static bool encode(private_key_encoding_t *this, key_encoding_type_t type, va_end(copy); if (success) { - if (cache) - { - chunk = malloc_thing(chunk_t); - *chunk = *encoding; - this->lock->unlock(this->lock); - this->lock->write_lock(this->lock); - this->cache[type]->put(this->cache[type], cache, chunk); - } break; } } enumerator->destroy(enumerator); - va_end(args); this->lock->unlock(this->lock); + va_end(args); + + if (success && cache) + { + chunk = malloc_thing(chunk_t); + *chunk = *encoding; + this->lock->write_lock(this->lock); + this->cache[type]->put(this->cache[type], cache, chunk); + this->lock->unlock(this->lock); + } return success; } /** - * Implementation of key_encoding_t.cache + * Implementation of cred_encoding_t.cache */ -static void cache(private_key_encoding_t *this, key_encoding_type_t type, +static void cache(private_cred_encoding_t *this, cred_encoding_type_t type, void *cache, chunk_t encoding) { chunk_t *chunk; - if (type >= KEY_ENCODING_MAX || type < 0) + if (type >= CRED_ENCODING_MAX || type < 0) { return free(encoding.ptr); } @@ -211,15 +212,15 @@ static void cache(private_key_encoding_t *this, key_encoding_type_t type, } /** - * Implementation of key_encoding_t.clear_cache + * Implementation of cred_encoding_t.clear_cache */ -static void clear_cache(private_key_encoding_t *this, void *cache) +static void clear_cache(private_cred_encoding_t *this, void *cache) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t *chunk; this->lock->write_lock(this->lock); - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { chunk = this->cache[type]->remove(this->cache[type], cache); if (chunk) @@ -232,9 +233,9 @@ static void clear_cache(private_key_encoding_t *this, void *cache) } /** - * Implementation of key_encoding_t.add_encoder + * Implementation of cred_encoding_t.add_encoder */ -static void add_encoder(private_key_encoding_t *this, key_encoder_t encoder) +static void add_encoder(private_cred_encoding_t *this, cred_encoder_t encoder) { this->lock->write_lock(this->lock); this->encoders->insert_last(this->encoders, encoder); @@ -242,9 +243,9 @@ static void add_encoder(private_key_encoding_t *this, key_encoder_t encoder) } /** - * Implementation of key_encoding_t.remove_encoder + * Implementation of cred_encoding_t.remove_encoder */ -static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder) +static void remove_encoder(private_cred_encoding_t *this, cred_encoder_t encoder) { this->lock->write_lock(this->lock); this->encoders->remove(this->encoders, encoder, NULL); @@ -252,18 +253,18 @@ static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder) } /** - * Implementation of key_encoder_t.destroy. + * Implementation of cred_encoder_t.destroy. */ -static void destroy(private_key_encoding_t *this) +static void destroy(private_cred_encoding_t *this) { - key_encoding_type_t type; + cred_encoding_type_t type; - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { - /* We explicitly do not free remaining encodings. All keys should + /* We explicitly do not free remaining encodings. All creds should * have gone now, and they are responsible for cleaning out their * cache entries. Not flushing here allows the leak detective to - * complain if a key did not flush cached encodings. */ + * complain if a credential did not flush cached encodings. */ this->cache[type]->destroy(this->cache[type]); } this->encoders->destroy(this->encoders); @@ -274,20 +275,20 @@ static void destroy(private_key_encoding_t *this) /** * See header */ -key_encoding_t *key_encoding_create() +cred_encoding_t *cred_encoding_create() { - private_key_encoding_t *this = malloc_thing(private_key_encoding_t); - key_encoding_type_t type; - - this->public.encode = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode; - this->public.get_cache = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding))get_cache; - this->public.cache = (void(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t encoding))cache; - this->public.clear_cache = (void(*)(key_encoding_t*, void *cache))clear_cache; - this->public.add_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))add_encoder; - this->public.remove_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))remove_encoder; - this->public.destroy = (void(*)(key_encoding_t*))destroy; - - for (type = 0; type < KEY_ENCODING_MAX; type++) + private_cred_encoding_t *this = malloc_thing(private_cred_encoding_t); + cred_encoding_type_t type; + + this->public.encode = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode; + this->public.get_cache = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding))get_cache; + this->public.cache = (void(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t encoding))cache; + this->public.clear_cache = (void(*)(cred_encoding_t*, void *cache))clear_cache; + this->public.add_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))add_encoder; + this->public.remove_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))remove_encoder; + this->public.destroy = (void(*)(cred_encoding_t*))destroy; + + for (type = 0; type < CRED_ENCODING_MAX; type++) { this->cache[type] = hashtable_create(hash, equals, 8); } diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h new file mode 100644 index 000000000..e2d69691e --- /dev/null +++ b/src/libstrongswan/credentials/cred_encoding.h @@ -0,0 +1,224 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup cred_encoding cred_encoding + * @{ @ingroup credentials + */ + +#ifndef CRED_ENCODING_H_ +#define CRED_ENCODING_H_ + +typedef struct cred_encoding_t cred_encoding_t; +typedef enum cred_encoding_type_t cred_encoding_type_t; +typedef enum cred_encoding_part_t cred_encoding_part_t; + +#include <library.h> + +/** + * Credential encoder function implementing encoding/fingerprinting. + * + * The variable argument list takes cred_encoding_part_t, followed by part + * specific arguments, terminated by KEY_PART_END. + * + * @param type format to encode the credential to + * @param args list of (cred_encoding_part_t, data) + * @param encoding encoding result, allocated + * @return TRUE if encoding successful + */ +typedef bool (*cred_encoder_t)(cred_encoding_type_t type, chunk_t *encoding, + va_list args); + +/** + * Helper function for cred_encoder_t implementations to parse argument list. + * + * Credential encoder functions get a variable argument list to parse. To + * simplify the job, this function reads the arguments and returns chunks for + * each part. + * The argument list of this function takes a cred_encoding_part_t, followed + * by a data pointer receiving the value, terminated by CRED_PART_END. + * + * @param args argument list passed to credential encoder function + * @param ... list of (cred_encoding_part_t, data*) + * @return TRUE if all parts found, FALSE otherwise + */ +bool cred_encoding_args(va_list args, ...); + +/** + * Encoding type of a fingerprint/credential. + * + * Fingerprints have have the KEYID_*, public keys the PUBKEY_* and + * private keys the PRIVKEY_* prefix. + */ +enum cred_encoding_type_t { + /** SHA1 fingerprint over subjectPublicKeyInfo */ + KEYID_PUBKEY_INFO_SHA1 = 0, + /** SHA1 fingerprint over subjectPublicKey */ + KEYID_PUBKEY_SHA1, + /** PGPv3 fingerprint */ + KEYID_PGPV3, + /** PGPv4 fingerprint */ + KEYID_PGPV4, + + KEYID_MAX, + + /** PKCS#1 and similar ASN.1 key encoding */ + PUBKEY_ASN1_DER, + PRIVKEY_ASN1_DER, + /** subjectPublicKeyInfo encoding */ + PUBKEY_SPKI_ASN1_DER, + /** PEM encoded PKCS#1 key */ + PUBKEY_PEM, + PRIVKEY_PEM, + /** PGP key encoding */ + PUBKEY_PGP, + PRIVKEY_PGP, + + /** ASN.1 DER encoded certificate */ + CERT_ASN1_DER, + /** PEM encoded certificate */ + CERT_PEM, + /** PGP Packet encoded certificate */ + CERT_PGP_PKT, + + CRED_ENCODING_MAX, +}; + +/** + * Parts of a credential to encode. + */ +enum cred_encoding_part_t { + /** modulus of a RSA key, n */ + CRED_PART_RSA_MODULUS, + /** public exponent of a RSA key, e */ + CRED_PART_RSA_PUB_EXP, + /** private exponent of a RSA key, d */ + CRED_PART_RSA_PRIV_EXP, + /** prime1 a RSA key, p */ + CRED_PART_RSA_PRIME1, + /** prime2 a RSA key, q */ + CRED_PART_RSA_PRIME2, + /** exponent1 a RSA key, exp1 */ + CRED_PART_RSA_EXP1, + /** exponent1 a RSA key, exp2 */ + CRED_PART_RSA_EXP2, + /** coefficient of RSA key, coeff */ + CRED_PART_RSA_COEFF, + /** a DER encoded RSA public key */ + CRED_PART_RSA_PUB_ASN1_DER, + /** a DER encoded RSA private key */ + CRED_PART_RSA_PRIV_ASN1_DER, + /** a DER encoded ECDSA public key */ + CRED_PART_ECDSA_PUB_ASN1_DER, + /** a DER encoded ECDSA private key */ + CRED_PART_ECDSA_PRIV_ASN1_DER, + /** a DER encoded X509 certificate */ + CRED_PART_X509_ASN1_DER, + /** a DER encoded X509 CRL */ + CRED_PART_X509_CRL_ASN1_DER, + /** a DER encoded X509 OCSP request */ + CRED_PART_X509_OCSP_REQ_ASN1_DER, + /** a DER encoded X509 OCSP response */ + CRED_PART_X509_OCSP_RES_ASN1_DER, + /** a DER encoded X509 attribute certificate */ + CRED_PART_X509_AC_ASN1_DER, + /** a DER encoded PKCS10 certificate request */ + CRED_PART_PKCS10_ASN1_DER, + /** a PGP encoded certificate */ + CRED_PART_PGP_CERT, + + CRED_PART_END, +}; + +/** + * Credential encoding and fingerprinting facility. + */ +struct cred_encoding_t { + + /** + * Encode a credential in a format using several parts, optional caching. + * + * The variable argument list takes cred_encoding_part_t, followed by part + * specific arguments, terminated by CRED_PART_END. + * If a cache key is given, the returned encoding points to internal data: + * do not free or modify. If no cache key is given, the encoding is + * allocated and must be freed by the caller. + * + * @param type format the credential should be encoded to + * @param cache key to use for caching, NULL to not cache + * @param encoding encoding result, allocated if caching disabled + * @param ... list of (cred_encoding_part_t, data) + * @return TRUE if encoding successful + */ + bool (*encode)(cred_encoding_t *this, cred_encoding_type_t type, void *cache, + chunk_t *encoding, ...); + + /** + * Clear all cached encodings of a given cache key. + * + * @param cache key used in encode() for caching + */ + void (*clear_cache)(cred_encoding_t *this, void *cache); + + /** + * Check for a cached encoding. + * + * @param type format of the credential encoding + * @param cache key to use for caching, as given to encode() + * @param encoding encoding result, internal data + * @return TRUE if cache entry found + */ + bool (*get_cache)(cred_encoding_t *this, cred_encoding_type_t type, + void *cache, chunk_t *encoding); + + /** + * Cache a credential encoding created externally. + * + * After calling cache(), the passed encoding is owned by the cred encoding + * facility. + * + * @param type format of the credential encoding + * @param cache key to use for caching, as given to encode() + * @param encoding encoding to cache, gets owned by this + */ + void (*cache)(cred_encoding_t *this, cred_encoding_type_t type, void *cache, + chunk_t encoding); + + /** + * Register a credential encoder function. + * + * @param encoder credential encoder function to add + */ + void (*add_encoder)(cred_encoding_t *this, cred_encoder_t encoder); + + /** + * Unregister a previously registered credential encoder function. + * + * @param encoder credential encoder function to remove + */ + void (*remove_encoder)(cred_encoding_t *this, cred_encoder_t encoder); + + /** + * Destroy a cred_encoding_t. + */ + void (*destroy)(cred_encoding_t *this); +}; + +/** + * Create a cred_encoding instance. + */ +cred_encoding_t *cred_encoding_create(); + +#endif /** CRED_ENCODING_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c new file mode 100644 index 000000000..46c36c941 --- /dev/null +++ b/src/libstrongswan/credentials/credential_manager.c @@ -0,0 +1,1097 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "credential_manager.h" + +#include <library.h> +#include <debug.h> +#include <threading/thread_value.h> +#include <threading/mutex.h> +#include <threading/rwlock.h> +#include <utils/linked_list.h> +#include <credentials/sets/cert_cache.h> +#include <credentials/sets/auth_cfg_wrapper.h> +#include <credentials/certificates/x509.h> + +/** + * Maximum length of a certificate trust chain + */ +#define MAX_TRUST_PATH_LEN 7 + +typedef struct private_credential_manager_t private_credential_manager_t; + +/** + * private data of credential_manager + */ +struct private_credential_manager_t { + + /** + * public functions + */ + credential_manager_t public; + + /** + * list of credential sets + */ + linked_list_t *sets; + + /** + * thread local set of credentials, linked_list_t with credential_set_t's + */ + thread_value_t *local_sets; + + /** + * trust relationship and certificate cache + */ + cert_cache_t *cache; + + /** + * certificates queued for persistent caching + */ + linked_list_t *cache_queue; + + /** + * list of certificate validators, cert_validator_t + */ + linked_list_t *validators; + + /** + * read-write lock to sets list + */ + rwlock_t *lock; + + /** + * mutex for cache queue + */ + mutex_t *queue_mutex; +}; + +/** data to pass to create_private_enumerator */ +typedef struct { + private_credential_manager_t *this; + key_type_t type; + identification_t* keyid; +} private_data_t; + +/** data to pass to create_cert_enumerator */ +typedef struct { + private_credential_manager_t *this; + certificate_type_t cert; + key_type_t key; + identification_t *id; + bool trusted; +} cert_data_t; + +/** data to pass to create_cdp_enumerator */ +typedef struct { + private_credential_manager_t *this; + certificate_type_t type; + identification_t *id; +} cdp_data_t; + +/** data to pass to create_shared_enumerator */ +typedef struct { + private_credential_manager_t *this; + shared_key_type_t type; + identification_t *me; + identification_t *other; +} shared_data_t; + +/** enumerator over local and global sets */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** enumerator over global sets */ + enumerator_t *global; + /** enumerator over local sets */ + enumerator_t *local; +} sets_enumerator_t; + + +METHOD(enumerator_t, sets_enumerate, bool, + sets_enumerator_t *this, credential_set_t **set) +{ + if (this->global) + { + if (this->global->enumerate(this->global, set)) + { + return TRUE; + } + /* end of global sets, look for local */ + this->global->destroy(this->global); + this->global = NULL; + } + if (this->local) + { + return this->local->enumerate(this->local, set); + } + return FALSE; +} + +METHOD(enumerator_t, sets_destroy, void, + sets_enumerator_t *this) +{ + DESTROY_IF(this->global); + DESTROY_IF(this->local); + free(this); +} + +/** + * create an enumerator over both, global and local sets + */ +static enumerator_t *create_sets_enumerator(private_credential_manager_t *this) +{ + sets_enumerator_t *enumerator; + linked_list_t *local; + + INIT(enumerator, + .public.enumerate = (void*)_sets_enumerate, + .public.destroy = _sets_destroy, + .global = this->sets->create_enumerator(this->sets), + ); + local = this->local_sets->get(this->local_sets); + if (local) + { + enumerator->local = local->create_enumerator(local); + } + return &enumerator->public; +} + +/** + * cleanup function for cert data + */ +static void destroy_cert_data(cert_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * enumerator constructor for certificates + */ +static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data) +{ + return set->create_cert_enumerator(set, data->cert, data->key, + data->id, data->trusted); +} + +METHOD(credential_manager_t, create_cert_enumerator, enumerator_t*, + private_credential_manager_t *this, certificate_type_t certificate, + key_type_t key, identification_t *id, bool trusted) +{ + cert_data_t *data = malloc_thing(cert_data_t); + data->this = this; + data->cert = certificate; + data->key = key; + data->id = id; + data->trusted = trusted; + + this->lock->read_lock(this->lock); + return enumerator_create_nested(create_sets_enumerator(this), + (void*)create_cert, data, + (void*)destroy_cert_data); +} + +METHOD(credential_manager_t, get_cert, certificate_t*, + private_credential_manager_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + certificate_t *current, *found = NULL; + enumerator_t *enumerator; + + enumerator = create_cert_enumerator(this, cert, key, id, trusted); + if (enumerator->enumerate(enumerator, ¤t)) + { + /* TODO: best match? order by keyid, subject, sualtname */ + found = current->get_ref(current); + } + enumerator->destroy(enumerator); + return found; +} + + +/** + * cleanup function for cdp data + */ +static void destroy_cdp_data(cdp_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * enumerator constructor for CDPs + */ +static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data) +{ + return set->create_cdp_enumerator(set, data->type, data->id); +} + +METHOD(credential_manager_t, create_cdp_enumerator, enumerator_t*, + private_credential_manager_t *this, certificate_type_t type, + identification_t *id) +{ + cdp_data_t *data; + + INIT(data, + .this = this, + .type = type, + .id = id, + ); + this->lock->read_lock(this->lock); + return enumerator_create_nested(create_sets_enumerator(this), + (void*)create_cdp, data, + (void*)destroy_cdp_data); +} + +/** + * cleanup function for private data + */ +static void destroy_private_data(private_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * enumerator constructor for private keys + */ +static enumerator_t *create_private(credential_set_t *set, private_data_t *data) +{ + return set->create_private_enumerator(set, data->type, data->keyid); +} + +/** + * Create an enumerator over private keys + */ +static enumerator_t *create_private_enumerator( + private_credential_manager_t *this, key_type_t key, identification_t *keyid) +{ + private_data_t *data; + + INIT(data, + .this = this, + .type = key, + .keyid = keyid, + ); + this->lock->read_lock(this->lock); + return enumerator_create_nested(create_sets_enumerator(this), + (void*)create_private, data, + (void*)destroy_private_data); +} + +/** + * Look up a private key by its key identifier + */ +static private_key_t* get_private_by_keyid(private_credential_manager_t *this, + key_type_t key, identification_t *keyid) +{ + private_key_t *found = NULL; + enumerator_t *enumerator; + + enumerator = create_private_enumerator(this, key, keyid); + if (enumerator->enumerate(enumerator, &found)) + { + found->get_ref(found); + } + enumerator->destroy(enumerator); + return found; +} + +/** + * cleanup function for shared data + */ +static void destroy_shared_data(shared_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * enumerator constructor for shared keys + */ +static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data) +{ + return set->create_shared_enumerator(set, data->type, data->me, data->other); +} + +METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*, + private_credential_manager_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_data_t *data; + + INIT(data, + .this = this, + .type = type, + .me = me, + .other = other, + ); + this->lock->read_lock(this->lock); + return enumerator_create_nested(create_sets_enumerator(this), + (void*)create_shared, data, + (void*)destroy_shared_data); +} + +METHOD(credential_manager_t, get_shared, shared_key_t*, + private_credential_manager_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_key_t *current, *found = NULL; + id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE; + id_match_t *match_me, *match_other; + enumerator_t *enumerator; + + enumerator = create_shared_enumerator(this, type, me, other); + while (enumerator->enumerate(enumerator, ¤t, &match_me, &match_other)) + { + if (match_other > best_other || + (match_other == best_other && match_me > best_me)) + { + DESTROY_IF(found); + found = current->get_ref(current); + best_me = match_me; + best_other = match_other; + } + } + enumerator->destroy(enumerator); + return found; +} + +METHOD(credential_manager_t, add_local_set, void, + private_credential_manager_t *this, credential_set_t *set) +{ + linked_list_t *sets; + + sets = this->local_sets->get(this->local_sets); + if (!sets) + { /* first invocation */ + sets = linked_list_create(); + this->local_sets->set(this->local_sets, sets); + } + sets->insert_last(sets, set); +} + +METHOD(credential_manager_t, remove_local_set, void, + private_credential_manager_t *this, credential_set_t *set) +{ + linked_list_t *sets; + + sets = this->local_sets->get(this->local_sets); + sets->remove(sets, set, NULL); +} + +METHOD(credential_manager_t, cache_cert, void, + private_credential_manager_t *this, certificate_t *cert) +{ + credential_set_t *set; + enumerator_t *enumerator; + + if (this->lock->try_write_lock(this->lock)) + { + enumerator = this->sets->create_enumerator(this->sets); + while (enumerator->enumerate(enumerator, &set)) + { + set->cache_cert(set, cert); + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + } + else + { /* we can't cache now as other threads are active, queue for later */ + this->queue_mutex->lock(this->queue_mutex); + this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert)); + this->queue_mutex->unlock(this->queue_mutex); + } +} + +/** + * Try to cache certificates queued for caching + */ +static void cache_queue(private_credential_manager_t *this) +{ + credential_set_t *set; + certificate_t *cert; + enumerator_t *enumerator; + + this->queue_mutex->lock(this->queue_mutex); + if (this->cache_queue->get_count(this->cache_queue) > 0 && + this->lock->try_write_lock(this->lock)) + { + while (this->cache_queue->remove_last(this->cache_queue, + (void**)&cert) == SUCCESS) + { + enumerator = this->sets->create_enumerator(this->sets); + while (enumerator->enumerate(enumerator, &set)) + { + set->cache_cert(set, cert); + } + enumerator->destroy(enumerator); + cert->destroy(cert); + } + this->lock->unlock(this->lock); + } + this->queue_mutex->unlock(this->queue_mutex); +} + +/** + * check a certificate for its lifetime + */ +static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, + bool online, int pathlen, auth_cfg_t *auth) +{ + time_t not_before, not_after; + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!subject->get_validity(subject, NULL, ¬_before, ¬_after)) + { + DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)", + ¬_before, FALSE, ¬_after, FALSE); + return FALSE; + } + if (!issuer->get_validity(issuer, NULL, ¬_before, ¬_after)) + { + DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)", + ¬_before, FALSE, ¬_after, FALSE); + return FALSE; + } + if (issuer->get_type(issuer) == CERT_X509 && + subject->get_type(subject) == CERT_X509) + { + int pathlen_constraint; + x509_t *x509; + + /* check path length constraint */ + x509 = (x509_t*)issuer; + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen > pathlen_constraint) + { + DBG1(DBG_CFG, "path length of %d violates constraint of %d", + pathlen, pathlen_constraint); + return FALSE; + } + } + + enumerator = this->validators->create_enumerator(this->validators); + while (enumerator->enumerate(enumerator, &validator)) + { + if (!validator->validate(validator, subject, issuer, + online, pathlen, auth)) + { + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + return TRUE; +} + +/** + * Get a trusted certificate from a credential set + */ +static certificate_t *get_pretrusted_cert(private_credential_manager_t *this, + key_type_t type, identification_t *id) +{ + certificate_t *subject; + public_key_t *public; + + subject = get_cert(this, CERT_ANY, type, id, TRUE); + if (!subject) + { + return NULL; + } + public = subject->get_public_key(subject); + if (!public) + { + subject->destroy(subject); + return NULL; + } + public->destroy(public); + return subject; +} + +/** + * Get the issuing certificate of a subject certificate + */ +static certificate_t *get_issuer_cert(private_credential_manager_t *this, + certificate_t *subject, bool trusted) +{ + enumerator_t *enumerator; + certificate_t *issuer = NULL, *candidate; + + enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY, + subject->get_issuer(subject), trusted); + while (enumerator->enumerate(enumerator, &candidate)) + { + if (this->cache->issued_by(this->cache, subject, candidate)) + { + issuer = candidate->get_ref(candidate); + break; + } + } + enumerator->destroy(enumerator); + return issuer; +} + +/** + * try to verify the trust chain of subject, return TRUE if trusted + */ +static bool verify_trust_chain(private_credential_manager_t *this, + certificate_t *subject, auth_cfg_t *result, + bool trusted, bool online) +{ + certificate_t *current, *issuer; + auth_cfg_t *auth; + int pathlen; + + auth = auth_cfg_create(); + current = subject->get_ref(subject); + + for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) + { + issuer = get_issuer_cert(this, current, TRUE); + if (issuer) + { + /* accept only self-signed CAs as trust anchor */ + if (this->cache->issued_by(this->cache, issuer, issuer)) + { + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); + trusted = TRUE; + } + else + { + auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted intermediate ca certificate " + "\"%Y\"", issuer->get_subject(issuer)); + } + } + else + { + issuer = get_issuer_cert(this, current, FALSE); + if (issuer) + { + if (current->equals(current, issuer)) + { + DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted", + current->get_subject(current)); + issuer->destroy(issuer); + break; + } + auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using untrusted intermediate certificate " + "\"%Y\"", issuer->get_subject(issuer)); + } + else + { + DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", + current->get_subject(current)); + break; + } + } + if (!check_certificate(this, current, issuer, online, pathlen, + current == subject ? auth : NULL)) + { + trusted = FALSE; + issuer->destroy(issuer); + break; + } + current->destroy(current); + current = issuer; + if (trusted) + { + DBG1(DBG_CFG, " reached self-signed root ca with a path length of %d", + pathlen); + break; + } + } + current->destroy(current); + if (pathlen > MAX_TRUST_PATH_LEN) + { + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + } + if (trusted) + { + result->merge(result, auth, FALSE); + } + auth->destroy(auth); + return trusted; +} + +/** + * enumerator for trusted certificates + */ +typedef struct { + /** implements enumerator_t interface */ + enumerator_t public; + /** enumerator over candidate peer certificates */ + enumerator_t *candidates; + /** reference to the credential_manager */ + private_credential_manager_t *this; + /** type of the requested key */ + key_type_t type; + /** identity the requested key belongs to */ + identification_t *id; + /** TRUE to do CRL/OCSP checking */ + bool online; + /** pretrusted certificate we have served at first invocation */ + certificate_t *pretrusted; + /** currently enumerating auth config */ + auth_cfg_t *auth; +} trusted_enumerator_t; + +METHOD(enumerator_t, trusted_enumerate, bool, + trusted_enumerator_t *this, certificate_t **cert, auth_cfg_t **auth) +{ + certificate_t *current; + + DESTROY_IF(this->auth); + this->auth = auth_cfg_create(); + + if (!this->candidates) + { + /* first invocation, build enumerator for next one */ + this->candidates = create_cert_enumerator(this->this, CERT_ANY, + this->type, this->id, FALSE); + /* check if we have a trusted certificate for that peer */ + this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id); + if (this->pretrusted) + { + /* if we find a trusted self signed certificate, we just accept it. + * However, in order to fulfill authorization rules, we try to build + * the trust chain if it is not self signed */ + if (this->this->cache->issued_by(this->this->cache, + this->pretrusted, this->pretrusted) || + verify_trust_chain(this->this, this->pretrusted, this->auth, + TRUE, this->online)) + { + this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, + this->pretrusted->get_ref(this->pretrusted)); + DBG1(DBG_CFG, " using trusted certificate \"%Y\"", + this->pretrusted->get_subject(this->pretrusted)); + *cert = this->pretrusted; + if (auth) + { + *auth = this->auth; + } + return TRUE; + } + } + } + /* try to verify the trust chain for each certificate found */ + while (this->candidates->enumerate(this->candidates, ¤t)) + { + if (this->pretrusted && + this->pretrusted->equals(this->pretrusted, current)) + { /* skip pretrusted certificate we already served */ + continue; + } + + DBG1(DBG_CFG, " using certificate \"%Y\"", + current->get_subject(current)); + if (verify_trust_chain(this->this, current, this->auth, FALSE, + this->online)) + { + *cert = current; + if (auth) + { + *auth = this->auth; + } + return TRUE; + } + } + return FALSE; +} + +METHOD(enumerator_t, trusted_destroy, void, + trusted_enumerator_t *this) +{ + DESTROY_IF(this->pretrusted); + DESTROY_IF(this->auth); + DESTROY_IF(this->candidates); + free(this); +} + +METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*, + private_credential_manager_t *this, key_type_t type, + identification_t *id, bool online) +{ + trusted_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_trusted_enumerate, + .destroy = _trusted_destroy, + }, + .this = this, + .type = type, + .id = id, + .online = online, + ); + return &enumerator->public; +} + +/** + * enumerator for public keys + */ +typedef struct { + /** implements enumerator_t interface */ + enumerator_t public; + /** enumerator over candidate peer certificates */ + enumerator_t *inner; + /** reference to the credential_manager */ + private_credential_manager_t *this; + /** currently enumerating key */ + public_key_t *current; + /** credset wrapper around auth config */ + auth_cfg_wrapper_t *wrapper; +} public_enumerator_t; + +METHOD(enumerator_t, public_enumerate, bool, + public_enumerator_t *this, public_key_t **key, auth_cfg_t **auth) +{ + certificate_t *cert; + + while (this->inner->enumerate(this->inner, &cert, auth)) + { + DESTROY_IF(this->current); + this->current = cert->get_public_key(cert); + if (this->current) + { + *key = this->current; + return TRUE; + } + } + return FALSE; +} + +METHOD(enumerator_t, public_destroy, void, + public_enumerator_t *this) +{ + DESTROY_IF(this->current); + this->inner->destroy(this->inner); + if (this->wrapper) + { + remove_local_set(this->this, &this->wrapper->set); + this->wrapper->destroy(this->wrapper); + } + this->this->lock->unlock(this->this->lock); + + /* check for delayed certificate cache queue */ + cache_queue(this->this); + free(this); +} + +METHOD(credential_manager_t, create_public_enumerator, enumerator_t*, + private_credential_manager_t *this, key_type_t type, identification_t *id, + auth_cfg_t *auth) +{ + public_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_public_enumerate, + .destroy = _public_destroy, + }, + .inner = create_trusted_enumerator(this, type, id, TRUE), + .this = this, + ); + if (auth) + { + enumerator->wrapper = auth_cfg_wrapper_create(auth); + add_local_set(this, &enumerator->wrapper->set); + } + this->lock->read_lock(this->lock); + return &enumerator->public; +} + +/** + * Check if a certificate's keyid is contained in the auth helper + */ +static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert) +{ + enumerator_t *enumerator; + identification_t *value; + auth_rule_t type; + bool found = FALSE; + + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &type, &value)) + { + if (type == AUTH_RULE_CA_CERT && + cert->equals(cert, (certificate_t*)value)) + { + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + return found; +} + +/** + * build a trustchain from subject up to a trust anchor in trusted + */ +static auth_cfg_t *build_trustchain(private_credential_manager_t *this, + certificate_t *subject, auth_cfg_t *auth) +{ + certificate_t *issuer, *current; + auth_cfg_t *trustchain; + int pathlen = 0; + + trustchain = auth_cfg_create(); + + current = auth->get(auth, AUTH_RULE_CA_CERT); + if (!current) + { + /* no trust anchor specified, return this cert only */ + trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, + subject->get_ref(subject)); + return trustchain; + } + current = subject->get_ref(subject); + while (TRUE) + { + if (auth_contains_cacert(auth, current)) + { + trustchain->add(trustchain, AUTH_RULE_CA_CERT, current); + return trustchain; + } + if (subject == current) + { + trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current); + } + else + { + trustchain->add(trustchain, AUTH_RULE_IM_CERT, current); + } + issuer = get_issuer_cert(this, current, FALSE); + if (!issuer || issuer->equals(issuer, current) || + pathlen > MAX_TRUST_PATH_LEN) + { + DESTROY_IF(issuer); + break; + } + current = issuer; + pathlen++; + } + trustchain->destroy(trustchain); + return NULL; +} + +/** + * find a private key of a give certificate + */ +static private_key_t *get_private_by_cert(private_credential_manager_t *this, + certificate_t *cert, key_type_t type) +{ + private_key_t *private = NULL; + identification_t *keyid; + chunk_t chunk; + public_key_t *public; + + public = cert->get_public_key(cert); + if (public) + { + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + { + keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + private = get_private_by_keyid(this, type, keyid); + keyid->destroy(keyid); + } + public->destroy(public); + } + return private; +} + +METHOD(credential_manager_t, get_private, private_key_t*, + private_credential_manager_t *this, key_type_t type, identification_t *id, + auth_cfg_t *auth) +{ + enumerator_t *enumerator; + certificate_t *cert; + private_key_t *private = NULL; + auth_cfg_t *trustchain; + + /* check if this is a lookup by key ID, and do it if so */ + if (id && id->get_type(id) == ID_KEY_ID) + { + private = get_private_by_keyid(this, type, id); + if (private) + { + return private; + } + } + + /* if a specific certificate is preferred, check for a matching key */ + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (cert) + { + private = get_private_by_cert(this, cert, type); + if (private) + { + trustchain = build_trustchain(this, cert, auth); + if (trustchain) + { + auth->merge(auth, trustchain, FALSE); + trustchain->destroy(trustchain); + } + return private; + } + } + + /* try to build a trust chain for each certificate found */ + enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); + while (enumerator->enumerate(enumerator, &cert)) + { + private = get_private_by_cert(this, cert, type); + if (private) + { + trustchain = build_trustchain(this, cert, auth); + if (trustchain) + { + auth->merge(auth, trustchain, FALSE); + trustchain->destroy(trustchain); + break; + } + private->destroy(private); + private = NULL; + } + } + enumerator->destroy(enumerator); + + /* if no valid trustchain was found, fall back to the first usable cert */ + if (!private) + { + enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); + while (enumerator->enumerate(enumerator, &cert)) + { + private = get_private_by_cert(this, cert, type); + if (private) + { + auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert)); + break; + } + } + enumerator->destroy(enumerator); + } + return private; +} + +METHOD(credential_manager_t, flush_cache, void, + private_credential_manager_t *this, certificate_type_t type) +{ + this->cache->flush(this->cache, type); +} + +METHOD(credential_manager_t, issued_by, bool, + private_credential_manager_t *this, certificate_t *subject, + certificate_t *issuer) +{ + return this->cache->issued_by(this->cache, subject, issuer); +} + +METHOD(credential_manager_t, add_set, void, + private_credential_manager_t *this, credential_set_t *set) +{ + this->lock->write_lock(this->lock); + this->sets->insert_last(this->sets, set); + this->lock->unlock(this->lock); +} + +METHOD(credential_manager_t, remove_set, void, + private_credential_manager_t *this, credential_set_t *set) +{ + this->lock->write_lock(this->lock); + this->sets->remove(this->sets, set, NULL); + this->lock->unlock(this->lock); +} + +METHOD(credential_manager_t, add_validator, void, + private_credential_manager_t *this, cert_validator_t *vdtr) +{ + this->lock->write_lock(this->lock); + this->sets->insert_last(this->validators, vdtr); + this->lock->unlock(this->lock); +} + +METHOD(credential_manager_t, remove_validator, void, + private_credential_manager_t *this, cert_validator_t *vdtr) +{ + this->lock->write_lock(this->lock); + this->validators->remove(this->validators, vdtr, NULL); + this->lock->unlock(this->lock); +} + +METHOD(credential_manager_t, destroy, void, + private_credential_manager_t *this) +{ + cache_queue(this); + this->cache_queue->destroy(this->cache_queue); + this->sets->remove(this->sets, this->cache, NULL); + this->sets->destroy(this->sets); + this->local_sets->destroy(this->local_sets); + this->cache->destroy(this->cache); + this->validators->destroy(this->validators); + this->lock->destroy(this->lock); + this->queue_mutex->destroy(this->queue_mutex); + free(this); +} + +/* + * see header file + */ +credential_manager_t *credential_manager_create() +{ + private_credential_manager_t *this; + + INIT(this, + .public = { + .create_cert_enumerator = _create_cert_enumerator, + .create_shared_enumerator = _create_shared_enumerator, + .create_cdp_enumerator = _create_cdp_enumerator, + .get_cert = _get_cert, + .get_shared = _get_shared, + .get_private = _get_private, + .create_trusted_enumerator = _create_trusted_enumerator, + .create_public_enumerator = _create_public_enumerator, + .flush_cache = _flush_cache, + .cache_cert = _cache_cert, + .issued_by = _issued_by, + .add_set = _add_set, + .remove_set = _remove_set, + .add_local_set = _add_local_set, + .remove_local_set = _remove_local_set, + .add_validator = _add_validator, + .remove_validator = _remove_validator, + .destroy = _destroy, + }, + .sets = linked_list_create(), + .validators = linked_list_create(), + .cache = cert_cache_create(), + .cache_queue = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy); + this->sets->insert_first(this->sets, this->cache); + + return &this->public; +} diff --git a/src/libcharon/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h index 0448da992..04269cfbf 100644 --- a/src/libcharon/credentials/credential_manager.h +++ b/src/libstrongswan/credentials/credential_manager.h @@ -15,21 +15,22 @@ /** * @defgroup credential_manager credential_manager - * @{ @ingroup ccredentials + * @{ @ingroup credentials */ #ifndef CREDENTIAL_MANAGER_H_ #define CREDENTIAL_MANAGER_H_ +typedef struct credential_manager_t credential_manager_t; + #include <utils/identification.h> #include <utils/enumerator.h> -#include <config/auth_cfg.h> +#include <credentials/auth_cfg.h> #include <credentials/credential_set.h> #include <credentials/keys/private_key.h> #include <credentials/keys/shared_key.h> #include <credentials/certificates/certificate.h> - -typedef struct credential_manager_t credential_manager_t; +#include <credentials/cert_validator.h> /** * Manages credentials using credential_sets. @@ -142,6 +143,24 @@ struct credential_manager_t { identification_t *id, auth_cfg_t *auth); /** + * Create an enumerator over trusted certificates. + * + * This method creates an enumerator over trusted certificates. The auth + * parameter (if given) recevies the trustchain used to validate + * the certificate. The resulting enumerator enumerates over + * certificate_t*, auth_cfg_t*. + * If online is set, revocations are checked online for the whole + * trustchain. + * + * @param type type of the key we want a certificate for + * @param id subject of the certificate + * @param online whether revocations should be checked online + * @return enumerator + */ + enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this, + key_type_t type, identification_t *id, bool online); + + /** * Create an enumerator over trusted public keys. * * This method gets a an enumerator over trusted public keys to verify a @@ -149,6 +168,8 @@ struct credential_manager_t { * authentication infos, e.g. peer and intermediate certificates. * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *, * where the auth config helper contains rules for constraint checks. + * This function is very similar to create_trusted_enumerator(), but + * gets public keys directly. * * @param type type of the key to get * @param id owner of the key, signer of the signature @@ -176,6 +197,19 @@ struct credential_manager_t { void (*flush_cache)(credential_manager_t *this, certificate_type_t type); /** + * Check if a given subject certificate is issued by an issuer certificate. + * + * This operation does signature verification, but uses the credential + * managers cache for to speed up the operation. + * + * @param subject subject certificate to check + * @param issuer issuer certificate that potentially has signed subject + * @return TRUE if issuer signed subject + */ + bool (*issued_by)(credential_manager_t *this, + certificate_t *subject, certificate_t *issuer); + + /** * Register a credential set to the manager. * * @param set set to register @@ -190,6 +224,39 @@ struct credential_manager_t { void (*remove_set)(credential_manager_t *this, credential_set_t *set); /** + * Register a thread local credential set to the manager. + * + * To add a credential set for the current trustchain verification + * operation, sets may be added for the calling thread only. This + * does not require a write lock and is therefore a much less expensive + * operation. + * + * @param set set to register + */ + void (*add_local_set)(credential_manager_t *this, credential_set_t *set); + + /** + * Unregister a thread local credential set from the manager. + * + * @param set set to unregister + */ + void (*remove_local_set)(credential_manager_t *this, credential_set_t *set); + + /** + * Register a certificate validator to the manager. + * + * @param vdtr validator to register + */ + void (*add_validator)(credential_manager_t *this, cert_validator_t *vdtr); + + /** + * Remove a certificate validator from the manager. + * + * @param vdtr validator to unregister + */ + void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr); + + /** * Destroy a credential_manager instance. */ void (*destroy)(credential_manager_t *this); diff --git a/src/libcharon/credentials/credential_set.h b/src/libstrongswan/credentials/credential_set.h index 274eb3feb..0eee237cb 100644 --- a/src/libcharon/credentials/credential_set.h +++ b/src/libstrongswan/credentials/credential_set.h @@ -15,18 +15,18 @@ /** * @defgroup credential_set credential_set - * @{ @ingroup ccredentials + * @{ @ingroup credentials */ #ifndef CREDENTIAL_SET_H_ #define CREDENTIAL_SET_H_ +typedef struct credential_set_t credential_set_t; + #include <credentials/keys/public_key.h> #include <credentials/keys/shared_key.h> #include <credentials/certificates/certificate.h> -typedef struct credential_set_t credential_set_t; - /** * A set of credentials. * diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c index ff3ddeb6f..de5b85bae 100644 --- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c +++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c @@ -159,7 +159,7 @@ static char* get_string(private_ietf_attributes_t *this) enumerator = this->list->create_enumerator(this->list); while (enumerator->enumerate(enumerator, &attr)) { - int written = 0; + int written; if (first) { @@ -168,8 +168,12 @@ static char* get_string(private_ietf_attributes_t *this) else { written = snprintf(pos, len, ", "); + if (written < 0 || written >= len) + { + break; + } pos += written; - len -= written; + len -= written; } switch (attr->type) @@ -194,8 +198,13 @@ static char* get_string(private_ietf_attributes_t *this) break; } default: + written = 0; break; } + if (written < 0 || written >= len) + { + break; + } pos += written; len -= written; } diff --git a/src/libstrongswan/credentials/keys/key_encoding.h b/src/libstrongswan/credentials/keys/key_encoding.h deleted file mode 100644 index d8435f4b4..000000000 --- a/src/libstrongswan/credentials/keys/key_encoding.h +++ /dev/null @@ -1,203 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup key_encoding key_encoding - * @{ @ingroup keys - */ - -#ifndef KEY_ENCODING_H_ -#define KEY_ENCODING_H_ - -typedef struct key_encoding_t key_encoding_t; -typedef enum key_encoding_type_t key_encoding_type_t; -typedef enum key_encoding_part_t key_encoding_part_t; - -#include <library.h> - -/** - * Key encoder function implementing encoding/fingerprinting. - * - * The variable argument list takes key_encoding_part_t, followed by part - * specific arguments, terminated by KEY_PART_END. - * - * @param type format to encode the key to - * @param args list of (key_encoding_part_t, data) - * @param encoding encoding result, allocated - * @return TRUE if encoding successful - */ -typedef bool (*key_encoder_t)(key_encoding_type_t type, chunk_t *encoding, - va_list args); - -/** - * Helper function for key_encoder_t implementations to parse argument list. - * - * Key encoder functions get a variable argument list to parse. To simplify - * the job, this function reads the arguments and returns chunks for each - * part. - * The argument list of this function takes a key_encoding_part_t, followed - * by a data pointer receiving the value, terminated by KEY_PART_END. - * - * @param args argument list passed to key encoder function - * @param ... list of (key_encoding_part_t, data*) - * @return TRUE if all parts found, FALSE otherwise - */ -bool key_encoding_args(va_list args, ...); - -/** - * Encoding type of a fingerprint/private-/public-key. - * - * Fingerprints have have the KEY_ID_*, public keys the KEY_PUB_* and - * private keys the KEY_PRIV_* prefix. - */ -enum key_encoding_type_t { - /** SHA1 fingerprint over subjectPublicKeyInfo */ - KEY_ID_PUBKEY_INFO_SHA1 = 0, - /** SHA1 fingerprint over subjectPublicKey */ - KEY_ID_PUBKEY_SHA1, - /** PGPv3 fingerprint */ - KEY_ID_PGPV3, - /** PGPv4 fingerprint */ - KEY_ID_PGPV4, - - KEY_ID_MAX, - - /** PKCS#1 and similar ASN.1 key encoding */ - KEY_PUB_ASN1_DER, - KEY_PRIV_ASN1_DER, - /** subjectPublicKeyInfo encoding */ - KEY_PUB_SPKI_ASN1_DER, - /** PEM encoded PKCS#1 key */ - KEY_PUB_PEM, - KEY_PRIV_PEM, - /** PGP key encoding */ - KEY_PUB_PGP, - KEY_PRIV_PGP, - - KEY_ENCODING_MAX, -}; - -/** - * Parts of a key to encode. - */ -enum key_encoding_part_t { - /** modulus of a RSA key, n */ - KEY_PART_RSA_MODULUS, - /** public exponent of a RSA key, e */ - KEY_PART_RSA_PUB_EXP, - /** private exponent of a RSA key, d */ - KEY_PART_RSA_PRIV_EXP, - /** prime1 a RSA key, p */ - KEY_PART_RSA_PRIME1, - /** prime2 a RSA key, q */ - KEY_PART_RSA_PRIME2, - /** exponent1 a RSA key, exp1 */ - KEY_PART_RSA_EXP1, - /** exponent1 a RSA key, exp2 */ - KEY_PART_RSA_EXP2, - /** coefficient of RSA key, coeff */ - KEY_PART_RSA_COEFF, - /** a DER encoded RSA public key */ - KEY_PART_RSA_PUB_ASN1_DER, - /** a DER encoded RSA private key */ - KEY_PART_RSA_PRIV_ASN1_DER, - /** a DER encoded ECDSA public key */ - KEY_PART_ECDSA_PUB_ASN1_DER, - /** a DER encoded ECDSA private key */ - KEY_PART_ECDSA_PRIV_ASN1_DER, - - KEY_PART_END, -}; - -/** - * Private/Public key encoding and fingerprinting facility. - */ -struct key_encoding_t { - - /** - * Encode a key into a format using several key parts, optional caching. - * - * The variable argument list takes key_encoding_part_t, followed by part - * specific arguments, terminated by KEY_PART_END. - * If a cache key is given, the returned encoding points to internal data: - * do not free or modify. If no cache key is given, the encoding is - * allocated and must be freed by the caller. - * - * @param type format the key should be encoded to - * @param cache key to use for caching, NULL to not cache - * @param encoding encoding result, allocated if caching disabled - * @param ... list of (key_encoding_part_t, data) - * @return TRUE if encoding successful - */ - bool (*encode)(key_encoding_t *this, key_encoding_type_t type, void *cache, - chunk_t *encoding, ...); - - /** - * Clear all cached encodings of a given cache key. - * - * @param cache key used in encode() for caching - */ - void (*clear_cache)(key_encoding_t *this, void *cache); - - /** - * Check for a cached encoding. - * - * @param type format of the key encoding - * @param cache key to use for caching, as given to encode() - * @param encoding encoding result, internal data - * @return TRUE if cache entry found - */ - bool (*get_cache)(key_encoding_t *this, key_encoding_type_t type, - void *cache, chunk_t *encoding); - - /** - * Cache a key encoding created externally. - * - * After calling cache(), the passed encoding is owned by the key encoding - * facility. - * - * @param type format of the key encoding - * @param cache key to use for caching, as given to encode() - * @param encoding encoding to cache, gets owned by this - */ - void (*cache)(key_encoding_t *this, key_encoding_type_t type, void *cache, - chunk_t encoding); - - /** - * Register a key encoder function. - * - * @param encoder key encoder function to add - */ - void (*add_encoder)(key_encoding_t *this, key_encoder_t encoder); - - /** - * Unregister a previously registered key encoder function. - * - * @param encoder key encoder function to remove - */ - void (*remove_encoder)(key_encoding_t *this, key_encoder_t encoder); - - /** - * Destroy a key_encoding_t. - */ - void (*destroy)(key_encoding_t *this); -}; - -/** - * Create a key_encoding instance. - */ -key_encoding_t *key_encoding_create(); - -#endif /** KEY_ENCODING_H_ @}*/ diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c index c3b5ac55b..8292af495 100644 --- a/src/libstrongswan/credentials/keys/private_key.c +++ b/src/libstrongswan/credentials/keys/private_key.c @@ -20,7 +20,7 @@ */ bool private_key_equals(private_key_t *this, private_key_t *other) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t a, b; if (this == other) @@ -28,7 +28,7 @@ bool private_key_equals(private_key_t *this, private_key_t *other) return TRUE; } - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (this->get_fingerprint(this, type, &a) && other->get_fingerprint(other, type, &b)) @@ -44,10 +44,10 @@ bool private_key_equals(private_key_t *this, private_key_t *other) */ bool private_key_belongs_to(private_key_t *private, public_key_t *public) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t a, b; - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (private->get_fingerprint(private, type, &a) && public->get_fingerprint(public, type, &b)) @@ -63,10 +63,10 @@ bool private_key_belongs_to(private_key_t *private, public_key_t *public) */ bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t current; - for (type = 0; type < KEY_ID_MAX; type++) + for (type = 0; type < KEYID_MAX; type++) { if (private->get_fingerprint(private, type, ¤t) && chunk_equals(current, fingerprint)) diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index d4517f296..27f4ab098 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -23,6 +23,7 @@ typedef struct private_key_t private_key_t; +#include <credentials/cred_encoding.h> #include <credentials/keys/public_key.h> /** @@ -89,11 +90,11 @@ struct private_key_t { /** * Get the fingerprint of the key. * - * @param type type of fingerprint, one of KEY_ID_* + * @param type type of fingerprint, one of KEYID_* * @param fp fingerprint, points to internal data * @return TRUE if fingerprint type supported */ - bool (*get_fingerprint)(private_key_t *this, key_encoding_type_t type, + bool (*get_fingerprint)(private_key_t *this, cred_encoding_type_t type, chunk_t *fp); /** @@ -107,11 +108,11 @@ struct private_key_t { /** * Get the key in an encoded form as a chunk. * - * @param type type of the encoding, one of KEY_PRIV_* + * @param type type of the encoding, one of PRIVKEY_* * @param encoding encoding of the key, allocated * @return TRUE if encoding supported */ - bool (*get_encoding)(private_key_t *this, key_encoding_type_t type, + bool (*get_encoding)(private_key_t *this, cred_encoding_type_t type, chunk_t *encoding); /** diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index ba3036793..ce342de33 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -47,7 +47,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, */ bool public_key_equals(public_key_t *this, public_key_t *other) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t a, b; if (this == other) @@ -55,7 +55,7 @@ bool public_key_equals(public_key_t *this, public_key_t *other) return TRUE; } - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (this->get_fingerprint(this, type, &a) && other->get_fingerprint(other, type, &b)) @@ -71,10 +71,10 @@ bool public_key_equals(public_key_t *this, public_key_t *other) */ bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t current; - for (type = 0; type < KEY_ID_MAX; type++) + for (type = 0; type < KEYID_MAX; type++) { if (public->get_fingerprint(public, type, ¤t) && chunk_equals(current, fingerprint)) diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index a421e7b5b..ff827a189 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -23,12 +23,11 @@ typedef struct public_key_t public_key_t; typedef enum key_type_t key_type_t; -typedef enum key_id_type_t key_id_type_t; typedef enum signature_scheme_t signature_scheme_t; #include <library.h> #include <utils/identification.h> -#include <credentials/keys/key_encoding.h> +#include <credentials/cred_encoding.h> /** * Type of a key pair, the used crypto system @@ -147,11 +146,11 @@ struct public_key_t { /** * Get the fingerprint of the key. * - * @param type type of fingerprint, one of KEY_ID_* + * @param type type of fingerprint, one of KEYID_* * @param fp fingerprint, points to internal data * @return TRUE if fingerprint type supported */ - bool (*get_fingerprint)(public_key_t *this, key_encoding_type_t type, + bool (*get_fingerprint)(public_key_t *this, cred_encoding_type_t type, chunk_t *fp); /** @@ -165,11 +164,11 @@ struct public_key_t { /** * Get the key in an encoded form as a chunk. * - * @param type type of the encoding, one of KEY_PRIV_* + * @param type type of the encoding, one of PRIVKEY_* * @param encoding encoding of the key, allocated * @return TRUE if encoding supported */ - bool (*get_encoding)(public_key_t *this, key_encoding_type_t type, + bool (*get_encoding)(public_key_t *this, cred_encoding_type_t type, chunk_t *encoding); /** diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 82e33d283..5e8458616 100644 --- a/src/libcharon/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -14,7 +14,8 @@ * for more details. */ -#include <daemon.h> +#include <library.h> +#include <debug.h> #include "auth_cfg_wrapper.h" @@ -95,7 +96,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, } DBG1(DBG_CFG, " fetched certificate \"%Y\"", cert->get_subject(cert)); - charon->credentials->cache_cert(charon->credentials, cert); + lib->credmgr->cache_cert(lib->credmgr, cert); if (*rule == AUTH_HELPER_IM_HASH_URL) { @@ -220,4 +221,3 @@ auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth) return &this->public; } - diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.h b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h index 7653fcdbf..3a4b197ac 100644 --- a/src/libcharon/credentials/sets/auth_cfg_wrapper.h +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h @@ -21,7 +21,7 @@ #ifndef AUTH_CFG_WRAPPER_H_ #define AUTH_CFG_WRAPPER_H_ -#include <config/auth_cfg.h> +#include <credentials/auth_cfg.h> #include <credentials/credential_set.h> typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t; diff --git a/src/libcharon/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index 176accce2..7161ac9ac 100644 --- a/src/libcharon/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -18,7 +18,7 @@ #include <time.h> #include <sched.h> -#include <daemon.h> +#include <library.h> #include <threading/rwlock.h> #include <utils/linked_list.h> @@ -387,4 +387,3 @@ cert_cache_t *cert_cache_create() } return &this->public; } - diff --git a/src/libcharon/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h index d2721866e..d2721866e 100644 --- a/src/libcharon/credentials/sets/cert_cache.h +++ b/src/libstrongswan/credentials/sets/cert_cache.h diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.c b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c index 82079209a..4786495da 100644 --- a/src/libcharon/credentials/sets/ocsp_response_wrapper.c +++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c @@ -144,4 +144,3 @@ ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response) return &this->public; } - diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.h b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h index dc4b451df..dc4b451df 100644 --- a/src/libcharon/credentials/sets/ocsp_response_wrapper.h +++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 108ac2ca0..b61bdf7a0 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -18,12 +18,13 @@ #include <stdlib.h> -#include "debug.h" -#include "threading/thread.h" -#include "utils/identification.h" -#include "utils/host.h" +#include <debug.h> +#include <threading/thread.h> +#include <utils/identification.h> +#include <utils/host.h> +#include <selectors/traffic_selector.h> #ifdef LEAK_DETECTIVE -#include "utils/leak_detective.h" +#include <utils/leak_detective.h> #endif #define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so" @@ -59,9 +60,14 @@ library_t *lib; void library_deinit() { private_library_t *this = (private_library_t*)lib; + bool detailed; + + detailed = lib->settings->get_bool(lib->settings, + "libstrongswan.leak_detective.detailed", TRUE); this->public.plugins->destroy(this->public.plugins); this->public.settings->destroy(this->public.settings); + this->public.credmgr->destroy(this->public.credmgr); this->public.creds->destroy(this->public.creds); this->public.encoding->destroy(this->public.encoding); this->public.crypto->destroy(this->public.crypto); @@ -76,6 +82,7 @@ void library_deinit() #ifdef LEAK_DETECTIVE if (this->detective) { + this->detective->report(this->detective, detailed); this->detective->destroy(this->detective); } #endif /* LEAK_DETECTIVE */ @@ -124,11 +131,14 @@ bool library_init(char *settings) PRINTF_HOOK_ARGTYPE_END); pfh->add_handler(pfh, 'Y', identification_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); + pfh->add_handler(pfh, 'R', traffic_selector_printf_hook, + PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); this->public.settings = settings_create(settings); this->public.crypto = crypto_factory_create(); this->public.creds = credential_factory_create(); - this->public.encoding = key_encoding_create(); + this->public.credmgr = credential_manager_create(); + this->public.encoding = cred_encoding_create(); this->public.fetcher = fetcher_manager_create(); this->public.db = database_factory_create(); this->public.plugins = plugin_loader_create(); diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 241084155..cd5dfb479 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -28,6 +28,9 @@ * @defgroup certificates certificates * @ingroup credentials * + * @defgroup sets sets + * @ingroup credentials + * * @defgroup crypto crypto * @ingroup libstrongswan * @@ -65,7 +68,8 @@ #include "fetcher/fetcher_manager.h" #include "database/database_factory.h" #include "credentials/credential_factory.h" -#include "credentials/keys/key_encoding.h" +#include "credentials/credential_manager.h" +#include "credentials/cred_encoding.h" typedef struct library_t library_t; @@ -90,9 +94,14 @@ struct library_t { credential_factory_t *creds; /** - * key encoding registry and factory + * Manager for the credential set backends + */ + credential_manager_t *credmgr; + + /** + * Credential encoding registry and factory */ - key_encoding_t *encoding; + cred_encoding_t *encoding; /** * URL fetching facility diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 391d23049..9859b75cf 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index bd6465374..c95e7b778 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index 4247f849e..51ddbecc6 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c +++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -340,7 +340,7 @@ static public_key_t* get_public_key(private_agent_private_key_t *this) * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_agent_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { return FALSE; } @@ -349,7 +349,7 @@ static bool get_encoding(private_agent_private_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_agent_private_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e, key; @@ -363,7 +363,7 @@ static bool get_fingerprint(private_agent_private_key_t *this, n = read_string(&key); return lib->encoding->encode(lib->encoding, type, this, fp, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); } /** @@ -429,9 +429,9 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args) this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; this->public.interface.belongs_to = private_key_belongs_to; this->public.interface.equals = private_key_equals; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; this->public.interface.destroy = (void (*)(private_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index f95a4abe5..6a82ce94a 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index 1952b22e7..fc3b0ab1a 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index af351cfe3..319baa04c 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 1f1f90127..73f81f4db 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 70553fbd8..4ed8276c4 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am index 48bf916ab..57f3f5016 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.am +++ b/src/libstrongswan/plugins/gcrypt/Makefile.am @@ -19,4 +19,4 @@ libstrongswan_gcrypt_la_SOURCES = \ gcrypt_hasher.h gcrypt_hasher.c libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version -libstrongswan_gcrypt_la_LIBADD = -lgcrypt +libstrongswan_gcrypt_la_LIBADD = -lgcrypt -lgpg-error diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 35829c950..09131c4be 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -272,7 +272,7 @@ libstrongswan_gcrypt_la_SOURCES = \ gcrypt_hasher.h gcrypt_hasher.c libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version -libstrongswan_gcrypt_la_LIBADD = -lgcrypt +libstrongswan_gcrypt_la_LIBADD = -lgcrypt -lgpg-error all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 2cb13c5f3..b8e86aba0 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -308,7 +308,7 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this) * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_gcrypt_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty; gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2; @@ -368,11 +368,11 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this, cu = gcrypt_rsa_find_token(this->key, "u", NULL); success = lib->encoding->encode(lib->encoding, type, NULL, encoding, - KEY_PART_RSA_MODULUS, cn, - KEY_PART_RSA_PUB_EXP, ce, KEY_PART_RSA_PRIV_EXP, cd, - KEY_PART_RSA_PRIME1, cp, KEY_PART_RSA_PRIME2, cq, - KEY_PART_RSA_EXP1, cexp1, KEY_PART_RSA_EXP2, cexp2, - KEY_PART_RSA_COEFF, cu, KEY_PART_END); + CRED_PART_RSA_MODULUS, cn, + CRED_PART_RSA_PUB_EXP, ce, CRED_PART_RSA_PRIV_EXP, cd, + CRED_PART_RSA_PRIME1, cp, CRED_PART_RSA_PRIME2, cq, + CRED_PART_RSA_EXP1, cexp1, CRED_PART_RSA_EXP2, cexp2, + CRED_PART_RSA_COEFF, cu, CRED_PART_END); chunk_free(&cn); chunk_free(&ce); chunk_clear(&cd); @@ -389,7 +389,7 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -402,8 +402,8 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this, e = gcrypt_rsa_find_token(this->key, "e", NULL); success = lib->encoding->encode(lib->encoding, - type, this, fp, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + type, this, fp, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); return success; @@ -445,9 +445,9 @@ static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty() this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; this->public.interface.equals = private_key_equals; this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; this->public.interface.destroy = (void (*)(private_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 5fd15d9a3..80a91b976 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -240,7 +240,7 @@ static size_t get_keysize(private_gcrypt_rsa_public_key_t *this) * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_gcrypt_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t n, e; bool success; @@ -248,8 +248,8 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this, n = gcrypt_rsa_find_token(this->key, "n", NULL); e = gcrypt_rsa_find_token(this->key, "e", NULL); success = lib->encoding->encode(lib->encoding, type, NULL, encoding, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, - KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, + CRED_PART_END); chunk_free(&n); chunk_free(&e); @@ -260,7 +260,7 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -273,8 +273,8 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this, e = gcrypt_rsa_find_token(this->key, "e", NULL); success = lib->encoding->encode(lib->encoding, - type, this, fp, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + type, this, fp, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); return success; @@ -338,9 +338,9 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type, this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.equals = public_key_equals; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; this->public.interface.destroy = (void (*)(public_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index 5c1a1fcd9..bd7100b27 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index f70b0b545..cc9985320 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -403,7 +403,7 @@ static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_gmp_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t n, e, d, p, q, exp1, exp2, coeff; bool success; @@ -418,11 +418,11 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this, coeff = gmp_mpz_to_chunk(this->coeff); success = lib->encoding->encode(lib->encoding, - type, NULL, encoding, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d, - KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q, - KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2, - KEY_PART_RSA_COEFF, coeff, KEY_PART_END); + type, NULL, encoding, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d, + CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q, + CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2, + CRED_PART_RSA_COEFF, coeff, CRED_PART_END); chunk_free(&n); chunk_free(&e); chunk_clear(&d); @@ -439,7 +439,7 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_gmp_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -452,7 +452,7 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this, e = gmp_mpz_to_chunk(this->e); success = lib->encoding->encode(lib->encoding, type, this, fp, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); @@ -601,9 +601,9 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void) this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key; this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals; this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref; this->public.interface.destroy = (void (*) (private_key_t*))destroy; diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 98dbb1922..c114ae80d 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -396,7 +396,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this) * Implementation of public_key_t.get_encoding */ static bool get_encoding(private_gmp_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t n, e; bool success; @@ -405,7 +405,7 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this, e = gmp_mpz_to_chunk(this->e); success = lib->encoding->encode(lib->encoding, type, NULL, encoding, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); @@ -416,7 +416,7 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this, * Implementation of public_key_t.get_fingerprint */ static bool get_fingerprint(private_gmp_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -429,7 +429,7 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this, e = gmp_mpz_to_chunk(this->e); success = lib->encoding->encode(lib->encoding, type, this, fp, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); @@ -497,9 +497,9 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_; this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals; this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref; this->public.interface.destroy = (void (*) (public_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index c965f7392..b03ff44a6 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 3b69f082f..b96fd5abf 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index cb3307bbc..874ee07a2 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 8948ddcc5..cc32bca88 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 1a97c620e..83c1188b6 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index a50799798..5c845a19c 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -20,7 +20,9 @@ libstrongswan_openssl_la_SOURCES = \ openssl_rsa_public_key.c openssl_rsa_public_key.h \ openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \ openssl_ec_private_key.c openssl_ec_private_key.h \ - openssl_ec_public_key.c openssl_ec_public_key.h + openssl_ec_public_key.c openssl_ec_public_key.h \ + openssl_x509.c openssl_x509.h \ + openssl_crl.c openssl_crl.h libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index a2a931d42..de9df7271 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -79,7 +79,7 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \ openssl_sha1_prf.lo openssl_diffie_hellman.lo \ openssl_rsa_private_key.lo openssl_rsa_public_key.lo \ openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \ - openssl_ec_public_key.lo + openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo libstrongswan_openssl_la_OBJECTS = \ $(am_libstrongswan_openssl_la_OBJECTS) libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -276,7 +276,9 @@ libstrongswan_openssl_la_SOURCES = \ openssl_rsa_public_key.c openssl_rsa_public_key.h \ openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \ openssl_ec_private_key.c openssl_ec_private_key.h \ - openssl_ec_public_key.c openssl_ec_public_key.h + openssl_ec_public_key.c openssl_ec_public_key.h \ + openssl_x509.c openssl_x509.h \ + openssl_crl.c openssl_crl.h libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto @@ -363,6 +365,7 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_crl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_diffie_hellman.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@ @@ -374,6 +377,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c new file mode 100644 index 000000000..5645d72d7 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -0,0 +1,530 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* + * Copyright (C) 2010 secunet Security Networks AG + * Copyright (C) 2010 Thomas Egerer + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#include "openssl_crl.h" +#include "openssl_util.h" + +#include <openssl/x509.h> +#include <openssl/x509v3.h> + +#include <debug.h> +#include <utils/enumerator.h> +#include <credentials/certificates/x509.h> + +typedef struct private_openssl_crl_t private_openssl_crl_t; + +/** + * Private data of an openssl_crl_t object. + */ +struct private_openssl_crl_t { + + /** + * Public openssl_crl_t interface. + */ + openssl_crl_t public; + + /** + * OpenSSL representation of a CRL + */ + X509_CRL *crl; + + /** + * DER encoding of the CRL + */ + chunk_t encoding; + + /** + * Serial Number (crlNumber) of the CRL) + */ + chunk_t serial; + + /** + * AuthorityKeyIdentifier of the issuing CA + */ + chunk_t authKeyIdentifier; + + /** + * Date of this CRL + */ + time_t thisUpdate; + + /** + * Date of next CRL expected + */ + time_t nextUpdate; + + /** + * Issuer of this CRL + */ + identification_t *issuer; + + /** + * Signature scheme used in this CRL + */ + signature_scheme_t scheme; + + /** + * References to this CRL + */ + refcount_t ref; +}; + +/** + * Enumerator over revoked certificates + */ +typedef struct { + /** + * Implements enumerator_t + */ + enumerator_t public; + + /** + * stack of revoked certificates + */ + STACK_OF(X509_REVOKED) *stack; + + /** + * Total number of revoked certificates + */ + int num; + + /** + * Current position of enumerator + */ + int i; +} crl_enumerator_t; + + +METHOD(enumerator_t, crl_enumerate, bool, + crl_enumerator_t *this, chunk_t *serial, time_t *date, crl_reason_t *reason) +{ + if (this->i < this->num) + { + X509_REVOKED *revoked; + ASN1_ENUMERATED *crlrsn; + + revoked = sk_X509_REVOKED_value(this->stack, this->i); + if (serial) + { + *serial = openssl_asn1_str2chunk(revoked->serialNumber); + } + if (date) + { + *date = openssl_asn1_to_time(revoked->revocationDate); + } + if (reason) + { + *reason = CRL_REASON_UNSPECIFIED; + crlrsn = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, + NULL, NULL); + if (crlrsn) + { + if (ASN1_STRING_type(crlrsn) == V_ASN1_ENUMERATED && + ASN1_STRING_length(crlrsn) == 1) + { + *reason = *ASN1_STRING_data(crlrsn); + } + ASN1_STRING_free(crlrsn); + } + } + this->i++; + return TRUE; + } + return FALSE; +} + +METHOD(crl_t, create_enumerator, enumerator_t*, + private_openssl_crl_t *this) +{ + crl_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_crl_enumerate, + .destroy = (void*)free, + }, + .stack = X509_CRL_get_REVOKED(this->crl), + ); + if (!enumerator->stack) + { + free(enumerator); + return enumerator_create_empty(); + } + enumerator->num = sk_X509_EXTENSION_num(enumerator->stack); + return &enumerator->public; +} + +METHOD(crl_t, get_serial, chunk_t, + private_openssl_crl_t *this) +{ + return this->serial; +} + +METHOD(crl_t, get_authKeyIdentifier, chunk_t, + private_openssl_crl_t *this) +{ + return this->authKeyIdentifier; +} + +METHOD(certificate_t, get_type, certificate_type_t, + private_openssl_crl_t *this) +{ + return CERT_X509_CRL; +} + +METHOD(certificate_t, get_subject_or_issuer, identification_t*, + private_openssl_crl_t *this) +{ + return this->issuer; +} + +METHOD(certificate_t, has_subject_or_issuer, id_match_t, + private_openssl_crl_t *this, identification_t *id) +{ + if (id->get_type(id) == ID_KEY_ID && + chunk_equals(this->authKeyIdentifier, id->get_encoding(id))) + { + return ID_MATCH_PERFECT; + } + return this->issuer->matches(this->issuer, id); +} + +METHOD(certificate_t, issued_by, bool, + private_openssl_crl_t *this, certificate_t *issuer) +{ + chunk_t fingerprint, tbs; + public_key_t *key; + x509_t *x509; + bool valid; + + if (issuer->get_type(issuer) != CERT_X509) + { + return FALSE; + } + x509 = (x509_t*)issuer; + if (!(x509->get_flags(x509) & X509_CA)) + { + return FALSE; + } + key = issuer->get_public_key(issuer); + if (!key) + { + return FALSE; + } + if (this->authKeyIdentifier.ptr && key) + { + if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || + !chunk_equals(fingerprint, this->authKeyIdentifier)) + { + return FALSE; + } + } + else + { + if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) + { + return FALSE; + } + } + if (this->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl); + valid = key->verify(key, this->scheme, tbs, + openssl_asn1_str2chunk(this->crl->signature)); + free(tbs.ptr); + key->destroy(key); + return valid; +} + +METHOD(certificate_t, get_public_key, public_key_t*, + private_openssl_crl_t *this) +{ + return NULL; +} + +METHOD(certificate_t, get_validity, bool, + private_openssl_crl_t *this, + time_t *when, time_t *not_before, time_t *not_after) +{ + time_t t = when ? *when : time(NULL); + + if (not_before) + { + *not_before = this->thisUpdate; + } + if (not_after) + { + *not_after = this->nextUpdate; + } + return t <= this->nextUpdate; +} + +METHOD(certificate_t, get_encoding, bool, + private_openssl_crl_t *this, cred_encoding_type_t type, chunk_t *encoding) +{ + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END); +} + +METHOD(certificate_t, equals, bool, + private_openssl_crl_t *this, certificate_t *other) +{ + chunk_t encoding; + bool equal; + + if (&this->public.crl.certificate == other) + { + return TRUE; + } + if (other->equals == (void*)equals) + { /* skip allocation if we have the same implementation */ + return chunk_equals(this->encoding, + ((private_openssl_crl_t*)other)->encoding); + } + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } + equal = chunk_equals(this->encoding, encoding); + free(encoding.ptr); + return equal; +} + +METHOD(certificate_t, get_ref, certificate_t*, + private_openssl_crl_t *this) +{ + ref_get(&this->ref); + return &this->public.crl.certificate; +} + +METHOD(certificate_t, destroy, void, + private_openssl_crl_t *this) +{ + if (ref_put(&this->ref)) + { + if (this->crl) + { + X509_CRL_free(this->crl); + } + DESTROY_IF(this->issuer); + free(this->authKeyIdentifier.ptr); + free(this->serial.ptr); + free(this->encoding.ptr); + free(this); + } +} + +/** + * Create an empty CRL. + */ +static private_openssl_crl_t *create_empty() +{ + private_openssl_crl_t *this; + + INIT(this, + .public = { + .crl = { + .certificate = { + .get_type = _get_type, + .get_subject = _get_subject_or_issuer, + .get_issuer = _get_subject_or_issuer, + .has_subject = _has_subject_or_issuer, + .has_issuer = _has_subject_or_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_serial = _get_serial, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .create_enumerator = _create_enumerator, + }, + }, + .ref = 1, + ); + return this; +} + +/** + * Parse the authKeyIdentifier extension + */ +static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this, + X509_EXTENSION *ext) +{ + AUTHORITY_KEYID *keyid; + + keyid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext); + if (keyid) + { + free(this->authKeyIdentifier.ptr); + this->authKeyIdentifier = chunk_clone( + openssl_asn1_str2chunk(keyid->keyid)); + AUTHORITY_KEYID_free(keyid); + return TRUE; + } + return FALSE; +} + +/** + * Parse the crlNumber extension + */ +static bool parse_crlNumber_ext(private_openssl_crl_t *this, + X509_EXTENSION *ext) +{ + free(this->serial.ptr); + this->serial = chunk_clone( + openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext))); + return this->serial.len != 0; +} + +/** + * Parse X509 CRL extensions + */ +static bool parse_extensions(private_openssl_crl_t *this) +{ + bool ok; + int i, num; + X509_EXTENSION *ext; + STACK_OF(X509_EXTENSION) *extensions; + + extensions = this->crl->crl->extensions; + if (extensions) + { + num = sk_X509_EXTENSION_num(extensions); + for (i = 0; i < num; ++i) + { + ext = sk_X509_EXTENSION_value(extensions, i); + + switch (OBJ_obj2nid(X509_EXTENSION_get_object(ext))) + { + case NID_authority_key_identifier: + ok = parse_authKeyIdentifier_ext(this, ext); + break; + case NID_crl_number: + ok = parse_crlNumber_ext(this, ext); + break; + default: + ok = TRUE; + break; + } + if (!ok) + { + return FALSE; + } + } + } + return TRUE; +} + +/** + * Parse a X509 CRL + */ +static bool parse_crl(private_openssl_crl_t *this) +{ + const unsigned char *ptr = this->encoding.ptr; + + this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len); + if (!this->crl) + { + return FALSE; + } + + if (!chunk_equals( + openssl_asn1_obj2chunk(this->crl->crl->sig_alg->algorithm), + openssl_asn1_obj2chunk(this->crl->sig_alg->algorithm))) + { + return FALSE; + } + this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid( + this->crl->sig_alg->algorithm)); + + this->issuer = openssl_x509_name2id(X509_CRL_get_issuer(this->crl)); + if (!this->issuer) + { + return FALSE; + } + this->thisUpdate = openssl_asn1_to_time(X509_CRL_get_lastUpdate(this->crl)); + this->nextUpdate = openssl_asn1_to_time(X509_CRL_get_nextUpdate(this->crl)); + + return parse_extensions(this); +} + +/** + * Load the CRL. + */ +openssl_crl_t *openssl_crl_load(certificate_type_t type, va_list args) +{ + chunk_t blob = chunk_empty; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + if (blob.ptr) + { + private_openssl_crl_t *this = create_empty(); + + this->encoding = chunk_clone(blob); + if (parse_crl(this)) + { + return &this->public; + } + destroy(this); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.h b/src/libstrongswan/plugins/openssl/openssl_crl.h new file mode 100644 index 000000000..a0837cf50 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_crl.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup openssl_crl openssl_crl + * @{ @ingroup openssl_p + */ + +#ifndef OPENSSL_CRL_H_ +#define OPENSSL_CRL_H_ + +typedef struct openssl_crl_t openssl_crl_t; + +#include <credentials/certificates/crl.h> + +/** + * X.509 Certificate Revocation list implemented with OpenSSL. + */ +struct openssl_crl_t { + + /** + * Implements the crl_t interface. + */ + crl_t crl; +}; + +/** + * Load a X.509 CRL using OpenSSL. + * + * @param type certificate type, CERT_X509_CRL only + * @param args builder_part_t argument list + * @return X.509 CRL, NULL on failure + */ +openssl_crl_t *openssl_crl_load(certificate_type_t type, va_list args); + +#endif /** OPENSSL_CRL_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index faec411cd..a53e8aea0 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -13,6 +13,10 @@ * for more details. */ +#include <openssl/opensslconf.h> + +#ifndef OPENSSL_NO_EC + #include <openssl/ec.h> #include <openssl/objects.h> @@ -331,3 +335,5 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro return &this->public; } +#endif /* OPENSSL_NO_EC */ + diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c index bdcfda974..281155913 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -14,6 +14,10 @@ * for more details. */ +#include <openssl/opensslconf.h> + +#ifndef OPENSSL_NO_EC + #include "openssl_ec_private_key.h" #include "openssl_ec_public_key.h" #include "openssl_util.h" @@ -47,7 +51,7 @@ struct private_openssl_ec_private_key_t { }; /* from ec public key */ -bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp); +bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp); /** * Build a signature as in RFC 4754 @@ -217,7 +221,7 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this) * Implementation of private_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_ec_private_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_ec_fingerprint(this->ec, type, fingerprint); } @@ -226,14 +230,14 @@ static bool get_fingerprint(private_openssl_ec_private_key_t *this, * Implementation of private_key_t.get_encoding. */ static bool get_encoding(private_openssl_ec_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; switch (type) { - case KEY_PRIV_ASN1_DER: - case KEY_PRIV_PEM: + case PRIVKEY_ASN1_DER: + case PRIVKEY_PEM: { bool success = TRUE; @@ -241,13 +245,13 @@ static bool get_encoding(private_openssl_ec_private_key_t *this, p = encoding->ptr; i2d_ECPrivateKey(this->ec, &p); - if (type == KEY_PRIV_PEM) + if (type == PRIVKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM, - NULL, encoding, KEY_PART_ECDSA_PRIV_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM, + NULL, encoding, CRED_PART_ECDSA_PRIV_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; @@ -296,9 +300,9 @@ static private_openssl_ec_private_key_t *create_empty(void) this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; this->public.interface.equals = private_key_equals; this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; this->public.interface.destroy = (void (*)(private_key_t *this))destroy; @@ -402,4 +406,5 @@ openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type, } return &this->public; } +#endif /* OPENSSL_NO_EC */ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index 790a8487d..def36c92f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -14,6 +14,10 @@ * for more details. */ +#include <openssl/opensslconf.h> + +#ifndef OPENSSL_NO_EC + #include "openssl_ec_public_key.h" #include "openssl_util.h" @@ -189,7 +193,7 @@ static size_t get_keysize(private_openssl_ec_public_key_t *this) /** * Calculate fingerprint from a EC_KEY, also used in ec private key. */ -bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp) +bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp) { hasher_t *hasher; chunk_t key; @@ -201,12 +205,12 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp) } switch (type) { - case KEY_ID_PUBKEY_SHA1: + case KEYID_PUBKEY_SHA1: key = chunk_alloc(i2o_ECPublicKey(ec, NULL)); p = key.ptr; i2o_ECPublicKey(ec, &p); break; - case KEY_ID_PUBKEY_INFO_SHA1: + case KEYID_PUBKEY_INFO_SHA1: key = chunk_alloc(i2d_EC_PUBKEY(ec, NULL)); p = key.ptr; i2d_EC_PUBKEY(ec, &p); @@ -232,7 +236,7 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp) * Implementation of private_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_ec_public_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_ec_fingerprint(this->ec, type, fingerprint); } @@ -241,14 +245,14 @@ static bool get_fingerprint(private_openssl_ec_public_key_t *this, * Implementation of private_key_t.get_encoding. */ static bool get_encoding(private_openssl_ec_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; switch (type) { - case KEY_PUB_SPKI_ASN1_DER: - case KEY_PUB_PEM: + case PUBKEY_SPKI_ASN1_DER: + case PUBKEY_PEM: { bool success = TRUE; @@ -256,13 +260,13 @@ static bool get_encoding(private_openssl_ec_public_key_t *this, p = encoding->ptr; i2d_EC_PUBKEY(this->ec, &p); - if (type == KEY_PUB_PEM) + if (type == PUBKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM, - NULL, encoding, KEY_PART_ECDSA_PUB_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PUBKEY_PEM, + NULL, encoding, CRED_PART_ECDSA_PUB_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; @@ -309,9 +313,9 @@ static private_openssl_ec_public_key_t *create_empty() this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; this->public.interface.equals = public_key_equals; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; this->public.interface.destroy = (void (*)(public_key_t *this))destroy; @@ -358,4 +362,5 @@ openssl_ec_public_key_t *openssl_ec_public_key_load(key_type_t type, } return &this->public; } +#endif /* OPENSSL_NO_EC */ diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index c1545ffb8..31697dcb8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -14,10 +14,12 @@ * for more details. */ -#include <openssl/conf.h> #include <openssl/evp.h> -#include <openssl/engine.h> +#include <openssl/conf.h> #include <openssl/crypto.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif #include "openssl_plugin.h" @@ -34,6 +36,8 @@ #include "openssl_rsa_public_key.h" #include "openssl_ec_private_key.h" #include "openssl_ec_public_key.h" +#include "openssl_x509.h" +#include "openssl_crl.h" typedef struct private_openssl_plugin_t private_openssl_plugin_t; @@ -175,8 +179,6 @@ static void destroy(private_openssl_plugin_t *this) (prf_constructor_t)openssl_sha1_prf_create); lib->crypto->remove_dh(lib->crypto, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->remove_dh(lib->crypto, - (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_rsa_private_key_load); lib->creds->remove_builder(lib->creds, @@ -185,14 +187,24 @@ static void destroy(private_openssl_plugin_t *this) (builder_function_t)openssl_rsa_private_key_connect); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_rsa_public_key_load); +#ifndef OPENSSL_NO_EC + lib->crypto->remove_dh(lib->crypto, + (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_ec_private_key_load); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_ec_private_key_gen); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_ec_public_key_load); +#endif /* OPENSSL_NO_EC */ + lib->creds->remove_builder(lib->creds, + (builder_function_t)openssl_x509_load); + lib->creds->remove_builder(lib->creds, + (builder_function_t)openssl_crl_load); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif /* OPENSSL_NO_ENGINE */ EVP_cleanup(); CONF_modules_free(); @@ -215,9 +227,11 @@ plugin_t *openssl_plugin_create() OPENSSL_config(NULL); OpenSSL_add_all_algorithms(); +#ifndef OPENSSL_NO_ENGINE /* activate support for hardware accelerators */ ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); +#endif /* OPENSSL_NO_ENGINE */ /* crypter */ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, @@ -272,6 +286,7 @@ plugin_t *openssl_plugin_create() (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, (dh_constructor_t)openssl_diffie_hellman_create); +#ifndef OPENSSL_NO_EC lib->crypto->add_dh(lib->crypto, ECP_256_BIT, (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, ECP_384_BIT, @@ -282,6 +297,7 @@ plugin_t *openssl_plugin_create() (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, ECP_192_BIT, (dh_constructor_t)openssl_ec_diffie_hellman_create); +#endif /* OPENSSL_NO_EC */ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, @@ -306,14 +322,24 @@ plugin_t *openssl_plugin_create() (builder_function_t)openssl_rsa_private_key_connect); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, (builder_function_t)openssl_rsa_public_key_load); + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + (builder_function_t)openssl_rsa_public_key_load); - /* ec */ +#ifndef OPENSSL_NO_EC + /* ecdsa */ lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, (builder_function_t)openssl_ec_private_key_load); lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, (builder_function_t)openssl_ec_private_key_gen); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, (builder_function_t)openssl_ec_public_key_load); +#endif /* OPENSSL_NO_EC */ + + /* X509 certificates */ + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, + (builder_function_t)openssl_x509_load); + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + (builder_function_t)openssl_crl_load); return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index de751fe89..5817ade9e 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -21,7 +21,9 @@ #include <openssl/evp.h> #include <openssl/rsa.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif /* OPENSSL_NO_ENGINE */ /** * Public exponent to use for key generation. @@ -56,7 +58,7 @@ struct private_openssl_rsa_private_key_t { }; /* implemented in rsa public key */ -bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp); +bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp); /** * Build an EMPSA PKCS1 signature described in PKCS#1 @@ -206,7 +208,7 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this) * Implementation of public_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_rsa_fingerprint(this->rsa, type, fingerprint); } @@ -215,7 +217,7 @@ static bool get_fingerprint(private_openssl_rsa_private_key_t *this, * Implementation of public_key_t.get_encoding. */ static bool get_encoding(private_openssl_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; @@ -225,8 +227,8 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this, } switch (type) { - case KEY_PRIV_ASN1_DER: - case KEY_PRIV_PEM: + case PRIVKEY_ASN1_DER: + case PRIVKEY_PEM: { bool success = TRUE; @@ -234,13 +236,13 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this, p = encoding->ptr; i2d_RSAPrivateKey(this->rsa, &p); - if (type == KEY_PRIV_PEM) + if (type == PRIVKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM, - NULL, encoding, KEY_PART_RSA_PRIV_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM, + NULL, encoding, CRED_PART_RSA_PRIV_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; @@ -289,9 +291,9 @@ static private_openssl_rsa_private_key_t *create_empty(void) this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key; this->public.interface.equals = private_key_equals; this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref; this->public.interface.destroy = (void (*) (private_key_t*))destroy; @@ -447,6 +449,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, va_list args) { +#ifndef OPENSSL_NO_ENGINE private_openssl_rsa_private_key_t *this; char *keyid = NULL, *pin = NULL; EVP_PKEY *key; @@ -511,5 +514,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, this->engine = TRUE; return &this->public; +#else /* OPENSSL_NO_ENGINE */ + return NULL; +#endif /* OPENSSL_NO_ENGINE */ } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index ffa575a97..6ac61a65c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -172,7 +172,7 @@ static size_t get_keysize(private_openssl_rsa_public_key_t *this) /** * Calculate fingerprint from a RSA key, also used in rsa private key. */ -bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp) +bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp) { hasher_t *hasher; chunk_t key; @@ -184,12 +184,12 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp) } switch (type) { - case KEY_ID_PUBKEY_SHA1: + case KEYID_PUBKEY_SHA1: key = chunk_alloc(i2d_RSAPublicKey(rsa, NULL)); p = key.ptr; i2d_RSAPublicKey(rsa, &p); break; - case KEY_ID_PUBKEY_INFO_SHA1: + case KEYID_PUBKEY_INFO_SHA1: key = chunk_alloc(i2d_RSA_PUBKEY(rsa, NULL)); p = key.ptr; i2d_RSA_PUBKEY(rsa, &p); @@ -215,7 +215,7 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp) * Implementation of public_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_rsa_fingerprint(this->rsa, type, fingerprint); } @@ -224,14 +224,14 @@ static bool get_fingerprint(private_openssl_rsa_public_key_t *this, * Implementation of public_key_t.get_encoding. */ static bool get_encoding(private_openssl_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; switch (type) { - case KEY_PUB_SPKI_ASN1_DER: - case KEY_PUB_PEM: + case PUBKEY_SPKI_ASN1_DER: + case PUBKEY_PEM: { bool success = TRUE; @@ -239,18 +239,18 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this, p = encoding->ptr; i2d_RSA_PUBKEY(this->rsa, &p); - if (type == KEY_PUB_PEM) + if (type == PUBKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM, - NULL, encoding, KEY_PART_RSA_PUB_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PUBKEY_PEM, + NULL, encoding, CRED_PART_RSA_PUB_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; } - case KEY_PUB_ASN1_DER: + case PUBKEY_ASN1_DER: { *encoding = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL)); p = encoding->ptr; @@ -299,9 +299,9 @@ static private_openssl_rsa_public_key_t *create_empty() this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.equals = public_key_equals; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; this->public.interface.destroy = (void (*)(public_key_t *this))destroy; @@ -345,13 +345,25 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type, this = create_empty(); if (blob.ptr) { - this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr, blob.len); + switch (type) + { + case KEY_ANY: + this->rsa = d2i_RSA_PUBKEY(NULL, (const u_char**)&blob.ptr, + blob.len); + break; + case KEY_RSA: + this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr, + blob.len); + break; + default: + break; + } if (this->rsa) { return &this->public; } } - else if (n.ptr && e.ptr) + else if (n.ptr && e.ptr && type == KEY_RSA) { this->rsa = RSA_new(); this->rsa->n = BN_bin2bn((const u_char*)n.ptr, n.len, NULL); diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h index 9a24e7ee1..384e328e2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h @@ -15,7 +15,7 @@ /** * @defgroup openssl_sha1_prf openssl_sha1_prf - * @{ @ingroup sha1_p + * @{ @ingroup openssl_p */ #ifndef OPENSSL_SHA1_PRF_H_ diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index 55b18a524..99dca3631 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -100,7 +100,6 @@ error: return FALSE; } - /** * Described in header. */ @@ -124,3 +123,85 @@ bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b) return TRUE; } +/** + * Described in header. + */ +chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1) +{ + if (asn1) + { + return chunk_create(asn1->data, asn1->length); + } + return chunk_empty; +} + +/** + * Described in header. + */ +chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1) +{ + if (asn1) + { + return chunk_create(ASN1_STRING_data(asn1), ASN1_STRING_length(asn1)); + } + return chunk_empty; +} + +/** + * Convert a X509 name to a ID_DER_ASN1_DN identification_t + */ +identification_t *openssl_x509_name2id(X509_NAME *name) +{ + if (name) + { + identification_t *id; + chunk_t chunk; + + chunk = openssl_i2chunk(X509_NAME, name); + if (chunk.len) + { + id = identification_create_from_encoding(ID_DER_ASN1_DN, chunk); + free(chunk.ptr); + return id; + } + } + return NULL; +} + +/** + * We can't include <asn1/asn1.h>, as the ASN1_ definitions would clash + * with OpenSSL. Redeclare what we need. + */ +int asn1_known_oid(chunk_t); +time_t asn1_to_time(chunk_t *,int); + +/** + * Described in header. + */ +int openssl_asn1_known_oid(ASN1_OBJECT *obj) +{ + return asn1_known_oid(openssl_asn1_obj2chunk(obj)); +} + +/** + * Described in header. + */ +time_t openssl_asn1_to_time(ASN1_TIME *time) +{ + chunk_t chunk; + + if (time) + { + chunk = openssl_asn1_str2chunk(time); + switch (time->type) + { + case V_ASN1_UTCTIME: + case V_ASN1_GENERALIZEDTIME: + return asn1_to_time(&chunk, time->type); + default: + break; + } + } + DBG1(DBG_LIB, "invalid ASN1 time"); + return 0; +} diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h index 538008f2c..25c692a1a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.h +++ b/src/libstrongswan/plugins/openssl/openssl_util.h @@ -23,6 +23,7 @@ #include <library.h> #include <openssl/bn.h> +#include <openssl/asn1.h> /** * Returns the length in bytes of a field element @@ -37,7 +38,7 @@ * @param hash_type NID of the hash * @param data the chunk of data to hash * @param hash chunk that contains the hash - * @return TRUE on success, FALSE otherwise + * @return TRUE on success, FALSE otherwise */ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash); @@ -65,4 +66,57 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk); */ bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b); + +/** + * Allocate a chunk using the i2d function of a given object + * + * @param type type of the object + * @param obj object to convert to DER + * @returns allocated chunk of the object, or chunk_empty + */ +#define openssl_i2chunk(type, obj) ({ \ + unsigned char *ptr = NULL; \ + int len = i2d_##type(obj, &ptr); \ + len < 0 ? chunk_empty : chunk_create(ptr, len);}) + +/** + * Convert an OpenSSL ASN1_OBJECT to a chunk. + * + * @param asn1 asn1 object to convert + * @return chunk, pointing into asn1 object + */ +chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1); + +/** + * Convert an OpenSSL ASN1_STRING to a chunk. + * + * @param asn1 asn1 string to convert + * @return chunk, pointing into asn1 string + */ +chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1); + +/** + * Convert an openssl X509_NAME to a identification_t of type ID_DER_ASN1_DN. + * + * @param name name to convert + * @return identification_t, NULL on error + */ +identification_t *openssl_x509_name2id(X509_NAME *name); + +/** + * Check if an ASN1 oid is a an OID known by libstrongswan. + * + * @param obj openssl ASN1 object + * @returns OID, as defined in <asn1/oid.h> + */ +int openssl_asn1_known_oid(ASN1_OBJECT *obj); + +/** + * Convert an OpenSSL ASN1_TIME to a time_t. + * + * @param time openssl ASN1_TIME + * @returns time_t, 0 on error + */ +time_t openssl_asn1_to_time(ASN1_TIME *time); + #endif /** OPENSSL_UTIL_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c new file mode 100644 index 000000000..1c9bb699e --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -0,0 +1,871 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* + * Copyright (C) 2010 secunet Security Networks AG + * Copyright (C) 2010 Thomas Egerer + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <openssl/x509.h> +#include <openssl/x509v3.h> + +#include "openssl_x509.h" +#include "openssl_util.h" + +#include <debug.h> +#include <asn1/oid.h> +#include <utils/linked_list.h> + + +typedef struct private_openssl_x509_t private_openssl_x509_t; + +/** + * Private data of an openssl_x509_t object. + */ +struct private_openssl_x509_t { + + /** + * Public openssl_x509_t interface. + */ + openssl_x509_t public; + + /** + * OpenSSL certificate representation + */ + X509 *x509; + + /** + * DER encoded certificate + */ + chunk_t encoding; + + /** + * SHA1 hash of the certificate + */ + chunk_t hash; + + /** + * X509 flags + */ + x509_flag_t flags; + + /** + * Pathlen constraint + */ + int pathlen; + + /** + * certificate subject + */ + identification_t *subject; + + /** + * certificate issuer + */ + identification_t *issuer; + + /** + * Certificates public key + */ + public_key_t *pubkey; + + /** + * subjectKeyIdentifier as read from cert + */ + chunk_t subjectKeyIdentifier; + + /** + * authorityKeyIdentifier as read from cert + */ + chunk_t authKeyIdentifier; + + /** + * Start time of certificate validity + */ + time_t notBefore; + + /** + * End time of certificate validity + */ + time_t notAfter; + + /** + * Signature scheme of the certificate + */ + signature_scheme_t scheme; + + /** + * subjectAltNames + */ + linked_list_t *subjectAltNames; + + /** + * issuerAltNames + */ + linked_list_t *issuerAltNames; + + /** + * List of CRL URIs + */ + linked_list_t *crl_uris; + + /** + * List of OCSP URIs + */ + linked_list_t *ocsp_uris; + + /** + * References to this cert + */ + refcount_t ref; +}; + +/** + * Convert a GeneralName to an identification_t. + */ +static identification_t *general_name2id(GENERAL_NAME *name) +{ + if (!name) + { + return NULL; + } + switch (name->type) + { + case GEN_EMAIL: + return identification_create_from_encoding(ID_RFC822_ADDR, + openssl_asn1_str2chunk(name->d.rfc822Name)); + case GEN_DNS: + return identification_create_from_encoding(ID_FQDN, + openssl_asn1_str2chunk(name->d.dNSName)); + case GEN_URI: + return identification_create_from_encoding(ID_DER_ASN1_GN_URI, + openssl_asn1_str2chunk(name->d.uniformResourceIdentifier)); + case GEN_IPADD: + { + chunk_t chunk = openssl_asn1_str2chunk(name->d.iPAddress); + if (chunk.len == 4) + { + return identification_create_from_encoding(ID_IPV4_ADDR, chunk); + } + if (chunk.len == 16) + { + return identification_create_from_encoding(ID_IPV6_ADDR, chunk); + } + return NULL; + } + case GEN_DIRNAME : + return openssl_x509_name2id(name->d.directoryName); + default: + return NULL; + } +} + +METHOD(x509_t, get_flags, x509_flag_t, + private_openssl_x509_t *this) +{ + return this->flags; +} + +METHOD(x509_t, get_serial, chunk_t, + private_openssl_x509_t *this) +{ + return openssl_asn1_str2chunk(X509_get_serialNumber(this->x509)); +} + +METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, + private_openssl_x509_t *this) +{ + chunk_t fingerprint; + + if (this->subjectKeyIdentifier.len) + { + return this->subjectKeyIdentifier; + } + if (this->pubkey->get_fingerprint(this->pubkey, KEYID_PUBKEY_SHA1, + &fingerprint)) + { + return fingerprint; + } + return chunk_empty; +} + +METHOD(x509_t, get_authKeyIdentifier, chunk_t, + private_openssl_x509_t *this) +{ + if (this->authKeyIdentifier.len) + { + return this->authKeyIdentifier; + } + return chunk_empty; +} + +METHOD(x509_t, get_pathLenConstraint, int, + private_openssl_x509_t *this) +{ + return this->pathlen; +} + +METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + return this->subjectAltNames->create_enumerator(this->subjectAltNames); +} + +METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + return this->crl_uris->create_enumerator(this->crl_uris); +} + +METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + return this->ocsp_uris->create_enumerator(this->ocsp_uris); +} + +METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + /* TODO */ + return enumerator_create_empty(); +} + +METHOD(certificate_t, get_type, certificate_type_t, + private_openssl_x509_t *this) +{ + return CERT_X509; +} + +METHOD(certificate_t, get_subject, identification_t*, + private_openssl_x509_t *this) +{ + return this->subject; +} + +METHOD(certificate_t, get_issuer, identification_t*, + private_openssl_x509_t *this) +{ + return this->issuer; +} + +METHOD(certificate_t, has_subject, id_match_t, + private_openssl_x509_t *this, identification_t *subject) +{ + identification_t *current; + enumerator_t *enumerator; + id_match_t match, best; + + if (subject->get_type(subject) == ID_KEY_ID) + { + if (chunk_equals(this->hash, subject->get_encoding(subject))) + { + return ID_MATCH_PERFECT; + } + } + best = this->subject->matches(this->subject, subject); + enumerator = create_subjectAltName_enumerator(this); + while (enumerator->enumerate(enumerator, ¤t)) + { + match = current->matches(current, subject); + if (match > best) + { + best = match; + } + } + enumerator->destroy(enumerator); + return best; +} + +METHOD(certificate_t, has_issuer, id_match_t, + private_openssl_x509_t *this, identification_t *issuer) +{ + /* issuerAltNames currently not supported */ + return this->issuer->matches(this->issuer, issuer); +} + +METHOD(certificate_t, issued_by, bool, + private_openssl_x509_t *this, certificate_t *issuer) +{ + public_key_t *key; + bool valid; + x509_t *x509 = (x509_t*)issuer; + chunk_t tbs; + + if (&this->public.x509.interface == issuer) + { + if (this->flags & X509_SELF_SIGNED) + { + return TRUE; + } + } + else + { + if (issuer->get_type(issuer) != CERT_X509) + { + return FALSE; + } + if (!(x509->get_flags(x509) & X509_CA)) + { + return FALSE; + } + if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) + { + return FALSE; + } + } + if (this->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + key = issuer->get_public_key(issuer); + if (!key) + { + return FALSE; + } + tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info); + valid = key->verify(key, this->scheme, tbs, + openssl_asn1_str2chunk(this->x509->signature)); + free(tbs.ptr); + key->destroy(key); + return valid; +} + +METHOD(certificate_t, get_public_key, public_key_t*, + private_openssl_x509_t *this) +{ + return this->pubkey->get_ref(this->pubkey); +} + +METHOD(certificate_t, get_validity, bool, + private_openssl_x509_t *this, + time_t *when, time_t *not_before, time_t *not_after) +{ + time_t t; + + if (when) + { + t = *when; + } + else + { + t = time(NULL); + } + if (not_before) + { + *not_before = this->notBefore; + } + if (not_after) + { + *not_after = this->notAfter; + } + return (t >= this->notBefore && t <= this->notAfter); +} + +METHOD(certificate_t, get_encoding, bool, + private_openssl_x509_t *this, cred_encoding_type_t type, chunk_t *encoding) +{ + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); +} + + +METHOD(certificate_t, equals, bool, + private_openssl_x509_t *this, certificate_t *other) +{ + chunk_t encoding; + bool equal; + + if (this == (private_openssl_x509_t*)other) + { + return TRUE; + } + if (other->get_type(other) != CERT_X509) + { + return FALSE; + } + if (other->equals == (void*)equals) + { /* skip allocation if we have the same implementation */ + encoding = ((private_openssl_x509_t*)other)->encoding; + return chunk_equals(this->encoding, encoding); + } + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } + equal = chunk_equals(this->encoding, encoding); + free(encoding.ptr); + return equal; +} + +METHOD(certificate_t, get_ref, certificate_t*, + private_openssl_x509_t *this) +{ + ref_get(&this->ref); + return &this->public.x509.interface; +} + +METHOD(certificate_t, destroy, void, + private_openssl_x509_t *this) +{ + if (ref_put(&this->ref)) + { + if (this->x509) + { + X509_free(this->x509); + } + DESTROY_IF(this->subject); + DESTROY_IF(this->issuer); + DESTROY_IF(this->pubkey); + free(this->subjectKeyIdentifier.ptr); + free(this->authKeyIdentifier.ptr); + free(this->encoding.ptr); + free(this->hash.ptr); + this->subjectAltNames->destroy_offset(this->subjectAltNames, + offsetof(identification_t, destroy)); + this->issuerAltNames->destroy_offset(this->issuerAltNames, + offsetof(identification_t, destroy)); + this->crl_uris->destroy_function(this->crl_uris, free); + this->ocsp_uris->destroy_function(this->ocsp_uris, free); + free(this); + } +} + +/** + * Create an empty certificate + */ +static private_openssl_x509_t *create_empty() +{ + private_openssl_x509_t *this; + + INIT(this, + .public = { + .x509 = { + .interface = { + .get_type = _get_type, + .get_subject = _get_subject, + .get_issuer = _get_issuer, + .has_subject = _has_subject, + .has_issuer = _has_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_flags = _get_flags, + .get_serial = _get_serial, + .get_subjectKeyIdentifier = _get_subjectKeyIdentifier, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .get_pathLenConstraint = _get_pathLenConstraint, + .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, + .create_crl_uri_enumerator = _create_crl_uri_enumerator, + .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator, + .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator, + }, + }, + .subjectAltNames = linked_list_create(), + .issuerAltNames = linked_list_create(), + .crl_uris = linked_list_create(), + .ocsp_uris = linked_list_create(), + .pathlen = X509_NO_PATH_LEN_CONSTRAINT, + .ref = 1, + ); + + return this; +} + +/** + * parse an extionsion containing GENERAL_NAMES into a list + */ +static bool parse_generalNames_ext(linked_list_t *list, + X509_EXTENSION *ext) +{ + GENERAL_NAMES *names; + GENERAL_NAME *name; + identification_t *id; + int i, num; + + names = X509V3_EXT_d2i(ext); + if (!names) + { + return FALSE; + } + + num = sk_GENERAL_NAME_num(names); + for (i = 0; i < num; i++) + { + name = sk_GENERAL_NAME_value(names, i); + id = general_name2id(name); + if (id) + { + list->insert_last(list, id); + } + GENERAL_NAME_free(name); + } + sk_GENERAL_NAME_free(names); + return TRUE; +} + +/** + * parse basic constraints + */ +static bool parse_basicConstraints_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + BASIC_CONSTRAINTS *constraints; + + constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext); + if (constraints) + { + if (constraints->ca) + { + this->flags |= X509_CA; + } + if (constraints->pathlen) + { + this->pathlen = ASN1_INTEGER_get(constraints->pathlen); + } + BASIC_CONSTRAINTS_free(constraints); + return TRUE; + } + return FALSE; +} + +/** + * Parse CRL distribution points + */ +static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + CRL_DIST_POINTS *cdps; + DIST_POINT *cdp; + identification_t *id; + char *uri; + int i, j, point_num, name_num; + + cdps = X509V3_EXT_d2i(ext); + if (!cdps) + { + return FALSE; + } + point_num = sk_DIST_POINT_num(cdps); + for (i = 0; i < point_num; i++) + { + cdp = sk_DIST_POINT_value(cdps, i); + if (cdp) + { + if (cdp->distpoint && cdp->distpoint->type == 0 && + cdp->distpoint->name.fullname) + { + name_num = sk_GENERAL_NAME_num(cdp->distpoint->name.fullname); + for (j = 0; j < name_num; j++) + { + id = general_name2id(sk_GENERAL_NAME_value( + cdp->distpoint->name.fullname, j)); + if (id) + { + if (asprintf(&uri, "%Y", id) > 0) + { + this->crl_uris->insert_first(this->crl_uris, uri); + } + id->destroy(id); + } + } + } + DIST_POINT_free(cdp); + } + } + sk_DIST_POINT_free(cdps); + return TRUE; +} + +/** + * Parse authorityInfoAccess with OCSP URIs + */ +static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + AUTHORITY_INFO_ACCESS *infos; + ACCESS_DESCRIPTION *desc; + identification_t *id; + int i, num; + char *uri; + + infos = X509V3_EXT_d2i(ext); + if (!infos) + { + return FALSE; + } + num = sk_ACCESS_DESCRIPTION_num(infos); + for (i = 0; i < num; i++) + { + desc = sk_ACCESS_DESCRIPTION_value(infos, i); + if (desc) + { + if (openssl_asn1_known_oid(desc->method) == OID_OCSP) + { + id = general_name2id(desc->location); + if (id) + { + if (asprintf(&uri, "%Y", id) > 0) + { + this->ocsp_uris->insert_first(this->ocsp_uris, uri); + } + id->destroy(id); + } + } + ACCESS_DESCRIPTION_free(desc); + } + } + sk_ACCESS_DESCRIPTION_free(infos); + return TRUE; +} + +/** + * Parse authorityKeyIdentifier extension + */ +static bool parse_authKeyIdentifier_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + AUTHORITY_KEYID *keyid; + + keyid = (AUTHORITY_KEYID*)X509V3_EXT_d2i(ext); + if (keyid) + { + free(this->authKeyIdentifier.ptr); + this->authKeyIdentifier = chunk_clone( + openssl_asn1_str2chunk(keyid->keyid)); + AUTHORITY_KEYID_free(keyid); + return TRUE; + } + return FALSE; +} + +/** + * Parse subjectKeyIdentifier extension + */ +static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + chunk_t ostr; + + ostr = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)); + /* quick and dirty unwrap of octet string */ + if (ostr.len > 2 && + ostr.ptr[0] == V_ASN1_OCTET_STRING && ostr.ptr[1] == ostr.len - 2) + { + free(this->subjectKeyIdentifier.ptr); + this->subjectKeyIdentifier = chunk_clone(chunk_skip(ostr, 2)); + return TRUE; + } + return FALSE; +} + +/** + * Parse X509 extensions we are interested in + */ +static bool parse_extensions(private_openssl_x509_t *this) +{ + STACK_OF(X509_EXTENSION) *extensions; + int i, num; + + extensions = this->x509->cert_info->extensions; + if (extensions) + { + num = sk_X509_EXTENSION_num(extensions); + + for (i = 0; i < num; i++) + { + X509_EXTENSION *ext; + bool ok; + + ext = sk_X509_EXTENSION_value(extensions, i); + switch (OBJ_obj2nid(X509_EXTENSION_get_object(ext))) + { + case NID_info_access: + ok = parse_authorityInfoAccess_ext(this, ext); + break; + case NID_authority_key_identifier: + ok = parse_authKeyIdentifier_ext(this, ext); + break; + case NID_subject_key_identifier: + ok = parse_subjectKeyIdentifier_ext(this, ext); + break; + case NID_subject_alt_name: + ok = parse_generalNames_ext(this->subjectAltNames, ext); + break; + case NID_issuer_alt_name: + ok = parse_generalNames_ext(this->issuerAltNames, ext); + break; + case NID_basic_constraints: + ok = parse_basicConstraints_ext(this, ext); + break; + case NID_crl_distribution_points: + ok = parse_crlDistributionPoints_ext(this, ext); + break; + default: + ok = TRUE; + break; + } + if (!ok) + { + return FALSE; + } + } + } + return TRUE; +} + +/** + * Parse a DER encoded x509 certificate + */ +static bool parse_certificate(private_openssl_x509_t *this) +{ + const unsigned char *ptr = this->encoding.ptr; + hasher_t *hasher; + chunk_t chunk; + + this->x509 = d2i_X509(NULL, &ptr, this->encoding.len); + if (!this->x509) + { + return FALSE; + } + this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509)); + this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509)); + + switch (openssl_asn1_known_oid(this->x509->cert_info->key->algor->algorithm)) + { + case OID_RSA_ENCRYPTION: + this->pubkey = lib->creds->create(lib->creds, + CRED_PUBLIC_KEY, KEY_RSA, BUILD_BLOB_ASN1_DER, + openssl_asn1_str2chunk(X509_get0_pubkey_bitstr(this->x509)), + BUILD_END); + break; + case OID_EC_PUBLICKEY: + /* for ECDSA, we need the full subjectPublicKeyInfo, as it contains + * the curve parameters. */ + chunk = openssl_i2chunk(X509_PUBKEY, X509_get_X509_PUBKEY(this->x509)); + this->pubkey = lib->creds->create(lib->creds, + CRED_PUBLIC_KEY, KEY_ECDSA, BUILD_BLOB_ASN1_DER, + chunk, BUILD_END); + free(chunk.ptr); + break; + default: + DBG1(DBG_LIB, "unsupported public key algorithm"); + break; + } + if (!this->subject || !this->issuer || !this->pubkey) + { + return FALSE; + } + + this->notBefore = openssl_asn1_to_time(X509_get_notBefore(this->x509)); + this->notAfter = openssl_asn1_to_time(X509_get_notAfter(this->x509)); + + if (!chunk_equals( + openssl_asn1_obj2chunk(this->x509->cert_info->signature->algorithm), + openssl_asn1_obj2chunk(this->x509->sig_alg->algorithm))) + { + return FALSE; + } + this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid( + this->x509->sig_alg->algorithm)); + + if (!parse_extensions(this)) + { + return TRUE; + } + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!hasher) + { + return FALSE; + } + hasher->allocate_hash(hasher, this->encoding, &this->hash); + hasher->destroy(hasher); + + if (issued_by(this, &this->public.x509.interface)) + { + this->flags |= X509_SELF_SIGNED; + } + return TRUE; +} + +openssl_x509_t *openssl_x509_load(certificate_type_t type, va_list args) +{ + chunk_t blob = chunk_empty; + x509_flag_t flags = 0; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_X509_FLAG: + flags |= va_arg(args, x509_flag_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (blob.ptr) + { + private_openssl_x509_t *this; + + this = create_empty(); + this->encoding = chunk_clone(blob); + this->flags |= flags; + if (parse_certificate(this)) + { + return &this->public; + } + DBG1(DBG_LIB, "OpenSSL X.509 parsing failed"); + destroy(this); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.h b/src/libstrongswan/plugins/openssl/openssl_x509.h new file mode 100644 index 000000000..52555925a --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_x509.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup openssl_x509 openssl_x509 + * @{ @ingroup openssl_p + */ + +#ifndef OPENSSL_X509_H_ +#define OPENSSL_X509_H_ + +#include <credentials/certificates/x509.h> + +typedef struct openssl_x509_t openssl_x509_t; + +/** + * X.509 certificate implementation using OpenSSL. + */ +struct openssl_x509_t { + + /** + * Implements x509_t interface. + */ + x509_t x509; +}; + +/** + * Load a X.509 certificate. + * + * This function takes a BUILD_BLOB_ASN1_DER. + * + * @param type certificate type, CERT_X509 only + * @param args builder_part_t argument list + * @return X.509 certificate, NULL on failure + */ +openssl_x509_t *openssl_x509_load(certificate_type_t type, va_list args); + +#endif /** OPENSSL_X509_H_ @}*/ diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 84c2ef2fb..adb8f08d1 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index 4e39c8f7b..e19a66fa5 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c index 65be9501b..a15c3f258 100644 --- a/src/libstrongswan/plugins/pem/pem_builder.c +++ b/src/libstrongswan/plugins/pem/pem_builder.c @@ -528,7 +528,7 @@ static void *pem_load(credential_type_t type, int subtype, va_list args) break; } - if (pem.ptr) + if (pem.len) { return load_from_blob(pem, type, subtype, cb, cb_data, flags); } diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index 13c99a958..e255d6fd0 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -20,7 +20,7 @@ /** * See header. */ -bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args) { chunk_t asn1; @@ -31,62 +31,81 @@ bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding, switch (type) { - case KEY_PUB_PEM: + case PUBKEY_PEM: label ="PUBLIC KEY"; /* direct PKCS#1 PEM encoding */ - if (key_encoding_args(args, KEY_PART_RSA_PUB_ASN1_DER, - &asn1, KEY_PART_END) || - key_encoding_args(args, KEY_PART_ECDSA_PUB_ASN1_DER, - &asn1, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, + &asn1, CRED_PART_END) || + cred_encoding_args(args, CRED_PART_ECDSA_PUB_ASN1_DER, + &asn1, CRED_PART_END)) { break; } /* indirect PEM encoding from components */ - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { - if (lib->encoding->encode(lib->encoding, KEY_PUB_SPKI_ASN1_DER, - NULL, &asn1, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_END)) + if (lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER, + NULL, &asn1, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END)) { to_free = asn1; break; } } return FALSE; - case KEY_PRIV_PEM: + case PRIVKEY_PEM: label ="RSA PRIVATE KEY"; /* direct PKCS#1 PEM encoding */ - if (key_encoding_args(args, KEY_PART_RSA_PRIV_ASN1_DER, - &asn1, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_PRIV_ASN1_DER, + &asn1, CRED_PART_END)) { break; } /* indirect PEM encoding from components */ - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d, - KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q, - KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2, - KEY_PART_RSA_COEFF, &coeff, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_RSA_PRIV_EXP, &d, + CRED_PART_RSA_PRIME1, &p, CRED_PART_RSA_PRIME2, &q, + CRED_PART_RSA_EXP1, &exp1, CRED_PART_RSA_EXP2, &exp2, + CRED_PART_RSA_COEFF, &coeff, CRED_PART_END)) { - if (lib->encoding->encode(lib->encoding, KEY_PRIV_ASN1_DER, NULL, - &asn1, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d, - KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q, - KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2, - KEY_PART_RSA_COEFF, coeff, KEY_PART_END)) + if (lib->encoding->encode(lib->encoding, PRIVKEY_ASN1_DER, NULL, + &asn1, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d, + CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q, + CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2, + CRED_PART_RSA_COEFF, coeff, CRED_PART_END)) { to_free = asn1; break; } } - if (key_encoding_args(args, KEY_PART_ECDSA_PRIV_ASN1_DER, - &asn1, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_ECDSA_PRIV_ASN1_DER, + &asn1, CRED_PART_END)) { label ="EC PRIVATE KEY"; break; } return FALSE; + case CERT_PEM: + if (cred_encoding_args(args, CRED_PART_X509_ASN1_DER, + &asn1, CRED_PART_END)) + { /* PEM encode x509 certificate */ + label = "CERTIFICATE"; + break; + } + if (cred_encoding_args(args, CRED_PART_X509_CRL_ASN1_DER, + &asn1, CRED_PART_END)) + { /* PEM encode CRL */ + label = "X509 CRL"; + break; + } + if (cred_encoding_args(args, CRED_PART_PKCS10_ASN1_DER, + &asn1, CRED_PART_END)) + { /* PEM encode PKCS10 certificate reqeuest */ + label = "CERTIFICATE REQUEST"; + break; + } default: return FALSE; } diff --git a/src/libstrongswan/plugins/pem/pem_encoder.h b/src/libstrongswan/plugins/pem/pem_encoder.h index a181133b7..d8f05dd73 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.h +++ b/src/libstrongswan/plugins/pem/pem_encoder.h @@ -21,12 +21,12 @@ #ifndef PEM_ENCODER_H_ #define PEM_ENCODER_H_ -#include <credentials/keys/key_encoding.h> +#include <credentials/cred_encoding.h> /** * Encoding from ASN.1 to PEM format. */ -bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args); #endif /** PEM_ENCODER_H_ @}*/ diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 5d487364f..a5bc5eb39 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c index cd04f3d1a..5b21b46d4 100644 --- a/src/libstrongswan/plugins/pgp/pgp_cert.c +++ b/src/libstrongswan/plugins/pgp/pgp_cert.c @@ -188,28 +188,18 @@ static bool get_validity(private_pgp_cert_t *this, time_t *when, } /** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - time_t this_update, that_update, now = time(NULL); - bool new; - - this->get_validity(this, &now, &this_update, NULL); - that->get_validity(that, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " certificate from %T is %s - existing certificate" - " from %T %s", &this_update, FALSE, new ? "newer" : "not newer", - &that_update, FALSE, new ? "replaced" : "retained"); - return new; -} - -/** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_pgp_cert_t *this) +static bool get_encoding(private_pgp_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_PGP_PKT) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_PGP_CERT, this->encoding, CRED_PART_END); } /** @@ -232,7 +222,10 @@ static bool equals(private_pgp_cert_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_pgp_cert_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_PGP_PKT, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -276,8 +269,7 @@ private_pgp_cert_t *create_empty() this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer; - this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; @@ -365,7 +357,7 @@ static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet) else { /* V3 fingerprint is computed by public_key_t class */ - if (!this->key->get_fingerprint(this->key, KEY_ID_PGPV3, + if (!this->key->get_fingerprint(this->key, KEYID_PGPV3, &this->fingerprint)) { return FALSE; diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c index d5c3df590..9043cdb9f 100644 --- a/src/libstrongswan/plugins/pgp/pgp_encoder.c +++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c @@ -25,8 +25,8 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args) hasher_t *hasher; chunk_t n, e; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); if (!hasher) @@ -55,12 +55,12 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args) /** * See header. */ -bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding, - va_list args) +bool pgp_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, + va_list args) { switch (type) { - case KEY_ID_PGPV3: + case KEYID_PGPV3: return build_v3_fingerprint(encoding, args); default: return FALSE; diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.h b/src/libstrongswan/plugins/pgp/pgp_encoder.h index 9df143399..b5bc2af44 100644 --- a/src/libstrongswan/plugins/pgp/pgp_encoder.h +++ b/src/libstrongswan/plugins/pgp/pgp_encoder.h @@ -21,12 +21,12 @@ #ifndef PGP_ENCODER_H_ #define PGP_ENCODER_H_ -#include <credentials/keys/key_encoding.h> +#include <credentials/cred_encoding.h> /** * Encoding function for PGP fingerprints. */ -bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pgp_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args); #endif /** PGP_ENCODER_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 3fdcd0590..947f52d82 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c index e46062d97..6957b2ad1 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c @@ -26,8 +26,8 @@ bool build_pub(chunk_t *encoding, va_list args) { chunk_t n, e; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { *encoding = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_wrap(ASN1_INTEGER, "c", n), @@ -44,8 +44,8 @@ bool build_pub_info(chunk_t *encoding, va_list args) { chunk_t n, e; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { *encoding = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), @@ -65,11 +65,11 @@ bool build_priv(chunk_t *encoding, va_list args) { chunk_t n, e, d, p, q, exp1, exp2, coeff; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d, - KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q, - KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2, - KEY_PART_RSA_COEFF, &coeff, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_RSA_PRIV_EXP, &d, + CRED_PART_RSA_PRIME1, &p, CRED_PART_RSA_PRIME2, &q, + CRED_PART_RSA_EXP1, &exp1, CRED_PART_RSA_EXP2, &exp2, + CRED_PART_RSA_COEFF, &coeff, CRED_PART_END)) { *encoding = asn1_wrap(ASN1_SEQUENCE, "cmmssssss", ASN1_INTEGER_0, @@ -138,20 +138,20 @@ static bool build_sha1(chunk_t *encoding, va_list args) /** * See header. */ -bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pkcs1_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args) { switch (type) { - case KEY_ID_PUBKEY_INFO_SHA1: + case KEYID_PUBKEY_INFO_SHA1: return build_info_sha1(encoding, args); - case KEY_ID_PUBKEY_SHA1: + case KEYID_PUBKEY_SHA1: return build_sha1(encoding, args); - case KEY_PUB_ASN1_DER: + case PUBKEY_ASN1_DER: return build_pub(encoding, args); - case KEY_PUB_SPKI_ASN1_DER: + case PUBKEY_SPKI_ASN1_DER: return build_pub_info(encoding, args); - case KEY_PRIV_ASN1_DER: + case PRIVKEY_ASN1_DER: return build_priv(encoding, args); default: return FALSE; diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h index 11d9f27f2..2eec736f1 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h @@ -21,12 +21,12 @@ #ifndef PKCS1_ENCODER_H_ #define PKCS1_ENCODER_H_ -#include <credentials/keys/key_encoding.h> +#include <credentials/cred_encoding.h> /** * Encoding function for PKCS#1/ASN.1 fingerprints/key formats. */ -bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pkcs1_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args); #endif /** PKCS1_ENCODER_H_ @}*/ diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index cad279a9d..336d0bc02 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -118,8 +118,7 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, handle = dlopen(file, RTLD_LAZY); if (handle == NULL) { - DBG1(DBG_LIB, "plugin '%s': failed to load '%s' - %s", name, file, - dlerror()); + DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); return NULL; } constructor = dlsym(handle, create); diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 5fe3d58f1..4dc5985cd 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c index f149f6379..c50189a8b 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c @@ -82,10 +82,10 @@ static id_match_t has_subject(private_pubkey_cert_t *this, { if (subject->get_type(subject) == ID_KEY_ID) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t fingerprint; - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (this->key->get_fingerprint(this->key, type, &fingerprint) && chunk_equals(fingerprint, subject->get_encoding(subject))) @@ -161,25 +161,12 @@ static bool get_validity(private_pubkey_cert_t *this, time_t *when, } /** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - return FALSE; -} - -/** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_pubkey_cert_t *this) +static bool get_encoding(private_pubkey_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - chunk_t encoding; - - if (this->key->get_encoding(this->key, KEY_PUB_ASN1_DER, &encoding)) - { - return encoding; - } - return chunk_empty; + return this->key->get_encoding(this->key, PUBKEY_ASN1_DER, encoding); } /** @@ -221,8 +208,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key) this->public.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding; + this->public.interface.get_encoding = (bool (*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals; this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.destroy = (void (*)(certificate_t *this))destroy; @@ -230,7 +216,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key) this->ref = 1; this->key = key; this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty); - if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &fingerprint)) + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fingerprint)) { this->subject = identification_create_from_encoding(ID_KEY_ID, fingerprint); } diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 27360aa8c..af929080d 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/revocation/Makefile.am b/src/libstrongswan/plugins/revocation/Makefile.am new file mode 100644 index 000000000..fb6d01926 --- /dev/null +++ b/src/libstrongswan/plugins/revocation/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-revocation.la +else +plugin_LTLIBRARIES = libstrongswan-revocation.la +endif + +libstrongswan_revocation_la_SOURCES = \ + revocation_plugin.h revocation_plugin.c \ + revocation_validator.h revocation_validator.c + +libstrongswan_revocation_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in new file mode 100644 index 000000000..871566e65 --- /dev/null +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -0,0 +1,588 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/revocation +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_revocation_la_LIBADD = +am_libstrongswan_revocation_la_OBJECTS = revocation_plugin.lo \ + revocation_validator.lo +libstrongswan_revocation_la_OBJECTS = \ + $(am_libstrongswan_revocation_la_OBJECTS) +libstrongswan_revocation_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_revocation_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_revocation_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_revocation_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_revocation_la_SOURCES) +DIST_SOURCES = $(libstrongswan_revocation_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-revocation.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-revocation.la +libstrongswan_revocation_la_SOURCES = \ + revocation_plugin.h revocation_plugin.c \ + revocation_validator.h revocation_validator.c + +libstrongswan_revocation_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/revocation/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/revocation/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) + $(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_validator.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c new file mode 100644 index 000000000..d352a9583 --- /dev/null +++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "revocation_plugin.h" + +#include <library.h> +#include "revocation_validator.h" + +typedef struct private_revocation_plugin_t private_revocation_plugin_t; + +/** + * private data of revocation_plugin + */ +struct private_revocation_plugin_t { + + /** + * public functions + */ + revocation_plugin_t public; + + /** + * Validator implementation instance. + */ + revocation_validator_t *validator; +}; + +METHOD(plugin_t, destroy, void, + private_revocation_plugin_t *this) +{ + lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator); + this->validator->destroy(this->validator); + free(this); +} + +/* + * see header file + */ +plugin_t *revocation_plugin_create() +{ + private_revocation_plugin_t *this; + + INIT(this, + .public.plugin.destroy = _destroy, + .validator = revocation_validator_create(), + ); + lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.h b/src/libstrongswan/plugins/revocation/revocation_plugin.h new file mode 100644 index 000000000..fb886d53c --- /dev/null +++ b/src/libstrongswan/plugins/revocation/revocation_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup revocation revocation + * @ingroup plugins + * + * @defgroup revocation_plugin revocation_plugin + * @{ @ingroup revocation + */ + +#ifndef REVOCATION_PLUGIN_H_ +#define REVOCATION_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct revocation_plugin_t revocation_plugin_t; + +/** + * X509 certificate revocation support using CRL and OCSP. + */ +struct revocation_plugin_t { + + /** + * Implements plugin_t. interface. + */ + plugin_t plugin; +}; + +#endif /** REVOCATION_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c new file mode 100644 index 000000000..29d2bc128 --- /dev/null +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -0,0 +1,587 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "revocation_validator.h" + +#include <debug.h> +#include <credentials/certificates/x509.h> +#include <credentials/certificates/crl.h> +#include <credentials/certificates/ocsp_request.h> +#include <credentials/certificates/ocsp_response.h> +#include <credentials/sets/ocsp_response_wrapper.h> +#include <selectors/traffic_selector.h> + +typedef struct private_revocation_validator_t private_revocation_validator_t; + +/** + * Private data of an revocation_validator_t object. + */ +struct private_revocation_validator_t { + + /** + * Public revocation_validator_t interface. + */ + revocation_validator_t public; +}; + +/** + * Do an OCSP request + */ +static certificate_t *fetch_ocsp(char *url, certificate_t *subject, + certificate_t *issuer) +{ + certificate_t *request, *response; + chunk_t send, receive; + + /* TODO: requestor name, signature */ + request = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, + BUILD_CA_CERT, issuer, + BUILD_CERT, subject, BUILD_END); + if (!request) + { + DBG1(DBG_CFG, "generating ocsp request failed"); + return NULL; + } + + if (!request->get_encoding(request, CERT_ASN1_DER, &send)) + { + DBG1(DBG_CFG, "encoding ocsp request failed"); + request->destroy(request); + return NULL; + } + request->destroy(request); + + DBG1(DBG_CFG, " requesting ocsp status from '%s' ...", url); + if (lib->fetcher->fetch(lib->fetcher, url, &receive, + FETCH_REQUEST_DATA, send, + FETCH_REQUEST_TYPE, "application/ocsp-request", + FETCH_END) != SUCCESS) + { + DBG1(DBG_CFG, "ocsp request to %s failed", url); + chunk_free(&send); + return NULL; + } + chunk_free(&send); + + response = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, + BUILD_BLOB_ASN1_DER, receive, BUILD_END); + chunk_free(&receive); + if (!response) + { + DBG1(DBG_CFG, "parsing ocsp response failed"); + return NULL; + } + return response; +} + +/** + * check the signature of an OCSP response + */ +static bool verify_ocsp(ocsp_response_t *response) +{ + certificate_t *issuer, *subject; + identification_t *responder; + ocsp_response_wrapper_t *wrapper; + enumerator_t *enumerator; + bool verified = FALSE; + + wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); + lib->credmgr->add_local_set(lib->credmgr, &wrapper->set); + + subject = &response->certificate; + responder = subject->get_issuer(subject); + enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, + KEY_ANY, responder, FALSE); + while (enumerator->enumerate(enumerator, &issuer, NULL)) + { + if (lib->credmgr->issued_by(lib->credmgr, subject, issuer)) + { + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + verified = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); + wrapper->destroy(wrapper); + return verified; +} + +/** + * Get the better of two OCSP responses, and check for usable OCSP info + */ +static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, + x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) +{ + ocsp_response_t *response; + time_t revocation, this_update, next_update, valid_until; + crl_reason_t reason; + bool revoked = FALSE; + + response = (ocsp_response_t*)cand; + + /* check ocsp signature */ + if (!verify_ocsp(response)) + { + DBG1(DBG_CFG, "ocsp response verification failed"); + cand->destroy(cand); + return best; + } + /* check if response contains our certificate */ + switch (response->get_status(response, subject, issuer, &revocation, &reason, + &this_update, &next_update)) + { + case VALIDATION_REVOKED: + /* subject has been revoked by a valid OCSP response */ + DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", + &revocation, TRUE, crl_reason_names, reason); + revoked = TRUE; + break; + case VALIDATION_GOOD: + /* results in either good or stale */ + break; + default: + case VALIDATION_FAILED: + /* candidate unusable, does not contain our cert */ + DBG1(DBG_CFG, " ocsp response contains no status on our certificate"); + cand->destroy(cand); + return best; + } + + /* select the better of the two responses */ + if (best == NULL || certificate_is_newer(cand, best)) + { + DESTROY_IF(best); + best = cand; + if (best->get_validity(best, NULL, NULL, &valid_until)) + { + DBG1(DBG_CFG, " ocsp response is valid: until %T", + &valid_until, FALSE); + *valid = VALIDATION_GOOD; + if (cache) + { /* cache non-stale only, stale certs get refetched */ + lib->credmgr->cache_cert(lib->credmgr, best); + } + } + else + { + DBG1(DBG_CFG, " ocsp response is stale: since %T", + &valid_until, FALSE); + *valid = VALIDATION_STALE; + } + } + else + { + *valid = VALIDATION_STALE; + cand->destroy(cand); + } + if (revoked) + { /* revoked always counts, even if stale */ + *valid = VALIDATION_REVOKED; + } + return best; +} + +/** + * validate a x509 certificate using OCSP + */ +static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, + auth_cfg_t *auth) +{ + enumerator_t *enumerator; + cert_validation_t valid = VALIDATION_SKIPPED; + certificate_t *best = NULL, *current; + identification_t *keyid = NULL; + public_key_t *public; + chunk_t chunk; + char *uri = NULL; + + /** lookup cache for valid OCSP responses */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_OCSP_RESPONSE, KEY_ANY, NULL, FALSE); + while (enumerator->enumerate(enumerator, ¤t)) + { + current->get_ref(current); + best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); + if (best && valid != VALIDATION_STALE) + { + DBG1(DBG_CFG, " using cached ocsp response"); + break; + } + } + enumerator->destroy(enumerator); + + /* derive the authorityKeyIdentifier from the issuer's public key */ + current = &issuer->interface; + public = current->get_public_key(current); + if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + { + keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + } + /** fetch from configured OCSP responder URLs */ + if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, + CERT_X509_OCSP_RESPONSE, keyid); + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_ocsp(uri, &subject->interface, &issuer->interface); + if (current) + { + best = get_better_ocsp(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + DESTROY_IF(public); + DESTROY_IF(keyid); + + /* fallback to URL fetching from subject certificate's URIs */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = subject->create_ocsp_uri_enumerator(subject); + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_ocsp(uri, &subject->interface, &issuer->interface); + if (current) + { + best = get_better_ocsp(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + /* an uri was found, but no result. switch validation state to failed */ + if (valid == VALIDATION_SKIPPED && uri) + { + valid = VALIDATION_FAILED; + } + if (auth) + { + auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid); + if (valid == VALIDATION_GOOD) + { /* successful OCSP check fulfills also CRL constraint */ + auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD); + } + } + DESTROY_IF(best); + return valid; +} + +/** + * fetch a CRL from an URL + */ +static certificate_t* fetch_crl(char *url) +{ + certificate_t *crl; + chunk_t chunk; + + DBG1(DBG_CFG, " fetching crl from '%s' ...", url); + if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS) + { + DBG1(DBG_CFG, "crl fetching failed"); + return NULL; + } + crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_BLOB_ASN1_DER, chunk, BUILD_END); + chunk_free(&chunk); + if (!crl) + { + DBG1(DBG_CFG, "crl fetched successfully but parsing failed"); + return NULL; + } + return crl; +} + +/** + * check the signature of an CRL + */ +static bool verify_crl(certificate_t *crl) +{ + certificate_t *issuer; + enumerator_t *enumerator; + bool verified = FALSE; + + enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, + KEY_ANY, crl->get_issuer(crl), FALSE); + while (enumerator->enumerate(enumerator, &issuer, NULL)) + { + if (lib->credmgr->issued_by(lib->credmgr, crl, issuer)) + { + DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + verified = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + return verified; +} + +/** + * Get the better of two CRLs, and check for usable CRL info + */ +static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, + x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) +{ + enumerator_t *enumerator; + time_t revocation, valid_until; + crl_reason_t reason; + chunk_t serial; + crl_t *crl; + + /* check CRL signature */ + if (!verify_crl(cand)) + { + DBG1(DBG_CFG, "crl response verification failed"); + cand->destroy(cand); + return best; + } + + crl = (crl_t*)cand; + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) + { + if (chunk_equals(serial, subject->get_serial(subject))) + { + DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", + &revocation, TRUE, crl_reason_names, reason); + *valid = VALIDATION_REVOKED; + enumerator->destroy(enumerator); + DESTROY_IF(best); + return cand; + } + } + enumerator->destroy(enumerator); + + /* select the better of the two CRLs */ + if (best == NULL || crl_is_newer(crl, (crl_t*)best)) + { + DESTROY_IF(best); + best = cand; + if (best->get_validity(best, NULL, NULL, &valid_until)) + { + DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE); + *valid = VALIDATION_GOOD; + if (cache) + { /* we cache non-stale crls only, as a stale crls are refetched */ + lib->credmgr->cache_cert(lib->credmgr, best); + } + } + else + { + DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE); + *valid = VALIDATION_STALE; + } + } + else + { + *valid = VALIDATION_STALE; + cand->destroy(cand); + } + return best; +} + +/** + * validate a x509 certificate using CRL + */ +static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, + auth_cfg_t *auth) +{ + cert_validation_t valid = VALIDATION_SKIPPED; + identification_t *keyid = NULL; + certificate_t *best = NULL; + certificate_t *current; + public_key_t *public; + enumerator_t *enumerator; + chunk_t chunk; + char *uri = NULL; + + /* derive the authorityKeyIdentifier from the issuer's public key */ + current = &issuer->interface; + public = current->get_public_key(current); + if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + { + keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + + /* find a cached crl by authorityKeyIdentifier */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_CRL, KEY_ANY, keyid, FALSE); + while (enumerator->enumerate(enumerator, ¤t)) + { + current->get_ref(current); + best = get_better_crl(current, best, subject, issuer, + &valid, FALSE); + if (best && valid != VALIDATION_STALE) + { + DBG1(DBG_CFG, " using cached crl"); + break; + } + } + enumerator->destroy(enumerator); + + /* fallback to fetching crls from credential sets cdps */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, + CERT_X509_CRL, keyid); + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_crl(uri); + if (current) + { + best = get_better_crl(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + keyid->destroy(keyid); + } + DESTROY_IF(public); + + /* fallback to fetching crls from cdps from subject's certificate */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = subject->create_crl_uri_enumerator(subject); + + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_crl(uri); + if (current) + { + best = get_better_crl(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + + /* an uri was found, but no result. switch validation state to failed */ + if (valid == VALIDATION_SKIPPED && uri) + { + valid = VALIDATION_FAILED; + } + if (auth) + { + if (valid == VALIDATION_SKIPPED) + { /* if we skipped CRL validation, we use the result of OCSP for + * constraint checking */ + auth->add(auth, AUTH_RULE_CRL_VALIDATION, + auth->get(auth, AUTH_RULE_OCSP_VALIDATION)); + } + else + { + auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid); + } + } + DESTROY_IF(best); + return valid; +} + +METHOD(cert_validator_t, validate, bool, + private_revocation_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) +{ + if (subject->get_type(subject) == CERT_X509 && + issuer->get_type(issuer) == CERT_X509 && + online) + { + DBG1(DBG_CFG, "checking certificate status of \"%Y\"", + subject->get_subject(subject)); + switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth)) + { + case VALIDATION_GOOD: + DBG1(DBG_CFG, "certificate status is good"); + return TRUE; + case VALIDATION_REVOKED: + /* has already been logged */ + return FALSE; + case VALIDATION_SKIPPED: + DBG2(DBG_CFG, "ocsp check skipped, no ocsp found"); + break; + case VALIDATION_STALE: + DBG1(DBG_CFG, "ocsp information stale, fallback to crl"); + break; + case VALIDATION_FAILED: + DBG1(DBG_CFG, "ocsp check failed, fallback to crl"); + break; + } + switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth)) + { + case VALIDATION_GOOD: + DBG1(DBG_CFG, "certificate status is good"); + return TRUE; + case VALIDATION_REVOKED: + /* has already been logged */ + return FALSE; + case VALIDATION_FAILED: + case VALIDATION_SKIPPED: + DBG1(DBG_CFG, "certificate status is not available"); + break; + case VALIDATION_STALE: + DBG1(DBG_CFG, "certificate status is unknown, crl is stale"); + break; + } + } + return TRUE; +} + +METHOD(revocation_validator_t, destroy, void, + private_revocation_validator_t *this) +{ + free(this); +} + +/** + * See header + */ +revocation_validator_t *revocation_validator_create() +{ + private_revocation_validator_t *this; + + INIT(this, + .public = { + .validator.validate = _validate, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.h b/src/libstrongswan/plugins/revocation/revocation_validator.h new file mode 100644 index 000000000..82cbde26b --- /dev/null +++ b/src/libstrongswan/plugins/revocation/revocation_validator.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup revocation_validator revocation_validator + * @{ @ingroup revocation + */ + +#ifndef REVOCATION_VALIDATOR_H_ +#define REVOCATION_VALIDATOR_H_ + +#include <credentials/cert_validator.h> + +typedef struct revocation_validator_t revocation_validator_t; + +/** + * Certificate validator doing CRL/OCSP checking of X509 certificates. + */ +struct revocation_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a revocation_validator_t. + */ + void (*destroy)(revocation_validator_t *this); +}; + +/** + * Create a revocation_validator instance. + */ +revocation_validator_t *revocation_validator_create(); + +#endif /** REVOCATION_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index dacb5be4b..703764e5e 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 6db4374c8..5e490f2e5 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index cb466ad03..6d81d0d81 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index dbe62c056..20a6db81e 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 2bee453cd..f40427f3f 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index 95e72789e..ba0357cc4 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -568,7 +568,7 @@ static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this) public = this->signerCert->get_public_key(this->signerCert); if (public) { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyIdentifier)) { this->authKeyIdentifier = chunk_clone(keyIdentifier); } @@ -749,7 +749,7 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer) { chunk_t fingerprint; - if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; @@ -813,30 +813,18 @@ static bool get_validity(private_x509_ac_t *this, time_t *when, } /** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(private_x509_ac_t *this, ac_t *that) -{ - certificate_t *this_cert = &this->public.interface.certificate; - certificate_t *that_cert = &that->certificate; - time_t this_update, that_update, now = time(NULL); - bool new; - - this_cert->get_validity(this_cert, &now, &this_update, NULL); - that_cert->get_validity(that_cert, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " attr cert from %T is %s - existing attr cert from %T %s", - &this_update, FALSE, new ? "newer":"not newer", - &that_update, FALSE, new ? "replaced":"retained"); - return new; -} - -/** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_ac_t *this) +static bool get_encoding(private_x509_ac_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_AC_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -855,7 +843,10 @@ static bool equals(private_x509_ac_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -904,8 +895,7 @@ static private_x509_ac_t *create_empty(void) this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding; + this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals; this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy; diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index bdbaa8d4a..92b576aa5 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -366,7 +366,17 @@ static identification_t *parse_generalName(chunk_t blob, int level0) id_type = ID_DER_ASN1_DN; break; case GN_OBJ_IP_ADDRESS: - id_type = ID_IPV4_ADDR; + switch (object.len) + { + case 4: + id_type = ID_IPV4_ADDR; + break; + case 16: + id_type = ID_IPV6_ADDR; + break; + default: + break; + } break; case GN_OBJ_OTHER_NAME: if (!parse_otherName(object, parser->get_level(parser)+1)) @@ -1209,28 +1219,18 @@ static bool get_validity(private_x509_cert_t *this, time_t *when, } /** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - time_t this_update, that_update, now = time(NULL); - bool new; - - this->get_validity(this, &now, &this_update, NULL); - that->get_validity(that, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " certificate from %T is %s - existing certificate " - "from %T %s", &this_update, FALSE, new ? "newer":"not newer", - &that_update, FALSE, new ? "replaced":"retained"); - return new; -} - -/** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_cert_t *this) +static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -1253,7 +1253,10 @@ static bool equals(private_x509_cert_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -1281,7 +1284,7 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) chunk_t fingerprint; if (this->public_key->get_fingerprint(this->public_key, - KEY_ID_PUBKEY_SHA1, &fingerprint)) + KEYID_PUBKEY_SHA1, &fingerprint)) { return fingerprint; } @@ -1383,8 +1386,7 @@ static private_x509_cert_t* create_empty(void) this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer; - this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; @@ -1536,7 +1538,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, - KEY_PUB_SPKI_ASN1_DER, &key_info)) + PUBKEY_SPKI_ASN1_DER, &key_info)) { return FALSE; } @@ -1650,7 +1652,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t keyid; if (cert->public_key->get_fingerprint(cert->public_key, - KEY_ID_PUBKEY_SHA1, &keyid)) + KEYID_PUBKEY_SHA1, &keyid)) { subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_SUBJECT_KEY_ID), @@ -1664,7 +1666,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t keyid; - if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid)) + if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid)) { authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_AUTHORITY_KEY_ID), diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index c755d7f63..4bd0470d3 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -26,6 +26,7 @@ typedef struct revoked_t revoked_t; #include <asn1/asn1.h> #include <asn1/asn1_parser.h> #include <credentials/certificates/x509.h> +#include <credentials/keys/private_key.h> #include <utils/linked_list.h> /** @@ -119,6 +120,11 @@ struct private_x509_crl_t { chunk_t signature; /** + * has this CRL been generated + */ + bool generated; + + /** * reference counter */ refcount_t ref; @@ -236,7 +242,7 @@ static bool parse(private_x509_crl_t *this) break; case CRL_OBJ_REVOCATION_DATE: revoked = malloc_thing(revoked_t); - revoked->serial = userCertificate; + revoked->serial = chunk_clone(userCertificate); revoked->date = asn1_parse_time(object, level); revoked->reason = CRL_REASON_UNSPECIFIED; this->revoked->insert_last(this->revoked, (void *)revoked); @@ -267,7 +273,6 @@ static bool parse(private_x509_crl_t *this) } else if (extn_oid == OID_AUTHORITY_KEY_ID) { - this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, level, &this->authKeySerialNumber); } @@ -327,52 +332,40 @@ static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2, return TRUE; } -/** - * Implementation of crl_t.get_serial. - */ -static chunk_t get_serial(private_x509_crl_t *this) +METHOD(crl_t, get_serial, chunk_t, + private_x509_crl_t *this) { return this->crlNumber; } -/** - * Implementation of crl_t.get_authKeyIdentifier. - */ -static chunk_t get_authKeyIdentifier(private_x509_crl_t *this) +METHOD(crl_t, get_authKeyIdentifier, chunk_t, + private_x509_crl_t *this) { return this->authKeyIdentifier; } -/** - * Implementation of crl_t.create_enumerator. - */ -static enumerator_t* create_enumerator(private_x509_crl_t *this) +METHOD(crl_t, create_enumerator, enumerator_t*, + private_x509_crl_t *this) { return enumerator_create_filter( this->revoked->create_enumerator(this->revoked), (void*)filter, NULL, NULL); } -/** - * Implementation of certificate_t.get_type - */ -static certificate_type_t get_type(private_x509_crl_t *this) +METHOD(certificate_t, get_type, certificate_type_t, + private_x509_crl_t *this) { return CERT_X509_CRL; } -/** - * Implementation of certificate_t.get_issuer and get_subject - */ -static identification_t* get_issuer(private_x509_crl_t *this) +METHOD(certificate_t, get_issuer, identification_t*, + private_x509_crl_t *this) { return this->issuer; } -/** - * Implementation of certificate_t.has_subject and has_issuer. - */ -static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer) +METHOD(certificate_t, has_issuer, id_match_t, + private_x509_crl_t *this, identification_t *issuer) { if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr && chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer))) @@ -382,10 +375,8 @@ static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer) return this->issuer->matches(this->issuer, issuer); } -/** - * Implementation of certificate_t.issued_by - */ -static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) +METHOD(certificate_t, issued_by, bool, + private_x509_crl_t *this, certificate_t *issuer) { public_key_t *key; signature_scheme_t scheme; @@ -410,7 +401,7 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) { chunk_t fingerprint; - if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; @@ -436,28 +427,22 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) return valid; } -/** - * Implementation of certificate_t.get_public_key - */ -static public_key_t* get_public_key(private_x509_crl_t *this) +METHOD(certificate_t, get_public_key, public_key_t*, + private_x509_crl_t *this) { return NULL; } -/** - * Implementation of certificate_t.asdf - */ -static private_x509_crl_t* get_ref(private_x509_crl_t *this) +METHOD(certificate_t, get_ref, certificate_t*, + private_x509_crl_t *this) { ref_get(&this->ref); - return this; + return &this->public.crl.certificate; } -/** - * Implementation of certificate_t.get_validity. - */ -static bool get_validity(private_x509_crl_t *this, time_t *when, - time_t *not_before, time_t *not_after) +METHOD(certificate_t, get_validity, bool, + private_x509_crl_t *this, time_t *when, + time_t *not_before, time_t *not_after) { time_t t = when ? *when : time(NULL); @@ -472,51 +457,20 @@ static bool get_validity(private_x509_crl_t *this, time_t *when, return (t <= this->nextUpdate); } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(private_x509_crl_t *this, crl_t *that) +METHOD(certificate_t, get_encoding, bool, + private_x509_crl_t *this, cred_encoding_type_t type, chunk_t *encoding) { - chunk_t that_crlNumber = that->get_serial(that); - bool new; - - /* compare crlNumbers if available - otherwise use thisUpdate */ - if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL) + if (type == CERT_ASN1_DER) { - new = chunk_compare(this->crlNumber, that_crlNumber) > 0; - DBG1(DBG_LIB, " crl #%#B is %s - existing crl #%#B %s", - &this->crlNumber, new ? "newer":"not newer", - &that_crlNumber, new ? "replaced":"retained"); - } - else - { - certificate_t *this_cert = &this->public.crl.certificate; - certificate_t *that_cert = &that->certificate; - - time_t this_update, that_update, now = time(NULL); - - this_cert->get_validity(this_cert, &now, &this_update, NULL); - that_cert->get_validity(that_cert, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " crl from %T is %s - existing crl from %T %s", - &this_update, FALSE, new ? "newer":"not newer", - &that_update, FALSE, new ? "replaced":"retained"); + *encoding = chunk_clone(this->encoding); + return TRUE; } - return new; -} - -/** - * Implementation of certificate_t.get_encoding. - */ -static chunk_t get_encoding(private_x509_crl_t *this) -{ - return chunk_clone(this->encoding); + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END); } -/** - * Implementation of certificate_t.equals. - */ -static bool equals(private_x509_crl_t *this, certificate_t *other) +METHOD(certificate_t, equals, bool, + private_x509_crl_t *this, certificate_t *other) { chunk_t encoding; bool equal; @@ -529,23 +483,39 @@ static bool equals(private_x509_crl_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; } /** - * Implementation of certificate_t.destroy + * Destroy a revoked_t entry */ -static void destroy(private_x509_crl_t *this) +static void revoked_destroy(revoked_t *revoked) +{ + free(revoked->serial.ptr); + free(revoked); +} + +METHOD(certificate_t, destroy, void, + private_x509_crl_t *this) { if (ref_put(&this->ref)) { - this->revoked->destroy_function(this->revoked, free); + this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); + if (this->generated) + { + free(this->crlNumber.ptr); + free(this->signature.ptr); + free(this->tbsCertList.ptr); + } free(this); } } @@ -555,34 +525,33 @@ static void destroy(private_x509_crl_t *this) */ static private_x509_crl_t* create_empty(void) { - private_x509_crl_t *this = malloc_thing(private_x509_crl_t); - - this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial; - this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier; - this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator; - this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type; - this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer; - this->public.crl.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer; - this->public.crl.certificate.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_issuer; - this->public.crl.certificate.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer; - this->public.crl.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; - this->public.crl.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; - this->public.crl.certificate.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.crl.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.crl.certificate.get_encoding = (chunk_t (*)(certificate_t*))get_encoding; - this->public.crl.certificate.equals = (bool (*)(certificate_t*, certificate_t *other))equals; - this->public.crl.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; - this->public.crl.certificate.destroy = (void (*)(certificate_t *this))destroy; - - this->encoding = chunk_empty; - this->tbsCertList = chunk_empty; - this->issuer = NULL; - this->crlNumber = chunk_empty; - this->revoked = linked_list_create(); - this->authKeyIdentifier = chunk_empty; - this->authKeySerialNumber = chunk_empty; - this->ref = 1; - + private_x509_crl_t *this; + + INIT(this, + .public = { + .crl = { + .certificate = { + .get_type = _get_type, + .get_subject = _get_issuer, + .get_issuer = _get_issuer, + .has_subject = _has_issuer, + .has_issuer = _has_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_serial = _get_serial, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .create_enumerator = _create_enumerator, + }, + }, + .revoked = linked_list_create(), + .ref = 1, + ); return this; } @@ -621,3 +590,166 @@ x509_crl_t *x509_crl_load(certificate_type_t type, va_list args) return NULL; }; +/** + * Read certificate status from enumerator, copy to crl + */ +static void read_revoked(private_x509_crl_t *crl, enumerator_t *enumerator) +{ + revoked_t *revoked; + chunk_t serial; + time_t date; + crl_reason_t reason; + + while (enumerator->enumerate(enumerator, &serial, &date, &reason)) + { + INIT(revoked, + .serial = chunk_clone(serial), + .date = date, + .reason = reason, + ); + crl->revoked->insert_last(crl->revoked, revoked); + } +} + +/** + * Generate CRL encoding, sign CRL + */ +static bool generate(private_x509_crl_t *this, certificate_t *cert, + private_key_t *key, hash_algorithm_t digest_alg) +{ + chunk_t extensions = chunk_empty, certList = chunk_empty, serial; + enumerator_t *enumerator; + crl_reason_t reason; + time_t date; + x509_t *x509; + + x509 = (x509_t*)cert; + + this->issuer = cert->get_issuer(cert); + this->issuer = this->issuer->clone(this->issuer); + + this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); + + /* select signature scheme */ + this->algorithm = hasher_signature_algorithm_to_oid(digest_alg, + key->get_type(key)); + if (this->algorithm == OID_UNKNOWN) + { + return FALSE; + } + + enumerator = create_enumerator(this); + while (enumerator->enumerate(enumerator, &serial, &date, &reason)) + { + chunk_t revoked, entry_ext = chunk_empty; + + if (reason != CRL_REASON_UNSPECIFIED) + { + entry_ext = asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CRL_REASON_CODE), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_ENUMERATED, "c", + chunk_from_chars(reason))))); + } + revoked = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_integer("c", serial), + asn1_from_time(&date, ASN1_UTCTIME), + entry_ext); + certList = chunk_cat("mm", certList, revoked); + } + enumerator->destroy(enumerator); + + extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_AUTHORITY_KEY_ID), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_CONTEXT_S_0, "c", + this->authKeyIdentifier)))), + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CRL_NUMBER), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_integer("c", this->crlNumber)) + ) + )); + + this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", + ASN1_INTEGER_1, + asn1_algorithmIdentifier(this->algorithm), + this->issuer->get_encoding(this->issuer), + asn1_from_time(&this->thisUpdate, ASN1_UTCTIME), + asn1_from_time(&this->nextUpdate, ASN1_UTCTIME), + asn1_wrap(ASN1_SEQUENCE, "m", certList), + extensions); + + if (!key->sign(key, signature_scheme_from_oid(this->algorithm), + this->tbsCertList, &this->signature)) + { + return FALSE; + } + this->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", + this->tbsCertList, + asn1_algorithmIdentifier(this->algorithm), + asn1_bitstring("c", this->signature)); + return TRUE; +} + +/** + * See header. + */ +x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) +{ + hash_algorithm_t digest_alg = HASH_SHA1; + private_x509_crl_t *crl; + certificate_t *cert = NULL; + private_key_t *key = NULL; + + crl = create_empty(); + crl->generated = TRUE; + while (TRUE) + { + builder_part_t part = va_arg(args, builder_part_t); + + switch (part) + { + case BUILD_SIGNING_KEY: + key = va_arg(args, private_key_t*); + continue; + case BUILD_SIGNING_CERT: + cert = va_arg(args, certificate_t*); + continue; + case BUILD_NOT_BEFORE_TIME: + crl->thisUpdate = va_arg(args, time_t); + continue; + case BUILD_NOT_AFTER_TIME: + crl->nextUpdate = va_arg(args, time_t); + continue; + case BUILD_SERIAL: + crl->crlNumber = va_arg(args, chunk_t); + crl->crlNumber = chunk_clone(crl->crlNumber); + continue; + case BUILD_DIGEST_ALG: + digest_alg = va_arg(args, int); + continue; + case BUILD_REVOKED_ENUMERATOR: + read_revoked(crl, va_arg(args, enumerator_t*)); + continue; + case BUILD_END: + break; + default: + destroy(crl); + return NULL; + } + break; + } + + if (key && cert && cert->get_type(cert) == CERT_X509 && + generate(crl, cert, key, digest_alg)) + { + return &crl->public; + } + destroy(crl); + return NULL; +} diff --git a/src/libstrongswan/plugins/x509/x509_crl.h b/src/libstrongswan/plugins/x509/x509_crl.h index 890650162..e8fe74e81 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.h +++ b/src/libstrongswan/plugins/x509/x509_crl.h @@ -46,4 +46,13 @@ struct x509_crl_t { */ x509_crl_t *x509_crl_load(certificate_type_t type, va_list args); +/** + * Generate a X.509 CRL. + * + * @param type certificate type, CERT_X509_CRL only + * @param args builder_part_t argument list + * @return X.509 CRL, NULL on failure + */ +x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args); + #endif /** X509_CRL_H_ @}*/ diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index c835d5dc8..ea02cbab5 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -153,7 +153,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this) hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (hasher) { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &issuerKeyHash)) { enumerator_t *enumerator; @@ -250,7 +250,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, { int oid; signature_scheme_t scheme; - chunk_t certs, signature; + chunk_t certs, signature, encoding; switch (this->key->get_type(this->key)) { @@ -274,11 +274,11 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, DBG1(DBG_LIB, "creating OCSP signature failed, skipped"); return chunk_empty; } - if (this->cert) + if (this->cert && + this->cert->get_encoding(this->cert, CERT_ASN1_DER, &encoding)) { certs = asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_SEQUENCE, "m", - this->cert->get_encoding(this->cert))); + asn1_wrap(ASN1_SEQUENCE, "m", encoding)); } return asn1_wrap(ASN1_CONTEXT_C_0, "m", asn1_wrap(ASN1_SEQUENCE, "cmm", @@ -413,9 +413,16 @@ static bool get_validity(private_x509_ocsp_request_t *this, time_t *when, /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_ocsp_request_t *this) +static bool get_encoding(private_x509_ocsp_request_t *this, + cred_encoding_type_t type, chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_OCSP_REQ_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -438,7 +445,10 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -486,7 +496,7 @@ static private_x509_ocsp_request_t *create_empty() this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index c70d461df..829f47f81 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -167,7 +167,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, { hasher_t *hasher; identification_t *id; - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t hash, fingerprint; /* check serial first, is cheaper */ @@ -188,7 +188,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, switch (response->hashAlgorithm) { case OID_SHA1: - type = KEY_ID_PUBKEY_SHA1; + type = KEYID_PUBKEY_SHA1; break; default: public->destroy(public); @@ -698,7 +698,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer) key = issuer->get_public_key(issuer); if (!key || - !key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + !key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->responderId->get_encoding(this->responderId))) { @@ -764,28 +764,18 @@ static bool get_validity(private_x509_ocsp_response_t *this, time_t *when, } /** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - time_t this_update, that_update, now = time(NULL); - bool new; - - this->get_validity(this, &now, &this_update, NULL); - that->get_validity(that, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " ocsp response from %T is %s - existing ocsp response " - "from %T %s", &this_update, FALSE, new ? "newer" : "not newer", - &that_update, FALSE, new ? "replaced" : "retained"); - return new; -} - -/** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_ocsp_response_t *this) +static bool get_encoding(private_x509_ocsp_response_t *this, + cred_encoding_type_t type, chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -808,7 +798,10 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -855,8 +848,7 @@ static x509_ocsp_response_t *load(chunk_t blob) this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding; + this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals; this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy; diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index 1009ec931..bfb0ca621 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c @@ -189,19 +189,18 @@ static bool get_validity(private_x509_pkcs10_t *this, time_t *when, } /** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - return FALSE; -} - -/** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_pkcs10_t *this) +static bool get_encoding(private_x509_pkcs10_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_PKCS10_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -224,7 +223,10 @@ static bool equals(private_x509_pkcs10_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_pkcs10_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -357,7 +359,7 @@ static bool parse_challengePassword(private_x509_pkcs10_t *this, chunk_t blob, i */ static const asn1Object_t certificationRequestObjects[] = { { 0, "certificationRequest", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ - { 1, "certificationRequestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 1, "certificationRequestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ { 2, "version", ASN1_INTEGER, ASN1_BODY }, /* 2 */ { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 3 */ { 2, "subjectPublicKeyInfo", ASN1_SEQUENCE, ASN1_RAW }, /* 4 */ @@ -369,7 +371,7 @@ static const asn1Object_t certificationRequestObjects[] = { { 4, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 11 */ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 12 */ - { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 13 */
+ { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 13 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; #define PKCS10_CERT_REQUEST_INFO 1 @@ -512,8 +514,7 @@ static private_x509_pkcs10_t* create_empty(void) this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer; - this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; @@ -559,7 +560,7 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key, scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, - KEY_PUB_SPKI_ASN1_DER, &key_info)) + PUBKEY_SPKI_ASN1_DER, &key_info)) { return FALSE; } diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index e71c55efc..8391781e2 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -52,6 +52,8 @@ static void destroy(private_x509_plugin_t *this) lib->creds->remove_builder(lib->creds, (builder_function_t)x509_crl_load); lib->creds->remove_builder(lib->creds, + (builder_function_t)x509_crl_gen); + lib->creds->remove_builder(lib->creds, (builder_function_t)x509_ocsp_request_gen); lib->creds->remove_builder(lib->creds, (builder_function_t)x509_ocsp_response_load); @@ -81,6 +83,8 @@ plugin_t *x509_plugin_create() (builder_function_t)x509_ac_load); lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, (builder_function_t)x509_crl_load); + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + (builder_function_t)x509_crl_gen); lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, (builder_function_t)x509_ocsp_request_gen); lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index c49e2b76a..69bba8d6f 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/threading/lock_profiler.h b/src/libstrongswan/threading/lock_profiler.h index b64453ba1..1ae496455 100644 --- a/src/libstrongswan/threading/lock_profiler.h +++ b/src/libstrongswan/threading/lock_profiler.h @@ -63,7 +63,7 @@ static inline void profiler_cleanup(lock_profile_t *profile) { fprintf(stderr, "%d.%03ds / %d times in lock created at:", profile->waited.tv_sec, profile->waited.tv_usec, profile->locked); - profile->backtrace->log(profile->backtrace, stderr); + profile->backtrace->log(profile->backtrace, stderr, TRUE); } profile->backtrace->destroy(profile->backtrace); } diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c index 5bba8ec21..a67245194 100644 --- a/src/libstrongswan/utils/backtrace.c +++ b/src/libstrongswan/utils/backtrace.c @@ -53,7 +53,7 @@ struct private_backtrace_t { /** * Implementation of backtrace_t.log */ -static void log_(private_backtrace_t *this, FILE *file) +static void log_(private_backtrace_t *this, FILE *file, bool detailed) { #ifdef HAVE_BACKTRACE size_t i; @@ -78,7 +78,6 @@ static void log_(private_backtrace_t *this, FILE *file) { ptr = (void*)(this->frames[i] - info.dli_fbase); } - snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", info.dli_fname, ptr); if (info.dli_sname) { fprintf(file, " \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%x) [%p]\n", @@ -90,28 +89,33 @@ static void log_(private_backtrace_t *this, FILE *file) fprintf(file, " \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname, info.dli_fbase, this->frames[i]); } - fprintf(file, " -> \e[32m"); - output = popen(cmd, "r"); - if (output) + if (detailed) { - while (TRUE) + fprintf(file, " -> \e[32m"); + snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", + info.dli_fname, ptr); + output = popen(cmd, "r"); + if (output) { - c = getc(output); - if (c == '\n' || c == EOF) + while (TRUE) { - break; + c = getc(output); + if (c == '\n' || c == EOF) + { + break; + } + fputc(c, file); } - fputc(c, file); + pclose(output); } - pclose(output); - } - else - { -#endif /* HAVE_DLADDR */ - fprintf(file, " %s\n", strings[i]); -#ifdef HAVE_DLADDR + else + { + #endif /* HAVE_DLADDR */ + fprintf(file, " %s\n", strings[i]); + #ifdef HAVE_DLADDR + } + fprintf(file, "\n\e[0m"); } - fprintf(file, "\n\e[0m"); } else { @@ -174,7 +178,7 @@ backtrace_t *backtrace_create(int skip) memcpy(this->frames, frames + skip, frame_count * sizeof(void*)); this->frame_count = frame_count; - this->public.log = (void(*)(backtrace_t*,FILE*))log_; + this->public.log = (void(*)(backtrace_t*,FILE*,bool))log_; this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function; this->public.destroy = (void(*)(backtrace_t*))destroy; diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h index c4d4284d1..c6b0ec78f 100644 --- a/src/libstrongswan/utils/backtrace.h +++ b/src/libstrongswan/utils/backtrace.h @@ -34,8 +34,11 @@ struct backtrace_t { /** * Log the backtrace to a FILE stream. + * + * @param file FILE to log backtrace to + * @param detailed TRUE to resolve line/file using addr2line (slow) */ - void (*log)(backtrace_t *this, FILE *file); + void (*log)(backtrace_t *this, FILE *file, bool detailed); /** * Check if the backtrace contains a frame in a specific function. diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c index 02c225833..dde57dc65 100644 --- a/src/libstrongswan/utils/hashtable.c +++ b/src/libstrongswan/utils/hashtable.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -47,11 +47,13 @@ struct pair_t { */ pair_t *pair_create(void *key, void *value, u_int hash) { - pair_t *this = malloc_thing(pair_t); + pair_t *this; - this->key = key; - this->value = value; - this->hash = hash; + INIT(this, + .key = key, + .value = value, + .hash = hash, + ); return this; } @@ -127,6 +129,11 @@ struct private_enumerator_t { u_int row; /** + * current pair + */ + pair_t *pair; + + /** * enumerator for the current row */ enumerator_t *current; @@ -219,10 +226,8 @@ static void rehash(private_hashtable_t *this) free(old_table); } -/** - * Implementation of hashtable_t.put - */ -static void *put(private_hashtable_t *this, void *key, void *value) +METHOD(hashtable_t, put, void*, + private_hashtable_t *this, void *key, void *value) { void *old_value = NULL; linked_list_t *list; @@ -265,10 +270,8 @@ static void *put(private_hashtable_t *this, void *key, void *value) return old_value; } -/** - * Implementation of hashtable_t.get - */ -static void *get(private_hashtable_t *this, void *key) +METHOD(hashtable_t, get, void*, + private_hashtable_t *this, void *key) { void *value = NULL; linked_list_t *list; @@ -286,10 +289,8 @@ static void *get(private_hashtable_t *this, void *key) return value; } -/** - * Implementation of hashtable_t.remove - */ -static void *remove_(private_hashtable_t *this, void *key) +METHOD(hashtable_t, remove_, void*, + private_hashtable_t *this, void *key) { void *value = NULL; linked_list_t *list; @@ -317,34 +318,44 @@ static void *remove_(private_hashtable_t *this, void *key) return value; } -/** - * Implementation of hashtable_t.get_count - */ -static u_int get_count(private_hashtable_t *this) +METHOD(hashtable_t, remove_at, void, + private_hashtable_t *this, private_enumerator_t *enumerator) +{ + if (enumerator->table == this && enumerator->current) + { + linked_list_t *list; + list = this->table[enumerator->row]; + if (list) + { + list->remove_at(list, enumerator->current); + free(enumerator->pair); + this->count--; + } + } +} + +METHOD(hashtable_t, get_count, u_int, + private_hashtable_t *this) { return this->count; } -/** - * Implementation of private_enumerator_t.enumerator.enumerate. - */ -static bool enumerate(private_enumerator_t *this, void **key, void **value) +METHOD(enumerator_t, enumerate, bool, + private_enumerator_t *this, void **key, void **value) { while (this->row < this->table->capacity) { if (this->current) { - pair_t *pair; - - if (this->current->enumerate(this->current, &pair)) + if (this->current->enumerate(this->current, &this->pair)) { if (key) { - *key = pair->key; + *key = this->pair->key; } if (value) { - *value = pair->value; + *value = this->pair->value; } return TRUE; } @@ -354,7 +365,6 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value) else { linked_list_t *list; - list = this->table->table[this->row]; if (list) { @@ -367,10 +377,8 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value) return FALSE; } -/** - * Implementation of private_enumerator_t.enumerator.destroy. - */ -static void enumerator_destroy(private_enumerator_t *this) +METHOD(enumerator_t, enumerator_destroy, void, + private_enumerator_t *this) { if (this->current) { @@ -379,26 +387,24 @@ static void enumerator_destroy(private_enumerator_t *this) free(this); } -/** - * Implementation of hashtable_t.create_enumerator. - */ -static enumerator_t* create_enumerator(private_hashtable_t *this) +METHOD(hashtable_t, create_enumerator, enumerator_t*, + private_hashtable_t *this) { - private_enumerator_t *enumerator = malloc_thing(private_enumerator_t); + private_enumerator_t *enumerator; - enumerator->enumerator.enumerate = (void*)enumerate; - enumerator->enumerator.destroy = (void*)enumerator_destroy; - enumerator->table = this; - enumerator->row = 0; - enumerator->current = NULL; + INIT(enumerator, + .enumerator = { + .enumerate = (void*)_enumerate, + .destroy = (void*)_enumerator_destroy, + }, + .table = this, + ); return &enumerator->enumerator; } -/** - * Implementation of hashtable_t.destroy - */ -static void destroy(private_hashtable_t *this) +METHOD(hashtable_t, destroy, void, + private_hashtable_t *this) { linked_list_t *list; u_int row; @@ -421,22 +427,21 @@ static void destroy(private_hashtable_t *this) hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals, u_int capacity) { - private_hashtable_t *this = malloc_thing(private_hashtable_t); - - this->public.put = (void*(*)(hashtable_t*,void*,void*))put; - this->public.get = (void*(*)(hashtable_t*,void*))get; - this->public.remove = (void*(*)(hashtable_t*,void*))remove_; - this->public.get_count = (u_int(*)(hashtable_t*))get_count; - this->public.create_enumerator = (enumerator_t*(*)(hashtable_t*))create_enumerator; - this->public.destroy = (void(*)(hashtable_t*))destroy; - - this->count = 0; - this->capacity = 0; - this->mask = 0; - this->load_factor = 0; - this->table = NULL; - this->hash = hash; - this->equals = equals; + private_hashtable_t *this; + + INIT(this, + .public = { + .put = _put, + .get = _get, + .remove = _remove_, + .remove_at = (void*)_remove_at, + .get_count = _get_count, + .create_enumerator = _create_enumerator, + .destroy = _destroy, + }, + .hash = hash, + .equals = equals, + ); init_hashtable(this, capacity); diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h index 142ea6329..27aca9b68 100644 --- a/src/libstrongswan/utils/hashtable.h +++ b/src/libstrongswan/utils/hashtable.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -87,9 +87,17 @@ struct hashtable_t { void *(*remove) (hashtable_t *this, void *key); /** + * Removes the key and value pair from the hash table at which the given + * enumerator currently points. + * + * @param enumerator enumerator, from create_enumerator + */ + void (*remove_at) (hashtable_t *this, enumerator_t *enumerator); + + /** * Gets the number of items in the hash table. * - * @return number of items + * @return number of items */ u_int (*get_count) (hashtable_t *this); @@ -106,7 +114,7 @@ struct hashtable_t { * @param hash hash function * @param equals equals function * @param capacity initial capacity - * @return hashtable_t object. + * @return hashtable_t object. */ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals, u_int capacity); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 6a3c3936c..3caeb8f0e 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -50,8 +50,7 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID, "ID_DER_ASN1_GN", "ID_KEY_ID"); ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID, - "ID_DER_ASN1_GN_URI" - "ID_IETF_ATTR_STRING" + "ID_DER_ASN1_GN_URI", "ID_MYID"); ENUM_END(id_type_names, ID_MYID); @@ -297,18 +296,30 @@ static void dntoa(chunk_t dn, char *buf, size_t len) { written = snprintf(buf, len,"%s=", oid_names[oid].name); } + if (written < 0 || written >= len) + { + break; + } buf += written; len -= written; chunk_printable(data, &printable, '?'); written = snprintf(buf, len, "%.*s", printable.len, printable.ptr); chunk_free(&printable); + if (written < 0 || written >= len) + { + break; + } buf += written; len -= written; if (data.ptr + data.len != dn.ptr + dn.len) { written = snprintf(buf, len, ", "); + if (written < 0 || written >= len) + { + break; + } buf += written; len -= written; } @@ -761,7 +772,6 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, case ID_FQDN: case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: - case ID_IETF_ATTR_STRING: chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); chunk_free(&proper); diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index fe5c7d0fd..c463b0274 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h @@ -131,11 +131,6 @@ enum id_type_t { ID_DER_ASN1_GN_URI = 201, /** - * IETF Attribute Syntax String (RFC 3281) - */ - ID_IETF_ATTR_STRING = 202, - - /** * Private ID used by the pluto daemon for opportunistic encryption */ ID_MYID = 203, diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 2f8a7187c..0673878a5 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -207,6 +207,7 @@ char *whitelist[] = { "ENGINE_load_builtin_engines", "OPENSSL_config", "ecdsa_check", + "ERR_put_error", /* libgcrypt */ "gcry_control", "gcry_check_version", @@ -233,39 +234,45 @@ static bool is_whitelisted(backtrace_t *backtrace) /** * Report leaks at library destruction */ -void report_leaks() +static void report(private_leak_detective_t *this, bool detailed) { - memory_header_t *hdr; - int leaks = 0, whitelisted = 0; - - for (hdr = first_header.next; hdr != NULL; hdr = hdr->next) + if (lib->leak_detective) { - if (is_whitelisted(hdr->backtrace)) + memory_header_t *hdr; + int leaks = 0, whitelisted = 0; + + for (hdr = first_header.next; hdr != NULL; hdr = hdr->next) { - whitelisted++; + if (is_whitelisted(hdr->backtrace)) + { + whitelisted++; + } + else + { + fprintf(stderr, "Leak (%d bytes at %p):\n", hdr->bytes, hdr + 1); + /* skip the first frame, contains leak detective logic */ + hdr->backtrace->log(hdr->backtrace, stderr, detailed); + leaks++; + } } - else + switch (leaks) { - fprintf(stderr, "Leak (%d bytes at %p):\n", hdr->bytes, hdr + 1); - /* skip the first frame, contains leak detective logic */ - hdr->backtrace->log(hdr->backtrace, stderr); - leaks++; + case 0: + fprintf(stderr, "No leaks detected"); + break; + case 1: + fprintf(stderr, "One leak detected"); + break; + default: + fprintf(stderr, "%d leaks detected", leaks); + break; } + fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted); } - - switch (leaks) + else { - case 0: - fprintf(stderr, "No leaks detected"); - break; - case 1: - fprintf(stderr, "One leak detected"); - break; - default: - fprintf(stderr, "%d leaks detected", leaks); - break; + fprintf(stderr, "Leak detective disabled\n"); } - fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted); } /** @@ -395,7 +402,7 @@ void free_hook(void *ptr, const void *caller) fprintf(stderr, "freeing invalid memory (%p)", ptr); } backtrace = backtrace_create(3); - backtrace->log(backtrace, stderr); + backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); } else @@ -454,7 +461,7 @@ void *realloc_hook(void *old, size_t bytes, const void *caller) "header magic 0x%x, tail magic 0x%x:\n", old, hdr->magic, tail->magic); backtrace = backtrace_create(3); - backtrace->log(backtrace, stderr); + backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); } /* clear tail magic, allocate, set tail magic */ @@ -487,7 +494,6 @@ static void destroy(private_leak_detective_t *this) if (installed) { uninstall_hooks(); - report_leaks(); } free(this); } @@ -499,6 +505,7 @@ leak_detective_t *leak_detective_create() { private_leak_detective_t *this = malloc_thing(private_leak_detective_t); + this->public.report = (void(*)(leak_detective_t*,bool))report; this->public.destroy = (void(*)(leak_detective_t*))destroy; if (getenv("LEAK_DETECTIVE_DISABLE") == NULL) diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h index 181f8f3db..fa45a6076 100644 --- a/src/libstrongswan/utils/leak_detective.h +++ b/src/libstrongswan/utils/leak_detective.h @@ -23,6 +23,8 @@ typedef struct leak_detective_t leak_detective_t; +#include <library.h> + /** * Leak detective finds leaks and bad frees using malloc hooks. * @@ -34,6 +36,13 @@ typedef struct leak_detective_t leak_detective_t; struct leak_detective_t { /** + * Report leaks to stderr. + * + * @param detailed TRUE to resolve line/filename of leak (slow) + */ + void (*report)(leak_detective_t *this, bool detailed); + + /** * Destroy a leak_detective instance. */ void (*destroy)(leak_detective_t *this); diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 54e2cc11c..63a892ee7 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 2f79ca4d4..415c35e79 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c index e1e4661e0..5948fcfb7 100755 --- a/src/medsrv/controller/peer_controller.c +++ b/src/medsrv/controller/peer_controller.c @@ -139,8 +139,8 @@ static bool parse_public_key(private_peer_controller_t *this, return FALSE; } /* TODO: use get_encoding() with an encoding type */ - if (!public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id) || - !public->get_encoding(public, KEY_PUB_SPKI_ASN1_DER, encoding)) + if (!public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id) || + !public->get_encoding(public, PUBKEY_SPKI_ASN1_DER, encoding)) { request->setf(request, "error=Encoding public key failed."); return FALSE; diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index 9f0f96561..578ab7d39 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/openac/openac.c b/src/openac/openac.c index a280192c2..3f28b0ac4 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -501,11 +501,13 @@ int main(int argc, char **argv) } /* write the attribute certificate to file */ - attr_chunk = attr_cert->get_encoding(attr_cert); - if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE)) + if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk)) { - write_serial(serial); - status = 0; + if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE)) + { + write_serial(serial); + status = 0; + } } } else diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index 8eac07afc..99e9bc581 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -7,6 +7,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/pub.c \ commands/req.c \ commands/self.c \ + commands/print.c \ + commands/signcrl.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 522b9e887..8f08777bb 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -55,7 +55,8 @@ am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \ issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \ - self.$(OBJEXT) verify.$(OBJEXT) + self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \ + verify.$(OBJEXT) pki_OBJECTS = $(am_pki_OBJECTS) pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la DEFAULT_INCLUDES = -I.@am__isrc@ @@ -238,6 +239,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/pub.c \ commands/req.c \ commands/self.c \ + commands/print.c \ + commands/signcrl.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -337,9 +340,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/self.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signcrl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@ .c.o: @@ -447,6 +452,34 @@ self.obj: commands/self.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi` +print.o: commands/print.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c + +print.obj: commands/print.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi` + +signcrl.o: commands/signcrl.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c + +signcrl.obj: commands/signcrl.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi` + verify.o: commands/verify.c @am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po diff --git a/src/pki/command.c b/src/pki/command.c index 8f53817f0..b9c35d99b 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -181,7 +181,7 @@ int command_usage(char *error) { for (i = 0; cmds[i].cmd; i++) { - fprintf(out, " pki --%-6s (-%c) %s\n", + fprintf(out, " pki --%-7s (-%c) %s\n", cmds[i].cmd, cmds[i].op, cmds[i].description); } } diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c index b2769da54..33d9cf35d 100644 --- a/src/pki/commands/gen.c +++ b/src/pki/commands/gen.c @@ -20,7 +20,7 @@ */ static int gen() { - key_encoding_type_t form = KEY_PRIV_ASN1_DER; + cred_encoding_type_t form = PRIVKEY_ASN1_DER; key_type_t type = KEY_RSA; u_int size = 0; private_key_t *key; @@ -48,7 +48,7 @@ static int gen() } continue; case 'f': - if (!get_form(arg, &form, FALSE)) + if (!get_form(arg, &form, CRED_PRIVATE_KEY)) { return command_usage("invalid key output format"); } diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index fcd758f87..2002cd555 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -28,6 +28,7 @@ */ static int issue() { + cred_encoding_type_t form = CERT_ASN1_DER; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL; private_key_t *private = NULL; @@ -37,7 +38,7 @@ static int issue() char *error = NULL; identification_t *id = NULL; linked_list_t *san, *cdps, *ocsp; - int lifetime = 1080; + int lifetime = 1095; int pathlen = X509_NO_PATH_LEN_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; @@ -107,7 +108,7 @@ static int issue() case 'p': pathlen = atoi(arg); continue; - case 'f': + case 'e': if (streq(arg, "serverAuth")) { flags |= X509_SERVER_AUTH; @@ -121,6 +122,12 @@ static int issue() flags |= X509_OCSP_SIGNER; } continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case 'u': cdps->insert_last(cdps, arg); continue; @@ -301,8 +308,7 @@ static int issue() error = "generating certificate failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate failed"; goto end; @@ -352,7 +358,7 @@ static void __attribute__ ((constructor))reg() " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "public key/request file to issue, default: stdin"}, @@ -361,14 +367,15 @@ static void __attribute__ ((constructor))reg() {"cakey", 'k', 1, "CA private key file"}, {"dn", 'd', 1, "distinguished name to include as subject"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1080"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'f', 1, "include extendedKeyUsage flag"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"crl", 'u', 1, "CRL distribution point URI to include"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c index c15c1193e..6d2f7b915 100644 --- a/src/pki/commands/keyid.c +++ b/src/pki/commands/keyid.c @@ -99,11 +99,11 @@ static int keyid() if (type == CRED_PRIVATE_KEY) { private = cred; - if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &id)) + if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } @@ -112,11 +112,11 @@ static int keyid() else if (type == CRED_PUBLIC_KEY) { public = cred; - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } @@ -131,11 +131,11 @@ static int keyid() fprintf(stderr, "extracting public key from certificate failed"); return 1; } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c new file mode 100644 index 000000000..6d5462783 --- /dev/null +++ b/src/pki/commands/print.c @@ -0,0 +1,368 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pki.h" + +#include <credentials/certificates/certificate.h> +#include <credentials/certificates/x509.h> +#include <selectors/traffic_selector.h> + +#include <time.h> + +/** + * Print public key information + */ +static void print_pubkey(public_key_t *key) +{ + chunk_t chunk; + + printf("pubkey: %N %d bits\n", key_type_names, key->get_type(key), + key->get_keysize(key) * 8); + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) + { + printf("keyid: %#B\n", &chunk); + } + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) + { + printf("subjkey: %#B\n", &chunk); + } +} + +/** + * Print private key information + */ +static void print_key(private_key_t *key) +{ + public_key_t *public; + + public = key->get_public_key(key); + if (public) + { + printf("private key with:\n"); + print_pubkey(public); + public->destroy(public); + } + else + { + printf("extracting public from private key failed\n"); + } +} + +/** + * Print X509 specific certificate information + */ +static void print_x509(x509_t *x509) +{ + enumerator_t *enumerator; + identification_t *id; + traffic_selector_t *block; + chunk_t chunk; + bool first; + char *uri; + int len; + x509_flag_t flags; + + chunk = x509->get_serial(x509); + printf("serial: %#B\n", &chunk); + + first = TRUE; + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("altNames: "); + first = FALSE; + } + else + { + printf(", "); + } + printf("%Y", id); + } + if (!first) + { + printf("\n"); + } + enumerator->destroy(enumerator); + + flags = x509->get_flags(x509); + printf("flags: "); + if (flags & X509_CA) + { + printf("CA "); + } + if (flags & X509_AA) + { + printf("AA "); + } + if (flags & X509_OCSP_SIGNER) + { + printf("OCSP "); + } + if (flags & X509_AA) + { + printf("AA "); + } + if (flags & X509_SERVER_AUTH) + { + printf("serverAuth "); + } + if (flags & X509_CLIENT_AUTH) + { + printf("clientAuth "); + } + if (flags & X509_SELF_SIGNED) + { + printf("self-signed "); + } + printf("\n"); + + first = TRUE; + enumerator = x509->create_crl_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + printf("CRL URIs: %s\n", uri); + first = FALSE; + } + else + { + printf(" %s\n", uri); + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_ocsp_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + printf("OCSP URIs: %s\n", uri); + first = FALSE; + } + else + { + printf(" %s\n", uri); + } + } + enumerator->destroy(enumerator); + + len = x509->get_pathLenConstraint(x509); + if (len != X509_NO_PATH_LEN_CONSTRAINT) + { + printf("pathlen: %d\n", len); + } + + chunk = x509->get_authKeyIdentifier(x509); + if (chunk.ptr) + { + printf("authkeyId: %#B\n", &chunk); + } + + chunk = x509->get_subjectKeyIdentifier(x509); + if (chunk.ptr) + { + printf("subjkeyId: %#B\n", &chunk); + } + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + first = TRUE; + printf("addresses: "); + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) + { + if (first) + { + first = FALSE; + } + else + { + printf(", "); + } + printf("%R", block); + } + enumerator->destroy(enumerator); + printf("\n"); + } +} + +/** + * Print certificate information + */ +static void print_cert(certificate_t *cert) +{ + time_t now, notAfter, notBefore; + public_key_t *key; + + now = time(NULL); + + printf("cert: %N\n", certificate_type_names, cert->get_type(cert)); + printf("subject: \"%Y\"\n", cert->get_subject(cert)); + printf("issuer: \"%Y\"\n", cert->get_issuer(cert)); + + cert->get_validity(cert, &now, ¬Before, ¬After); + printf("validity: not before %T, ", ¬Before, FALSE); + if (now < notBefore) + { + printf("not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + printf("ok\n"); + } + printf(" not after %T, ", ¬After, FALSE); + if (now > notAfter) + { + printf("expired (%V ago)\n", &now, ¬After); + } + else + { + printf("ok (expires in %V)\n", &now, ¬After); + } + + switch (cert->get_type(cert)) + { + case CERT_X509: + print_x509((x509_t*)cert); + break; + default: + printf("parsing certificate subtype %N not implemented\n", + certificate_type_names, cert->get_type(cert)); + break; + } + + key = cert->get_public_key(cert); + if (key) + { + print_pubkey(key); + key->destroy(key); + } + else + { + printf("unable to extract public key\n"); + } +} + +/** + * Print a credential in a human readable form + */ +static int print() +{ + credential_type_t type = CRED_CERTIFICATE; + int subtype = CERT_X509; + void *cred; + char *arg, *file = NULL; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 't': + if (streq(arg, "x509")) + { + type = CRED_CERTIFICATE; + subtype = CERT_X509; + } + else if (streq(arg, "pub")) + { + type = CRED_PUBLIC_KEY; + subtype = KEY_ANY; + } + else if (streq(arg, "rsa-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_RSA; + } + else if (streq(arg, "ecdsa-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ECDSA; + } + else + { + return command_usage( "invalid input type"); + } + continue; + case 'i': + file = arg; + continue; + case EOF: + break; + default: + return command_usage("invalid --print option"); + } + break; + } + if (file) + { + cred = lib->creds->create(lib->creds, type, subtype, + BUILD_FROM_FILE, file, BUILD_END); + } + else + { + cred = lib->creds->create(lib->creds, type, subtype, + BUILD_FROM_FD, 0, BUILD_END); + } + if (!cred) + { + fprintf(stderr, "parsing input failed\n"); + return 1; + } + + if (type == CRED_CERTIFICATE) + { + certificate_t *cert = (certificate_t*)cred; + + print_cert(cert); + cert->destroy(cert); + } + if (type == CRED_PUBLIC_KEY) + { + public_key_t *key = (public_key_t*)cred; + + print_pubkey(key); + key->destroy(key); + } + if (type == CRED_PRIVATE_KEY) + { + private_key_t *key = (private_key_t*)cred; + + print_key(key); + key->destroy(key); + } + return 0; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) + { print, 'a', "print", + "print a credential in a human readable form", + {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "input file, default: stdin"}, + {"type", 't', 1, "type of credential, default: x509"}, + } + }); +} diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index de0444c1a..fc2614c7d 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -23,7 +23,7 @@ */ static int pub() { - key_encoding_type_t form = KEY_PUB_SPKI_ASN1_DER; + cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER; credential_type_t type = CRED_PRIVATE_KEY; int subtype = KEY_RSA; certificate_t *cert; @@ -67,7 +67,7 @@ static int pub() } continue; case 'f': - if (!get_form(arg, &form, TRUE)) + if (!get_form(arg, &form, CRED_PUBLIC_KEY)) { return command_usage("invalid output format"); } diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 8335f2595..a1ae2f515 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -27,6 +27,7 @@ */ static int req() { + cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert = NULL; @@ -81,6 +82,12 @@ static int req() case 'p': challenge_password = chunk_create(arg, strlen(arg)); continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case EOF: break; default: @@ -128,8 +135,7 @@ static int req() error = "generating certificate request failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate request failed"; goto end; @@ -170,7 +176,7 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--password challengePassword]", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, @@ -179,6 +185,7 @@ static void __attribute__ ((constructor))reg() {"san", 'a', 1, "subjectAltName to include in cert request"}, {"password",'p', 1, "challengePassword to include in cert request"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated request, default: der"}, } }); } diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index d283daa6a..71776c745 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -26,6 +26,7 @@ */ static int self() { + cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert = NULL; @@ -34,7 +35,7 @@ static int self() char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL; identification_t *id = NULL; linked_list_t *san, *ocsp; - int lifetime = 1080; + int lifetime = 1095; int pathlen = X509_NO_PATH_LEN_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; @@ -100,6 +101,26 @@ static int self() case 'p': pathlen = atoi(arg); continue; + case 'e': + if (streq(arg, "serverAuth")) + { + flags |= X509_SERVER_AUTH; + } + else if (streq(arg, "clientAuth")) + { + flags |= X509_CLIENT_AUTH; + } + else if (streq(arg, "ocspSigning")) + { + flags |= X509_OCSP_SIGNER; + } + continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case 'o': ocsp->insert_last(ocsp, arg); continue; @@ -179,8 +200,7 @@ static int self() error = "generating certificate failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate failed"; goto end; @@ -225,19 +245,22 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--flag serverAuth|clientAuth|ocspSigning]+", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, {"type", 't', 1, "type of input key, default: rsa"}, {"dn", 'd', 1, "subject and issuer distinguished name"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1080"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c new file mode 100644 index 000000000..b7163a153 --- /dev/null +++ b/src/pki/commands/signcrl.c @@ -0,0 +1,382 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <time.h> + +#include "pki.h" + +#include <debug.h> +#include <utils/linked_list.h> +#include <credentials/certificates/certificate.h> +#include <credentials/certificates/x509.h> +#include <credentials/certificates/crl.h> + + +/** + * Entry for a revoked certificate + */ +typedef struct { + chunk_t serial; + crl_reason_t reason; + time_t date; +} revoked_t; + +/** + * Add a revocation to the list + */ +static void add_revoked(linked_list_t *list, + chunk_t serial, crl_reason_t reason, time_t date) +{ + revoked_t *revoked; + + INIT(revoked, + .serial = chunk_clone(serial), + .reason = reason, + .date = date, + ); + list->insert_last(list, revoked); +} + +/** + * Destroy a reason entry + */ +static void revoked_destroy(revoked_t *revoked) +{ + free(revoked->serial.ptr); + free(revoked); +} + +/** + * Filter for revoked enumerator + */ +static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2, + time_t *date, void *p3, crl_reason_t *reason) +{ + *serial = (*revoked)->serial; + *date = (*revoked)->date; + *reason = (*revoked)->reason; + return TRUE; +} + +/** + * Extract the serial of a certificate, write it into buf + */ +static int read_serial(char *file, char *buf, int buflen) +{ + certificate_t *cert; + x509_t *x509; + chunk_t serial; + + x509 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); + cert = &x509->interface; + if (!cert) + { + return -1; + } + serial = x509->get_serial(x509); + if (serial.len == 0 || serial.len > buflen) + { + cert->destroy(cert); + return -2; + } + memcpy(buf, serial.ptr, serial.len); + cert->destroy(cert); + return serial.len; +} + +/** + * Sign a CRL + */ +static int sign_crl() +{ + cred_encoding_type_t form = CERT_ASN1_DER; + private_key_t *private = NULL; + public_key_t *public = NULL; + certificate_t *ca = NULL, *crl = NULL; + crl_t *lastcrl = NULL; + x509_t *x509; + hash_algorithm_t digest = HASH_SHA1; + char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; + char serial[512], crl_serial[8]; + int serial_len = 0; + crl_reason_t reason = CRL_REASON_UNSPECIFIED; + time_t thisUpdate, nextUpdate, date = time(NULL); + int lifetime = 15; + linked_list_t *list; + enumerator_t *enumerator, *lastenum = NULL; + chunk_t encoding = chunk_empty; + + list = linked_list_create(); + + memset(crl_serial, 0, sizeof(crl_serial)); + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + goto usage; + case 'g': + digest = get_digest(arg); + if (digest == HASH_UNKNOWN) + { + error = "invalid --digest type"; + goto usage; + } + continue; + case 'c': + cacert = arg; + continue; + case 'k': + cakey = arg; + continue; + case 'a': + lastupdate = arg; + continue; + case 'l': + lifetime = atoi(arg); + if (!lifetime) + { + error = "invalid lifetime"; + goto usage; + } + continue; + case 'z': + serial_len = read_serial(arg, serial, sizeof(serial)); + if (serial_len < 0) + { + snprintf(serial, sizeof(serial), + "parsing certificate '%s' failed", arg); + error = serial; + goto error; + } + add_revoked(list, chunk_create(serial, serial_len), reason, date); + date = time(NULL); + serial_len = 0; + reason = CRL_REASON_UNSPECIFIED; + continue; + case 's': + { + chunk_t chunk; + int hex_len; + + hex_len = strlen(arg); + if ((hex_len / 2) + (hex_len % 2) > sizeof(serial)) + { + error = "invalid serial"; + goto usage; + } + chunk = chunk_from_hex(chunk_create(arg, hex_len), serial); + serial_len = chunk.len; + add_revoked(list, chunk_create(serial, serial_len), reason, date); + date = time(NULL); + serial_len = 0; + reason = CRL_REASON_UNSPECIFIED; + continue; + } + case 'r': + if (streq(arg, "key-compromise")) + { + reason = CRL_REASON_KEY_COMPROMISE; + } + else if (streq(arg, "ca-compromise")) + { + reason = CRL_REASON_CA_COMPROMISE; + } + else if (streq(arg, "affiliation-changed")) + { + reason = CRL_REASON_AFFILIATION_CHANGED; + } + else if (streq(arg, "superseded")) + { + reason = CRL_REASON_SUPERSEDED; + } + else if (streq(arg, "cessation-of-operation")) + { + reason = CRL_REASON_CESSATION_OF_OPERATON; + } + else if (streq(arg, "certificate-hold")) + { + reason = CRL_REASON_CERTIFICATE_HOLD; + } + else + { + return command_usage( "invalid revocation reason"); + } + continue; + case 'd': + date = atol(arg); + if (!date) + { + error = "invalid date"; + goto usage; + } + continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; + case EOF: + break; + default: + error = "invalid --signcrl option"; + goto usage; + } + break; + } + + if (!cacert) + { + error = "--cacert is required"; + goto usage; + } + if (!cakey) + { + error = "--cakey is required"; + goto usage; + } + + ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, cacert, BUILD_END); + if (!ca) + { + error = "parsing CA certificate failed"; + goto error; + } + x509 = (x509_t*)ca; + if (!(x509->get_flags(x509) & X509_CA)) + { + error = "CA certificate misses CA basicConstraint"; + goto error; + } + public = ca->get_public_key(ca); + if (!public) + { + error = "extracting CA certificate public key failed"; + goto error; + } + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + public->get_type(public), + BUILD_FROM_FILE, cakey, BUILD_END); + if (!private) + { + error = "parsing CA private key failed"; + goto error; + } + if (!private->belongs_to(private, public)) + { + error = "CA private key does not match CA certificate"; + goto error; + } + + thisUpdate = time(NULL); + nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; + + if (lastupdate) + { + lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, lastupdate, BUILD_END); + if (!lastcrl) + { + error = "loading lastUpdate CRL failed"; + goto error; + } + memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, + min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); + lastenum = lastcrl->create_enumerator(lastcrl); + } + + chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); + + enumerator = enumerator_create_filter(list->create_enumerator(list), + (void*)filter, NULL, NULL); + crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, + BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), + BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, + BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest, + lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum, + BUILD_END); + enumerator->destroy(enumerator); + DESTROY_IF(lastenum); + DESTROY_IF((certificate_t*)lastcrl); + + if (!crl) + { + error = "generating CRL failed"; + goto error; + } + if (!crl->get_encoding(crl, form, &encoding)) + { + error = "encoding CRL failed"; + goto error; + } + if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1) + { + error = "writing CRL failed"; + goto error; + } + +error: + DESTROY_IF(public); + DESTROY_IF(private); + DESTROY_IF(ca); + DESTROY_IF(crl); + free(encoding.ptr); + list->destroy_function(list, (void*)revoked_destroy); + if (error) + { + fprintf(stderr, "%s\n", error); + return 1; + } + return 0; + +usage: + list->destroy_function(list, (void*)revoked_destroy); + return command_usage(error); +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + sign_crl, 'c', "signcrl", + "issue a CRL using a CA certificate and key", + {"--cacert file --cakey file --lifetime days", + "[ [--reason key-compromise|ca-compromise|affiliation-changed|", + " superseded|cessation-of-operation|certificate-hold]", + " [--date timestamp]", + " --cert file | --serial hex ]*", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + { + {"help", 'h', 0, "show usage information"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, + {"cert", 'z', 1, "certificate file to revoke"}, + {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, + {"reason", 'r', 1, "reason for certificate revocation"}, + {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated crl, default: der"}, + } + }); +} diff --git a/src/pki/pki.c b/src/pki/pki.c index 0912d5051..d5dd03fa0 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -21,26 +21,59 @@ /** * Convert a form string to a encoding type */ -bool get_form(char *form, key_encoding_type_t *type, bool pub) +bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type) { if (streq(form, "der")) { - /* der encoded keys usually contain the complete SubjectPublicKeyInfo */ - *type = pub ? KEY_PUB_SPKI_ASN1_DER : KEY_PRIV_ASN1_DER; + switch (type) + { + case CRED_CERTIFICATE: + *enc = CERT_ASN1_DER; + return TRUE; + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_ASN1_DER; + return TRUE; + case CRED_PUBLIC_KEY: + /* der encoded keys usually contain the complete + * SubjectPublicKeyInfo */ + *enc = PUBKEY_SPKI_ASN1_DER; + return TRUE; + default: + return FALSE; + } } else if (streq(form, "pem")) { - *type = pub ? KEY_PUB_PEM : KEY_PRIV_PEM; + switch (type) + { + case CRED_CERTIFICATE: + *enc = CERT_PEM; + return TRUE; + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_PEM; + return TRUE; + case CRED_PUBLIC_KEY: + *enc = PUBKEY_PEM; + return TRUE; + default: + return FALSE; + } } else if (streq(form, "pgp")) { - *type = pub ? KEY_PUB_PGP : KEY_PRIV_PGP; + switch (type) + { + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_PGP; + return TRUE; + case CRED_PUBLIC_KEY: + *enc = PUBKEY_PGP; + return TRUE; + default: + return FALSE; + } } - else - { - return FALSE; - } - return TRUE; + return FALSE; } /** diff --git a/src/pki/pki.h b/src/pki/pki.h index 01b103c8f..9c145cdc0 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -29,7 +29,7 @@ /** * Convert a form string to a encoding type */ -bool get_form(char *form, key_encoding_type_t *type, bool pub); +bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type); /** * Convert a digest string to a hash algorithm diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index a264e642e..9f631ca28 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -37,6 +37,7 @@ nat_traversal.c nat_traversal.h \ ocsp.c ocsp.h \ packet.c packet.h \ pkcs7.c pkcs7.h \ +pluto.c pluto.h \ plutomain.c \ rcv_whack.c rcv_whack.h \ server.c server.h \ @@ -47,7 +48,8 @@ timer.c timer.h \ vendor.c vendor.h \ virtual.c virtual.h \ whack_attribute.c whack_attribute.h \ -xauth.c xauth.h \ +xauth/xauth_manager.c xauth/xauth_manager.h \ +xauth/xauth_provider.h xauth/xauth_verifier.h \ x509.c x509.h \ builder.c builder.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h @@ -67,12 +69,12 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/whack -AM_CFLAGS = \ +AM_CFLAGS = -rdynamic \ -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ --DPLUGINS=\""${pluto_plugins}\"" \ +-DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \ -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \ -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \ -DPLUTO -DKLIPS -DDEBUG @@ -87,7 +89,12 @@ _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) +CLEANFILES = ipsec.secrets.5 dist_man_MANS = pluto.8 ipsec.secrets.5 +EXTRA_DIST = ipsec.secrets.5.in + +# compile options +################# # This compile option activates the sending of a strongSwan VID if USE_VENDORID @@ -114,10 +121,25 @@ if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD endif -if USE_CAPABILITIES +if USE_LIBCAP pluto_LDADD += -lcap endif if USE_THREADS AM_CFLAGS += -DTHREADS endif + +# build optional plugins +######################## + +SUBDIRS = . + +if USE_XAUTH + SUBDIRS += plugins/xauth +endif + +ipsec.secrets.5 : ipsec.secrets.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 47be9acf7..41fc4927e 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -40,6 +40,9 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) +# compile options +################# + # This compile option activates the sending of a strongSwan VID @USE_VENDORID_TRUE@am__append_1 = -DVENDORID @@ -54,8 +57,9 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) # This compile option activates smartcard support @USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD -@USE_CAPABILITIES_TRUE@am__append_6 = -lcap +@USE_LIBCAP_TRUE@am__append_6 = -lcap @USE_THREADS_TRUE@am__append_7 = -DTHREADS +@USE_XAUTH_TRUE@am__append_8 = plugins/xauth subdir = src/pluto DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -91,11 +95,11 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \ kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \ lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \ nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \ - pkcs7.$(OBJEXT) plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) \ - server.$(OBJEXT) smartcard.$(OBJEXT) spdb.$(OBJEXT) \ - state.$(OBJEXT) timer.$(OBJEXT) vendor.$(OBJEXT) \ - virtual.$(OBJEXT) whack_attribute.$(OBJEXT) xauth.$(OBJEXT) \ - x509.$(OBJEXT) builder.$(OBJEXT) + pkcs7.$(OBJEXT) pluto.$(OBJEXT) plutomain.$(OBJEXT) \ + rcv_whack.$(OBJEXT) server.$(OBJEXT) smartcard.$(OBJEXT) \ + spdb.$(OBJEXT) state.$(OBJEXT) timer.$(OBJEXT) \ + vendor.$(OBJEXT) virtual.$(OBJEXT) whack_attribute.$(OBJEXT) \ + xauth_manager.$(OBJEXT) x509.$(OBJEXT) builder.$(OBJEXT) pluto_OBJECTS = $(am_pluto_OBJECTS) pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \ @@ -116,6 +120,13 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES) DIST_SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES) +RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ + html-recursive info-recursive install-data-recursive \ + install-dvi-recursive install-exec-recursive \ + install-html-recursive install-info-recursive \ + install-pdf-recursive install-ps-recursive install-recursive \ + installcheck-recursive installdirs-recursive pdf-recursive \ + ps-recursive uninstall-recursive am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -141,9 +152,40 @@ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags +DIST_SUBDIRS = . plugins/xauth DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ @@ -332,6 +374,7 @@ nat_traversal.c nat_traversal.h \ ocsp.c ocsp.h \ packet.c packet.h \ pkcs7.c pkcs7.h \ +pluto.c pluto.h \ plutomain.c \ rcv_whack.c rcv_whack.h \ server.c server.h \ @@ -342,7 +385,8 @@ timer.c timer.h \ vendor.c vendor.h \ virtual.c virtual.h \ whack_attribute.c whack_attribute.h \ -xauth.c xauth.h \ +xauth/xauth_manager.c xauth/xauth_manager.h \ +xauth/xauth_provider.h xauth/xauth_verifier.h \ x509.c x509.h \ builder.c builder.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h @@ -358,10 +402,10 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/whack -AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ +AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ - -DPLUGINS=\""${pluto_plugins}\"" \ + -DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \ -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \ -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \ $(am__append_1) $(am__append_2) $(am__append_3) \ @@ -373,8 +417,14 @@ _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) +CLEANFILES = ipsec.secrets.5 dist_man_MANS = pluto.8 ipsec.secrets.5 -all: all-am +EXTRA_DIST = ipsec.secrets.5.in + +# build optional plugins +######################## +SUBDIRS = . $(am__append_8) +all: all-recursive .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -497,6 +547,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pluto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@ @@ -508,7 +559,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virtual.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whack_attribute.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_manager.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -531,6 +582,20 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +xauth_manager.o: xauth/xauth_manager.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.o -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xauth/xauth_manager.c' object='xauth_manager.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c + +xauth_manager.obj: xauth/xauth_manager.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.obj -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xauth/xauth_manager.c' object='xauth_manager.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi` + mostlyclean-libtool: -rm -f *.lo @@ -613,6 +678,76 @@ uninstall-man8: echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } +# This directory's subdirectories are mostly independent; you can cd +# into them and run `make' without going through this Makefile. +# To change the values of `make' variables: instead of editing Makefiles, +# (1) if the variable is set in `config.status', edit `config.status' +# (which will cause the Makefiles to be regenerated when you run `make'); +# (2) otherwise, pass the desired values on the `make' command line. +$(RECURSIVE_TARGETS): + @fail= failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +$(RECURSIVE_CLEAN_TARGETS): + @fail= failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + rev=''; for subdir in $$list; do \ + if test "$$subdir" = "."; then :; else \ + rev="$$subdir $$rev"; \ + fi; \ + done; \ + rev="$$rev ."; \ + target=`echo $@ | sed s/-recursive//`; \ + for subdir in $$rev; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done && test -z "$$fail" +tags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + done +ctags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + done + ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ @@ -623,10 +758,23 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) mkid -fID $$unique tags: TAGS -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) set x; \ here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! -f $$subdir/TAGS || \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ @@ -645,7 +793,7 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ fi; \ fi ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ @@ -708,22 +856,51 @@ distdir: $(DISTFILES) || exit 1; \ fi; \ done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ + distdir) \ + || exit 1; \ + fi; \ + done check-am: all-am -check: check-am +check: check-recursive all-am: Makefile $(PROGRAMS) $(MANS) -installdirs: +installdirs: installdirs-recursive +installdirs-am: for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -installcheck: installcheck-am +installcheck: installcheck-recursive install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ @@ -732,6 +909,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -740,72 +918,72 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -clean: clean-am +clean: clean-recursive clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \ mostlyclean-am -distclean: distclean-am +distclean: distclean-recursive -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags -dvi: dvi-am +dvi: dvi-recursive dvi-am: -html: html-am +html: html-recursive html-am: -info: info-am +info: info-recursive info-am: install-data-am: install-ipsecPROGRAMS install-man -install-dvi: install-dvi-am +install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: -install-html: install-html-am +install-html: install-html-recursive install-html-am: -install-info: install-info-am +install-info: install-info-recursive install-info-am: install-man: install-man5 install-man8 -install-pdf: install-pdf-am +install-pdf: install-pdf-recursive install-pdf-am: -install-ps: install-ps-am +install-ps: install-ps-recursive install-ps-am: installcheck-am: -maintainer-clean: maintainer-clean-am +maintainer-clean: maintainer-clean-recursive -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic -mostlyclean: mostlyclean-am +mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool -pdf: pdf-am +pdf: pdf-recursive pdf-am: -ps: ps-am +ps: ps-recursive ps-am: @@ -813,27 +991,35 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-man uninstall-man: uninstall-man5 uninstall-man8 -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-ipsecPROGRAMS clean-libtool ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man5 install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ + install-am install-strip tags-recursive + +.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ + all all-am check check-am clean clean-generic \ + clean-ipsecPROGRAMS clean-libtool ctags ctags-recursive \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-ipsecPROGRAMS install-man install-man5 \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-recursive uninstall uninstall-am \ uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \ uninstall-man8 plutomain.o : $(top_builddir)/config.status +ipsec.secrets.5 : ipsec.secrets.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/pluto/ac.c b/src/pluto/ac.c index 3ee05d213..3339d91fb 100644 --- a/src/pluto/ac.c +++ b/src/pluto/ac.c @@ -141,7 +141,7 @@ static void ac_add_cert(certificate_t *cert) if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) && chunk_equals(hSerial, ac_old->get_holderSerial(ac_old))) { - if (cert->is_newer(cert, cert_old)) + if (certificate_is_newer(cert, cert_old)) { acerts->remove_at(acerts, enumerator); cert_old->destroy(cert_old); diff --git a/src/pluto/certs.c b/src/pluto/certs.c index 8bce4c5c2..24e8ffb27 100644 --- a/src/pluto/certs.c +++ b/src/pluto/certs.c @@ -318,11 +318,11 @@ void list_pgp_end_certs(bool utc) key_type_names, key->get_type(key), key->get_keysize(key) * BITS_PER_BYTE, has_private_key(cert)? ", has private key" : ""); - if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid)) { whack_log(RC_COMMENT, " keyid: %#B", &keyid); } - if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid)) + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid)) { whack_log(RC_COMMENT, " subjkey: %#B", &keyid); } diff --git a/src/pluto/connections.c b/src/pluto/connections.c index dd193042a..e1f47f2d6 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -63,6 +63,7 @@ #include "nat_traversal.h" #include "virtual.h" #include "whack_attribute.h" +#include "modecfg.h" static void flush_pending_by_connection(connection_t *c); /* forward */ @@ -294,8 +295,10 @@ void release_connection(connection_t *c, bool relations) void delete_connection(connection_t *c, bool relations) { - connection_t *old_cur_connection - = cur_connection == c? NULL : cur_connection; + modecfg_attribute_t *ca; + connection_t *old_cur_connection; + + old_cur_connection = cur_connection == c? NULL : cur_connection; #ifdef DEBUG lset_t old_cur_debugging = cur_debugging; #endif @@ -366,14 +369,29 @@ void delete_connection(connection_t *c, bool relations) /* release virtual IP address lease if any */ if (c->spd.that.modecfg && c->spd.that.pool && - !isanyaddr(&c->spd.that.host_srcip)) + !c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { - host_t *vip; - - vip = host_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_srcip); hydra->attributes->release_address(hydra->attributes, c->spd.that.pool, - vip, c->spd.that.id); - vip->destroy(vip); + c->spd.that.host_srcip, c->spd.that.id); + } + + /* release requested attributes if any */ + if (c->requested) + { + c->requested->destroy_function(c->requested, + (void*)modecfg_attribute_destroy); + } + + /* release other attributes if any */ + if (c->attributes) + { + while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS) + { + hydra->attributes->release(hydra->attributes, ca->handler, + c->spd.that.id, ca->type, ca->value); + modecfg_attribute_destroy(ca); + } + c->attributes->destroy(c->attributes); } if (c->kind != CK_GOING_AWAY) @@ -386,14 +404,17 @@ void delete_connection(connection_t *c, bool relations) cur_debugging = old_cur_debugging; #endif free(c->name); + DESTROY_IF(c->xauth_identity); DESTROY_IF(c->spd.this.id); DESTROY_IF(c->spd.this.ca); DESTROY_IF(c->spd.this.groups); + DESTROY_IF(c->spd.this.host_srcip); free(c->spd.this.updown); free(c->spd.this.pool); DESTROY_IF(c->spd.that.id); DESTROY_IF(c->spd.that.ca); DESTROY_IF(c->spd.that.groups); + DESTROY_IF(c->spd.that.host_srcip); free(c->spd.that.updown); free(c->spd.that.pool); if (c->requested_ca) @@ -656,7 +677,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this, subnettot(&this->client, 0, client, sizeof(client)); } } - else if (this->modecfg && isanyaddr(&this->host_srcip)) + else if (this->modecfg && this->host_srcip->is_anyaddr(this->host_srcip)) { /* we are mode config client, or a server with a pool */ client_sep = "==="; @@ -738,9 +759,14 @@ static size_t format_connection(char *buf, size_t buf_len, static void unshare_connection_strings(connection_t *c) { c->name = clone_str(c->name); + if (c->xauth_identity) + { + c->xauth_identity = c->xauth_identity->clone(c->xauth_identity); + } c->spd.this.id = c->spd.this.id->clone(c->spd.this.id); c->spd.this.pool = clone_str(c->spd.this.pool); c->spd.this.updown = clone_str(c->spd.this.updown); + c->spd.this.host_srcip = c->spd.this.host_srcip->clone(c->spd.this.host_srcip); scx_share(c->spd.this.sc); cert_share(c->spd.this.cert); if (c->spd.this.ca) @@ -754,6 +780,7 @@ static void unshare_connection_strings(connection_t *c) c->spd.that.id = c->spd.that.id->clone(c->spd.that.id); c->spd.that.pool = clone_str(c->spd.that.pool); c->spd.that.updown = clone_str(c->spd.that.updown); + c->spd.that.host_srcip = c->spd.that.host_srcip->clone(c->spd.that.host_srcip); scx_share(c->spd.that.sc); cert_share(c->spd.that.cert); if (c->spd.that.ca) @@ -902,7 +929,7 @@ static bool extract_end(struct end *dst, const whack_end_t *src, /* the rest is simple copying of corresponding fields */ dst->host_addr = src->host_addr; dst->host_nexthop = src->host_nexthop; - dst->host_srcip = src->host_srcip; + dst->host_srcip = host_create_from_sockaddr((sockaddr_t*)&src->host_srcip); dst->has_natip = src->has_natip; dst->client = src->client; dst->protocol = src->protocol; @@ -927,10 +954,14 @@ static bool extract_end(struct end *dst, const whack_end_t *src, /* if host sourceip is defined but no client is present * behind the host then set client to sourceip/32 */ - if (addrbytesptr(&dst->host_srcip, NULL) && - !isanyaddr(&dst->host_srcip) && !dst->has_natip && !dst->has_client) + if (!dst->host_srcip->is_anyaddr(dst->host_srcip) && + !dst->has_natip && !dst->has_client) { - err_t ugh = addrtosubnet(&dst->host_srcip, &dst->client); + ip_address addr; + err_t ugh; + + addr = *(ip_address*)dst->host_srcip->get_sockaddr(dst->host_srcip); + ugh = addrtosubnet(&addr, &dst->client); if (ugh) { @@ -1110,6 +1141,12 @@ void add_connection(const whack_message_t *wm) } } + if (wm->xauth_identity) + { + c->xauth_identity + = identification_create_from_string(wm->xauth_identity); + } + c->sa_ike_life_seconds = wm->sa_ike_life_seconds; c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds; c->sa_rekey_margin = wm->sa_rekey_margin; @@ -1211,7 +1248,8 @@ void add_connection(const whack_message_t *wm) c->spd.that.modecfg = TRUE; c->spd.that.has_client = FALSE; /* reset the host_srcip so that it gets assigned in modecfg */ - anyaddr(AF_INET, &c->spd.that.host_srcip); + DESTROY_IF(c->spd.that.host_srcip); + c->spd.that.host_srcip = host_create_any(AF_INET); } if (c->ikev1) @@ -3046,7 +3084,8 @@ void ISAKMP_SA_established(connection_t *c, so_serial_t serial) /* the connection is now oriented so that we are able to determine * whether we are a mode config server with a virtual IP to send. */ - if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip) + if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip) && + !c->spd.that.has_natip) { c->spd.that.modecfg = TRUE; } @@ -3693,8 +3732,10 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp, } else { + host_t *vip = c->spd.that.host_srcip; + if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg && - subnetisaddr(peer_net, &c->spd.that.host_srcip))) + subnetisaddr(peer_net, (ip_address*)vip->get_sockaddr(vip)))) { continue; } diff --git a/src/pluto/connections.h b/src/pluto/connections.h index 66aea1541..b67f0b562 100644 --- a/src/pluto/connections.h +++ b/src/pluto/connections.h @@ -1,6 +1,6 @@ /* information about connections between hosts and clients * Copyright (C) 1998-2001 D. Hugh Redelmeier - * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil + * Copyright (C) 2009-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -18,6 +18,7 @@ #include <sys/queue.h> +#include <utils/host.h> #include <utils/linked_list.h> #include <utils/identification.h> #include <credentials/ietf_attributes/ietf_attributes.h> @@ -131,10 +132,8 @@ struct virtual_t; struct end { identification_t *id; - ip_address - host_addr, - host_nexthop, - host_srcip; + ip_address host_addr, host_nexthop; + host_t *host_srcip; ip_subnet client; bool is_left; @@ -184,6 +183,8 @@ struct connection { unsigned long sa_rekey_fuzz; unsigned long sa_keying_tries; + identification_t *xauth_identity; /* XAUTH identity */ + /* RFC 3706 DPD */ time_t dpd_delay; time_t dpd_timeout; @@ -226,6 +227,8 @@ struct connection { connection_t *hp_next; /* host pair list link */ connection_t *ac_next; /* all connections list link */ linked_list_t *requested_ca; /* collected certificate requests */ + linked_list_t *requested; /* requested attributes with handlers */ + linked_list_t *attributes; /* configuration attributes with handlers */ bool got_certrequest; }; diff --git a/src/pluto/constants.h b/src/pluto/constants.h index e9567c07a..790bbefa6 100644 --- a/src/pluto/constants.h +++ b/src/pluto/constants.h @@ -543,45 +543,6 @@ extern enum_names attr_msg_type_names; extern enum_names modecfg_attr_names; -/* XAUTH attribute values */ -#define XAUTH_TYPE 16520 -#define XAUTH_USER_NAME 16521 -#define XAUTH_USER_PASSWORD 16522 -#define XAUTH_PASSCODE 16523 -#define XAUTH_MESSAGE 16524 -#define XAUTH_CHALLENGE 16525 -#define XAUTH_DOMAIN 16526 -#define XAUTH_STATUS 16527 -#define XAUTH_NEXT_PIN 16528 -#define XAUTH_ANSWER 16529 - -#define XAUTH_BASE XAUTH_TYPE - -extern enum_names xauth_attr_names; - -/* ISAKMP mode config attributes specific to Microsoft */ -#define INTERNAL_IP4_SERVER 23456 -#define INTERNAL_IP6_SERVER 23457 - -extern enum_names microsoft_attr_names; - -/* ISAKMP mode config attributes specific to the Unity vendor ID */ -#define UNITY_BANNER 28672 -#define UNITY_SAVE_PASSWD 28673 -#define UNITY_DEF_DOMAIN 28674 -#define UNITY_SPLITDNS_NAME 28675 -#define UNITY_SPLIT_INCLUDE 28676 -#define UNITY_NATT_PORT 28677 -#define UNITY_LOCAL_LAN 28678 -#define UNITY_PFS 28679 -#define UNITY_FW_TYPE 28680 -#define UNITY_BACKUP_SERVERS 28681 -#define UNITY_DDNS_HOSTNAME 28682 - -#define UNITY_BASE UNITY_BANNER - -extern enum_names unity_attr_names; - /* XAUTH authentication types */ #define XAUTH_TYPE_GENERIC 0 #define XAUTH_TYPE_CHAP 1 diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 84fe77554..c8fb107d5 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -159,7 +159,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl) { certificate_t *old_cert_crl = oldcrl->crl; - if (cert_crl->is_newer(cert_crl, old_cert_crl)) + if (crl_is_newer((crl_t*)cert_crl, (crl_t*)old_cert_crl)) { /* keep any known CRL distribution points */ add_distribution_points(x509crl->distributionPoints, @@ -202,9 +202,11 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl) snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex); free(hex.ptr); - encoding = cert_crl->get_encoding(cert_crl); - chunk_write(encoding, buf, "crl", 022, TRUE); - free(encoding.ptr); + if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding)) + { + chunk_write(encoding, buf, "crl", 022, TRUE); + free(encoding.ptr); + } } /* is the fetched crl valid? */ @@ -313,7 +315,7 @@ void check_crls(void) certificate_t *cert_crl = x509crl->crl; crl_t *crl = (crl_t*)cert_crl; identification_t *issuer = cert_crl->get_issuer(cert_crl); - chunk_t authKeyID = crl->get_authKeyIdentifier(crl); + chunk_t authKeyID = crl->get_authKeyIdentifier(crl); cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate); time_left = nextUpdate - now; @@ -353,7 +355,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, char *point; ca = get_ca_info(issuer, authKeyID); - + *revocationDate = UNDEFINED_TIME; *revocationReason = CRL_REASON_UNSPECIFIED; diff --git a/src/pluto/demux.c b/src/pluto/demux.c index fad1450cd..617353c6c 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -1215,7 +1215,7 @@ read_packet(struct msg_digest *md) /* ignore IKEv2 packets - they will be handled by charon */ if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET - && md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION) + && (md->packet_pbs.start[IKEV2_VERSION_OFFSET] & 0xF0) == IKEV2_VERSION) { DBG(DBG_CONTROLMORE, DBG_log(" ignoring IKEv2 packet") diff --git a/src/pluto/demux.h b/src/pluto/demux.h index 2161bbd02..6ce53c14f 100644 --- a/src/pluto/demux.h +++ b/src/pluto/demux.h @@ -12,9 +12,12 @@ * for more details. */ +#ifndef _DEMUX_H +#define _DEMUX_H + #include "packet.h" +#include "state.h" -struct state; /* forward declaration of tag */ extern void init_demux(void); extern bool send_packet(struct state *st, const char *where); extern void comm_handle(const struct iface *ifp); @@ -90,3 +93,5 @@ typedef stf_status state_transition_fn(struct msg_digest *md); extern void complete_state_transition(struct msg_digest **mdp, stf_status result); extern void free_md_pool(void); + +#endif /* _DEMUX_H */ diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c index ec56b8530..4f8e4ebf4 100644 --- a/src/pluto/dnskey.c +++ b/src/pluto/dnskey.c @@ -424,7 +424,7 @@ static err_t process_txt_rr_body(u_char *str, bool doit, public_key_t *key = gi.key->public_key; if (gi.gw_key_present && - key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid)) + key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid)) { DBG_log("gateway for %s is %s with key %#B", client_id, gi.gw_id, &keyid); diff --git a/src/pluto/ipsec.secrets.5 b/src/pluto/ipsec.secrets.5 index 3cce4d3f8..6c39f86e1 100644 --- a/src/pluto/ipsec.secrets.5 +++ b/src/pluto/ipsec.secrets.5 @@ -1,148 +1,116 @@ -.TH IPSEC.SECRETS 5 "28 March 1999" +.TH IPSEC.SECRETS 5 "2010-05-30" "4.4.1rc3" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION The file \fIipsec.secrets\fP holds a table of secrets. -These secrets are used by \fIipsec_pluto\fP(8), the FreeS/WAN Internet Key -Exchange daemon, to authenticate other hosts. -Currently there are two kinds of secrets: preshared secrets and -.\" the private part of DSS keys. -RSA private keys. +These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons +pluto (IKEv1) and charon (IKEv2) to authenticate other hosts. .LP It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others. .LP The file is a sequence of entries and include directives. -Here is an example. Each entry or directive must start at the -left margin, but if it continues beyond a single line, each continuation -line must be indented. +Here is an example. .LP .RS .nf -# sample /etc/ipsec.secrets file for 10.1.0.1 -10.1.0.1 10.2.0.1: PSK "secret shared by two hosts" +# /etc/ipsec.secrets - strongSwan IPsec secrets file +192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" -# an entry may be split across lines, -# but indentation matters -www.xs4all.nl @www.kremvax.ru -\ \ \ \ 10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5" +: RSA moonKey.pem -.\" # Private part of our DSS key, in base 64, -.\" # as generated by BIND 8.2.1's dnskeygen. -.\" # Since this is the default key for this host, -.\" # there is no need to specify indices. -.\" : DSS 0siMs0N/hfRoCBMXA6plPtuv58/+c= -# an RSA private key. -# note that the lines are too wide for a -# man page, so ... has been substituted for -# the truncated part -@my.com: rsa { -\ \ \ \ Modulus:\ 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt... -\ \ \ \ PublicExponent:\ 0sAw== -\ \ \ \ PrivateExponent:\ 0shlGbVR1m8Z+7rhzSyenCaBN... -\ \ \ \ Prime1:\ 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l... -\ \ \ \ Prime2:\ 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0... -\ \ \ \ Exponent1:\ 0soaXj85ihM5M2inVf/NfHmtLutVz4r... -\ \ \ \ Exponent2:\ 0sjdAL9VFizF+BKU4ohguJFzOd55OG6... -\ \ \ \ Coefficient:\ 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ... -\ \ \ \ } +alice@strongswan.org : EAP "x3.dEhgN" -include ipsec.*.secrets # get secrets from other files +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" + +# get secrets from other files +include ipsec.*.secrets .fi .RE .LP -Each entry in the file is a list of indices, followed by a secret. -The two parts are separated by a colon (\fB:\fP) that is -followed by whitespace or a newline. For compatability -with the previous form of this file, if the key part is just a -double-quoted string the colon may be left out. +Each entry in the file is a list of optional ID selectors, followed by a secret. +The two parts are separated by a colon (\fB:\fP) that is surrounded +by whitespace. If no ID selectors are specified the line must start with a +colon. .LP -An index is an IP address, or a Fully Qualified Domain Name, user@FQDN, +A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, \fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written in the familiar dotted quad form or as a domain name to be looked up -when the file is loaded -(or in any of the forms supported by the FreeS/WAN \fIipsec_ttoaddr\fP(3) -routine). In many cases it is a bad idea to use domain names because +when the file is loaded. +In many cases it is a bad idea to use domain names because the name server may not be running or may be insecure. To denote a Fully Qualified Domain Name (as opposed to an IP address denoted by its domain name), precede the name with an at sign (\fB@\fP). .LP -Matching IDs with indices is fairly straightforward: they have to be +Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a ``Road Warrior'' connection, if an equal match is not found for the Peer's ID, and it is in the form of an IP -address, an index of \fB%any\fP will match the peer's IP address if IPV4 +address, a selector of \fB%any\fP will match the peer's IP address if IPV4 and \fB%any6\fP will match a the peer's IP address if IPV6. Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of \fB%any\fP. .LP -An additional complexity +In IKEv1 an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the Peer's ID payload has been decoded, so the ID used will be the IP address. .LP To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is used. An entry with no -index will match any host and peer. More specifically, an entry with one index will -match a host and peer if the index matches the host's ID (the peer isn't -considered). Still more specifically, an entry with multiple indices will match a host and -peer if the host ID and peer ID each match one of the indices. If the key -is for an asymmetric authentication technique (i.e. a public key -system such as RSA), an entry with multiple indices will match a host -and peer even if only the host ID matches an index (it is presumed that the -multiple indices are all identities of the host). +selectors will match any host and peer. More specifically, an entry with one +selector will match a host and peer if the selector matches the host's ID (the +peer isn't considered). Still more specifically, an entry with multiple +selectors will match a host and peer if the host ID and peer ID each match one +of the selectors. If the key is for an asymmetric authentication technique +(i.e. a public key system such as RSA), an entry with multiple selectors will +match a host and peer even if only the host ID matches a selector (it is +presumed that the selectors are all identities of the host). It is acceptable for two entries to be the best match as long as they agree about the secret or private key. .LP Authentication by preshared secret requires that both systems find the identical secret (the secret is not actually transmitted by the IKE -protocol). If both the host and peer appear in the index list, the +protocol). If both the host and peer appear in the selector list, the same entry will be suitable for both systems so verbatim copying between systems can be used. This naturally extends to larger groups -sharing the same secret. Thus multiple-index entries are best for PSK +sharing the same secret. Thus multiple-selector entries are best for PSK authentication. .LP -Authentication by RSA Signatures requires that each host have its own private -key. A host could reasonably use a different private keys +Authentication by public key systems such as RSA requires that each host +have its own private key. A host could reasonably use a different private keys for different interfaces and for different peers. But it would not -be normal to share entries between systems. Thus thus no-index and -one-index forms of entry often make sense for RSA Signature authentication. -.LP -The key part of an entry may start with a token indicating the kind of -key. ``RSA'' signifies RSA private key and ``PSK'' signifies -PreShared Key (case is ignored). For compatability with previous -forms of this file, PSK is the default. -.LP -A preshared secret is most conveniently represented as a sequence of -characters, delimited by the double-quote -character (\fB"\fP). The sequence cannot contain a newline or -double-quote. Strictly speaking, the secret is actually the sequence -of bytes that is used in the file to represent the sequence of -characters (excluding the delimiters). -A preshared secret may also be represented, without quotes, in any form supported by -\fIipsec_ttodata\fP(3). -.LP -An RSA private key is a composite of eight generally large numbers. The notation -used is a brace-enclosed list of field name and value pairs (see the example above). -A suitable key, in a suitable format, may be generated by \fIipsec_rsasigkey\fP(8). -The structure is very similar to that used by BIND 8.2.2 or later, but note that -the numbers must have a ``0s'' prefix if they are in base 64. The order of -the fields is fixed. -.LP -The first token an entry must start in -the first column of its line. Subsequent tokens must be -separated by whitespace, -except for a colon token, which only needs to be followed by whitespace. -A newline is taken as whitespace, but every -line of an entry after the first must be indented. -.LP -Whitespace at the end of a line is ignored (except in the 0t -notation for a key). At the start of line or +be normal to share entries between systems. Thus thus no-selector and +one-selector forms of entry often make sense for public key authentication. +.LP +The key part of an entry must start with a token indicating the kind of +key. The following types of secrets are currently supported: +.TP +.B PSK +defines a pre-shared key +.TP +.B RSA +defines an RSA private key +.TP +.B ECDSA +defines an ECDSA private key +.TP +.B EAP +defines EAP credentials +.TP +.B XAUTH +defines XAUTH credentials +.TP +.B PIN +defines a smartcard PIN +.LP +Details on each type of secret are given below. +.LP +Whitespace at the end of a line is ignored. At the start of a line or after whitespace, \fB#\fP and the following text up to the end of the -line is treated as a comment. Within entries, all lines must be -indented (except for lines with no tokens). -Outside entries, no line may be indented (this is to make sure that -the file layout reflects its structure). +line is treated as a comment. .LP An include directive causes the contents of the named file to be processed before continuing with the current file. The filename is subject to @@ -153,23 +121,55 @@ directory containing the current file is prepended to the name. The include directive is a line that starts with the word \fBinclude\fP, followed by whitespace, followed by the filename (which must not contain whitespace). +.SS TYPES OF SECRETS +.TP +.B [ <selectors> ] : PSK <secret> +A preshared secret is most conveniently represented as a sequence of +characters, delimited by double-quote characters (\fB"\fP). +The sequence cannot contain a newline or double-quote. +Strictly speaking, the secret is actually the sequence +of bytes that is used in the file to represent the sequence of +characters (excluding the delimiters). +.TP +.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ] +.TQ +.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ] +For the private key file both absolute paths or paths relative to +\fI/etc/ipsec.d/private\fP are accepted. If the private key file is +encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase +.B %prompt +can be used which then causes the daemons to ask the user for the password +whenever it is required to decrypt the key. +.TP +.B <user id> : EAP <secret> +As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters, +delimited by double-quote characters (\fB"\fP). +.br +\fBEAP\fP secrets are IKEv2 only. +.TP +.B : XAUTH <username> <password> +\fBXAUTH\fP secrets are IKEv1 only. +.TP +.B : PIN <smartcard selector> <pin code> | %prompt +The format +.B "%smartcard[<slot nr>[:<key id>]]" +is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1, +instead of specifying the pin code statically, +.B %prompt +can be specified, which causes the pluto daemon to ask the user for the pin +code. +.LP + .SH FILES /etc/ipsec.secrets .SH SEE ALSO -The rest of the FreeS/WAN distribution, in particular \fIipsec.conf\fP(5), -\fIipsec\fP(8), -\fIipsec_newhostkey\fP(8), -\fIipsec_rsasigkey\fP(8), -\fIipsec_showhostkey\fP(8), -\fIipsec_auto\fP(8) \fB\-\-rereadsecrets\fP, -and \fIipsec_pluto\fP(8) \fB\-\-listen\fP,. +\fIipsec\fP(8) .br -BIND 8.2.2 or later, ftp://ftp.isc.org/isc/bind/src/ .SH HISTORY -Designed for the FreeS/WAN project -<http://www.freeswan.org> -by D. Hugh Redelmeier. +Originally written for the FreeS/WAN project by D. Hugh Redelmeier. +Updated and extended for the strongSwan project <http://www.strongswan.org> by +Tobias Brunner and Andreas Steffen. .SH BUGS If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP; if it is \fB0::0\fP, it will match \fB%any6\fP. diff --git a/src/pluto/ipsec.secrets.5.in b/src/pluto/ipsec.secrets.5.in new file mode 100644 index 000000000..adb915e4d --- /dev/null +++ b/src/pluto/ipsec.secrets.5.in @@ -0,0 +1,175 @@ +.TH IPSEC.SECRETS 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" +.SH NAME +ipsec.secrets \- secrets for IKE/IPsec authentication +.SH DESCRIPTION +The file \fIipsec.secrets\fP holds a table of secrets. +These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons +pluto (IKEv1) and charon (IKEv2) to authenticate other hosts. +.LP +It is vital that these secrets be protected. The file should be owned +by the super-user, +and its permissions should be set to block all access by others. +.LP +The file is a sequence of entries and include directives. +Here is an example. +.LP +.RS +.nf +# /etc/ipsec.secrets - strongSwan IPsec secrets file +192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" + +: RSA moonKey.pem + +alice@strongswan.org : EAP "x3.dEhgN" + +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" + +# get secrets from other files +include ipsec.*.secrets +.fi +.RE +.LP +Each entry in the file is a list of optional ID selectors, followed by a secret. +The two parts are separated by a colon (\fB:\fP) that is surrounded +by whitespace. If no ID selectors are specified the line must start with a +colon. +.LP +A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, +\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written +in the familiar dotted quad form or as a domain name to be looked up +when the file is loaded. +In many cases it is a bad idea to use domain names because +the name server may not be running or may be insecure. To denote a +Fully Qualified Domain Name (as opposed to an IP address denoted by +its domain name), precede the name with an at sign (\fB@\fP). +.LP +Matching IDs with selectors is fairly straightforward: they have to be +equal. In the case of a ``Road Warrior'' connection, if an equal +match is not found for the Peer's ID, and it is in the form of an IP +address, a selector of \fB%any\fP will match the peer's IP address if IPV4 +and \fB%any6\fP will match a the peer's IP address if IPV6. +Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of +\fB%any\fP. +.LP +In IKEv1 an additional complexity +arises in the case of authentication by preshared secret: the +responder will need to look up the secret before the Peer's ID payload has +been decoded, so the ID used will be the IP address. +.LP +To authenticate a connection between two hosts, the entry that most +specifically matches the host and peer IDs is used. An entry with no +selectors will match any host and peer. More specifically, an entry with one +selector will match a host and peer if the selector matches the host's ID (the +peer isn't considered). Still more specifically, an entry with multiple +selectors will match a host and peer if the host ID and peer ID each match one +of the selectors. If the key is for an asymmetric authentication technique +(i.e. a public key system such as RSA), an entry with multiple selectors will +match a host and peer even if only the host ID matches a selector (it is +presumed that the selectors are all identities of the host). +It is acceptable for two entries to be the best match as +long as they agree about the secret or private key. +.LP +Authentication by preshared secret requires that both systems find the +identical secret (the secret is not actually transmitted by the IKE +protocol). If both the host and peer appear in the selector list, the +same entry will be suitable for both systems so verbatim copying +between systems can be used. This naturally extends to larger groups +sharing the same secret. Thus multiple-selector entries are best for PSK +authentication. +.LP +Authentication by public key systems such as RSA requires that each host +have its own private key. A host could reasonably use a different private keys +for different interfaces and for different peers. But it would not +be normal to share entries between systems. Thus thus no-selector and +one-selector forms of entry often make sense for public key authentication. +.LP +The key part of an entry must start with a token indicating the kind of +key. The following types of secrets are currently supported: +.TP +.B PSK +defines a pre-shared key +.TP +.B RSA +defines an RSA private key +.TP +.B ECDSA +defines an ECDSA private key +.TP +.B EAP +defines EAP credentials +.TP +.B XAUTH +defines XAUTH credentials +.TP +.B PIN +defines a smartcard PIN +.LP +Details on each type of secret are given below. +.LP +Whitespace at the end of a line is ignored. At the start of a line or +after whitespace, \fB#\fP and the following text up to the end of the +line is treated as a comment. +.LP +An include directive causes the contents of the named file to be processed +before continuing with the current file. The filename is subject to +``globbing'' as in \fIsh\fP(1), so every file with a matching name +is processed. Includes may be nested to a modest +depth (10, currently). If the filename doesn't start with a \fB/\fP, the +directory containing the current file is prepended to the name. The +include directive is a line that starts with the word \fBinclude\fP, +followed by whitespace, followed by the filename (which must not contain +whitespace). +.SS TYPES OF SECRETS +.TP +.B [ <selectors> ] : PSK <secret> +A preshared secret is most conveniently represented as a sequence of +characters, delimited by double-quote characters (\fB"\fP). +The sequence cannot contain a newline or double-quote. +Strictly speaking, the secret is actually the sequence +of bytes that is used in the file to represent the sequence of +characters (excluding the delimiters). +.TP +.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ] +.TQ +.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ] +For the private key file both absolute paths or paths relative to +\fI/etc/ipsec.d/private\fP are accepted. If the private key file is +encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase +.B %prompt +can be used which then causes the daemons to ask the user for the password +whenever it is required to decrypt the key. +.TP +.B <user id> : EAP <secret> +As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters, +delimited by double-quote characters (\fB"\fP). +.br +\fBEAP\fP secrets are IKEv2 only. +.TP +.B : XAUTH <username> <password> +\fBXAUTH\fP secrets are IKEv1 only. +.TP +.B : PIN <smartcard selector> <pin code> | %prompt +The format +.B "%smartcard[<slot nr>[:<key id>]]" +is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1, +instead of specifying the pin code statically, +.B %prompt +can be specified, which causes the pluto daemon to ask the user for the pin +code. +.LP + +.SH FILES +/etc/ipsec.secrets +.SH SEE ALSO +\fIipsec.conf\fP(5), +\fIipsec\fP(8) +.br +.SH HISTORY +Originally written for the FreeS/WAN project by D. Hugh Redelmeier. +Updated and extended for the strongSwan project <http://www.strongswan.org> by +Tobias Brunner and Andreas Steffen. +.SH BUGS +If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP; +if it is \fB0::0\fP, it will match \fB%any6\fP. diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 34c42e294..4a6a7c872 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -260,7 +260,7 @@ static linked_list_t* collect_rw_ca_candidates(struct msg_digest *md) { new_entry = FALSE; break; - } + } } enumerator->destroy(enumerator); @@ -702,7 +702,7 @@ void accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p) { struct isakmp_delete *d = &(p->payload.delete); - identification_t *this_id, *that_id; + identification_t *this_id = NULL, *that_id = NULL; ip_address peer_addr; size_t sizespi; int i; @@ -1568,7 +1568,7 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr) s->tried_cnt++; scheme = oakley_to_signature_scheme(s->st->st_oakley.auth); - pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid); + pub_key->get_fingerprint(pub_key, KEYID_PUBKEY_INFO_SHA1, &keyid); if (pub_key->verify(pub_key, scheme, s->hash, s->sig)) { @@ -1944,27 +1944,34 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa, bool has_client = c->spd.this.has_client || c->spd.that.has_client || c->spd.this.protocol || c->spd.that.protocol || c->spd.this.port || c->spd.that.port; - bool send_natoa = FALSE; u_int8_t np = ISAKMP_NEXT_NONE; + connection_t *ph1_c = isakmp_sa->st_connection; if (c->spd.this.modecfg && !c->spd.this.has_client && - isanyaddr(&c->spd.this.host_srcip)) + c->spd.this.host_srcip->is_anyaddr(c->spd.this.host_srcip)) { - connection_t *ph1_c = isakmp_sa->st_connection; + host_t * ph1_srcip = ph1_c->spd.this.host_srcip; - if (ph1_c->spd.this.modecfg && !isanyaddr(&ph1_c->spd.this.host_srcip)) + if (ph1_c->spd.this.modecfg && !ph1_srcip->is_anyaddr(ph1_srcip)) { - char srcip[ADDRTOT_BUF]; - - c->spd.this.host_srcip = ph1_c->spd.this.host_srcip; + c->spd.this.host_srcip->destroy(c->spd.this.host_srcip); + c->spd.this.host_srcip = ph1_srcip->clone(ph1_srcip); c->spd.this.client = ph1_c->spd.this.client; c->spd.this.has_client = TRUE; - addrtot(&c->spd.this.host_srcip, 0, srcip, sizeof(srcip)); - plog("inheriting virtual IP source address %s from ModeCfg", srcip); + plog("inheriting virtual IP source address %H from ModeCfg", ph1_srcip); } } + if (ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) && + ph1_c->xauth_identity && !c->xauth_identity) + { + DBG(DBG_CONTROL, + DBG_log("inheriting XAUTH identity %Y", ph1_c->xauth_identity) + ) + c->xauth_identity = ph1_c->xauth_identity->clone(ph1_c->xauth_identity); + } + st->st_whack_sock = whack_sock; st->st_connection = c; set_cur_state(st); /* we must reset before exit */ @@ -3535,7 +3542,7 @@ stf_status main_inR2_outI3(struct msg_digest *md) struct state *const st = md->st; pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs; pb_stream id_pbs; /* ID Payload; also used for hash calculation */ - + connection_t *c = st->st_connection; certpolicy_t cert_policy = c->spd.this.sendcert; cert_t *mycert = c->spd.this.cert; @@ -3638,7 +3645,7 @@ stf_status main_inR2_outI3(struct msg_digest *md) } if (send_cert) { - bool success; + bool success = FALSE; chunk_t cert_encoding; pb_stream cert_pbs; @@ -3650,9 +3657,12 @@ stf_status main_inR2_outI3(struct msg_digest *md) { return STF_INTERNAL_ERROR; } - cert_encoding = mycert->cert->get_encoding(mycert->cert); - success = out_chunk(cert_encoding, &cert_pbs, "CERT"); - free(cert_encoding.ptr); + if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER, + &cert_encoding)) + { + success = out_chunk(cert_encoding, &cert_pbs, "CERT"); + free(cert_encoding.ptr); + } if (!success) { return STF_INTERNAL_ERROR; @@ -4079,7 +4089,7 @@ main_inI3_outR3_tail(struct msg_digest *md } if (send_cert) { - bool success; + bool success = FALSE; chunk_t cert_encoding; pb_stream cert_pbs; struct isakmp_cert cert_hd; @@ -4091,9 +4101,12 @@ main_inI3_outR3_tail(struct msg_digest *md { return STF_INTERNAL_ERROR; } - cert_encoding = mycert->cert->get_encoding(mycert->cert); - success = out_chunk(cert_encoding, &cert_pbs, "CERT"); - free(cert_encoding.ptr); + if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER, + &cert_encoding)) + { + success = out_chunk(cert_encoding, &cert_pbs, "CERT"); + free(cert_encoding.ptr); + } if (!success) { return STF_INTERNAL_ERROR; @@ -4888,23 +4901,32 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, /* Plain Road Warrior: * instantiate, carrying over authenticated peer ID */ + host_t *vip = c->spd.that.host_srcip; + p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port , his_net, c->spd.that.id); - /* inherit any virtual IP assigned by a Mode Config exchange */ + /* inherit any virtual IP assigned by a Mode Config exchange */ if (p->spd.that.modecfg && c->spd.that.modecfg && - subnetisaddr(his_net, &c->spd.that.host_srcip)) + subnetisaddr(his_net, (ip_address*)vip->get_sockaddr(vip))) { - char srcip[ADDRTOT_BUF]; - DBG(DBG_CONTROL, - addrtot(&c->spd.that.host_srcip, 0, srcip, sizeof(srcip)); - DBG_log("inheriting virtual IP source address %s from ModeCfg", srcip) + DBG_log("inheriting virtual IP source address %H from ModeCfg", vip) ) - p->spd.that.host_srcip = c->spd.that.host_srcip; + p->spd.that.host_srcip->destroy(p->spd.that.host_srcip); + p->spd.that.host_srcip = vip->clone(vip); p->spd.that.client = c->spd.that.client; p->spd.that.has_client = TRUE; } + + if (c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) && + c->xauth_identity && !p->xauth_identity) + { + DBG(DBG_CONTROL, + DBG_log("inheriting XAUTH identity %Y", c->xauth_identity) + ) + p->xauth_identity = c->xauth_identity->clone(c->xauth_identity); + } } } #ifdef DEBUG diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index ee22fb55e..dd7ed8893 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -464,9 +464,11 @@ static bool do_command(connection_t *c, struct spd_route *sr, peerclientnet_str[ADDRTOT_BUF], peerclientmask_str[ADDRTOT_BUF], peerca_str[BUF_LEN], + xauth_id_str[BUF_LEN] = "", secure_myid_str[BUF_LEN] = "", secure_peerid_str[BUF_LEN] = "", - secure_peerca_str[BUF_LEN] = ""; + secure_peerca_str[BUF_LEN] = "", + secure_xauth_id_str[BUF_LEN] = ""; ip_address ta; pubkey_list_t *p; @@ -483,16 +485,14 @@ static bool do_command(connection_t *c, struct spd_route *sr, strncat(nexthop_str, "' ", sizeof(nexthop_str)); } - if (addrbytesptr(&sr->this.host_srcip, NULL) - && !isanyaddr(&sr->this.host_srcip)) + if (!sr->this.host_srcip->is_anyaddr(sr->this.host_srcip)) { char *n; strcpy(srcip_str, "PLUTO_MY_SOURCEIP='"); n = srcip_str + strlen(srcip_str); - - addrtot(&sr->this.host_srcip, 0 - ,n , sizeof(srcip_str)-strlen(srcip_str)); + snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H", + sr->this.host_srcip); strncat(srcip_str, "' ", sizeof(srcip_str)); } @@ -505,6 +505,16 @@ static bool do_command(connection_t *c, struct spd_route *sr, maskof(&sr->this.client, &ta); addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str)); + if (c->xauth_identity && + c->xauth_identity->get_type(c->xauth_identity) != ID_ANY) + { + snprintf(xauth_id_str, sizeof(xauth_id_str), "%Y", c->xauth_identity); + escape_metachar(xauth_id_str, secure_xauth_id_str, + sizeof(secure_xauth_id_str)); + snprintf(xauth_id_str, sizeof(xauth_id_str), "PLUTO_XAUTH_ID='%s' ", + secure_xauth_id_str); + } + addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str)); snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id); escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str)); @@ -562,6 +572,7 @@ static bool do_command(connection_t *c, struct spd_route *sr, "PLUTO_PEER_PROTOCOL='%u' " "PLUTO_PEER_CA='%s' " "%s" /* optional PLUTO_MY_SRCIP */ + "%s" /* optional PLUTO_XAUTH_ID */ "%s" /* actual script */ , verb, verb_suffix , c->name @@ -585,6 +596,7 @@ static bool do_command(connection_t *c, struct spd_route *sr, , sr->that.protocol , secure_peerca_str , srcip_str + , xauth_id_str , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown)) { loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix); diff --git a/src/pluto/keys.c b/src/pluto/keys.c index 8cf28ace1..6db757ba7 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -53,25 +53,26 @@ #include "whack.h" /* for RC_LOG_SERIOUS */ #include "timer.h" #include "fetch.h" -#include "xauth.h" const char *shared_secrets_file = SHARED_SECRETS_FILE; -typedef struct id_list id_list_t; -struct id_list { - identification_t *id; - id_list_t *next; +typedef enum secret_kind_t secret_kind_t; + +enum secret_kind_t { + SECRET_PSK, + SECRET_PUBKEY, + SECRET_XAUTH, + SECRET_PIN }; -typedef struct secret secret_t; +typedef struct secret_t secret_t; -struct secret { - id_list_t *ids; - enum PrivateKeyKind kind; +struct secret_t { + linked_list_t *ids; + secret_kind_t kind; union { chunk_t preshared_secret; - xauth_t xauth_secret; private_key_t *private_key; smartcard_t *smartcard; } u; @@ -92,12 +93,11 @@ static void free_public_key(pubkey_t *pk) secret_t *secrets = NULL; -/* find the struct secret associated with the combination of - * me and the peer. We match the Id (if none, the IP address). - * Failure is indicated by a NULL. +/** + * Find the secret associated with the combination of me and the peer. */ -static const secret_t* get_secret(const connection_t *c, - enum PrivateKeyKind kind, bool asym) +const secret_t* match_secret(identification_t *my_id, identification_t *his_id, + secret_kind_t kind) { enum { /* bits */ match_default = 0x01, @@ -106,128 +106,92 @@ static const secret_t* get_secret(const connection_t *c, }; unsigned int best_match = 0; - secret_t *best = NULL; - secret_t *s; - identification_t *my_id, *his_id; + secret_t *s, *best = NULL; - /* is there a certificate assigned to this connection? */ - if (kind == PPK_PUBKEY && c->spd.this.cert) + for (s = secrets; s != NULL; s = s->next) { - certificate_t *certificate = c->spd.this.cert->cert; + unsigned int match = 0; - public_key_t *pub_key = certificate->get_public_key(certificate); - - for (s = secrets; s != NULL; s = s->next) + if (s->kind != kind) { - if (s->kind == kind && - s->u.private_key->belongs_to(s->u.private_key, pub_key)) - { - best = s; - break; /* we have found the private key - no sense in searching further */ - } + continue; } - pub_key->destroy(pub_key); - return best; - } - - my_id = c->spd.this.id; - - if (his_id_was_instantiated(c)) - { - /* roadwarrior: replace him with 0.0.0.0 */ - his_id = identification_create_from_string("%any"); - } - else if (kind == PPK_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) && - ((c->kind == CK_TEMPLATE && - c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) || - (c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id)))) - { - /* roadwarrior: replace him with 0.0.0.0 */ - his_id = identification_create_from_string("%any"); - } - else - { - his_id = c->spd.that.id->clone(c->spd.that.id); - } - for (s = secrets; s != NULL; s = s->next) - { - if (s->kind == kind) + if (s->ids->get_count(s->ids) == 0) + { + /* a default (signified by lack of ids): + * accept if no more specific match found + */ + match = match_default; + } + else { - unsigned int match = 0; + /* check if both ends match ids */ + enumerator_t *enumerator; + identification_t *id; - if (s->ids == NULL) - { - /* a default (signified by lack of ids): - * accept if no more specific match found - */ - match = match_default; - } - else + enumerator = s->ids->create_enumerator(s->ids); + while (enumerator->enumerate(enumerator, &id)) { - /* check if both ends match ids */ - id_list_t *i; - - for (i = s->ids; i != NULL; i = i->next) + if (my_id->equals(my_id, id)) { - if (my_id->equals(my_id, i->id)) - { - match |= match_me; - } - if (his_id->equals(his_id, i->id)) - { - match |= match_him; - } + match |= match_me; } - - /* If our end matched the only id in the list, - * default to matching any peer. - * A more specific match will trump this. - */ - if (match == match_me && s->ids->next == NULL) + if (his_id->equals(his_id, id)) { - match |= match_default; + match |= match_him; } } + enumerator->destroy(enumerator); - switch (match) + /* If our end matched the only id in the list, + * default to matching any peer. + * A more specific match will trump this. + */ + if (match == match_me && s->ids->get_count(s->ids) == 1) { + match |= match_default; + } + } + + switch (match) + { case match_me: /* if this is an asymmetric (eg. public key) system, * allow this-side-only match to count, even if * there are other ids in the list. */ - if (!asym) + if (kind != SECRET_PUBKEY) { break; } /* FALLTHROUGH */ - case match_default: /* default all */ - case match_me | match_default: /* default peer */ - case match_me | match_him: /* explicit */ + case match_default: /* default all */ + case match_me | match_default: /* default peer */ + case match_me | match_him: /* explicit */ if (match == best_match) { - /* two good matches are equally good: - * do they agree? - */ + /* two good matches are equally good: do they agree? */ bool same = FALSE; switch (kind) { - case PPK_PSK: - same = s->u.preshared_secret.len == best->u.preshared_secret.len - && memeq(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len); + case SECRET_PSK: + case SECRET_XAUTH: + same = chunk_equals(s->u.preshared_secret, + best->u.preshared_secret); break; - case PPK_PUBKEY: - same = s->u.private_key->equals(s->u.private_key, best->u.private_key); + case SECRET_PUBKEY: + same = s->u.private_key->equals(s->u.private_key, + best->u.private_key); break; default: bad_case(kind); } if (!same) { - loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints:" - " first secret used"); + loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with " + "distinct secrets match endpoints: first secret used"); best = s; /* list is backwards: take latest in list */ } } @@ -237,9 +201,63 @@ static const secret_t* get_secret(const connection_t *c, best_match = match; best = s; } - } } } + return best; +} + +/** + * Retrieves an XAUTH secret primarily based on the user ID and + * secondarily based on the server ID + */ +bool get_xauth_secret(identification_t *user, identification_t *server, + chunk_t *secret) +{ + const secret_t *s; + + s = match_secret(user, server, SECRET_XAUTH); + if (s) + { + *secret = chunk_clone(s->u.preshared_secret); + return TRUE; + } + else + { + *secret = chunk_empty; + return FALSE; + } +} + +/** + * We match the ID (if none, the IP address). Failure is indicated by a NULL. + */ +static const secret_t* get_secret(const connection_t *c, secret_kind_t kind) +{ + identification_t *my_id, *his_id; + const secret_t *best; + + my_id = c->spd.this.id; + + if (his_id_was_instantiated(c)) + { + /* roadwarrior: replace him with 0.0.0.0 */ + his_id = identification_create_from_string("%any"); + } + else if (kind == SECRET_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) && + ((c->kind == CK_TEMPLATE && + c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) || + (c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id)))) + { + /* roadwarrior: replace him with 0.0.0.0 */ + his_id = identification_create_from_string("%any"); + } + else + { + his_id = c->spd.that.id->clone(c->spd.that.id); + } + + best = match_secret(my_id, his_id, kind); + his_id->destroy(his_id); return best; } @@ -250,7 +268,7 @@ static const secret_t* get_secret(const connection_t *c, */ const chunk_t* get_preshared_secret(const connection_t *c) { - const secret_t *s = get_secret(c, PPK_PSK, FALSE); + const secret_t *s = get_secret(c, SECRET_PSK); DBG(DBG_PRIVATE, if (s == NULL) @@ -272,7 +290,7 @@ bool has_private_key(cert_t *cert) for (s = secrets; s != NULL; s = s->next) { - if (s->kind == PPK_PUBKEY && + if (s->kind == SECRET_PUBKEY && s->u.private_key->belongs_to(s->u.private_key, pub_key)) { has_key = TRUE; @@ -295,7 +313,7 @@ private_key_t* get_x509_private_key(const cert_t *cert) for (s = secrets; s != NULL; s = s->next) { - if (s->kind == PPK_PUBKEY && + if (s->kind == SECRET_PUBKEY && s->u.private_key->belongs_to(s->u.private_key, public_key)) { private_key = s->u.private_key; @@ -311,9 +329,33 @@ private_key_t* get_x509_private_key(const cert_t *cert) */ private_key_t* get_private_key(const connection_t *c) { - const secret_t *s = get_secret(c, PPK_PUBKEY, TRUE); + const secret_t *s, *best = NULL; + + /* is a certificate assigned to this connection? */ + if (c->spd.this.cert) + { + certificate_t *certificate; + public_key_t *pub_key; - return s == NULL? NULL : s->u.private_key; + certificate = c->spd.this.cert->cert; + pub_key = certificate->get_public_key(certificate); + + for (s = secrets; s != NULL; s = s->next) + { + if (s->kind == SECRET_PUBKEY && + s->u.private_key->belongs_to(s->u.private_key, pub_key)) + { + best = s; + break; /* found the private key - no sense in searching further */ + } + } + pub_key->destroy(pub_key); + } + else + { + best = get_secret(c, SECRET_PUBKEY); + } + return best ? best->u.private_key : NULL; } /* digest a secrets file @@ -556,120 +598,6 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd) } /** - * Process xauth secret read from ipsec.secrets - */ -static err_t process_xauth(secret_t *s) -{ - chunk_t user_name; - - s->kind = PPK_XAUTH; - - if (!shift()) - return "missing xauth user name"; - if (*tok == '"' || *tok == '\'') /* quoted user name */ - { - user_name.ptr = tok + 1; - user_name.len = flp->cur - tok - 2; - } - else - { - user_name.ptr = tok; - user_name.len = flp->cur - tok; - } - plog(" loaded xauth credentials of user '%.*s'" - , user_name.len - , user_name.ptr); - s->u.xauth_secret.user_name = chunk_clone(user_name); - - if (!shift()) - return "missing xauth user password"; - return process_psk_secret(&s->u.xauth_secret.user_password); -} - -/** - * Get XAUTH secret from chained secrets lists - * only one entry is currently supported - */ -static bool xauth_get_secret(xauth_t *xauth_secret) -{ - secret_t *s; - bool found = FALSE; - - for (s = secrets; s != NULL; s = s->next) - { - if (s->kind == PPK_XAUTH) - { - if (found) - { - plog("found multiple xauth secrets - first selected"); - } - else - { - found = TRUE; - *xauth_secret = s->u.xauth_secret; - } - } - } - return found; -} - -/** - * find a matching secret - */ -static bool xauth_verify_secret(const xauth_peer_t *peer, - const xauth_t *xauth_secret) -{ - bool found = FALSE; - secret_t *s; - - for (s = secrets; s != NULL; s = s->next) - { - if (s->kind == PPK_XAUTH) - { - if (!chunk_equals(xauth_secret->user_name, s->u.xauth_secret.user_name)) - { - continue; - } - found = TRUE; - if (chunk_equals(xauth_secret->user_password, s->u.xauth_secret.user_password)) - { - return TRUE; - } - } - } - plog("xauth user '%.*s' %s" - , xauth_secret->user_name.len, xauth_secret->user_name.ptr - , found? "sent wrong password":"not found"); - return FALSE; -} - -/** - * the global xauth_module struct is defined here - */ -xauth_module_t xauth_module; - -/** - * Assign the default xauth functions to any null function pointers - */ -void xauth_defaults(void) -{ - if (xauth_module.get_secret == NULL) - { - DBG(DBG_CONTROL, - DBG_log("xauth module: using default get_secret() function") - ) - xauth_module.get_secret = xauth_get_secret; - } - if (xauth_module.verify_secret == NULL) - { - DBG(DBG_CONTROL, - DBG_log("xauth module: using default verify_secret() function") - ) - xauth_module.verify_secret = xauth_verify_secret; - } -}; - -/** * Process pin read from ipsec.secrets or prompted for it using whack */ static err_t process_pin(secret_t *s, int whackfd) @@ -677,7 +605,7 @@ static err_t process_pin(secret_t *s, int whackfd) smartcard_t *sc; const char *pin_status = "no pin"; - s->kind = PPK_PIN; + s->kind = SECRET_PIN; /* looking for the smartcard keyword */ if (!shift() || strncmp(tok, SCX_TOKEN, strlen(SCX_TOKEN)) != 0) @@ -748,57 +676,69 @@ static err_t process_pin(secret_t *s, int whackfd) return NULL; } -static void log_psk(secret_t *s) +static void log_psk(char *label, secret_t *s) { int n = 0; char buf[BUF_LEN]; - id_list_t *id_list = s->ids; + enumerator_t *enumerator; + identification_t *id; - if (id_list == NULL) + if (s->ids->get_count(s->ids) == 0) { n = snprintf(buf, BUF_LEN, "%%any"); } else { - do + enumerator = s->ids->create_enumerator(s->ids); + while(enumerator->enumerate(enumerator, &id)) { - n += snprintf(buf + n, BUF_LEN - n, "%Y ", id_list->id); + n += snprintf(buf + n, BUF_LEN - n, "%Y ", id); if (n >= BUF_LEN) { n = BUF_LEN - 1; break; } - id_list = id_list->next; } - while (id_list); + enumerator->destroy(enumerator); } - plog(" loaded shared key for %.*s", n, buf); + plog(" loaded %s secret for %.*s", label, n, buf); } static void process_secret(secret_t *s, int whackfd) { err_t ugh = NULL; - s->kind = PPK_PSK; /* default */ + s->kind = SECRET_PSK; /* default */ if (*tok == '"' || *tok == '\'') { + log_psk("PSK", s); + /* old PSK format: just a string */ - log_psk(s); ugh = process_psk_secret(&s->u.preshared_secret); } else if (tokeqword("psk")) { + log_psk("PSK", s); + /* preshared key: quoted string or ttodata format */ - log_psk(s); ugh = !shift()? "unexpected end of record in PSK" : process_psk_secret(&s->u.preshared_secret); } + else if (tokeqword("xauth")) + { + s->kind = SECRET_XAUTH; + log_psk("XAUTH", s); + + /* xauth secret: quoted string or ttodata format */ + ugh = !shift()? "unexpected end of record in XAUTH" + : process_psk_secret(&s->u.preshared_secret); + } else if (tokeqword("rsa")) { /* RSA key: the fun begins. * A braced list of keyword and value pairs. */ - s->kind = PPK_PUBKEY; + s->kind = SECRET_PUBKEY; if (!shift()) { ugh = "bad RSA key syntax"; @@ -814,7 +754,7 @@ static void process_secret(secret_t *s, int whackfd) } else if (tokeqword("ecdsa")) { - s->kind = PPK_PUBKEY; + s->kind = SECRET_PUBKEY; if (!shift()) { ugh = "bad ECDSA key syntax"; @@ -824,10 +764,6 @@ static void process_secret(secret_t *s, int whackfd) ugh = process_keyfile(&s->u.private_key, KEY_ECDSA, whackfd); } } - else if (tokeqword("xauth")) - { - ugh = process_xauth(s); - } else if (tokeqword("pin")) { ugh = process_pin(s, whackfd); @@ -919,8 +855,8 @@ static void process_secret_records(int whackfd) secret_t *s = malloc_thing(secret_t); zero(s); - s->ids = NULL; - s->kind = PPK_PSK; /* default */ + s->ids = linked_list_create(); + s->kind = SECRET_PSK; /* default */ s->u.preshared_secret = chunk_empty; s->next = NULL; @@ -941,14 +877,10 @@ static void process_secret_records(int whackfd) } else { - /* an id - * See RFC2407 IPsec Domain of Interpretation 4.6.2 - */ - id_list_t *i = malloc_thing(id_list_t); + identification_t *id; - i->id = identification_create_from_string(tok); - i->next = s->ids; - s->ids = i; + id = identification_create_from_string(tok); + s->ids->insert_last(s->ids, id); if (!shift()) { @@ -1035,32 +967,23 @@ void free_preshared_secrets(void) for (s = secrets; s != NULL; s = ns) { - id_list_t *i, *ni; - ns = s->next; - for (i = s->ids; i != NULL; i = ni) - { - ni = i->next; - i->id->destroy(i->id); - free(i); - } + s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy)); + switch (s->kind) { - case PPK_PSK: - free(s->u.preshared_secret.ptr); - break; - case PPK_PUBKEY: - DESTROY_IF(s->u.private_key); - break; - case PPK_XAUTH: - free(s->u.xauth_secret.user_name.ptr); - free(s->u.xauth_secret.user_password.ptr); - break; - case PPK_PIN: - scx_release(s->u.smartcard); - break; - default: - bad_case(s->kind); + case SECRET_PSK: + case SECRET_XAUTH: + free(s->u.preshared_secret.ptr); + break; + case SECRET_PUBKEY: + DESTROY_IF(s->u.private_key); + break; + case SECRET_PIN: + scx_release(s->u.smartcard); + break; + default: + bad_case(s->kind); } free(s); } @@ -1315,7 +1238,7 @@ void add_public_key_from_cert(cert_t *cert , time_t until, /* insert all subjectAltNames from X.509 certificates */ enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, &id)) + while (enumerator->enumerate(enumerator, &id)) { if (id->get_type(id) != ID_ANY) { @@ -1404,7 +1327,7 @@ void list_public_keys(bool utc) public->get_keysize(public) * BITS_PER_BYTE, &key->until_time, utc, check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE)); - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { whack_log(RC_COMMENT," keyid: %#B", &keyid); } diff --git a/src/pluto/keys.h b/src/pluto/keys.h index d856c0009..73cc21392 100644 --- a/src/pluto/keys.h +++ b/src/pluto/keys.h @@ -21,6 +21,7 @@ #include <credentials/keys/public_key.h> #include "certs.h" +#include "connections.h" #ifndef SHARED_SECRETS_FILE # define SHARED_SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets" @@ -31,20 +32,12 @@ const char *shared_secrets_file; extern void load_preshared_secrets(int whackfd); extern void free_preshared_secrets(void); -enum PrivateKeyKind { - PPK_PSK, - PPK_PUBKEY, - PPK_XAUTH, - PPK_PIN -}; - extern void xauth_defaults(void); -/* forward declaration */ -struct connection; - -extern const chunk_t *get_preshared_secret(const struct connection *c); -extern private_key_t *get_private_key(const struct connection *c); +extern bool get_xauth_secret(identification_t *user, identification_t *server, + chunk_t *secret); +extern const chunk_t *get_preshared_secret(const connection_t *c); +extern private_key_t *get_private_key(const connection_t *c); extern private_key_t *get_x509_private_key(const cert_t *cert); /* public key machinery */ diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c index 0c4f2bd6b..0d0cd899c 100644 --- a/src/pluto/modecfg.c +++ b/src/pluto/modecfg.c @@ -2,7 +2,7 @@ * Copyright (C) 2001-2002 Colubris Networks * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc. * Copyright (C) 2003-2004 Xelerance Corporation - * Copyright (C) 2006-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil + * Copyright (C) 2006-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -27,7 +27,7 @@ #include <library.h> #include <hydra.h> -#include <attributes/attributes.h> +#include <utils/linked_list.h> #include <crypto/prfs/prf.h> #include "constants.h" @@ -40,106 +40,121 @@ #include "crypto.h" #include "modecfg.h" #include "whack.h" -#include "xauth.h" +#include "pluto.h" #define MAX_XAUTH_TRIES 3 -#define DNS_SERVER_MAX 2 -#define NBNS_SERVER_MAX 2 -#define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \ - | LELEM(INTERNAL_IP4_NETMASK) \ - | LELEM(INTERNAL_IP4_DNS) \ - | LELEM(INTERNAL_IP4_NBNS) \ - | LELEM(APPLICATION_VERSION) \ - | LELEM(INTERNAL_IP6_DNS) \ - | LELEM(INTERNAL_IP6_NBNS) \ - ) +#define DEFAULT_UNITY_BANNER "Welcome to strongSwan - the Linux VPN Solution!\n" -#define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) ) +/** + * Creates a modecfg_attribute_t object + */ +static modecfg_attribute_t *modecfg_attribute_create(configuration_attribute_type_t type, + chunk_t value) +{ + modecfg_attribute_t *this; -#define UNITY_BANNER_STR "Welcome to strongSwan - the Linux VPN Solution!\n" + this = malloc_thing(modecfg_attribute_t); + this->type = ((u_int16_t)type) & 0x7FFF; + this->is_tv = FALSE; + this->value = chunk_clone(value); + this->handler = NULL; -/* - * Addresses assigned (usually via ModeCfg) to the Initiator - */ -typedef struct internal_addr internal_addr_t; + return this; +} -struct internal_addr +/** + * Creates a modecfg_attribute_t object coded in TV format + */ +static modecfg_attribute_t *modecfg_attribute_create_tv(configuration_attribute_type_t type, + size_t value) { - lset_t attr_set; - lset_t xauth_attr_set; - lset_t unity_attr_set; - - /* ModeCfg variables */ - ip_address ipaddr; - ip_address dns[DNS_SERVER_MAX]; - ip_address nbns[NBNS_SERVER_MAX]; + modecfg_attribute_t *this; - char *unity_banner; + this = modecfg_attribute_create(type, chunk_empty); + this->value.len = value; + this->is_tv = TRUE; - /* XAUTH variables */ - u_int16_t xauth_type; - xauth_t xauth_secret; - bool xauth_status; -}; + return this; +} /** - * Initialize an internal_addr struct + * Destroys a modecfg_attribute_t object */ -static void init_internal_addr(internal_addr_t *ia) +void modecfg_attribute_destroy(modecfg_attribute_t *this) { - int i; + free(this->value.ptr); + free(this); +} - ia->attr_set = LEMPTY; - ia->xauth_attr_set = LEMPTY; - ia->xauth_secret.user_name = chunk_empty; - ia->xauth_secret.user_password = chunk_empty; - ia->xauth_type = XAUTH_TYPE_GENERIC; - ia->xauth_status = XAUTH_STATUS_FAIL; - ia->unity_attr_set = LEMPTY; - ia->unity_banner = NULL; +/** + * Get attributes to be sent to client + */ +static void get_attributes(connection_t *c, linked_list_t *ca_list) +{ + configuration_attribute_type_t type; + identification_t *client_id; + modecfg_attribute_t *ca; + enumerator_t *enumerator; + chunk_t value; + host_t *vip = NULL, *requested_vip = NULL; + bool want_unity_banner = FALSE; + int family; - anyaddr(AF_INET, &ia->ipaddr); +#ifdef CISCO_QUIRKS + /* always send banner in ModeCfg push mode */ + if (ca_list->get_count(ca_list) == 0) + { + want_unity_banner = TRUE; + } +#endif - /* initialize DNS server information */ - for (i = 0; i < DNS_SERVER_MAX; i++) + /* scan list of requested attributes in ModeCfg pull mode */ + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) { - anyaddr(AF_INET, &ia->dns[i]); + switch (ca->type) + { + case INTERNAL_IP4_ADDRESS: + case INTERNAL_IP6_ADDRESS: + { + int family; + + family = (ca->type == INTERNAL_IP4_ADDRESS) ? AF_INET : AF_INET6; + requested_vip = (ca->value.len) ? + host_create_from_chunk(family, ca->value, 0) : + host_create_any(family); + plog("peer requested virtual IP %H", requested_vip); + break; + } +#ifdef CISCO_QUIRKS + case UNITY_BANNER: + want_unity_banner = TRUE; + break; +#endif + default: + break; + } + modecfg_attribute_destroy(ca); } - /* initialize NBNS server information */ - for (i = 0; i < NBNS_SERVER_MAX; i++) + if (requested_vip == NULL) { - anyaddr(AF_INET, &ia->nbns[i]); + requested_vip = host_create_any(AF_INET); } -} -/** - * Get internal IP address for a connection - */ -static void get_internal_addr(connection_t *c, host_t *requested_vip, - internal_addr_t *ia) -{ - int dns_idx = 0, nbns_idx = 0; - enumerator_t *enumerator; - configuration_attribute_type_t type; - chunk_t value; - host_t *vip = NULL; + client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id; - if (isanyaddr(&c->spd.that.host_srcip)) + /* if no virtual IP has been assigned yet - acquire one */ + if (c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { if (c->spd.that.pool) { vip = hydra->attributes->acquire_address(hydra->attributes, - c->spd.that.pool, c->spd.that.id, - requested_vip); + c->spd.that.pool, client_id, requested_vip); if (vip) { - chunk_t addr = vip->get_address(vip); - - plog("assigning virtual IP %H to peer", vip); - initaddr(addr.ptr, addr.len, vip->get_family(vip), &ia->ipaddr); - + c->spd.that.host_srcip->destroy(c->spd.that.host_srcip); + c->spd.that.host_srcip = vip; } } else @@ -147,132 +162,184 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip, plog("no virtual IP found"); } } - else - { - ia->ipaddr = c->spd.that.host_srcip; - vip = host_create_from_sockaddr((sockaddr_t*)&ia->ipaddr); - plog("assigning virtual IP %H to peer", vip); - } - if (!isanyaddr(&ia->ipaddr)) /* We got an IP address, send it */ + requested_vip->destroy(requested_vip); + + /* if we have a virtual IP address - send it */ + if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { - c->spd.that.host_srcip = ia->ipaddr; - c->spd.that.client.addr = ia->ipaddr; - c->spd.that.client.maskbits = 32; + vip = c->spd.that.host_srcip; + plog("assigning virtual IP %H to peer", vip); + family = vip->get_family(vip); + ca = modecfg_attribute_create((family == AF_INET) ? + INTERNAL_IP4_ADDRESS : + INTERNAL_IP6_ADDRESS, + vip->get_address(vip)); + ca_list->insert_last(ca_list, ca); + + /* set the remote client subnet to virtual IP */ + c->spd.that.client.addr = *(ip_address*)vip->get_sockaddr(vip); + c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128; c->spd.that.has_client = TRUE; - - ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS) - | LELEM(INTERNAL_IP4_NETMASK); } /* assign attributes from registered providers */ enumerator = hydra->attributes->create_responder_enumerator(hydra->attributes, - c->spd.that.id, vip); + c->spd.that.pool, client_id, vip); while (enumerator->enumerate(enumerator, &type, &value)) { - err_t ugh; - host_t *server; - sa_family_t family = AF_INET; + ca = modecfg_attribute_create(type, value); + ca_list->insert_last(ca_list, ca); + if (type == UNITY_BANNER) + { + want_unity_banner = FALSE; + } + } + enumerator->destroy(enumerator); + + if (want_unity_banner) + { + ca = modecfg_attribute_create(UNITY_BANNER, + chunk_create(DEFAULT_UNITY_BANNER, + strlen(DEFAULT_UNITY_BANNER))); + ca_list->insert_last(ca_list, ca); + } +} + +/** + * Set srcip and client subnet to internal IP address + */ +static bool set_attributes(connection_t *c, linked_list_t *ca_list) +{ + host_t *vip, *srcip; + modecfg_attribute_t *ca, *ca_handler; + enumerator_t *enumerator; + bool vip_set = FALSE; + + enumerator = ca_list->create_enumerator(ca_list); + while (enumerator->enumerate(enumerator, &ca)) + { + int family = AF_INET6; + attribute_handler_t *handler = NULL; + enumerator_t *e; - switch (type) + switch (ca->type) { - case INTERNAL_IP6_DNS: - family = AF_INET6; - /* fallthrough */ - case INTERNAL_IP4_DNS: - if (dns_idx >= DNS_SERVER_MAX) + case INTERNAL_IP4_ADDRESS: + family = AF_INET; + /* fall */ + case INTERNAL_IP6_ADDRESS: + if (ca->value.len == 0) { - plog("exceeded the maximum number of %d DNS servers", - DNS_SERVER_MAX); - break; + vip = host_create_any(family); } - ugh = initaddr(value.ptr, value.len, family, &ia->dns[dns_idx]); - if (ugh) + else { - plog("error in DNS server address: %s", ugh); - break; + /* skip prefix byte in IPv6 payload*/ + if (family == AF_INET6) + { + ca->value.len = 16; + } + vip = host_create_from_chunk(family, ca->value, 0); } - server = host_create_from_chunk(family, value, 0); - plog("assigning DNS server %H to peer", server); - server->destroy(server); - - /* differentiate between IP4 and IP6 in modecfg_build_msg() */ - ia->attr_set |= LELEM(INTERNAL_IP4_DNS); - dns_idx++; - break; - - case INTERNAL_IP6_NBNS: - family = AF_INET6; - /* fallthrough */ - case INTERNAL_IP4_NBNS: - if (nbns_idx >= NBNS_SERVER_MAX) + if (vip) { - plog("exceeded the maximum number of %d NBNS servers", - NBNS_SERVER_MAX); - break; - } - ugh = initaddr(value.ptr, value.len, family, &ia->nbns[nbns_idx]); - if (ugh) + srcip = c->spd.this.host_srcip; + + if (srcip->is_anyaddr(srcip) || srcip->equals(srcip, vip)) + { + plog("setting virtual IP source address to %H", vip); + } + else + { + plog("replacing virtual IP source address %H by %H", + srcip, vip); + } + srcip->destroy(srcip); + c->spd.this.host_srcip = vip; + + /* setting client subnet to vip/32 */ + addrtosubnet((ip_address*)vip->get_sockaddr(vip), + &c->spd.this.client); + setportof(0, &c->spd.this.client.addr); + c->spd.this.has_client = TRUE; + + vip_set = TRUE; + } + continue; + case APPLICATION_VERSION: +#ifdef CISCO_QUIRKS + case UNITY_BANNER: +#endif + if (ca->value.len > 0) { - plog("error in NBNS server address: %s", ugh); - break; + DBG(DBG_PARSING | DBG_CONTROLMORE, + DBG_log(" '%.*s'", ca->value.len, ca->value.ptr) + ) } - server = host_create_from_chunk(family, value, 0); - plog("assigning NBNS server %H to peer", server); - server->destroy(server); - - /* differentiate between IP4 and IP6 in modecfg_build_msg() */ - ia->attr_set |= LELEM(INTERNAL_IP4_NBNS); - nbns_idx++; break; - default: break; } - } - enumerator->destroy(enumerator); - DESTROY_IF(vip); -} - -/** - * Set srcip and client subnet to internal IP address - */ -static bool set_internal_addr(connection_t *c, internal_addr_t *ia) -{ - if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS) - && !isanyaddr(&ia->ipaddr)) - { - if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0 - || isanyaddr(&c->spd.this.host_srcip) - || sameaddr(&c->spd.this.host_srcip, &ia->ipaddr)) + /* find the first handler which requested this attribute */ + e = c->requested->create_enumerator(c->requested); + while (e->enumerate(e, &ca_handler)) { - char srcip[ADDRTOT_BUF]; - - addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip)); - plog("setting virtual IP source address to %s", srcip); + if (ca_handler->type == ca->type) + { + handler = ca_handler->handler; + break; + } } - else + e->destroy(e); + + /* and pass it to the handle function */ + handler = hydra->attributes->handle(hydra->attributes, + c->spd.that.id, handler, ca->type, ca->value); + if (handler) { - char old_srcip[ADDRTOT_BUF]; - char new_srcip[ADDRTOT_BUF]; + ca_handler = modecfg_attribute_create(ca->type, ca->value); + ca_handler->handler = handler; - addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip)); - addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip)); - plog("replacing virtual IP source address %s by %s" - , old_srcip, new_srcip); + if (c->attributes == NULL) + { + c->attributes = linked_list_create(); + } + c->attributes->insert_last(c->attributes, ca_handler); } + } + enumerator->destroy(enumerator); + c->requested->destroy_function(c->requested, (void*)modecfg_attribute_destroy); + c->requested = NULL; + return vip_set; +} - /* setting srcip */ - c->spd.this.host_srcip = ia->ipaddr; +/** + * Register configuration attribute handlers + */ +static void register_attribute_handlers(connection_t *c) +{ + configuration_attribute_type_t type; + modecfg_attribute_t *ca; + chunk_t value; + attribute_handler_t *handler; + enumerator_t *enumerator; - /* setting client subnet to srcip/32 */ - addrtosubnet(&ia->ipaddr, &c->spd.this.client); - setportof(0, &c->spd.this.client.addr); - c->spd.this.has_client = TRUE; - return TRUE; + /* add configuration attributes requested by handlers */ + if (c->requested == NULL) + { + c->requested = linked_list_create(); } - return FALSE; + enumerator = hydra->attributes->create_initiator_enumerator( + hydra->attributes,c->spd.that.id, c->spd.this.host_srcip); + while (enumerator->enumerate(enumerator, &handler, &type, &value)) + { + ca = modecfg_attribute_create(type, value); + ca->handler = handler; + c->requested->insert_last(c->requested, ca); + } + enumerator->destroy(enumerator); } /** @@ -307,218 +374,53 @@ static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof, * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS) */ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody, - u_int16_t msg_type, - internal_addr_t *ia, + u_int16_t msg_type, linked_list_t *ca_list, u_int16_t ap_id) { u_char *r_hash_start, *r_hashval; + struct isakmp_mode_attr attrh; + struct isakmp_attribute attr; + pb_stream strattr,attrval; + enumerator_t *enumerator; + modecfg_attribute_t *ca; START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR); - /* ATTR out */ + attrh.isama_np = ISAKMP_NEXT_NONE; + attrh.isama_type = msg_type; + attrh.isama_identifier = ap_id; + + if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr)) { - struct isakmp_mode_attr attrh; - struct isakmp_attribute attr; - pb_stream strattr,attrval; - int attr_type, dns_attr_type, nbns_attr_type; - int dns_idx, nbns_idx; - bool dont_advance; - bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY; - bool is_unity_attr_set = ia->unity_attr_set != LEMPTY; - lset_t attr_set = ia->attr_set; - - attrh.isama_np = ISAKMP_NEXT_NONE; - attrh.isama_type = msg_type; - attrh.isama_identifier = ap_id; - - if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr)) + return STF_INTERNAL_ERROR; + } + + enumerator = ca_list->create_enumerator(ca_list); + while (enumerator->enumerate(enumerator, &ca)) + { + DBG(DBG_CONTROLMORE, + DBG_log("building %N attribute", configuration_attribute_type_names, ca->type) + ) + if (ca->is_tv) { - return STF_INTERNAL_ERROR; + attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TV; + attr.isaat_lv = ca->value.len; + out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval); } - attr_type = 0; - dns_idx = 0; - nbns_idx = 0; - - while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set) + else { - if (attr_set == LEMPTY) - { - if (is_xauth_attr_set) - { - attr_set = ia->xauth_attr_set; - attr_type = XAUTH_BASE; - is_xauth_attr_set = FALSE; - } - else - { - attr_set = ia->unity_attr_set; - attr_type = UNITY_BASE; - is_unity_attr_set = FALSE; - } - } - - dont_advance = FALSE; - - if (attr_set & 1) - { - const u_char *byte_ptr; - u_int len; - - /* ISAKMP attr out */ - if (attr_type == XAUTH_TYPE) - { - attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV; - attr.isaat_lv = ia->xauth_type; - } - else if (attr_type == XAUTH_STATUS) - { - attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV; - attr.isaat_lv = ia->xauth_status; - } - else if (attr_type == INTERNAL_IP4_DNS && !isanyaddr(&ia->dns[dns_idx])) - { - dns_attr_type = (addrtypeof(&ia->dns[dns_idx]) == AF_INET) ? - INTERNAL_IP4_DNS : INTERNAL_IP6_DNS; - attr.isaat_af_type = dns_attr_type | ISAKMP_ATTR_AF_TLV; - - } - else if (attr_type == INTERNAL_IP4_NBNS && !isanyaddr(&ia->nbns[nbns_idx])) - { - nbns_attr_type = (addrtypeof(&ia->nbns[nbns_idx]) == AF_INET) ? - INTERNAL_IP4_NBNS : INTERNAL_IP6_NBNS; - attr.isaat_af_type = nbns_attr_type | ISAKMP_ATTR_AF_TLV; - - } - else - { - attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV; - } - out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval); + char buf[BUF_LEN]; - switch (attr_type) - { - case INTERNAL_IP4_ADDRESS: - if (!isanyaddr(&ia->ipaddr)) - { - len = addrbytesptr(&ia->ipaddr, &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP4_addr"); - } - break; - case INTERNAL_IP4_NETMASK: - { - u_int mask; -#if 0 - char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe}; - int t,m=st->st_connection->that.host_addr.maskbit; - for (t=0; t<4; t++) - { - if (m < 8) - mask[t] = bits[m]; - else - mask[t] = 0xff; - m -= 8; - } -#endif - if (st->st_connection->spd.this.client.maskbits == 0) - { - mask = 0; - } - else - { - mask = 0xffffffff * 1; - out_raw(&mask, 4, &attrval, "IP4_mask"); - } - } - break; - case INTERNAL_IP4_SUBNET: - { - char mask[4]; - char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe}; - int t; - int m = st->st_connection->spd.this.client.maskbits; - - for (t = 0; t < 4; t++) - { - mask[t] = (m < 8) ? bits[m] : 0xff; - m -= 8; - if (m < 0) - { - m = 0; - } - } - len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP4_subnet"); - out_raw(mask, sizeof(mask), &attrval, "IP4_submsk"); - } - break; - case INTERNAL_IP4_DNS: - case INTERNAL_IP6_DNS: - if (!isanyaddr(&ia->dns[dns_idx])) - { - len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP_dns"); - } - if (dns_idx < DNS_SERVER_MAX && !isanyaddr(&ia->dns[dns_idx])) - { - dont_advance = TRUE; - } - break; - case INTERNAL_IP4_NBNS: - case INTERNAL_IP6_NBNS: - if (!isanyaddr(&ia->nbns[nbns_idx])) - { - len = addrbytesptr(&ia->nbns[nbns_idx++], &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP_nbns"); - } - if (nbns_idx < NBNS_SERVER_MAX && !isanyaddr(&ia->nbns[nbns_idx])) - { - dont_advance = TRUE; - } - break; - case XAUTH_TYPE: - break; - case XAUTH_USER_NAME: - if (ia->xauth_secret.user_name.ptr != NULL) - { - out_raw(ia->xauth_secret.user_name.ptr - , ia->xauth_secret.user_name.len - , &attrval, "xauth_user_name"); - } - break; - case XAUTH_USER_PASSWORD: - if (ia->xauth_secret.user_password.ptr != NULL) - { - out_raw(ia->xauth_secret.user_password.ptr - , ia->xauth_secret.user_password.len - , &attrval, "xauth_user_password"); - } - break; - case XAUTH_STATUS: - break; - case UNITY_BANNER: - if (ia->unity_banner != NULL) - { - out_raw(ia->unity_banner - , strlen(ia->unity_banner) - , &attrval, "UNITY_BANNER"); - } - break; - default: - plog("attempt to send unsupported mode cfg attribute %s." - , enum_show(&modecfg_attr_names, attr_type)); - break; - } - close_output_pbs(&attrval); - } - if (!dont_advance) - { - attr_type++; - attr_set >>= 1; - } + attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TLV; + out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval); + snprintf(buf, BUF_LEN, "%N", configuration_attribute_type_names, ca->type); + out_raw(ca->value.ptr, ca->value.len, &attrval, buf); } - close_message(&strattr); + close_output_pbs(&attrval); } - + enumerator->destroy(enumerator); + close_message(&strattr); + modecfg_hash(r_hashval, r_hash_start, rbody->cur, st); close_message(rbody); encrypt_message(rbody, st); @@ -529,7 +431,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody, * Send ModeCfg message */ static stf_status modecfg_send_msg(struct state *st, int isama_type, - internal_addr_t *ia) + linked_list_t *ca_list) { pb_stream msg; pb_stream rbody; @@ -561,12 +463,8 @@ static stf_status modecfg_send_msg(struct state *st, int isama_type, } } - /* ATTR out */ - modecfg_build_msg(st, &rbody - , isama_type - , ia - , 0 /* XXX isama_id */ - ); + /* ATTR out with isama_id of 0 */ + modecfg_build_msg(st, &rbody, isama_type, ca_list, 0); free(st->st_tpacket.ptr); st->st_tpacket = chunk_create(msg.start, pbs_offset(&msg)); @@ -586,221 +484,157 @@ static stf_status modecfg_send_msg(struct state *st, int isama_type, /** * Parse a ModeCfg attribute payload */ -static stf_status modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia) +static stf_status modecfg_parse_attributes(pb_stream *attrs, linked_list_t *ca_list) { struct isakmp_attribute attr; pb_stream strattr; - err_t ugh; - char buf[BUF_LEN]; - int dns_idx = 0; - int nbns_idx = 0; + u_int16_t attr_type; + u_int16_t attr_len; + chunk_t attr_chunk; + modecfg_attribute_t *ca; while (pbs_left(attrs) >= sizeof(struct isakmp_attribute)) { - u_int16_t attr_type; - u_int16_t attr_len; - if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr)) { return STF_FAIL; } attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK; attr_len = attr.isaat_lv; + DBG(DBG_CONTROLMORE, + DBG_log("processing %N attribute", + configuration_attribute_type_names, attr_type) + ) switch (attr_type) { - case INTERNAL_IP4_ADDRESS: - if (attr_len == 4) - { - ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr); - if (ugh != NULL) - { - plog("received invalid virtual IPv4 address: %s", ugh); - } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP4_DNS: - if (attr_len == 4 && dns_idx < DNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->dns[dns_idx]); - if (ugh != NULL) - { - plog("received invalid IPv4 DNS server address: %s", ugh); - } - else - { - addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN); - plog("received IPv4 DNS server address %s", buf); - dns_idx++; - } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP4_NBNS: - if (attr_len == 4 && nbns_idx < NBNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->nbns[nbns_idx]); - if (ugh != NULL) + case INTERNAL_IP4_ADDRESS: + case INTERNAL_IP4_NETMASK: + case INTERNAL_IP4_DNS: + case INTERNAL_IP4_NBNS: + case INTERNAL_ADDRESS_EXPIRY: + case INTERNAL_IP4_DHCP: + if (attr_len != 4 && attr_len != 0) { - plog("received invalid IPv4 NBNS server address: %s", ugh); + goto error; } - else + break; + case INTERNAL_IP4_SUBNET: + if (attr_len != 8 && attr_len != 0) { - addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN); - plog("received IPv4 NBNS server address %s", buf); - nbns_idx++; + goto error; } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP6_DNS: - if (attr_len == 16 && dns_idx < DNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->dns[dns_idx]); - if (ugh != NULL) + break; + case INTERNAL_IP6_NETMASK: + case INTERNAL_IP6_DNS: + case INTERNAL_IP6_NBNS: + case INTERNAL_IP6_DHCP: + if (attr_len != 16 && attr_len != 0) { - plog("received invalid IPv6 DNS server address: %s", ugh); + goto error; } - else + break; + case INTERNAL_IP6_ADDRESS: + if (attr_len != 17 && attr_len != 16 && attr_len != 0) { - addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN); - plog("received IPv6 DNS server address %s", buf); - dns_idx++; + goto error; } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP6_NBNS: - if (attr_len == 16 && nbns_idx < NBNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->nbns[nbns_idx]); - if (ugh != NULL) + break; + case INTERNAL_IP6_SUBNET: + if (attr_len != 17 && attr_len != 0) { - plog("received invalid IPv6 NBNS server address: %s", ugh); + goto error; } - else + break; + case SUPPORTED_ATTRIBUTES: + if (attr_len % 2) { - addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN); - plog("received IPv6 NBNS server address %s", buf); - nbns_idx++; + goto error; } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP4_NETMASK: - case INTERNAL_IP4_SUBNET: - case INTERNAL_ADDRESS_EXPIRY: - case INTERNAL_IP4_DHCP: - case INTERNAL_IP6_ADDRESS: - case INTERNAL_IP6_NETMASK: - case INTERNAL_IP6_DHCP: - case SUPPORTED_ATTRIBUTES: - case INTERNAL_IP6_SUBNET: - ia->attr_set |= LELEM(attr_type); - break; - case APPLICATION_VERSION: - if (attr_len > 0) - { - DBG(DBG_PARSING, - DBG_log(" '%.*s'", attr_len, strattr.cur) - ) - } - ia->attr_set |= LELEM(attr_type); - break; - case XAUTH_TYPE: - ia->xauth_type = attr.isaat_lv; - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_USER_NAME: - ia->xauth_secret.user_name = chunk_create(strattr.cur, attr_len); - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_USER_PASSWORD: - ia->xauth_secret.user_password = chunk_create(strattr.cur, attr_len); - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_STATUS: - ia->xauth_status = attr.isaat_lv; - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_MESSAGE: - if (attr_len > 0) - { - DBG(DBG_PARSING, - DBG_log(" '%.*s'", attr_len, strattr.cur) - ) - } - /* fall through to set attribute flag */ - case XAUTH_PASSCODE: - case XAUTH_CHALLENGE: - case XAUTH_DOMAIN: - case XAUTH_NEXT_PIN: - case XAUTH_ANSWER: - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case UNITY_DDNS_HOSTNAME: - if (attr_len > 0) - { - DBG(DBG_PARSING, - DBG_log(" '%.*s'", attr_len, strattr.cur) - ) - } - /* fall through to set attribute flag */ - case UNITY_BANNER: - case UNITY_SAVE_PASSWD: - case UNITY_DEF_DOMAIN: - case UNITY_SPLITDNS_NAME: - case UNITY_SPLIT_INCLUDE: - case UNITY_NATT_PORT: - case UNITY_LOCAL_LAN: - case UNITY_PFS: - case UNITY_FW_TYPE: - case UNITY_BACKUP_SERVERS: - ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE); - break; - default: - plog("unsupported ModeCfg attribute %s received." - , enum_show(&modecfg_attr_names, attr_type)); - break; + break; + case APPLICATION_VERSION: + break; + /* XAUTH attributes */ + case XAUTH_TYPE: + case XAUTH_STATUS: + case XAUTH_USER_NAME: + case XAUTH_USER_PASSWORD: + case XAUTH_PASSCODE: + case XAUTH_MESSAGE: + case XAUTH_CHALLENGE: + case XAUTH_DOMAIN: + case XAUTH_NEXT_PIN: + case XAUTH_ANSWER: + break; + /* Microsoft attributes */ + case INTERNAL_IP4_SERVER: + case INTERNAL_IP6_SERVER: + break; + /* Cisco Unity attributes */ + case UNITY_BANNER: + case UNITY_SAVE_PASSWD: + case UNITY_DEF_DOMAIN: + case UNITY_SPLITDNS_NAME: + case UNITY_SPLIT_INCLUDE: + case UNITY_NATT_PORT: + case UNITY_LOCAL_LAN: + case UNITY_PFS: + case UNITY_FW_TYPE: + case UNITY_BACKUP_SERVERS: + case UNITY_DDNS_HOSTNAME: + break; + default: + plog("unknown attribute type (%u)", attr_type); + continue; } + + /* add attribute */ + if (attr.isaat_af_type & ISAKMP_ATTR_AF_TV) + { + ca = modecfg_attribute_create_tv(attr_type, attr_len); + } + else + { + attr_chunk = chunk_create(strattr.cur, attr_len); + ca = modecfg_attribute_create(attr_type, attr_chunk); + } + ca_list->insert_last(ca_list, ca); } return STF_OK; + +error: + plog("%N attribute has invalid size of %u octets", + configuration_attribute_type_names, attr_type, attr_len); + return STF_FAIL; } /** * Parse a ModeCfg message */ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type, - u_int16_t *isama_id, internal_addr_t *ia) + u_int16_t *isama_id, linked_list_t *ca_list) { + modecfg_attribute_t *ca; struct state *const st = md->st; struct payload_digest *p; stf_status stat; st->st_msgid = md->hdr.isa_msgid; - CHECK_QUICK_HASH(md, modecfg_hash(hash_val - , hash_pbs->roof - , md->message_pbs.roof, st) - , "MODECFG-HASH", "ISAKMP_CFG_MSG"); + CHECK_QUICK_HASH(md, modecfg_hash(hash_val, hash_pbs->roof, + md->message_pbs.roof, st), "MODECFG-HASH", "ISAKMP_CFG_MSG"); /* process the ModeCfg payloads received */ for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next) { - internal_addr_t ia_candidate; - - init_internal_addr(&ia_candidate); - if (p->payload.attribute.isama_type == isama_type) { *isama_id = p->payload.attribute.isama_identifier; - stat = modecfg_parse_attributes(&p->pbs, &ia_candidate); + stat = modecfg_parse_attributes(&p->pbs, ca_list); if (stat == STF_OK) { /* return with a valid set of attributes */ - *ia = ia_candidate; return STF_OK; } } @@ -810,34 +644,61 @@ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type, , enum_name(&attr_msg_type_names, isama_type) , enum_name(&attr_msg_type_names, p->payload.attribute.isama_type)); - stat = modecfg_parse_attributes(&p->pbs, &ia_candidate); + stat = modecfg_parse_attributes(&p->pbs, ca_list); } + + /* abort if a parsing error occurred */ if (stat != STF_OK) { + ca_list->destroy_function(ca_list, (void*)modecfg_attribute_destroy); return stat; } + + /* discard the parsed attributes and look for another payload */ + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) {} } return STF_IGNORE; } /** - * Send ModeCfg request message from client to server in pull mode + * Used in ModeCfg pull mode on the client (initiator) + * called in demux.c + * client -> CFG_REQUEST + * STF_OK transitions to STATE_MODE_CFG_I1 */ stf_status modecfg_send_request(struct state *st) { connection_t *c = st->st_connection; stf_status stat; - internal_addr_t ia; - - init_internal_addr(&ia); - - ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS) - | LELEM(INTERNAL_IP4_NETMASK); - ia.ipaddr = c->spd.this.host_srcip; + modecfg_attribute_t *ca; + enumerator_t *enumerator; + int family; + chunk_t value; + host_t *vip; + linked_list_t *ca_list = linked_list_create(); + + vip = c->spd.this.host_srcip; + value = vip->is_anyaddr(vip) ? chunk_empty : vip->get_address(vip); + family = vip->get_family(vip); + ca = modecfg_attribute_create((family == AF_INET) ? + INTERNAL_IP4_ADDRESS : INTERNAL_IP6_ADDRESS, + value); + ca_list->insert_last(ca_list, ca); + + register_attribute_handlers(c); + enumerator = c->requested->create_enumerator(c->requested); + while (enumerator->enumerate(enumerator, &ca)) + { + ca = modecfg_attribute_create(ca->type, chunk_empty); + ca_list->insert_last(ca_list, ca); + } + enumerator->destroy(enumerator); plog("sending ModeCfg request"); + st->st_state = STATE_MODE_CFG_I1; - stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia); + stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat == STF_OK) { st->st_modecfg.started = TRUE; @@ -845,53 +706,37 @@ stf_status modecfg_send_request(struct state *st) return stat; } -/* STATE_MODE_CFG_R0: - * HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP) - * - * used in ModeCfg pull mode, on the server (responder) +/** + * Used in ModeCfg pull mode on the server (responder) + * called in demux.c from STATE_MODE_CFG_R0 + * server <- CFG_REQUEST + * server -> CFG_REPLY + * STF_OK transitions to STATE_MODE_CFG_R0 */ stf_status modecfg_inR0(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; - bool want_unity_banner; stf_status stat, stat_build; - host_t *requested_vip; + linked_list_t *ca_list = linked_list_create(); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia); + plog("parsing ModeCfg request"); + + stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - if (ia.attr_set & LELEM(INTERNAL_IP4_ADDRESS)) - { - requested_vip = host_create_from_sockaddr((sockaddr_t*)&ia.ipaddr); - } - else - { - requested_vip = host_create_any(AF_INET); - } - plog("peer requested virtual IP %H", requested_vip); - - want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY; - init_internal_addr(&ia); - get_internal_addr(st->st_connection, requested_vip, &ia); - requested_vip->destroy(requested_vip); - - if (want_unity_banner) - { - ia.unity_banner = UNITY_BANNER_STR; - ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE); - } + /* build the CFG_REPLY */ + get_attributes(st->st_connection, ca_list); plog("sending ModeCfg reply"); - stat_build = modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_REPLY - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY, + ca_list, isama_id); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); + if (stat_build != STF_OK) { return stat_build; @@ -900,53 +745,50 @@ stf_status modecfg_inR0(struct msg_digest *md) return STF_OK; } -/* STATE_MODE_CFG_I1: - * HDR*, HASH, ATTR(REPLY=IP) - * - * used in ModeCfg pull mode, on the client (initiator) +/** + * Used in ModeCfg pull mode on the client (initiator) + * called in demux.c from STATE_MODE_CFG_I1 + * client <- CFG_REPLY + * STF_OK transitions to STATE_MODE_CFG_I2 */ stf_status modecfg_inI1(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat; + linked_list_t *ca_list = linked_list_create(); plog("parsing ModeCfg reply"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia); + st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list); st->st_msgid = 0; + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); return STF_OK; } - /** - * Send ModeCfg set message from server to client in push mode + * Used in ModeCfg push mode on the server (responder) + * called in demux.c + * server -> CFG_SET + * STF_OK transitions to STATE_MODE_CFG_R3 */ stf_status modecfg_send_set(struct state *st) { stf_status stat; - internal_addr_t ia; - host_t *vip; + linked_list_t *ca_list = linked_list_create(); - init_internal_addr(&ia); - vip = host_create_any(AF_INET); - get_internal_addr(st->st_connection, vip, &ia); - vip->destroy(vip); -#ifdef CISCO_QUIRKS - ia.unity_banner = UNITY_BANNER_STR; - ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE); -#endif + plog("sending ModeCfg set"); - plog("sending ModeCfg set"); + get_attributes(st->st_connection, ca_list); st->st_state = STATE_MODE_CFG_R3; - stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia); + stat = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat == STF_OK) { st->st_modecfg.started = TRUE; @@ -954,41 +796,64 @@ stf_status modecfg_send_set(struct state *st) return stat; } -/* STATE_MODE_CFG_I0: - * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK) - * - * used in ModeCfg push mode, on the client (initiator). +/** + * Used in ModeCfg push mode on the client (initiator) + * called in demux.c from STATE_MODE_CFG_I0 + * client <- CFG_SET + * client -> CFG_ACK + * STF_OK transitions to STATE_MODE_CFG_I3 */ stf_status modecfg_inI0(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; - lset_t attr_set, unity_attr_set; stf_status stat, stat_build; + modecfg_attribute_t *ca; + linked_list_t *ca_list, *ca_ack_list; plog("parsing ModeCfg set"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia); + ca_list = linked_list_create(); + stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia); + register_attribute_handlers(st->st_connection); + st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list); /* prepare ModeCfg ack which sends zero length attributes */ - attr_set = ia.attr_set; - unity_attr_set = ia.unity_attr_set; - init_internal_addr(&ia); - ia.attr_set = attr_set & SUPPORTED_ATTR_SET; - ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET; + ca_ack_list = linked_list_create(); + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) + { + switch (ca->type) + { + case INTERNAL_IP4_ADDRESS: + case INTERNAL_IP4_DNS: + case INTERNAL_IP4_NBNS: + case APPLICATION_VERSION: + case INTERNAL_IP6_ADDRESS: + case INTERNAL_IP6_DNS: + case INTERNAL_IP6_NBNS: +#ifdef CISCO_QUIRKS + case UNITY_BANNER: +#endif + /* supported attributes */ + ca->value.len = 0; + ca_ack_list->insert_last(ca_ack_list, ca); + break; + default: + /* unsupportd attributes */ + modecfg_attribute_destroy(ca); + } + } + ca_list->destroy(ca_list); plog("sending ModeCfg ack"); - stat_build = modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_ACK - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK, + ca_ack_list, isama_id); + ca_ack_list->destroy_function(ca_ack_list, (void *)modecfg_attribute_destroy); if (stat_build != STF_OK) { return stat_build; @@ -997,21 +862,23 @@ stf_status modecfg_inI0(struct msg_digest *md) return STF_OK; } -/* STATE_MODE_CFG_R3: - * HDR*, HASH, ATTR(ACK,OK) - * - * used in ModeCfg push mode, on the server (responder) +/** + * Used in ModeCfg push mode on the server (responder) + * called in demux.c from STATE_MODE_CFG_R3 + * server <- CFG_ACK + * STF_OK transitions to STATE_MODE_CFG_R4 */ stf_status modecfg_inR3(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat; + linked_list_t *ca_list = linked_list_create(); plog("parsing ModeCfg ack"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat != STF_OK) { return stat; @@ -1021,20 +888,26 @@ stf_status modecfg_inR3(struct msg_digest *md) } /** - * Send XAUTH credentials request (username + password) + * Used on the XAUTH server (responder) + * called in demux.c + * server -> CFG_REQUEST + * STF_OK transitions to STATE_XAUTH_R1 */ stf_status xauth_send_request(struct state *st) { stf_status stat; - internal_addr_t ia; + modecfg_attribute_t *ca; + linked_list_t *ca_list = linked_list_create(); - init_internal_addr(&ia); - ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE) - | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE); + ca = modecfg_attribute_create(XAUTH_USER_NAME, chunk_empty); + ca_list->insert_last(ca_list, ca); + ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, chunk_empty); + ca_list->insert_last(ca_list, ca); plog("sending XAUTH request"); st->st_state = STATE_XAUTH_R1; - stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia); + stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat == STF_OK) { st->st_xauth.started = TRUE; @@ -1042,53 +915,87 @@ stf_status xauth_send_request(struct state *st) return stat; } -/* STATE_XAUTH_I0: - * HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) - * - * used on the XAUTH client (initiator) +/** + * Used on the XAUTH client (initiator) + * called in demux.c from STATE_XAUTH_I0 + * client <- CFG_REQUEST + * client -> CFG_REPLY + * STF_OK transitions to STATE_XAUTH_I1 */ stf_status xauth_inI0(struct msg_digest *md) { struct state *const st = md->st; + connection_t *c = st->st_connection; u_int16_t isama_id; - internal_addr_t ia; stf_status stat, stat_build; - bool xauth_type_present; + modecfg_attribute_t *ca; + bool xauth_user_name_present = FALSE; + bool xauth_user_password_present = FALSE; + bool xauth_type_present = FALSE; + chunk_t xauth_user_name, xauth_user_password; + identification_t *user_id; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH request"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - /* check XAUTH attributes */ - xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY; - - if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC) + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) { - plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type)); - stat = STF_FAIL; + switch (ca->type) + { + case XAUTH_TYPE: + if (ca->value.len != XAUTH_TYPE_GENERIC) + { + plog("xauth type %s is not supported", + enum_name(&xauth_type_names, ca->value.len)); + stat = STF_FAIL; + } + else + { + xauth_type_present = TRUE; + } + break; + case XAUTH_USER_NAME: + xauth_user_name_present = TRUE; + break; + case XAUTH_USER_PASSWORD: + xauth_user_password_present = TRUE; + break; + case XAUTH_MESSAGE: + if (ca->value.len) + { + DBG(DBG_PARSING | DBG_CONTROLMORE, + DBG_log(" '%.*s'", ca->value.len, ca->value.ptr) + ) + } + break; + default: + break; + } + modecfg_attribute_destroy(ca); } - else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY) + + if (!xauth_user_name_present) { plog("user name attribute is missing in XAUTH request"); stat = STF_FAIL; } - else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY) + if (!xauth_user_password_present) { plog("user password attribute is missing in XAUTH request"); stat = STF_FAIL; } /* prepare XAUTH reply */ - init_internal_addr(&ia); - if (stat == STF_OK) { /* get user credentials using a plugin function */ - if (!xauth_module.get_secret(&ia.xauth_secret)) + if (!pluto->xauth->get_secret(pluto->xauth, c, &xauth_user_password)) { plog("xauth user credentials not found"); stat = STF_FAIL; @@ -1096,35 +1003,42 @@ stf_status xauth_inI0(struct msg_digest *md) } if (stat == STF_OK) { + /* insert xauth type if present */ + if (xauth_type_present) + { + ca = modecfg_attribute_create_tv(XAUTH_TYPE, XAUTH_TYPE_GENERIC); + ca_list->insert_last(ca_list, ca); + } + + /* insert xauth user name */ + user_id = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id; + xauth_user_name = user_id->get_encoding(user_id); DBG(DBG_CONTROL, - DBG_log("my xauth user name is '%.*s'" - , ia.xauth_secret.user_name.len - , ia.xauth_secret.user_name.ptr) + DBG_log("my xauth user name is '%.*s'", xauth_user_name.len, + xauth_user_name.ptr) ) + ca = modecfg_attribute_create(XAUTH_USER_NAME, xauth_user_name); + ca_list->insert_last(ca_list, ca); + + /* insert xauth user password */ DBG(DBG_PRIVATE, - DBG_log("my xauth user password is '%.*s'" - , ia.xauth_secret.user_password.len - , ia.xauth_secret.user_password.ptr) + DBG_log("my xauth user password is '%.*s'", xauth_user_password.len, + xauth_user_password.ptr) ) - ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE) - | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE); - if (xauth_type_present) - { - ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE); - } + ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, xauth_user_password); + ca_list->insert_last(ca_list, ca); + chunk_clear(&xauth_user_password); } else { - ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE); - ia.xauth_status = XAUTH_STATUS_FAIL; + ca = modecfg_attribute_create_tv(XAUTH_STATUS, XAUTH_STATUS_FAIL); + ca_list->insert_last(ca_list, ca); } plog("sending XAUTH reply"); - - stat_build = modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_REPLY - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY, + ca_list, isama_id); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat_build != STF_OK) { return stat_build; @@ -1147,79 +1061,105 @@ stf_status xauth_inI0(struct msg_digest *md) } } -/* STATE_XAUTH_R1: - * HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) --> HDR*, HASH, ATTR(STATUS) - * - * used on the XAUTH server (responder) +/** + * Used on the XAUTH server (responder) + * called in demux.c from STATE_XAUTH_R1 + server <- CFG_REPLY + server -> CFG_SET + STF_OK transitions to STATE_XAUTH_R2 */ stf_status xauth_inR1(struct msg_digest *md) { struct state *const st = md->st; + connection_t *c = st->st_connection; u_int16_t isama_id; - internal_addr_t ia; stf_status stat, stat_build; + chunk_t xauth_user_name, xauth_user_password; + int xauth_status = XAUTH_STATUS_OK; + modecfg_attribute_t *ca; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH reply"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list); if (stat != STF_OK) { return stat; } + /* initialize xauth_secret */ + xauth_user_name = chunk_empty; + xauth_user_password = chunk_empty; + + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) + { + switch (ca->type) + { + case XAUTH_STATUS: + xauth_status = ca->value.len; + break; + case XAUTH_USER_NAME: + xauth_user_name = chunk_clone(ca->value); + break; + case XAUTH_USER_PASSWORD: + xauth_user_password = chunk_clone(ca->value); + break; + default: + break; + } + modecfg_attribute_destroy(ca); + } /* did the client return an XAUTH FAIL status? */ - if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY) + if (xauth_status == XAUTH_STATUS_FAIL) { plog("received FAIL status in XAUTH reply"); /* client is not able to do XAUTH, delete ISAKMP SA */ + free(xauth_user_name.ptr); + free(xauth_user_password.ptr); delete_state(st); + ca_list->destroy(ca_list); return STF_IGNORE; } /* check XAUTH reply */ - if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY) + if (xauth_user_name.ptr == NULL) { plog("user name attribute is missing in XAUTH reply"); st->st_xauth.status = FALSE; } - else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY) + else if (xauth_user_password.ptr == NULL) { plog("user password attribute is missing in XAUTH reply"); st->st_xauth.status = FALSE; } else { - xauth_peer_t peer; - - peer.conn_name = st->st_connection->name; - addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address)); - snprintf(peer.id, sizeof(peer.id), "%Y", - md->st->st_connection->spd.that.id); - DBG(DBG_CONTROL, - DBG_log("peer xauth user name is '%.*s'" - , ia.xauth_secret.user_name.len - , ia.xauth_secret.user_name.ptr) + DBG_log("peer xauth user name is '%.*s'", xauth_user_name.len, + xauth_user_name.ptr) ) + DESTROY_IF(c->xauth_identity); + c->xauth_identity = identification_create_from_data(xauth_user_name); + DBG(DBG_PRIVATE, - DBG_log("peer xauth user password is '%.*s'" - , ia.xauth_secret.user_password.len - , ia.xauth_secret.user_password.ptr) + DBG_log("peer xauth user password is '%.*s'", xauth_user_password.len, + xauth_user_password.ptr) ) /* verify the user credentials using a plugin function */ - st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret); + st->st_xauth.status = pluto->xauth->verify_secret(pluto->xauth, c, + xauth_user_password); plog("extended authentication %s", st->st_xauth.status? "was successful":"failed"); } - - /* prepare XAUTH set which sends the authentication status */ - init_internal_addr(&ia); - ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE); - ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL; - - plog("sending XAUTH status:"); - - stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia); + chunk_clear(&xauth_user_name); + chunk_clear(&xauth_user_password); + + plog("sending XAUTH status"); + xauth_status = (st->st_xauth.status) ? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL; + ca = modecfg_attribute_create_tv(XAUTH_STATUS, xauth_status); + ca_list->insert_last(ca_list, ca); + stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat_build != STF_OK) { return stat_build; @@ -1227,20 +1167,23 @@ stf_status xauth_inR1(struct msg_digest *md) return STF_OK; } -/* STATE_XAUTH_I1: - * HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK) - * - * used on the XAUTH client (initiator) +/** + * Used on the XAUTH client (initiator) + * called in demux.c from STATE_XAUTH_I1 + * client <- CFG_SET + * client -> CFG_ACK + * STF_OK transitions to STATE_XAUTH_I2 */ stf_status xauth_inI1(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat, stat_build; + modecfg_attribute_t *ca; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH status"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list); if (stat != STF_OK) { /* notification payload - not exactly the right choice, but okay */ @@ -1248,15 +1191,21 @@ stf_status xauth_inI1(struct msg_digest *md) return stat; } - st->st_xauth.status = ia.xauth_status; + st->st_xauth.status = FALSE; + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) + { + if (ca->type == XAUTH_STATUS) + { + st->st_xauth.status = (ca->value.len == XAUTH_STATUS_OK); + } + modecfg_attribute_destroy(ca); + } plog("extended authentication %s", st->st_xauth.status? "was successful":"failed"); plog("sending XAUTH ack"); - init_internal_addr(&ia); - stat_build = modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_ACK - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK, ca_list, isama_id); + ca_list->destroy(ca_list); + if (stat_build != STF_OK) { return stat_build; @@ -1278,25 +1227,27 @@ stf_status xauth_inI1(struct msg_digest *md) } } -/* STATE_XAUTH_R2: - * HDR*, ATTR(STATUS), HASH --> Done - * - * used on the XAUTH server (responder) +/** + * Used on the XAUTH server (responder) + * called in demux.c from STATE_XAUTH_R2 + * server <- CFG_ACK + * STF_OK transitions to STATE_XAUTH_R3 */ stf_status xauth_inR2(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH ack"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list); if (stat != STF_OK) { return stat; } + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); st->st_msgid = 0; if (st->st_xauth.status) { @@ -1307,4 +1258,5 @@ stf_status xauth_inR2(struct msg_digest *md) delete_state(st); return STF_IGNORE; } + } diff --git a/src/pluto/modecfg.h b/src/pluto/modecfg.h index bc1443012..7adf18682 100644 --- a/src/pluto/modecfg.h +++ b/src/pluto/modecfg.h @@ -16,8 +16,41 @@ #ifndef _MODECFG_H #define _MODECFG_H -struct state; -struct msg_digest; +#include <chunk.h> +#include <attributes/attribute_handler.h> + +#include "state.h" +#include "demux.h" + +typedef struct modecfg_attribute_t modecfg_attribute_t; + +/** + * Defines a modecfg_attribute_t object. + */ +struct modecfg_attribute_t { + /** + * Type of the attribute. + */ + u_int16_t type; + + /** + * Attribute is coded as TV + */ + bool is_tv; + + /** + * Attribute value as chunk. + */ + chunk_t value; + + /** + * Attribute handler. + */ + attribute_handler_t *handler; +}; + +/* Destroys a modecfg_attribute_t object */ +extern void modecfg_attribute_destroy(modecfg_attribute_t *this); /* ModeConfig pull mode start function */ extern stf_status modecfg_send_request(struct state *st); diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index b1f558ebf..8a351be6d 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -621,7 +621,7 @@ void list_ocsp_locations(ocsp_location_t *location, bool requests, } else { - whack_log(RC_COMMENT, " serial: %#B, %s, until %T %s", + whack_log(RC_COMMENT, " serial: %#B, %s, until %T %s", &certinfo->serialNumber, cert_status_names[certinfo->status], &certinfo->nextUpdate, utc, @@ -767,7 +767,7 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc) */ static chunk_t build_signature(chunk_t tbsRequest) { - chunk_t sigdata, cert, certs; + chunk_t sigdata, cert, certs = chunk_empty; if (ocsp_requestor_sc) { @@ -786,10 +786,12 @@ static chunk_t build_signature(chunk_t tbsRequest) } /* include our certificate */ - cert = ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert); - certs = asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_SEQUENCE, "m", cert)); - + if (ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert, + CERT_ASN1_DER, &cert)) + { + certs = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_SEQUENCE, "m", cert)); + } /* build signature comprising algorithm, signature and cert */ return asn1_wrap(ASN1_CONTEXT_C_0, "m" , asn1_wrap(ASN1_SEQUENCE, "mmm" @@ -1013,7 +1015,7 @@ static bool valid_ocsp_response(response_t *res) { plog("certificate is invalid (valid from %T to %T)", ¬_before, FALSE, ¬_after, FALSE); - + unlock_authcert_list("valid_ocsp_response"); return FALSE; } @@ -1154,7 +1156,7 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res) break; } x509 = (x509_t*)cert->cert; - + if ((x509->get_flags(x509) & X509_OCSP_SIGNER) && trust_authcert_candidate(cert, NULL)) { diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c index b24ef1a8c..c0fd041a7 100644 --- a/src/pluto/pkcs7.c +++ b/src/pluto/pkcs7.c @@ -591,7 +591,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes, contentInfo_t pkcs7Data, signedData; chunk_t authenticatedAttributes = chunk_empty; chunk_t encryptedDigest = chunk_empty; - chunk_t signerInfo, cInfo, signature; + chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;; signature_scheme_t scheme = signature_scheme_from_oid(digest_alg); if (attributes.ptr) @@ -622,12 +622,13 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes, pkcs7Data.content = (data.ptr == NULL)? chunk_empty : asn1_simple_object(ASN1_OCTET_STRING, data); + cert->get_encoding(cert, CERT_ASN1_DER, &encoding); signedData.type = OID_PKCS7_SIGNED_DATA; signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm" , ASN1_INTEGER_1 , asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_alg)) , pkcs7_build_contentInfo(&pkcs7Data) - , asn1_wrap(ASN1_CONTEXT_C_0, "m", cert->get_encoding(cert)) + , asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding) , asn1_wrap(ASN1_SET, "m", signerInfo)); cInfo = pkcs7_build_contentInfo(&signedData); diff --git a/src/pluto/plugins/xauth/Makefile.am b/src/pluto/plugins/xauth/Makefile.am new file mode 100644 index 000000000..354325b35 --- /dev/null +++ b/src/pluto/plugins/xauth/Makefile.am @@ -0,0 +1,15 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \ + -I$(top_srcdir)/src/pluto + +AM_CFLAGS = -rdynamic + +plugin_LTLIBRARIES = libstrongswan-xauth.la + +libstrongswan_xauth_la_SOURCES = \ + xauth_plugin.h xauth_plugin.c \ + xauth_default_provider.c xauth_default_provider.h \ + xauth_default_verifier.c xauth_default_verifier.h + +libstrongswan_xauth_la_LDFLAGS = -module -avoid-version diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in new file mode 100644 index 000000000..13749e5af --- /dev/null +++ b/src/pluto/plugins/xauth/Makefile.in @@ -0,0 +1,577 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/pluto/plugins/xauth +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(plugin_LTLIBRARIES) +libstrongswan_xauth_la_LIBADD = +am_libstrongswan_xauth_la_OBJECTS = xauth_plugin.lo \ + xauth_default_provider.lo xauth_default_verifier.lo +libstrongswan_xauth_la_OBJECTS = $(am_libstrongswan_xauth_la_OBJECTS) +libstrongswan_xauth_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_xauth_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_xauth_la_SOURCES) +DIST_SOURCES = $(libstrongswan_xauth_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \ + -I$(top_srcdir)/src/pluto + +AM_CFLAGS = -rdynamic +plugin_LTLIBRARIES = libstrongswan-xauth.la +libstrongswan_xauth_la_SOURCES = \ + xauth_plugin.h xauth_plugin.c \ + xauth_default_provider.c xauth_default_provider.h \ + xauth_default_verifier.c xauth_default_verifier.h + +libstrongswan_xauth_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-xauth.la: $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_DEPENDENCIES) + $(libstrongswan_xauth_la_LINK) -rpath $(plugindir) $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_provider.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_verifier.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-pluginLTLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-pluginLTLIBRARIES \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/pluto/plugins/xauth/xauth_default_provider.c b/src/pluto/plugins/xauth/xauth_default_provider.c new file mode 100644 index 000000000..77c5facc4 --- /dev/null +++ b/src/pluto/plugins/xauth/xauth_default_provider.c @@ -0,0 +1,66 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <keys.h> + +#include "xauth_default_provider.h" + +typedef struct private_xauth_default_provider_t private_xauth_default_provider_t; + +/** + * private data of xauth_default_provider + */ +struct private_xauth_default_provider_t { + + /** + * public functions + */ + xauth_provider_t public; +}; + +METHOD(xauth_provider_t, get_secret, bool, + private_xauth_default_provider_t *this, connection_t *c, chunk_t *secret) +{ + identification_t *user, *server; + + server = c->spd.that.id; + user = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id; + + return get_xauth_secret(user, server, secret); +} + +METHOD(xauth_provider_t, destroy, void, + private_xauth_default_provider_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +xauth_provider_t *xauth_default_provider_create() +{ + private_xauth_default_provider_t *this; + + INIT(this, + .public = { + .get_secret = _get_secret, + .destroy = _destroy, + } + ); + + return &this->public; +} + diff --git a/src/pluto/plugins/xauth/xauth_default_provider.h b/src/pluto/plugins/xauth/xauth_default_provider.h new file mode 100644 index 000000000..ff1a91d16 --- /dev/null +++ b/src/pluto/plugins/xauth/xauth_default_provider.h @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_default_provider xauth_default_provider + * @{ @ingroup xauth + */ + +#ifndef XAUTH_DEFAULT_PROVIDER_H_ +#define XAUTH_DEFAULT_PROVIDER_H_ + +#include <xauth/xauth_provider.h> + + +/** + * Create an xauth_default_provider instance. + */ +xauth_provider_t *xauth_default_provider_create(); + +#endif /** XAUTH_DEFAULT_PROVIDER_H_ @}*/ + diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.c b/src/pluto/plugins/xauth/xauth_default_verifier.c new file mode 100644 index 000000000..776f77134 --- /dev/null +++ b/src/pluto/plugins/xauth/xauth_default_verifier.c @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <keys.h> + +#include "xauth_default_verifier.h" + +typedef struct private_xauth_default_verifier_t private_xauth_default_verifier_t; + +/** + * private data of xauth_default_verifier + */ +struct private_xauth_default_verifier_t { + + /** + * public functions + */ + xauth_verifier_t public; +}; + +METHOD(xauth_verifier_t, verify_secret, bool, + private_xauth_default_verifier_t *this, connection_t *c, chunk_t secret) +{ + identification_t *user, *server; + chunk_t xauth_secret; + bool success = FALSE; + + server = c->spd.this.id; + user = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id; + + if (get_xauth_secret(user, server, &xauth_secret)) + { + success = chunk_equals(secret, xauth_secret); + chunk_clear(&xauth_secret); + } + return success; +} + +METHOD(xauth_verifier_t, destroy, void, + private_xauth_default_verifier_t *this) +{ + free(this); +} + + +/* + * Described in header. + */ +xauth_verifier_t *xauth_default_verifier_create() +{ + private_xauth_default_verifier_t *this; + + INIT(this, + .public = { + .verify_secret = _verify_secret, + .destroy = _destroy, + } + ); + + return &this->public; +} + diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.h b/src/pluto/plugins/xauth/xauth_default_verifier.h new file mode 100644 index 000000000..e5814d7b4 --- /dev/null +++ b/src/pluto/plugins/xauth/xauth_default_verifier.h @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_default_verifier xauth_default_verifier + * @{ @ingroup xauth + */ + +#ifndef XAUTH_DEFAULT_VERIFIER_H_ +#define XAUTH_DEFAULT_VERIFIER_H_ + +#include <xauth/xauth_verifier.h> + + +/** + * Create an xauth_default_verifier instance. + */ +xauth_verifier_t *xauth_default_verifier_create(); + +#endif /** XAUTH_DEFAULT_VERIFIER_H_ @}*/ + diff --git a/src/pluto/plugins/xauth/xauth_plugin.c b/src/pluto/plugins/xauth/xauth_plugin.c new file mode 100644 index 000000000..74e16eacd --- /dev/null +++ b/src/pluto/plugins/xauth/xauth_plugin.c @@ -0,0 +1,43 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <pluto.h> + +#include "xauth_plugin.h" +#include "xauth_default_provider.h" +#include "xauth_default_verifier.h" +/** + * Implementation of plugin_t.destroy + */ +static void destroy(xauth_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *xauth_plugin_create() +{ + xauth_plugin_t *this = malloc_thing(xauth_plugin_t); + + this->plugin.destroy = (void(*)(plugin_t*))destroy; + + pluto->xauth->add_provider(pluto->xauth, xauth_default_provider_create()); + pluto->xauth->add_verifier(pluto->xauth, xauth_default_verifier_create()); + + return &this->plugin; +} + diff --git a/src/pluto/plugins/xauth/xauth_plugin.h b/src/pluto/plugins/xauth/xauth_plugin.h new file mode 100644 index 000000000..4f14828d2 --- /dev/null +++ b/src/pluto/plugins/xauth/xauth_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth xauth + * @ingroup pplugins + * + * @defgroup xauth_plugin xauth_plugin + * @{ @ingroup xauth + */ + +#ifndef XAUTH_PLUGIN_H_ +#define XAUTH_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct xauth_plugin_t xauth_plugin_t; + +/** + * XAUTH plugin + */ +struct xauth_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** XAUTH_PLUGIN_H_ @}*/ diff --git a/src/pluto/pluto.c b/src/pluto/pluto.c new file mode 100644 index 000000000..e9c7c316b --- /dev/null +++ b/src/pluto/pluto.c @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pluto.h" + +#include <debug.h> + +typedef struct private_pluto_t private_pluto_t; + +/** + * Private additions to pluto_t. + */ +struct private_pluto_t { + + /** + * Public members of pluto_t. + */ + pluto_t public; +}; + +/** + * Single instance of pluto_t. + */ +pluto_t *pluto; + +/** + * Described in header. + */ +void pluto_deinit() +{ + private_pluto_t *this = (private_pluto_t*)pluto; + this->public.xauth->destroy(this->public.xauth); + free(this); + pluto = NULL; +} + +/** + * Described in header. + */ +bool pluto_init(char *file) +{ + private_pluto_t *this; + + INIT(this, + .public = { + .xauth = xauth_manager_create(), + }, + ); + pluto = &this->public; + + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "pluto", file)) + { + DBG1(DBG_LIB, "integrity check of pluto failed"); + return FALSE; + } + return TRUE; +} + diff --git a/src/pluto/pluto.h b/src/pluto/pluto.h new file mode 100644 index 000000000..37e6e3f33 --- /dev/null +++ b/src/pluto/pluto.h @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pluto pluto + * + * @defgroup xauth xauth + * @ingroup pluto + * + * @defgroup pplugins plugins + * @ingroup pluto + * + * @addtogroup pluto + * @{ + */ + +#ifndef PLUTO_H_ +#define PLUTO_H_ + +typedef struct pluto_t pluto_t; + +#include <xauth/xauth_manager.h> + +#include <library.h> + +/** + * Pluto daemon support object. + */ +struct pluto_t { + + /** + * manager for payload attributes + */ + xauth_manager_t *xauth; +}; + +/** + * The single instance of pluto_t. + * + * Set between calls to pluto_init() and pluto_deinit() calls. + */ +extern pluto_t *pluto; + +/** + * Initialize pluto. + * + * @return FALSE if integrity check failed + */ +bool pluto_init(char *file); + +/** + * Deinitialize pluto. + */ +void pluto_deinit(void); + +#endif /** PLUTO_H_ @}*/ + diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index aa04594bc..89123bb8a 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -33,7 +33,9 @@ #include <grp.h> #ifdef CAPABILITIES +#ifdef HAVE_SYS_CAPABILITY_H #include <sys/capability.h> +#endif /* HAVE_SYS_CAPABILITY_H */ #endif /* CAPABILITIES */ #include <freeswan.h> @@ -68,7 +70,6 @@ #include "ocsp.h" #include "crl.h" #include "fetch.h" -#include "xauth.h" #include "crypto.h" #include "nat_traversal.h" #include "virtual.h" @@ -76,6 +77,7 @@ #include "vendor.h" #include "builder.h" #include "whack_attribute.h" +#include "pluto.h" static void usage(const char *mess) { @@ -258,7 +260,6 @@ int main(int argc, char **argv) char *virtual_private = NULL; int lockfd; #ifdef CAPABILITIES - cap_t caps; int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE }; #endif /* CAPABILITIES */ @@ -268,18 +269,18 @@ int main(int argc, char **argv) library_deinit(); exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); } - if (lib->integrity && - !lib->integrity->check_file(lib->integrity, "pluto", argv[0])) + if (!libhydra_init("pluto")) { - fprintf(stderr, "integrity check of pluto failed\n"); + libhydra_deinit(); library_deinit(); - exit(SS_RC_DAEMON_INTEGRITY); + exit(SS_RC_INITIALIZATION_FAILED); } - if (!libhydra_init("pluto")) + if (!pluto_init(argv[0])) { + pluto_deinit(); libhydra_deinit(); library_deinit(); - exit(SS_RC_INITIALIZATION_FAILED); + exit(SS_RC_DAEMON_INTEGRITY); } options = options_create(); @@ -677,7 +678,6 @@ int main(int argc, char **argv) init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf); init_virtual_ip(virtual_private); scx_init(pkcs11_module_path, pkcs11_init_args); - xauth_init(); init_states(); init_demux(); init_kernel(); @@ -717,18 +717,41 @@ int main(int argc, char **argv) } #endif -#ifdef CAPABILITIES - caps = cap_init(); - cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET); - cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET); - cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET); - if (cap_set_proc(caps) != 0) +#ifdef CAPABILITIES_LIBCAP + { + cap_t caps; + caps = cap_init(); + cap_set_flag(caps, CAP_EFFECTIVE, countof(keep), keep, CAP_SET); + cap_set_flag(caps, CAP_INHERITABLE, countof(keep), keep, CAP_SET); + cap_set_flag(caps, CAP_PERMITTED, countof(keep), keep, CAP_SET); + if (cap_set_proc(caps) != 0) + { + plog("unable to drop daemon capabilities"); + abort(); + } + cap_free(caps); + } +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE { - plog("unable to drop daemon capabilities"); - abort(); + struct __user_cap_data_struct caps = { .effective = 0 }; + struct __user_cap_header_struct header = { + .version = _LINUX_CAPABILITY_VERSION, + }; + int i; + for (i = 0; i < countof(keep); i++) + { + caps.effective |= 1 << keep[i]; + caps.permitted |= 1 << keep[i]; + caps.inheritable |= 1 << keep[i]; + } + if (capset(&header, &caps) != 0) + { + plog("unable to drop daemon capabilities"); + abort(); + } } - cap_free(caps); -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_NATIVE */ /* loading X.509 CA certificates */ load_authcerts("ca", CA_CERT_PATH, X509_CA); @@ -771,7 +794,6 @@ void exit_pluto(int status) free_ifaces(); ac_finalize(); /* free X.509 attribute certificates */ scx_finalize(); /* finalize and unload PKCS #11 module */ - xauth_finalize(); /* finalize and unload XAUTH module */ stop_adns(); free_md_pool(); free_crypto(); @@ -781,6 +803,7 @@ void exit_pluto(int status) free_builder(); delete_lock(); options->destroy(options); + pluto_deinit(); lib->plugins->unload(lib->plugins); libhydra_deinit(); library_deinit(); diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c index bf5ccb10c..c140095f0 100644 --- a/src/pluto/rcv_whack.c +++ b/src/pluto/rcv_whack.c @@ -329,6 +329,7 @@ void whack_handle(int whackctlfd) || !unpack_str(&msg.sc_data) /* string 26 */ || !unpack_str(&msg.whack_lease_ip) /* string 27 */ || !unpack_str(&msg.whack_lease_id) /* string 28 */ + || !unpack_str(&msg.xauth_identity) /* string 29 */ || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */ { ugh = "message from whack contains bad string"; diff --git a/src/pluto/state.h b/src/pluto/state.h index 35ffe5a5b..c4e8db485 100644 --- a/src/pluto/state.h +++ b/src/pluto/state.h @@ -14,6 +14,9 @@ * for more details. */ +#ifndef _STATE_H +#define _STATE_H + #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> @@ -270,3 +273,5 @@ extern void fmt_state(bool all, struct state *st, time_t n , char *state_buf, size_t state_buf_len , char *state_buf2, size_t state_buf_len2); extern void delete_states_by_peer(ip_address *peer); + +#endif /* _STATE_H */ diff --git a/src/pluto/x509.c b/src/pluto/x509.c index 0a29830ea..2b8681246 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c @@ -393,6 +393,10 @@ void list_x509cert_chain(const char *caption, cert_t* cert, { written = snprintf(pos, len, ", %Y", id); } + if (written < 0 || written >= len) + { + break; + } pos += written; len -= written; } @@ -427,11 +431,11 @@ void list_x509cert_chain(const char *caption, cert_t* cert, cert->smartcard ? ", on smartcard" : (has_private_key(cert)? ", has private key" : "")); - if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid)) { whack_log(RC_COMMENT, " keyid: %#B", &keyid); } - if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &subjkey)) + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &subjkey)) { whack_log(RC_COMMENT, " subjkey: %#B", &subjkey); } diff --git a/src/pluto/x509.h b/src/pluto/x509.h index e904618b3..3101724a6 100644 --- a/src/pluto/x509.h +++ b/src/pluto/x509.h @@ -26,6 +26,8 @@ #include "constants.h" #include "certs.h" +#define X509_MAX_PATH_LEN 7 + extern bool same_keyid(chunk_t a, chunk_t b); extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm, certificate_t *issuer_cert); diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c deleted file mode 100644 index 2086a92cc..000000000 --- a/src/pluto/xauth.c +++ /dev/null @@ -1,77 +0,0 @@ -/* Initialization and finalization of the dynamic XAUTH module - * Copyright (C) 2006 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <dlfcn.h> - -#include <freeswan.h> - -#include "constants.h" -#include "defs.h" -#include "xauth.h" -#include "keys.h" -#include "log.h" - -void -xauth_init(void) -{ -#ifdef XAUTH_DEFAULT_LIB - xauth_module.handle = dlopen(XAUTH_DEFAULT_LIB, RTLD_NOW); - - if (xauth_module.handle != NULL) - { - DBG(DBG_CONTROL, - DBG_log("xauth module '%s' loading'", XAUTH_DEFAULT_LIB) - ) - xauth_module.get_secret = (bool (*) (const xauth_t*)) - dlsym(xauth_module.handle, "get_secret"); - DBG(DBG_CONTROL, - if (xauth_module.get_secret != NULL) - { - DBG_log("xauth module: found get_secret() function"); - } - ) - xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*)) - dlsym(xauth_module.handle, "verify_secret"); - DBG(DBG_CONTROL, - if (xauth_module.verify_secret != NULL) - { - DBG_log("xauth module: found verify_secret() function"); - } - ) - } -#endif - /* any null function pointers will be filled in by default functions */ - xauth_defaults(); -} - -void -xauth_finalize(void) -{ -#ifdef XAUTH_DEFAULT_LIB - if (xauth_module.handle != NULL) - { - if (dlclose(xauth_module.handle)) - { - plog("failed to unload xauth module"); - } - else - { - DBG(DBG_CONTROL, - DBG_log("xauth module unloaded") - ) - } - } -#endif -} diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h deleted file mode 100644 index 23cae3ed8..000000000 --- a/src/pluto/xauth.h +++ /dev/null @@ -1,48 +0,0 @@ -/* Interface definition of the XAUTH server and|or client module - * Copyright (C) 2006 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _XAUTH_H -#define _XAUTH_H - -#include <freeswan.h> -#include "defs.h" - -/* XAUTH credentials */ - -struct chunk_t; - -typedef struct { - char *conn_name; - char id[BUF_LEN]; - char ip_address[ADDRTOT_BUF]; -} xauth_peer_t; - -typedef struct { - chunk_t user_name; - chunk_t user_password; -} xauth_t; - -typedef struct { - void *handle; - bool (*get_secret) (xauth_t *xauth_secret); - bool (*verify_secret) (const xauth_peer_t *peer, const xauth_t *xauth_secret); -} xauth_module_t; - -extern xauth_module_t xauth_module; - -extern void xauth_init(void); -extern void xauth_finalize(void); - -#endif /* _XAUTH_H */ diff --git a/src/pluto/xauth/xauth_manager.c b/src/pluto/xauth/xauth_manager.c new file mode 100644 index 000000000..2e57ccefa --- /dev/null +++ b/src/pluto/xauth/xauth_manager.c @@ -0,0 +1,127 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "xauth_manager.h" + +typedef struct private_xauth_manager_t private_xauth_manager_t; + +/** + * private data of xauth_manager + */ +struct private_xauth_manager_t { + + /** + * public functions + */ + xauth_manager_t public; + + /** + * list of registered secret providers + */ + linked_list_t *providers; + + /** + * list of registered secret verifiers + */ + linked_list_t *verifiers; +}; + +METHOD(xauth_manager_t, get_secret, bool, + private_xauth_manager_t *this, connection_t *c, chunk_t *secret) +{ + xauth_provider_t *provider; + enumerator_t *enumerator; + bool success = FALSE; + + *secret = chunk_empty; + + enumerator = this->providers->create_enumerator(this->providers); + while (enumerator->enumerate(enumerator, &provider)) + { + if (provider->get_secret(provider, c, secret)) + { + success = TRUE; + break; + } + } + enumerator->destroy(enumerator); + return success; +} + +METHOD(xauth_manager_t, verify_secret, bool, + private_xauth_manager_t *this, connection_t *c, chunk_t secret) +{ + xauth_verifier_t *verifier; + enumerator_t *enumerator; + bool success = FALSE; + + enumerator = this->verifiers->create_enumerator(this->verifiers); + while (enumerator->enumerate(enumerator, &verifier)) + { + if (verifier->verify_secret(verifier, c, secret)) + { + success = TRUE; + break; + } + } + enumerator->destroy(enumerator); + return success; +} + +METHOD(xauth_manager_t, add_provider, void, + private_xauth_manager_t *this, xauth_provider_t *provider) +{ + this->providers->insert_last(this->providers, provider); +} + +METHOD(xauth_manager_t, add_verifier, void, + private_xauth_manager_t *this, xauth_verifier_t *verifier) +{ + this->verifiers->insert_last(this->verifiers, verifier); +} + +METHOD(xauth_manager_t, destroy, void, + private_xauth_manager_t *this) +{ + this->providers->destroy_offset(this->providers, + offsetof(xauth_provider_t, destroy)); + this->verifiers->destroy_offset(this->verifiers, + offsetof(xauth_verifier_t, destroy)); + free(this); +} + +/* + * Described in header. + */ +xauth_manager_t *xauth_manager_create() +{ + private_xauth_manager_t *this; + + INIT(this, + .public = { + .get_secret = _get_secret, + .verify_secret = _verify_secret, + .add_provider = _add_provider, + .add_verifier = _add_verifier, + .destroy = _destroy, + } + ); + + this->providers = linked_list_create(); + this->verifiers = linked_list_create(); + + return &this->public; +} + diff --git a/src/pluto/xauth/xauth_manager.h b/src/pluto/xauth/xauth_manager.h new file mode 100644 index 000000000..843eb2ff0 --- /dev/null +++ b/src/pluto/xauth/xauth_manager.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_manager xauth_manager + * @{ @ingroup xauth + */ + +#ifndef XAUTH_MANAGER_H_ +#define XAUTH_MANAGER_H_ + +#include "xauth_provider.h" +#include "xauth_verifier.h" + +typedef struct xauth_manager_t xauth_manager_t; + +/** + * An xauth_manager registers xauth_providers and xauth_verifiers. + */ +struct xauth_manager_t { + + /** + * Register an xauth_provider + * + * @param provider xauth_provider to be registered + */ + void (*add_provider)(xauth_manager_t *this, xauth_provider_t *provider); + + /** + * Register an xauth_verifier + * + * @param verifier xauth_verifier to be registered + */ + void (*add_verifier)(xauth_manager_t *this, xauth_verifier_t *verifier); + + /** + * Use registered providers to retrieve an XAUTH user secret + * based on connection information. + * + * @param c connection information + * @param secret secret if found, chunk_empty otherwise + * @return TRUE if a matching secret was found + */ + bool (*get_secret)(xauth_manager_t *this, connection_t *c, chunk_t *secret); + + /** + * Use registered verifiers to verify an XAUTH user secret + * based on connection information + * + * @param c connection information + * @param secret secret to be compared + * @return TRUE if secret matches + */ + bool (*verify_secret)(xauth_manager_t *this, connection_t *c, chunk_t secret); + + /** + * Destroy an xauth_verifier instance. + */ + void (*destroy)(xauth_manager_t *this); +}; + +/** + * Create an xauth_manager instance. + */ +xauth_manager_t *xauth_manager_create(); + +#endif /** XAUTH_MANAGER_H_ @}*/ + diff --git a/src/pluto/xauth/xauth_provider.h b/src/pluto/xauth/xauth_provider.h new file mode 100644 index 000000000..90adbff50 --- /dev/null +++ b/src/pluto/xauth/xauth_provider.h @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_provider xauth_provider + * @{ @ingroup xauth + */ + +#ifndef XAUTH_PROVIDER_H_ +#define XAUTH_PROVIDER_H_ + +#include <library.h> + +#include <connections.h> + +typedef struct xauth_provider_t xauth_provider_t; + +/** + * An xauth provider retrieves xauth user secrets on the client side. + */ +struct xauth_provider_t { + + /** + * Retrieve an XAUTH user secret based on connection information. + * + * @param c connection information + * @param secret secret if found, chunk_empty otherwise + * @return TRUE if a matching secret was found + */ + bool (*get_secret)(xauth_provider_t *this, connection_t *c, chunk_t *secret); + + /** + * Destroy an xauth_provider instance. + */ + void (*destroy)(xauth_provider_t *this); +}; + +/** + * Create an xauth_provider instance. + */ +xauth_provider_t *xauth_provider_create(); + +#endif /** XAUTH_PROVIDER_H_ @}*/ + diff --git a/src/pluto/xauth/xauth_verifier.h b/src/pluto/xauth/xauth_verifier.h new file mode 100644 index 000000000..7c9ff3a7f --- /dev/null +++ b/src/pluto/xauth/xauth_verifier.h @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_verifier xauth_verifier + * @{ @ingroup xauth + */ + +#ifndef XAUTH_VERIFIER_H_ +#define XAUTH_VERIFIER_H_ + +#include <library.h> + +#include <connections.h> + +typedef struct xauth_verifier_t xauth_verifier_t; + +/** + * An xauth verifier verifies xauth user secrets on the server side. + */ +struct xauth_verifier_t { + + /** + * Verify an XAUTH user secret base on connection information + * + * @param c connection information + * @param secret secret to be compared + * @return TRUE if secret matches + */ + bool (*verify_secret)(xauth_verifier_t *this, connection_t *c, chunk_t secret); + + /** + * Destroy an xauth_verifier instance. + */ + void (*destroy)(xauth_verifier_t *this); +}; + +/** + * Create an xauth_verifier instance. + */ +xauth_verifier_t *xauth_verifier_create(); + +#endif /** XAUTH_VERIFIER_H_ @}*/ + diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index db930756a..7832e5f66 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c index 598705636..29f6eab70 100644 --- a/src/scepclient/scep.c +++ b/src/scepclient/scep.c @@ -281,7 +281,7 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, bool msb_set; u_char *pos; - key->get_encoding(key, KEY_PUB_ASN1_DER, &keyEncoding); + key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding); keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index 385f6f328..5c32bbdef 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -398,7 +398,7 @@ int main(int argc, char **argv) transID = chunk_empty; fingerprint = chunk_empty; encoding = chunk_empty; - pkcs10_encoding = chunk_empty; + pkcs10_encoding = chunk_empty; issuerAndSubject = chunk_empty; challengePassword = chunk_empty; getCertInitial = chunk_empty; @@ -866,7 +866,7 @@ int main(int argc, char **argv) { exit_scepclient("generating pkcs10 request failed"); } - pkcs10_encoding = pkcs10_req->get_encoding(pkcs10_req); + pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding); fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding); plog(" fingerprint: %s", fingerprint.ptr); } @@ -900,7 +900,7 @@ int main(int argc, char **argv) DBG(DBG_CONTROL, DBG_log("building pkcs1 object:") ) - if (!private_key->get_encoding(private_key, KEY_PRIV_ASN1_DER, &pkcs1) || + if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) || !chunk_write(pkcs1, path, "pkcs1", 0066, force)) { exit_scepclient("could not write pkcs1 file '%s'", path); @@ -941,8 +941,7 @@ int main(int argc, char **argv) { char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self); - encoding = x509_signer->get_encoding(x509_signer); - if (!encoding.ptr) + if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding)) { exit_scepclient("encoding certificate failed"); } @@ -964,7 +963,7 @@ int main(int argc, char **argv) */ { char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc); - + x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, BUILD_END); if (!x509_ca_enc) @@ -1138,8 +1137,8 @@ int main(int argc, char **argv) { exit_scepclient("multiple certs received, only first stored"); } - encoding = cert->get_encoding(cert); - if (!chunk_write(encoding, path, "requested cert", 0022, force)) + if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || + !chunk_write(encoding, path, "requested cert", 0022, force)) { exit_scepclient("could not write cert file '%s'", path); } diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index a235013f2..9813a0c06 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -23,8 +23,9 @@ AM_CFLAGS = \ -DDEBUG starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in dist_man_MANS = ipsec.conf.5 starter.8 +CLEANFILES = ipsec.conf.5 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto @@ -38,6 +39,15 @@ if USE_CHARON AM_CFLAGS += -DSTART_CHARON endif +if USE_LOAD_WARNING + AM_CFLAGS += -DLOAD_WARNING +endif + +ipsec.conf.5: ipsec.conf.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 11449f465..d06c8974d 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -37,6 +37,7 @@ host_triplet = @host@ ipsec_PROGRAMS = starter$(EXEEXT) @USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON +@USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING subdir = src/starter DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -285,10 +286,11 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \ -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \ - $(am__append_2) + $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in dist_man_MANS = ipsec.conf.5 starter.8 +CLEANFILES = ipsec.conf.5 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient @@ -618,6 +620,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -719,6 +722,11 @@ uninstall-man: uninstall-man5 uninstall-man8 uninstall-man8 +ipsec.conf.5: ipsec.conf.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/args.c b/src/starter/args.c index 512f2f46f..ab6b60509 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -230,9 +230,14 @@ static const token_info_t token_info[] = { ARG_TIME, offsetof(starter_conn_t, inactivity), NULL }, { ARG_MISC, 0, NULL /* KW_MODECONFIG */ }, { ARG_MISC, 0, NULL /* KW_XAUTH */ }, + { ARG_STR, offsetof(starter_conn_t, xauth_identity), NULL }, { ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool }, { ARG_STR, offsetof(starter_conn_t, me_mediated_by), NULL }, { ARG_STR, offsetof(starter_conn_t, me_peerid), NULL }, + { ARG_UINT, offsetof(starter_conn_t, reqid), NULL }, + { ARG_MISC, 0, NULL /* KW_MARK */ }, + { ARG_MISC, 0, NULL /* KW_MARK_IN */ }, + { ARG_MISC, 0, NULL /* KW_MARK_OUT */ }, /* ca section keywords */ { ARG_STR, offsetof(starter_ca_t, name), NULL }, diff --git a/src/starter/cmp.c b/src/starter/cmp.c index 33a057b44..0727cf5f0 100644 --- a/src/starter/cmp.c +++ b/src/starter/cmp.c @@ -66,6 +66,10 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2) VARCMP(policy); VARCMP(addr_family); VARCMP(tunnel_addr_family); + VARCMP(mark_in.value); + VARCMP(mark_in.mask); + VARCMP(mark_out.value); + VARCMP(mark_in.mask); if (!starter_cmp_end(&c1->left, &c2->left)) return FALSE; diff --git a/src/starter/confread.c b/src/starter/confread.c index e9b9028d5..399e17844 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end, } } +static bool handle_mark(char *value, mark_t *mark) +{ + char *pos, *endptr; + + pos = strchr(value, '/'); + if (pos) + { + *pos = '\0'; + mark->mask = strtoul(pos+1, &endptr, 0); + if (*endptr != '\0') + { + plog("# invalid mark mask: %s", pos+1); + return FALSE; + } + } + else + { + mark->mask = 0xffffffff; + } + if (value == '\0') + { + mark->value = 0; + } + else + { + mark->value = strtoul(value, &endptr, 0); + if (*endptr != '\0') + { + plog("# invalid mark value: %s", value); + return FALSE; + } + } + return TRUE; +} + /* * parse a conn section */ @@ -671,6 +706,26 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } break; } + case KW_MARK: + if (!handle_mark(kw->value, &conn->mark_in)) + { + cfg->err++; + break; + } + conn->mark_out = conn->mark_in; + break; + case KW_MARK_IN: + if (!handle_mark(kw->value, &conn->mark_in)) + { + cfg->err++; + } + break; + case KW_MARK_OUT: + if (!handle_mark(kw->value, &conn->mark_out)) + { + cfg->err++; + } + break; case KW_KEYINGTRIES: if (streq(kw->value, "%forever")) { diff --git a/src/starter/confread.h b/src/starter/confread.h index 199fab642..5e4356ea3 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -95,6 +95,13 @@ struct also { also_t *next; }; +typedef struct mark_t mark_t; + +struct mark_t{ + u_int32_t value; + u_int32_t mask; +}; + typedef struct starter_conn starter_conn_t; struct starter_conn { @@ -110,6 +117,7 @@ struct starter_conn { u_int32_t eap_type; u_int32_t eap_vendor; char *eap_identity; + char *xauth_identity; lset_t policy; time_t sa_ike_life_seconds; time_t sa_ipsec_life_seconds; @@ -120,6 +128,9 @@ struct starter_conn { u_int64_t sa_ipsec_margin_packets; unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; + u_int32_t reqid; + mark_t mark_in; + mark_t mark_out; sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 4cb1cb0fc..b1ae15825 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "27 Jun 2007" +.TH IPSEC.CONF 5 "2010-05-30" "4.4.1rc3" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION @@ -7,9 +7,9 @@ The optional file specifies most configuration and control information for the strongSwan IPsec subsystem. -(The major exception is secrets for authentication; +The major exception is secrets for authentication; see -.IR ipsec.secrets (5).) +.IR ipsec.secrets (5). Its contents are not security-sensitive. .PP The file is a text file, consisting of one or more @@ -61,8 +61,8 @@ indicates what type of section follows, and .I name is an arbitrary name which distinguishes the section from others of the same type. -(Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens.) +Names must start with a letter and may contain only +letters, digits, periods, underscores, and hyphens. All subsequent non-empty lines which begin with white space are part of the section; comments within a section must begin with white space too. @@ -169,12 +169,12 @@ conn snt A note on terminology: There are two kinds of communications going on: transmission of user IP packets, and gateway-to-gateway negotiations for keying, rekeying, and general control. -The path to control the connection is called 'ISAKMP SA' in IKEv1 and -'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel -level data path, is called 'IPsec SA'. -strongSwan currently uses two separate keying daemons. Pluto handles -all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol. -Charon does not support all keywords yet. +The path to control the connection is called 'ISAKMP SA' in IKEv1 +and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel +level data path, is called 'IPsec SA' or 'Child SA'. +strongSwan currently uses two separate keying daemons. \fIpluto\fP handles +all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 +protocol. .PP To avoid trivial editing of the configuration file to suit it to each system involved in a connection, @@ -189,7 +189,17 @@ Which participant is considered or .I right is arbitrary; -IPsec figures out which one it is being run on based on internal information. +for every connection description an attempt is made to figure out whether +the local endpoint should act as the +.I left +or +.I right +endpoint. This is done by matching the IP addresses defined for both endpoints +with the IP addresses assigned to local network interfaces. If a match is found +then the role (left or right) that matches is going to be considered local. +If no match is found during startup, +.I left +is considered local. This permits using identical connection specifications on both ends. There are cases where there is no symmetry; a good convention is to use @@ -230,7 +240,8 @@ acceptable values are .B esp (the default) and .BR ah . -The IKEv2 daemon currently supports only ESP. +.br +The IKEv2 daemon currently supports ESP only. .TP .B authby how the two security gateways should authenticate each other; @@ -255,6 +266,11 @@ and .B xauthrsasig that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode based on shared secrets or digital RSA signatures, respectively. +IKEv2 additionally supports the value +.BR eap , +which indicates an initiator to request EAP authentication. The EAP method +to use is selected by the server (see +.BR eap ). This parameter is deprecated for IKEv2 connections, as two peers do not need to agree on an authentication method. Use the .B leftauth @@ -263,13 +279,12 @@ parameter instead to define authentication methods in IKEv2. .B auto what operation, if any, should be done automatically at IPsec startup; currently-accepted values are -.B add -, -.B route -, +.BR add , +.BR route , .B start and -.BR ignore . +.B ignore +(the default). .B add loads a connection without starting it. .B route @@ -305,7 +320,6 @@ A value of .B no prevents IPsec from proposing compression; a proposal to compress will still be accepted. -IKEv2 does not support IP compression yet. .TP .B dpdaction controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where @@ -317,13 +331,12 @@ liveliness of the IPsec peer. The values and .B restart all activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted ( -.B clear -), put in the hold state ( -.B hold -) or restarted ( -.B restart -). +are stopped and unrouted +.RB ( clear ), +put in the hold state +.RB ( hold ) +or restarted +.RB ( restart ). For IKEv1, the default is .B none which disables the active sending of R_U_THERE notifications. @@ -332,9 +345,8 @@ in order to signal the readiness to act passively as a responder if the peer wants to use DPD. For IKEv2, .B none does't make sense, since all messages are used to detect dead peers. If specified, -it has the same meaning as the default ( -.B clear -). +it has the same meaning as the default +.RB ( clear ). .TP .B dpddelay defines the period time interval with which R_U_THERE messages/INFORMATIONAL @@ -354,47 +366,70 @@ not send or receive any traffic. Currently supported in IKEv2 connections only. .TP .B eap defines the EAP type to propose as server if the client requests EAP -authentication. This parameter is deprecated in the favour of +authentication. Currently supported values are +.B aka +for EAP-AKA, +.B gtc +for EAP-GTC, +.B md5 +for EAP-MD5, +.B mschapv2 +for EAP-MS-CHAPv2, +.B radius +for the EAP-RADIUS proxy and +.B sim +for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a +definition in the form +.B eap=type-vendor +(e.g. eap=7-12345) can be used to specify vendor specific EAP types. +This parameter is deprecated in the favour of .B leftauth. To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, set -.B eap=radius +.BR eap=radius . .TP .B eap_identity defines the identity the client uses to reply to a EAP Identity request. If defined on the EAP server, the defined identity will be used as peer identity during EAP authentication. The special value .B %identity -uses the EAP Identity method to ask the client for a EAP identity. If not +uses the EAP Identity method to ask the client for an EAP identity. If not defined, the IKEv2 identity will be used as EAP identity. .TP .B esp -ESP encryption/authentication algorithm to be used +comma-separated list of ESP encryption/authentication algorithms to be used for the connection, e.g. -.B 3des-md5 -(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup -and rekeying include a separate diffe hellman exchange (IKEv2 only). +.BR 3des-md5 . +The notation is +.BR encryption-integrity-[dh-group] . +.br +If +.B dh-group +is specified, CHILD_SA setup and rekeying include a separate diffe hellman +exchange (IKEv2 only). .TP .B forceencaps Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to hurdle restrictive firewalls. To enforce the peer to +This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked (IKEv2 only). .TP .B ike -IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g. -.B aes128-sha1-modp2048 -(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals -may be included, such as +comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms +to be used, e.g. +.BR aes128-sha1-modp2048 . +The notation is +.BR encryption-integrity-dhgroup . +In IKEv2, multiple algorithms and proposals may be included, such as .B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. .TP .B ikelifetime -how long the keying channel of a connection ('ISAKMP/IKE SA') +how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. .TP .B installpolicy decides whether IPsec policies are installed in the kernel by the IKEv2 -charon daemon for a given connection. Allows peaceful co-existence e.g. with +charon daemon for a given connection. Allows peaceful cooperation e.g. with the Mobile IPv6 daemon mip6d who wants to control the kernel policies. Acceptable values are .B yes @@ -412,8 +447,8 @@ daemon, unaffected from the .B keyexchange setting. The default value .B ike -currently behaves exactly as -.B ikev1. +currently is a synonym for +.BR ikev1 . .TP .B keyingtries how many attempts (a whole number or \fB%forever\fP) should be made to @@ -430,35 +465,51 @@ synonym for .TP .B left (required) -the IP address of the left participant's public-network interface, -in any form accepted by -.IR ttoaddr (3) +the IP address of the left participant's public-network interface or one of several magic values. If it is .BR %defaultroute , .B left will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time). -(Either +of the default-route interface (as determined at IPsec startup time and +during configuration update). +Either .B left or .B right may be .BR %defaultroute , -but not both.) -The value -.B %any -signifies an address to be filled in (by automatic keying) during -negotiation. The prefix +but not both. +The prefix .B % in front of a fully-qualified domain name or an IP address will implicitly set .B leftallowany=yes. -If the domain name cannot be resolved into an IP address at IPsec startup or update time -then +If the domain name cannot be resolved into an IP address at IPsec startup or +update time then .B left=%any and .B leftallowany=no will be assumed. + +In case of an IKEv2 connection, the value +.B %any +for the local endpoint signifies an address to be filled in (by automatic +keying) during negotiation. If the local peer initiates the connection setup +the routing table will be queried to determine the correct local IP address. +In case the local peer is responding to a connection setup then any IP address +that is assigned to a local interface will be accepted. +.br +Note that specifying +.B %any +for the local endpoint is not supported by the IKEv1 pluto daemon. + +If +.B %any +is used for the remote endpoint it literally means any IP address. + +Please note that with the usage of wildcards multiple connection descriptions +might match a given incoming connection attempt. The most specific description +is used in that case. .TP .B leftallowany a modifier for @@ -466,8 +517,8 @@ a modifier for , making it behave as .B %any although a concrete IP address has been assigned. -Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or -update time. +Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec +startup or update time. Acceptable values are .B yes and @@ -475,7 +526,8 @@ and (the default). .TP .B leftauth -Authentication method to use (local) or require (remote) in this connection. +Authentication method to use locally (left) or require from the remote (right) +side. This parameter is supported in IKEv2 only. Acceptable values are .B pubkey for public key authentication (RSA/ECDSA), @@ -486,19 +538,20 @@ to (require the) use of the Extensible Authentication Protocol. In the case of .B eap, an optional EAP method can be appended. Currently defined methods are -.B eap-aka, eap-sim, eap-gtc, eap-md5 +.BR eap-aka , +.BR eap-gtc , +.BR eap-md5 , +.B eap-mschapv2 and -.B eap-mschapv2. +.BR eap-sim . Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific EAP methods are defined in the form .B eap-type-vendor -(e.g. -.B eap-7-12345 -). +.RB "(e.g. " eap-7-12345 ). .TP .B leftauth2 Same as -.B leftauth, +.BR leftauth , but defines an additional authentication exchange. IKEv2 supports multiple authentication rounds using "Multiple Authentication Exchanges" defined in RFC4739. This allows, for example, separated authentication @@ -515,8 +568,8 @@ Same as but for the second authentication round (IKEv2 only). .TP .B leftcert -the path to the left participant's X.509 certificate. The file can be coded either in -PEM or DER format. OpenPGP certificates are supported as well. +the path to the left participant's X.509 certificate. The file can be encoded +either in PEM or DER format. OpenPGP certificates are supported as well. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP are accepted. By default .B leftcert @@ -571,9 +624,11 @@ a comma separated list of group names. If the .B leftgroups parameter is present then the peer must be a member of at least one of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has been -issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts/\fP. Attribute certificates are not supported in IKEv2 yet. +by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has +been issued to the peer by a trusted Authorization Authority stored in +\fI/etc/ipsec.d/aacerts/\fP. +.br +Attribute certificates are not supported in IKEv2 yet. .TP .B lefthostaccess inserts a pair of INPUT and OUTPUT iptables rules using the default @@ -587,15 +642,10 @@ and (the default). .TP .B leftid -how -the left participant -should be identified for authentication; +how the left participant should be identified for authentication; defaults to .BR left . -Can be an IP address (in any -.IR ttoaddr (3) -syntax) -or a fully-qualified domain name preceded by +Can be an IP address or a fully-qualified domain name preceded by .B @ (which is used as a literal string and not resolved). .TP @@ -606,14 +656,18 @@ identity to use for a second authentication for the left participant .TP .B leftikeport UDP port the left participant uses for IKE communication. Currently supported in -IKEv2 connections only. If unspecified, port 500 is used with port floating to -4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port +IKEv2 connections only. If unspecified, port 500 is used with the port floating +to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port different from the default additionally requires a socket implementation that listens to this port. .TP .B leftnexthop -this parameter is not needed any more because the NETKEY IPsec stack does -not require explicit routing entries for the traffic to be tunneled. +this parameter is usually not needed any more because the NETKEY IPsec stack +does not require explicit routing entries for the traffic to be tunneled. If +.B leftsourceip +is used with IKEv1 then +.B leftnexthop +must still be set in order for the source routes to work properly. .TP .B leftprotoport restrict the traffic selector to a single protocol and/or port. @@ -656,35 +710,34 @@ or or .BR yes , and -.BR ifasked . +.BR ifasked , +the latter meaning that the peer must send a certificate request payload in +order to get a certificate in return. .TP .B leftsourceip The internal source IP to use in a tunnel, also known as virtual IP. If the -value is +value is one of the synonyms .BR %modeconfig , .BR %modecfg , .BR %config , or -.B %cfg, -an address is requested from the peer. In IKEv2, a defined address is requested, -but the server may change it. If the server does not support it, the address -is enforced. +.BR %cfg , +an address is requested from the peer. In IKEv2, a statically defined address +is also requested, since the server may change it. .TP .B rightsourceip The internal source IP to use in a tunnel for the remote peer. If the value is .B %config -on the responder side, the initiator must propose a address which is then echoed -back. The IKEv2 daemon also supports address pools expressed as +on the responder side, the initiator must propose an address which is then +echoed back. Also supported are address pools expressed as \fInetwork\fB/\fInetmask\fR -or the use of an external IP address pool using %\fIpoolname\fR -, where \fIpoolname\fR is the name of the IP address pool used for the lookup. +or the use of an external IP address pool using %\fIpoolname\fR, +where \fIpoolname\fR is the name of the IP address pool used for the lookup. .TP .B leftsubnet private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR -(actually, any form acceptable to -.IR ttosubnet (3)); +\fInetwork\fB/\fInetmask\fR; if omitted, essentially assumed to be \fIleft\fB/32\fR, signifying that the left end of the connection goes to the left participant only. When using IKEv2, the configured subnet of the peers may differ, the @@ -710,8 +763,8 @@ See .IR pluto (8) for details. Relevant only locally, other end need not agree on it. IKEv2 uses the updown -script to insert firewall rules only. Routing is not support and will be -implemented directly into Charon. +script to insert firewall rules only, since routing has been implemented +directly into charon. .TP .B lifebytes the number of bytes transmitted over an IPsec SA before it expires (IKEv2 @@ -768,6 +821,25 @@ begin; acceptable values as for .BR 9m ). Relevant only locally, other end need not agree on it. .TP +.B mark +sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound +IPsec SAs and policies (IKEv2 only). If the mask is missing then a default +mask of +.B 0xffffffff +is assumed. +.TP +.B mark_in +sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mark_out +sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP .B mobike enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are .B yes @@ -786,7 +858,9 @@ and .B pull (the default). Currently relevant for IKEv1 only since IKEv2 always uses the configuration -payload in pull mode. +payload in pull mode. Cisco VPN gateways usually operate in +.B push +mode. .TP .B pfs whether Perfect Forward Secrecy of keys is desired on the connection's @@ -825,7 +899,7 @@ and .BR no . The two ends need not agree, but while a value of .B no -prevents Pluto/Charon from requesting renegotiation, +prevents pluto/charon from requesting renegotiation, it does not prevent responding to renegotiation requested from the other end, so .B no @@ -863,6 +937,9 @@ Relevant only locally, other end need not agree on it. synonym for .BR margintime . .TP +.B reqid +sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). +.TP .B type the type of the connection; currently the accepted values are @@ -879,12 +956,12 @@ signifying that no IPsec processing should be done at all; signifying that packets should be discarded; and .BR reject , signifying that packets should be discarded and a diagnostic ICMP returned. -Charon currently supports +The IKEv2 daemon charon currently supports .BR tunnel , .BR transport , and .BR tunnel_proxy -connection types, only . +connection types, only. .TP .B xauth specifies the role in the XAUTH protocol if activated by @@ -928,8 +1005,7 @@ of this connection will be used as peer ID. .SH "CA SECTIONS" This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). These parameters are not -supported in IKEv2 yet. +parameters to a Certification Authority (CA). .TP 10 .B auto currently can have either the value @@ -964,6 +1040,7 @@ synonym for .TP .B ocspuri2 defines an alternative OCSP URI. Currently used by IKEv2 only. +.TP .B certuribase defines the base URI for the Hash and URL feature supported by IKEv2. Instead of exchanging complete certificates, IKEv2 allows to send an URI @@ -974,9 +1051,7 @@ At present, the only .B config section known to the IPsec software is the one named .BR setup , -which contains information used when the software is being started -(see -.IR starter (8)). +which contains information used when the software is being started. Here's an example: .PP .ne 8 @@ -1234,21 +1309,6 @@ must be used to denote no interfaces. .B overridemtu value that the MTU of the ipsec\fIn\fR interface(s) should be set to, overriding IPsec's (large) default. -.SH CHOOSING A CONNECTION -.PP -When choosing a connection to apply to an outbound packet caught with a -.BR %trap, -the system prefers the one with the most specific eroute that -includes the packet's source and destination IP addresses. -Source subnets are examined before destination subnets. -For initiating, only routed connections are considered. For responding, -unrouted but added connections are considered. -.PP -When choosing a connection to use to respond to a negotiation which -doesn't match an ordinary conn, an opportunistic connection -may be instantiated. Eventually, its instance will be /32 -> /32, but -for earlier stages of the negotiation, there will not be enough -information about the client subnets to complete the instantiation. .SH FILES .nf /etc/ipsec.conf @@ -1259,12 +1319,11 @@ information about the client subnets to complete the instantiation. /etc/ipsec.d/crls .SH SEE ALSO -ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3) +ipsec(8), pluto(8), starter(8) .SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. -Extended for the strongSwan project -<http://www.strongswan.org> -by Andreas Steffen. IKEv2-specific features by Martin Willi. +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project <http://www.strongswan.org> by +Tobias Brunner, Andreas Steffen and Martin Willi. .SH BUGS .PP If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in new file mode 100644 index 000000000..3d2940a66 --- /dev/null +++ b/src/starter/ipsec.conf.5.in @@ -0,0 +1,1330 @@ +.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" +.SH NAME +ipsec.conf \- IPsec configuration and connections +.SH DESCRIPTION +The optional +.I ipsec.conf +file +specifies most configuration and control information for the +strongSwan IPsec subsystem. +The major exception is secrets for authentication; +see +.IR ipsec.secrets (5). +Its contents are not security-sensitive. +.PP +The file is a text file, consisting of one or more +.IR sections . +White space followed by +.B # +followed by anything to the end of the line +is a comment and is ignored, +as are empty lines which are not within a section. +.PP +A line which contains +.B include +and a file name, separated by white space, +is replaced by the contents of that file, +preceded and followed by empty lines. +If the file name is not a full pathname, +it is considered to be relative to the directory containing the +including file. +Such inclusions can be nested. +Only a single filename may be supplied, and it may not contain white space, +but it may include shell wildcards (see +.IR sh (1)); +for example: +.PP +.B include +.B "ipsec.*.conf" +.PP +The intention of the include facility is mostly to permit keeping +information on connections, or sets of connections, +separate from the main configuration file. +This permits such connection descriptions to be changed, +copied to the other security gateways involved, etc., +without having to constantly extract them from the configuration +file and then insert them back into it. +Note also the +.B also +parameter (described below) which permits splitting a single logical +section (e.g. a connection description) into several actual sections. +.PP +A section +begins with a line of the form: +.PP +.I type +.I name +.PP +where +.I type +indicates what type of section follows, and +.I name +is an arbitrary name which distinguishes the section from others +of the same type. +Names must start with a letter and may contain only +letters, digits, periods, underscores, and hyphens. +All subsequent non-empty lines +which begin with white space are part of the section; +comments within a section must begin with white space too. +There may be only one section of a given type with a given name. +.PP +Lines within the section are generally of the form +.PP +\ \ \ \ \ \fIparameter\fB=\fIvalue\fR +.PP +(note the mandatory preceding white space). +There can be white space on either side of the +.BR = . +Parameter names follow the same syntax as section names, +and are specific to a section type. +Unless otherwise explicitly specified, +no parameter name may appear more than once in a section. +.PP +An empty +.I value +stands for the system default value (if any) of the parameter, +i.e. it is roughly equivalent to omitting the parameter line entirely. +A +.I value +may contain white space only if the entire +.I value +is enclosed in double quotes (\fB"\fR); +a +.I value +cannot itself contain a double quote, +nor may it be continued across more than one line. +.PP +Numeric values are specified to be either an ``integer'' +(a sequence of digits) or a ``decimal number'' +(sequence of digits optionally followed by `.' and another sequence of digits). +.PP +There is currently one parameter which is available in any type of +section: +.TP +.B also +the value is a section name; +the parameters of that section are appended to this section, +as if they had been written as part of it. +The specified section must exist, must follow the current one, +and must have the same section type. +(Nesting is permitted, +and there may be more than one +.B also +in a single section, +although it is forbidden to append the same section more than once.) +.PP +A section with name +.B %default +specifies defaults for sections of the same type. +For each parameter in it, +any section of that type which does not have a parameter of the same name +gets a copy of the one from the +.B %default +section. +There may be multiple +.B %default +sections of a given type, +but only one default may be supplied for any specific parameter name, +and all +.B %default +sections of a given type must precede all non-\c +.B %default +sections of that type. +.B %default +sections may not contain the +.B also +parameter. +.PP +Currently there are three types of sections: +a +.B config +section specifies general configuration information for IPsec, a +.B conn +section specifies an IPsec connection, while a +.B ca +section specifies special properties of a certification authority. +.SH "CONN SECTIONS" +A +.B conn +section contains a +.IR "connection specification" , +defining a network connection to be made using IPsec. +The name given is arbitrary, and is used to identify the connection. +Here's a simple example: +.PP +.ne 10 +.nf +.ft B +.ta 1c +conn snt + left=192.168.0.1 + leftsubnet=10.1.0.0/16 + right=192.168.0.2 + rightsubnet=10.1.0.0/16 + keyingtries=%forever + auto=add +.ft +.fi +.PP +A note on terminology: There are two kinds of communications going on: +transmission of user IP packets, and gateway-to-gateway negotiations for +keying, rekeying, and general control. +The path to control the connection is called 'ISAKMP SA' in IKEv1 +and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel +level data path, is called 'IPsec SA' or 'Child SA'. +strongSwan currently uses two separate keying daemons. \fIpluto\fP handles +all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 +protocol. +.PP +To avoid trivial editing of the configuration file to suit it to each system +involved in a connection, +connection specifications are written in terms of +.I left +and +.I right +participants, +rather than in terms of local and remote. +Which participant is considered +.I left +or +.I right +is arbitrary; +for every connection description an attempt is made to figure out whether +the local endpoint should act as the +.I left +or +.I right +endpoint. This is done by matching the IP addresses defined for both endpoints +with the IP addresses assigned to local network interfaces. If a match is found +then the role (left or right) that matches is going to be considered local. +If no match is found during startup, +.I left +is considered local. +This permits using identical connection specifications on both ends. +There are cases where there is no symmetry; a good convention is to +use +.I left +for the local side and +.I right +for the remote side (the first letters are a good mnemonic). +.PP +Many of the parameters relate to one participant or the other; +only the ones for +.I left +are listed here, but every parameter whose name begins with +.B left +has a +.B right +counterpart, +whose description is the same but with +.B left +and +.B right +reversed. +.PP +Parameters are optional unless marked '(required)'. +.SS "CONN PARAMETERS" +Unless otherwise noted, for a connection to work, +in general it is necessary for the two ends to agree exactly +on the values of these parameters. +.TP 14 +.B ah +AH authentication algorithm to be used +for the connection, e.g. +.B hmac-md5. +.TP +.B auth +whether authentication should be done as part of +ESP encryption, or separately using the AH protocol; +acceptable values are +.B esp +(the default) and +.BR ah . +.br +The IKEv2 daemon currently supports ESP only. +.TP +.B authby +how the two security gateways should authenticate each other; +acceptable values are +.B secret +or +.B psk +for pre-shared secrets, +.B pubkey +(the default) for public key signatures as well as the synonyms +.B rsasig +for RSA digital signatures and +.B ecdsasig +for Elliptic Curve DSA signatures. +.B never +can be used if negotiation is never to be attempted or accepted (useful for +shunt-only conns). +Digital signatures are superior in every way to shared secrets. +IKEv1 additionally supports the values +.B xauthpsk +and +.B xauthrsasig +that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode +based on shared secrets or digital RSA signatures, respectively. +IKEv2 additionally supports the value +.BR eap , +which indicates an initiator to request EAP authentication. The EAP method +to use is selected by the server (see +.BR eap ). +This parameter is deprecated for IKEv2 connections, as two peers do not need +to agree on an authentication method. Use the +.B leftauth +parameter instead to define authentication methods in IKEv2. +.TP +.B auto +what operation, if any, should be done automatically at IPsec startup; +currently-accepted values are +.BR add , +.BR route , +.B start +and +.B ignore +(the default). +.B add +loads a connection without starting it. +.B route +loads a connection and installs kernel traps. If traffic is detected between +.B leftsubnet +and +.B rightsubnet +, a connection is established. +.B start +loads a connection and brings it up immediatly. +.B ignore +ignores the connection. This is equal to delete a connection from the config +file. +Relevant only locally, other end need not agree on it +(but in general, for an intended-to-be-permanent connection, +both ends should use +.B auto=start +to ensure that any reboot causes immediate renegotiation). +.TP +.B compress +whether IPComp compression of content is proposed on the connection +(link-level compression does not work on encrypted data, +so to be effective, compression must be done \fIbefore\fR encryption); +acceptable values are +.B yes +and +.B no +(the default). A value of +.B yes +causes IPsec to propose both compressed and uncompressed, +and prefer compressed. +A value of +.B no +prevents IPsec from proposing compression; +a proposal to compress will still be accepted. +.TP +.B dpdaction +controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where +R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) +are periodically sent in order to check the +liveliness of the IPsec peer. The values +.BR clear , +.BR hold , +and +.B restart +all activate DPD. If no activity is detected, all connections with a dead peer +are stopped and unrouted +.RB ( clear ), +put in the hold state +.RB ( hold ) +or restarted +.RB ( restart ). +For IKEv1, the default is +.B none +which disables the active sending of R_U_THERE notifications. +Nevertheless pluto will always send the DPD Vendor ID during connection set up +in order to signal the readiness to act passively as a responder if the peer +wants to use DPD. For IKEv2, +.B none +does't make sense, since all messages are used to detect dead peers. If specified, +it has the same meaning as the default +.RB ( clear ). +.TP +.B dpddelay +defines the period time interval with which R_U_THERE messages/INFORMATIONAL +exchanges are sent to the peer. These are only sent if no other traffic is +received. In IKEv2, a value of 0 sends no additional INFORMATIONAL +messages and uses only standard messages (such as those to rekey) to detect +dead peers. +.TP +.B dpdtimeout +defines the timeout interval, after which all connections to a peer are deleted +in case of inactivity. This only applies to IKEv1, in IKEv2 the default +retransmission timeout applies, as every exchange is used to detect dead peers. +.TP +.B inactivity +defines the timeout interval, after which a CHILD_SA is closed if it did +not send or receive any traffic. Currently supported in IKEv2 connections only. +.TP +.B eap +defines the EAP type to propose as server if the client requests EAP +authentication. Currently supported values are +.B aka +for EAP-AKA, +.B gtc +for EAP-GTC, +.B md5 +for EAP-MD5, +.B mschapv2 +for EAP-MS-CHAPv2, +.B radius +for the EAP-RADIUS proxy and +.B sim +for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a +definition in the form +.B eap=type-vendor +(e.g. eap=7-12345) can be used to specify vendor specific EAP types. +This parameter is deprecated in the favour of +.B leftauth. + +To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, +set +.BR eap=radius . +.TP +.B eap_identity +defines the identity the client uses to reply to a EAP Identity request. +If defined on the EAP server, the defined identity will be used as peer +identity during EAP authentication. The special value +.B %identity +uses the EAP Identity method to ask the client for an EAP identity. If not +defined, the IKEv2 identity will be used as EAP identity. +.TP +.B esp +comma-separated list of ESP encryption/authentication algorithms to be used +for the connection, e.g. +.BR 3des-md5 . +The notation is +.BR encryption-integrity-[dh-group] . +.br +If +.B dh-group +is specified, CHILD_SA setup and rekeying include a separate diffe hellman +exchange (IKEv2 only). +.TP +.B forceencaps +Force UDP encapsulation for ESP packets even if no NAT situation is detected. +This may help to surmount restrictive firewalls. In order to force the peer to +encapsulate packets, NAT detection payloads are faked (IKEv2 only). +.TP +.B ike +comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms +to be used, e.g. +.BR aes128-sha1-modp2048 . +The notation is +.BR encryption-integrity-dhgroup . +In IKEv2, multiple algorithms and proposals may be included, such as +.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. +.TP +.B ikelifetime +how long the keying channel of a connection (ISAKMP or IKE SA) +should last before being renegotiated. +.TP +.B installpolicy +decides whether IPsec policies are installed in the kernel by the IKEv2 +charon daemon for a given connection. Allows peaceful cooperation e.g. with +the Mobile IPv6 daemon mip6d who wants to control the kernel policies. +Acceptable values are +.B yes +(the default) and +.BR no . +.TP +.B keyexchange +method of key exchange; +which protocol should be used to initialize the connection. Connections marked with +.B ikev1 +are initiated with pluto, those marked with +.B ikev2 +with charon. An incoming request from the remote peer is handled by the correct +daemon, unaffected from the +.B keyexchange +setting. The default value +.B ike +currently is a synonym for +.BR ikev1 . +.TP +.B keyingtries +how many attempts (a whole number or \fB%forever\fP) should be made to +negotiate a connection, or a replacement for one, before giving up +(default +.BR %forever ). +The value \fB%forever\fP +means 'never give up'. +Relevant only locally, other end need not agree on it. +.TP +.B keylife +synonym for +.BR lifetime . +.TP +.B left +(required) +the IP address of the left participant's public-network interface +or one of several magic values. +If it is +.BR %defaultroute , +.B left +will be filled in automatically with the local address +of the default-route interface (as determined at IPsec startup time and +during configuration update). +Either +.B left +or +.B right +may be +.BR %defaultroute , +but not both. +The prefix +.B % +in front of a fully-qualified domain name or an IP address will implicitly set +.B leftallowany=yes. +If the domain name cannot be resolved into an IP address at IPsec startup or +update time then +.B left=%any +and +.B leftallowany=no +will be assumed. + +In case of an IKEv2 connection, the value +.B %any +for the local endpoint signifies an address to be filled in (by automatic +keying) during negotiation. If the local peer initiates the connection setup +the routing table will be queried to determine the correct local IP address. +In case the local peer is responding to a connection setup then any IP address +that is assigned to a local interface will be accepted. +.br +Note that specifying +.B %any +for the local endpoint is not supported by the IKEv1 pluto daemon. + +If +.B %any +is used for the remote endpoint it literally means any IP address. + +Please note that with the usage of wildcards multiple connection descriptions +might match a given incoming connection attempt. The most specific description +is used in that case. +.TP +.B leftallowany +a modifier for +.B left +, making it behave as +.B %any +although a concrete IP address has been assigned. +Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec +startup or update time. +Acceptable values are +.B yes +and +.B no +(the default). +.TP +.B leftauth +Authentication method to use locally (left) or require from the remote (right) +side. +This parameter is supported in IKEv2 only. Acceptable values are +.B pubkey +for public key authentication (RSA/ECDSA), +.B psk +for pre-shared key authentication and +.B eap +to (require the) use of the Extensible Authentication Protocol. In the case +of +.B eap, +an optional EAP method can be appended. Currently defined methods are +.BR eap-aka , +.BR eap-gtc , +.BR eap-md5 , +.B eap-mschapv2 +and +.BR eap-sim . +Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific +EAP methods are defined in the form +.B eap-type-vendor +.RB "(e.g. " eap-7-12345 ). +.TP +.B leftauth2 +Same as +.BR leftauth , +but defines an additional authentication exchange. IKEv2 supports multiple +authentication rounds using "Multiple Authentication Exchanges" defined +in RFC4739. This allows, for example, separated authentication +of host and user (IKEv2 only). +.TP +.B leftca +the distinguished name of a certificate authority which is required to +lie in the trust path going from the left participant's certificate up +to the root certification authority. +.TP +.B leftca2 +Same as +.B leftca, +but for the second authentication round (IKEv2 only). +.TP +.B leftcert +the path to the left participant's X.509 certificate. The file can be encoded +either in PEM or DER format. OpenPGP certificates are supported as well. +Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP +are accepted. By default +.B leftcert +sets +.B leftid +to the distinguished name of the certificate's subject and +.B leftca +to the distinguished name of the certificate's issuer. +The left participant's ID can be overriden by specifying a +.B leftid +value which must be certified by the certificate, though. +.TP +.B leftcert2 +Same as +.B leftcert, +but for the second authentication round (IKEv2 only). +.TP +.B leftfirewall +whether the left participant is doing forwarding-firewalling +(including masquerading) using iptables for traffic from \fIleftsubnet\fR, +which should be turned off (for traffic to the other subnet) +once the connection is established; +acceptable values are +.B yes +and +.B no +(the default). +May not be used in the same connection description with +.BR leftupdown . +Implemented as a parameter to the default \fBipsec _updown\fR script. +See notes below. +Relevant only locally, other end need not agree on it. + +If one or both security gateways are doing forwarding firewalling +(possibly including masquerading), +and this is specified using the firewall parameters, +tunnels established with IPsec are exempted from it +so that packets can flow unchanged through the tunnels. +(This means that all subnets connected in this manner must have +distinct, non-overlapping subnet address blocks.) +This is done by the default \fBipsec _updown\fR script (see +.IR pluto (8)). + +In situations calling for more control, +it may be preferable for the user to supply his own +.I updown +script, +which makes the appropriate adjustments for his system. +.TP +.B leftgroups +a comma separated list of group names. If the +.B leftgroups +parameter is present then the peer must be a member of at least one +of the groups defined by the parameter. Group membership must be certified +by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has +been issued to the peer by a trusted Authorization Authority stored in +\fI/etc/ipsec.d/aacerts/\fP. +.br +Attribute certificates are not supported in IKEv2 yet. +.TP +.B lefthostaccess +inserts a pair of INPUT and OUTPUT iptables rules using the default +\fBipsec _updown\fR script, thus allowing access to the host itself +in the case where the host's internal interface is part of the +negotiated client subnet. +Acceptable values are +.B yes +and +.B no +(the default). +.TP +.B leftid +how the left participant should be identified for authentication; +defaults to +.BR left . +Can be an IP address or a fully-qualified domain name preceded by +.B @ +(which is used as a literal string and not resolved). +.TP +.B leftid2 +identity to use for a second authentication for the left participant +(IKEv2 only); defaults to +.BR leftid . +.TP +.B leftikeport +UDP port the left participant uses for IKE communication. Currently supported in +IKEv2 connections only. If unspecified, port 500 is used with the port floating +to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port +different from the default additionally requires a socket implementation that +listens to this port. +.TP +.B leftnexthop +this parameter is usually not needed any more because the NETKEY IPsec stack +does not require explicit routing entries for the traffic to be tunneled. If +.B leftsourceip +is used with IKEv1 then +.B leftnexthop +must still be set in order for the source routes to work properly. +.TP +.B leftprotoport +restrict the traffic selector to a single protocol and/or port. +Examples: +.B leftprotoport=tcp/http +or +.B leftprotoport=6/80 +or +.B leftprotoport=udp +.TP +.B leftrsasigkey +the left participant's +public key for RSA signature authentication, +in RFC 2537 format using +.IR ttodata (3) +encoding. +The magic value +.B %none +means the same as not specifying a value (useful to override a default). +The value +.B %cert +(the default) +means that the key is extracted from a certificate. +The identity used for the left participant +must be a specific host, not +.B %any +or another magic value. +.B Caution: +if two connection descriptions +specify different public keys for the same +.BR leftid , +confusion and madness will ensue. +.TP +.B leftsendcert +Accepted values are +.B never +or +.BR no , +.B always +or +.BR yes , +and +.BR ifasked , +the latter meaning that the peer must send a certificate request payload in +order to get a certificate in return. +.TP +.B leftsourceip +The internal source IP to use in a tunnel, also known as virtual IP. If the +value is one of the synonyms +.BR %modeconfig , +.BR %modecfg , +.BR %config , +or +.BR %cfg , +an address is requested from the peer. In IKEv2, a statically defined address +is also requested, since the server may change it. +.TP +.B rightsourceip +The internal source IP to use in a tunnel for the remote peer. If the +value is +.B %config +on the responder side, the initiator must propose an address which is then +echoed back. Also supported are address pools expressed as +\fInetwork\fB/\fInetmask\fR +or the use of an external IP address pool using %\fIpoolname\fR, +where \fIpoolname\fR is the name of the IP address pool used for the lookup. +.TP +.B leftsubnet +private subnet behind the left participant, expressed as +\fInetwork\fB/\fInetmask\fR; +if omitted, essentially assumed to be \fIleft\fB/32\fR, +signifying that the left end of the connection goes to the left participant +only. When using IKEv2, the configured subnet of the peers may differ, the +protocol narrows it to the greatest common subnet. Further, IKEv2 supports +multiple subnets separated by commas. IKEv1 only interprets the first subnet +of such a definition. +.TP +.B leftsubnetwithin +the peer can propose any subnet or single IP address that fits within the +range defined by +.BR leftsubnetwithin. +Not relevant for IKEv2, as subnets are narrowed. +.TP +.B leftupdown +what ``updown'' script to run to adjust routing and/or firewalling +when the status of the connection +changes (default +.BR "ipsec _updown" ). +May include positional parameters separated by white space +(although this requires enclosing the whole string in quotes); +including shell metacharacters is unwise. +See +.IR pluto (8) +for details. +Relevant only locally, other end need not agree on it. IKEv2 uses the updown +script to insert firewall rules only, since routing has been implemented +directly into charon. +.TP +.B lifebytes +the number of bytes transmitted over an IPsec SA before it expires (IKEv2 +only). +.TP +.B lifepackets +the number of packets transmitted over an IPsec SA before it expires (IKEv2 +only). +.TP +.B lifetime +how long a particular instance of a connection +(a set of encryption/authentication keys for user packets) should last, +from successful negotiation to expiry; +acceptable values are an integer optionally followed by +.BR s +(a time in seconds) +or a decimal number followed by +.BR m , +.BR h , +or +.B d +(a time +in minutes, hours, or days respectively) +(default +.BR 1h , +maximum +.BR 24h ). +Normally, the connection is renegotiated (via the keying channel) +before it expires (see +.BR margintime ). +The two ends need not exactly agree on +.BR lifetime , +although if they do not, +there will be some clutter of superseded connections on the end +which thinks the lifetime is longer. +.TP +.B marginbytes +how many bytes before IPsec SA expiry (see +.BR lifebytes ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B marginpackets +how many packets before IPsec SA expiry (see +.BR lifepackets ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B margintime +how long before connection expiry or keying-channel expiry +should attempts to +negotiate a replacement +begin; acceptable values as for +.B lifetime +(default +.BR 9m ). +Relevant only locally, other end need not agree on it. +.TP +.B mark +sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound +IPsec SAs and policies (IKEv2 only). If the mask is missing then a default +mask of +.B 0xffffffff +is assumed. +.TP +.B mark_in +sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mark_out +sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mobike +enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are +.B yes +(the default) and +.BR no . +If set to +.BR no , +the IKEv2 charon daemon will not actively propose MOBIKE as initiator and +ignore the MOBIKE_SUPPORTED notify as responder. +.TP +.B modeconfig +defines which mode is used to assign a virtual IP. +Accepted values are +.B push +and +.B pull +(the default). +Currently relevant for IKEv1 only since IKEv2 always uses the configuration +payload in pull mode. Cisco VPN gateways usually operate in +.B push +mode. +.TP +.B pfs +whether Perfect Forward Secrecy of keys is desired on the connection's +keying channel +(with PFS, penetration of the key-exchange protocol +does not compromise keys negotiated earlier); +acceptable values are +.B yes +(the default) +and +.BR no. +IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying +PFS is enforced by defining a Diffie-Hellman modp group in the +.B esp +parameter. +.TP +.B pfsgroup +defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode +differing from the DH group used for IKEv1 Main Mode (IKEv1 only). +.TP +.B reauth +whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, +reauthentication is always done. In IKEv2, a value of +.B no +rekeys without uninstalling the IPsec SAs, a value of +.B yes +(the default) creates a new IKE_SA from scratch and tries to recreate +all IPsec SAs. +.TP +.B rekey +whether a connection should be renegotiated when it is about to expire; +acceptable values are +.B yes +(the default) +and +.BR no . +The two ends need not agree, but while a value of +.B no +prevents pluto/charon from requesting renegotiation, +it does not prevent responding to renegotiation requested from the other end, +so +.B no +will be largely ineffective unless both ends agree on it. +.TP +.B rekeyfuzz +maximum percentage by which +.BR marginbytes , +.B marginpackets +and +.B margintime +should be randomly increased to randomize rekeying intervals +(important for hosts with many connections); +acceptable values are an integer, +which may exceed 100, +followed by a `%' +(defaults to +.BR 100% ). +The value of +.BR marginTYPE , +after this random increase, +must not exceed +.B lifeTYPE +(where TYPE is one of +.IR bytes , +.I packets +or +.IR time ). +The value +.B 0% +will suppress randomization. +Relevant only locally, other end need not agree on it. +.TP +.B rekeymargin +synonym for +.BR margintime . +.TP +.B reqid +sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). +.TP +.B type +the type of the connection; currently the accepted values +are +.B tunnel +(the default) +signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; +.BR transport , +signifying host-to-host transport mode; +.BR transport_proxy , +signifying the special Mobile IPv6 transport proxy mode; +.BR passthrough , +signifying that no IPsec processing should be done at all; +.BR drop , +signifying that packets should be discarded; and +.BR reject , +signifying that packets should be discarded and a diagnostic ICMP returned. +The IKEv2 daemon charon currently supports +.BR tunnel , +.BR transport , +and +.BR tunnel_proxy +connection types, only. +.TP +.B xauth +specifies the role in the XAUTH protocol if activated by +.B authby=xauthpsk +or +.B authby=xauthrsasig. +Accepted values are +.B server +and +.B client +(the default). + +.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION" +The following parameters are relevant to IKEv2 Mediation Extension +operation only. +.TP 14 +.B mediation +whether this connection is a mediation connection, ie. whether this +connection is used to mediate other connections. Mediation connections +create no child SA. Acceptable values are +.B no +(the default) and +.BR yes . +.TP +.B mediated_by +the name of the connection to mediate this connection through. If given, +the connection will be mediated through the named mediation connection. +The mediation connection must set +.BR mediation=yes . +.TP +.B me_peerid +ID as which the peer is known to the mediation server, ie. which the other +end of this connection uses as its +.B leftid +on its connection to the mediation server. This is the ID we request the +mediation server to mediate us with. If +.B me_peerid +is not given, the +.B rightid +of this connection will be used as peer ID. + +.SH "CA SECTIONS" +This are optional sections that can be used to assign special +parameters to a Certification Authority (CA). +.TP 10 +.B auto +currently can have either the value +.B ignore +or +.B add +. +.TP +.B cacert +defines a path to the CA certificate either relative to +\fI/etc/ipsec.d/cacerts\fP or as an absolute path. +.TP +.B crluri +defines a CRL distribution point (ldap, http, or file URI) +.TP +.B crluri1 +synonym for +.B crluri. +.TP +.B crluri2 +defines an alternative CRL distribution point (ldap, http, or file URI) +.TP +.B ldaphost +defines an ldap host. Currently used by IKEv1 only. +.TP +.B ocspuri +defines an OCSP URI. +.TP +.B ocspuri1 +synonym for +.B ocspuri. +.TP +.B ocspuri2 +defines an alternative OCSP URI. Currently used by IKEv2 only. +.TP +.B certuribase +defines the base URI for the Hash and URL feature supported by IKEv2. +Instead of exchanging complete certificates, IKEv2 allows to send an URI +that resolves to the DER encoded certificate. The certificate URIs are built +by appending the SHA1 hash of the DER encoded certificates to this base URI. +.SH "CONFIG SECTIONS" +At present, the only +.B config +section known to the IPsec software is the one named +.BR setup , +which contains information used when the software is being started. +Here's an example: +.PP +.ne 8 +.nf +.ft B +.ta 1c +config setup + plutodebug=all + crlcheckinterval=10m + strictcrlpolicy=yes +.ft +.fi +.PP +Parameters are optional unless marked ``(required)''. +The currently-accepted +.I parameter +names in a +.B config +.B setup +section affecting both daemons are: +.TP 14 +.B cachecrls +certificate revocation lists (CRLs) fetched via http or ldap will be cached in +\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification +authority's public key. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B charonstart +whether to start the IKEv2 Charon daemon or not. +Accepted values are +.B yes +or +.BR no . +The default is +.B yes +if starter was compiled with IKEv2 support. +.TP +.B dumpdir +in what directory should things started by \fBipsec starter\fR +(notably the Pluto and Charon daemons) be allowed to dump core? +The empty value (the default) means they are not +allowed to. +This feature is currently not yet supported by \fBipsec starter\fR. +.TP +.B plutostart +whether to start the IKEv1 Pluto daemon or not. +Accepted values are +.B yes +or +.BR no . +The default is +.B yes +if starter was compiled with IKEv1 support. +.TP +.B strictcrlpolicy +defines if a fresh CRL must be available in order for the peer authentication based +on RSA signatures to succeed. +Accepted values are +.B yes +and +.B no +(the default). +IKEv2 additionally recognizes +.B ifuri +which reverts to +.B yes +if at least one CRL URI is defined and to +.B no +if no URI is known. +.TP +.B uniqueids +whether a particular participant ID should be kept unique, +with any new (automatically keyed) +connection using an ID from a different IP address +deemed to replace all old ones using that ID; +acceptable values are +.B yes +(the default) +and +.BR no . +Participant IDs normally \fIare\fR unique, +so a new (automatically-keyed) connection using the same ID is +almost invariably intended to replace an old one. +The IKEv2 daemon also accepts the value +.B replace +wich is identical to +.B yes +and the value +.B keep +to reject new IKE_SA setups and keep the duplicate established earlier. +.PP +The following +.B config section +parameters are used by the IKEv1 Pluto daemon only: +.TP +.B crlcheckinterval +interval in seconds. CRL fetching is enabled if the value is greater than zero. +Asynchronous, periodic checking for fresh CRLs is currently done by the +IKEv1 Pluto daemon only. +.TP +.B keep_alive +interval in seconds between NAT keep alive packets, the default being 20 seconds. +.TP +.B nat_traversal +activates NAT traversal by accepting source ISAKMP ports different from udp/500 and +being able of floating to udp/4500 if a NAT situation is detected. +Accepted values are +.B yes +and +.B no +(the default). +Used by IKEv1 only, NAT traversal always being active in IKEv2. +.TP +.B nocrsend +no certificate request payloads will be sent. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11initargs +non-standard argument string for PKCS#11 C_Initialize() function; +required by NSS softoken. +.TP +.B pkcs11module +defines the path to a dynamically loadable PKCS #11 library. +.TP +.B pkcs11keepstate +PKCS #11 login sessions will be kept during the whole lifetime of the keying +daemon. Useful with pin-pad smart card readers. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11proxy +Pluto will act as a PKCS #11 proxy accessible via the whack interface. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B plutodebug +how much Pluto debugging output should be logged. +An empty value, +or the magic value +.BR none , +means no debugging output (the default). +The magic value +.B all +means full output. +Otherwise only the specified types of output +(a quoted list, names without the +.B \-\-debug\- +prefix, +separated by white space) are enabled; +for details on available debugging types, see +.IR pluto (8). +.TP +.B plutostderrlog +Pluto will not use syslog, but rather log to stderr, and redirect stderr +to the argument file. +.TP +.B postpluto +shell command to run after starting Pluto +(e.g., to remove a decrypted copy of the +.I ipsec.secrets +file). +It's run in a very simple way; +complexities like I/O redirection are best hidden within a script. +Any output is redirected for logging, +so running interactive commands is difficult unless they use +.I /dev/tty +or equivalent for their interaction. +Default is none. +.TP +.B prepluto +shell command to run before starting Pluto +(e.g., to decrypt an encrypted copy of the +.I ipsec.secrets +file). +It's run in a very simple way; +complexities like I/O redirection are best hidden within a script. +Any output is redirected for logging, +so running interactive commands is difficult unless they use +.I /dev/tty +or equivalent for their interaction. +Default is none. +.TP +.B virtual_private +defines private networks using a wildcard notation. +.PP +The following +.B config section +parameters are used by the IKEv2 Charon daemon only: +.TP +.B charondebug +how much Charon debugging output should be logged. +A comma separated list containing type level/pairs may +be specified, e.g: +.B dmn 3, ike 1, net -1. +Acceptable values for types are +.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib +and the level is one of +.B -1, 0, 1, 2, 3, 4 +(for silent, audit, control, controlmore, raw, private). +.PP +The following +.B config section +parameters only make sense if the KLIPS IPsec stack +is used instead of the default NETKEY stack of the Linux 2.6 kernel: +.TP +.B fragicmp +whether a tunnel's need to fragment a packet should be reported +back with an ICMP message, +in an attempt to make the sender lower his PMTU estimate; +acceptable values are +.B yes +(the default) +and +.BR no . +.TP +.B hidetos +whether a tunnel packet's TOS field should be set to +.B 0 +rather than copied from the user packet inside; +acceptable values are +.B yes +(the default) +and +.BR no +.TP +.B interfaces +virtual and physical interfaces for IPsec to use: +a single +\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated +by white space, or +.BR %none . +One of the pairs may be written as +.BR %defaultroute , +which means: find the interface \fId\fR that the default route points to, +and then act as if the value was ``\fBipsec0=\fId\fR''. +.B %defaultroute +is the default; +.B %none +must be used to denote no interfaces. +.TP +.B overridemtu +value that the MTU of the ipsec\fIn\fR interface(s) should be set to, +overriding IPsec's (large) default. +.SH FILES +.nf +/etc/ipsec.conf +/etc/ipsec.d/aacerts +/etc/ipsec.d/acerts +/etc/ipsec.d/cacerts +/etc/ipsec.d/certs +/etc/ipsec.d/crls + +.SH SEE ALSO +ipsec(8), pluto(8), starter(8) +.SH HISTORY +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project <http://www.strongswan.org> by +Tobias Brunner, Andreas Steffen and Martin Willi. +.SH BUGS +.PP +If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP +will fail. diff --git a/src/starter/keywords.c b/src/starter/keywords.c index df39f0dc7..1d7cae00b 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 121 +#define TOTAL_KEYWORDS 126 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 11 -#define MAX_HASH_VALUE 230 -/* maximum key range = 220, duplicates = 0 */ +#define MIN_HASH_VALUE 20 +#define MAX_HASH_VALUE 220 +/* maximum key range = 201, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 26, - 75, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 2, 231, 25, 231, 40, - 61, 2, 114, 24, 3, 2, 231, 101, 2, 96, - 48, 35, 23, 231, 4, 10, 3, 69, 25, 231, - 2, 18, 16, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231 + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 35, + 77, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 8, 221, 31, 221, 20, + 28, 5, 75, 26, 88, 5, 221, 97, 5, 50, + 39, 67, 29, 221, 7, 13, 6, 89, 15, 221, + 5, 24, 7, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221 }; register int hval = len; @@ -128,7 +128,6 @@ static const struct kw_entry wordlist[] = {"right", KW_RIGHT}, {"lifetime", KW_KEYLIFE}, {"leftcert", KW_LEFTCERT,}, - {"reauth", KW_REAUTH}, {"leftfirewall", KW_LEFTFIREWALL}, {"leftsendcert", KW_LEFTSENDCERT}, {"rightikeport", KW_RIGHTIKEPORT}, @@ -137,142 +136,147 @@ static const struct kw_entry wordlist[] = {"leftgroups", KW_LEFTGROUPS}, {"rekey", KW_REKEY}, {"rightsubnet", KW_RIGHTSUBNET}, + {"crluri", KW_CRLURI}, {"rightsendcert", KW_RIGHTSENDCERT}, - {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"xauth", KW_XAUTH}, - {"leftallowany", KW_LEFTALLOWANY}, + {"reqid", KW_REQID}, + {"rightcert", KW_RIGHTCERT}, + {"certuribase", KW_CERTURIBASE}, {"esp", KW_ESP}, + {"leftallowany", KW_LEFTALLOWANY}, + {"rightid", KW_RIGHTID}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {"leftnexthop", KW_LEFTNEXTHOP}, {"lifebytes", KW_LIFEBYTES}, {"rightrsasigkey", KW_RIGHTRSASIGKEY}, - {"rightauth", KW_RIGHTAUTH}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, {"rightprotoport", KW_RIGHTPROTOPORT}, + {"rightgroups", KW_RIGHTGROUPS}, {"plutostart", KW_PLUTOSTART}, {"strictcrlpolicy", KW_STRICTCRLPOLICY}, {"lifepackets", KW_LIFEPACKETS}, - {"rightgroups", KW_RIGHTGROUPS}, {"rightsourceip", KW_RIGHTSOURCEIP}, {"eap", KW_EAP}, - {"crluri", KW_CRLURI}, - {"hidetos", KW_HIDETOS}, - {"rightcert", KW_RIGHTCERT}, - {"certuribase", KW_CERTURIBASE}, - {"leftca", KW_LEFTCA}, - {"leftnatip", KW_LEFTNATIP}, - {"rightallowany", KW_RIGHTALLOWANY}, - {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, - {"also", KW_ALSO}, - {"packetdefault", KW_PACKETDEFAULT}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"leftsourceip", KW_LEFTSOURCEIP}, - {"rightid", KW_RIGHTID}, {"cacert", KW_CACERT}, {"rightca", KW_RIGHTCA}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"leftid", KW_LEFTID}, {"crluri1", KW_CRLURI}, - {"inactivity", KW_INACTIVITY}, + {"ldapbase", KW_LDAPBASE}, + {"leftca", KW_LEFTCA}, + {"leftnatip", KW_LEFTNATIP}, + {"rightallowany", KW_RIGHTALLOWANY}, {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"xauth_identity", KW_XAUTH_IDENTITY}, + {"inactivity", KW_INACTIVITY}, + {"packetdefault", KW_PACKETDEFAULT}, {"installpolicy", KW_INSTALLPOLICY}, - {"leftauth", KW_LEFTAUTH}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, {"leftupdown", KW_LEFTUPDOWN}, - {"leftsubnet", KW_LEFTSUBNET}, {"rightnatip", KW_RIGHTNATIP}, - {"ocspuri", KW_OCSPURI}, {"rightnexthop", KW_RIGHTNEXTHOP}, + {"cachecrls", KW_CACHECRLS}, + {"dpddelay", KW_DPDDELAY}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"mediated_by", KW_MEDIATED_BY}, + {"me_peerid", KW_ME_PEERID}, + {"plutodebug", KW_PLUTODEBUG}, + {"eap_identity", KW_EAP_IDENTITY}, {"leftcert2", KW_LEFTCERT2,}, {"rightid2", KW_RIGHTID2}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"compress", KW_COMPRESS}, - {"ldapbase", KW_LDAPBASE}, - {"auth", KW_AUTH}, - {"postpluto", KW_POSTPLUTO}, - {"charonstart", KW_CHARONSTART}, + {"rekeyfuzz", KW_REKEYFUZZ}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"rightfirewall", KW_RIGHTFIREWALL}, + {"ocspuri", KW_OCSPURI}, + {"also", KW_ALSO}, + {"mediation", KW_MEDIATION}, {"ike", KW_IKE}, + {"dpdaction", KW_DPDACTION}, + {"rekeymargin", KW_REKEYMARGIN}, + {"compress", KW_COMPRESS}, {"ldaphost", KW_LDAPHOST}, - {"leftca2", KW_LEFTCA2}, - {"dpddelay", KW_DPDDELAY}, - {"ocspuri1", KW_OCSPURI}, - {"rightauth2", KW_RIGHTAUTH2}, - {"eap_identity", KW_EAP_IDENTITY}, - {"leftikeport", KW_LEFTIKEPORT}, - {"plutodebug", KW_PLUTODEBUG}, - {"cachecrls", KW_CACHECRLS}, - {"charondebug", KW_CHARONDEBUG}, + {"leftsubnet", KW_LEFTSUBNET}, {"crluri2", KW_CRLURI2}, {"rightca2", KW_RIGHTCA2}, - {"mediated_by", KW_MEDIATED_BY}, + {"leftsourceip", KW_LEFTSOURCEIP}, {"rightcert2", KW_RIGHTCERT2}, - {"leftid", KW_LEFTID}, - {"auto", KW_AUTO}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"rightfirewall", KW_RIGHTFIREWALL}, - {"authby", KW_AUTHBY}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"uniqueids", KW_UNIQUEIDS}, - {"prepluto", KW_PREPLUTO}, - {"keep_alive", KW_KEEP_ALIVE}, + {"pfs", KW_PFS}, + {"leftid2", KW_LEFTID2}, + {"dpdtimeout", KW_DPDTIMEOUT}, + {"leftikeport", KW_LEFTIKEPORT}, + {"leftca2", KW_LEFTCA2}, + {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"xauth", KW_XAUTH}, + {"rightauth2", KW_RIGHTAUTH2}, + {"mark_in", KW_MARK_IN}, {"mobike", KW_MOBIKE}, - {"overridemtu", KW_OVERRIDEMTU}, + {"margintime", KW_REKEYMARGIN}, {"dumpdir", KW_DUMPDIR}, - {"dpdaction", KW_DPDACTION}, - {"rekeyfuzz", KW_REKEYFUZZ}, - {"leftid2", KW_LEFTID2}, - {"keyingtries", KW_KEYINGTRIES}, - {"pfs", KW_PFS}, - {"nocrsend", KW_NOCRSEND}, + {"ocspuri1", KW_OCSPURI}, {"keyexchange", KW_KEYEXCHANGE}, - {"leftauth2", KW_LEFTAUTH2}, - {"mediation", KW_MEDIATION}, - {"rekeymargin", KW_REKEYMARGIN}, - {"ocspuri2", KW_OCSPURI2}, - {"pkcs11module", KW_PKCS11MODULE}, - {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"me_peerid", KW_ME_PEERID}, - {"forceencaps", KW_FORCEENCAPS}, - {"pkcs11initargs", KW_PKCS11INITARGS}, - {"pkcs11proxy", KW_PKCS11PROXY}, - {"margintime", KW_REKEYMARGIN}, - {"interfaces", KW_INTERFACES}, {"fragicmp", KW_FRAGICMP}, + {"rightauth", KW_RIGHTAUTH}, + {"interfaces", KW_INTERFACES}, {"marginbytes", KW_MARGINBYTES}, {"marginpackets", KW_MARGINPACKETS}, - {"dpdtimeout", KW_DPDTIMEOUT}, + {"nocrsend", KW_NOCRSEND}, + {"keep_alive", KW_KEEP_ALIVE}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"keyingtries", KW_KEYINGTRIES}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"uniqueids", KW_UNIQUEIDS}, + {"mark_out", KW_MARK_OUT}, + {"charonstart", KW_CHARONSTART}, {"klipsdebug", KW_KLIPSDEBUG}, - {"modeconfig", KW_MODECONFIG}, - {"pfsgroup", KW_PFSGROUP}, + {"force_keepalive", KW_FORCE_KEEPALIVE}, + {"forceencaps", KW_FORCEENCAPS}, + {"authby", KW_AUTHBY}, + {"postpluto", KW_POSTPLUTO}, + {"pkcs11module", KW_PKCS11MODULE}, + {"ocspuri2", KW_OCSPURI2}, + {"hidetos", KW_HIDETOS}, + {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, + {"mark", KW_MARK}, + {"charondebug", KW_CHARONDEBUG}, + {"leftauth2", KW_LEFTAUTH2}, + {"overridemtu", KW_OVERRIDEMTU}, + {"pkcs11initargs", KW_PKCS11INITARGS}, {"keylife", KW_KEYLIFE}, - {"ikelifetime", KW_IKELIFETIME} + {"auto", KW_AUTO}, + {"ikelifetime", KW_IKELIFETIME}, + {"reauth", KW_REAUTH}, + {"leftauth", KW_LEFTAUTH}, + {"pkcs11proxy", KW_PKCS11PROXY}, + {"prepluto", KW_PREPLUTO}, + {"pfsgroup", KW_PFSGROUP}, + {"auth", KW_AUTH}, + {"modeconfig", KW_MODECONFIG} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, 0, -1, -1, 1, -1, 2, 3, 4, -1, - 5, 6, -1, 7, 8, -1, -1, 9, 10, 11, - 12, -1, 13, -1, 14, 15, 16, -1, 17, -1, - 18, 19, 20, 21, -1, 22, 23, -1, 24, 25, - 26, 27, 28, 29, 30, -1, -1, 31, 32, 33, - 34, 35, 36, 37, 38, -1, 39, 40, -1, 41, - -1, -1, -1, 42, 43, -1, 44, 45, 46, 47, - 48, 49, -1, 50, 51, 52, 53, 54, 55, 56, - 57, 58, 59, -1, -1, 60, -1, -1, 61, -1, - -1, 62, -1, -1, 63, 64, -1, -1, 65, 66, - -1, 67, 68, 69, -1, -1, 70, -1, 71, 72, - 73, -1, -1, -1, 74, -1, 75, -1, 76, 77, - 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, - 88, 89, 90, 91, 92, 93, -1, 94, 95, -1, - 96, -1, -1, -1, 97, -1, 98, 99, 100, -1, - -1, 101, 102, -1, 103, -1, -1, 104, 105, -1, - 106, -1, 107, -1, 108, -1, -1, -1, -1, 109, - -1, 110, -1, -1, 111, -1, -1, -1, -1, 112, - 113, -1, 114, 115, -1, -1, -1, -1, 116, -1, - 117, -1, -1, 118, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, 119, -1, -1, -1, - 120 + 0, -1, -1, 1, -1, -1, -1, -1, 2, 3, + -1, -1, 4, 5, -1, 6, 7, -1, -1, 8, + 9, 10, 11, 12, 13, 14, -1, 15, 16, -1, + 17, 18, 19, 20, -1, 21, 22, 23, -1, -1, + 24, 25, 26, 27, 28, 29, -1, 30, 31, 32, + 33, 34, 35, -1, 36, -1, -1, 37, 38, 39, + 40, 41, 42, 43, -1, 44, 45, 46, 47, -1, + 48, -1, 49, 50, 51, 52, 53, 54, 55, -1, + 56, 57, 58, 59, 60, 61, 62, 63, -1, 64, + 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, + 75, -1, 76, 77, 78, 79, -1, -1, 80, 81, + 82, -1, 83, 84, -1, 85, 86, 87, 88, 89, + 90, -1, 91, -1, 92, -1, 93, 94, 95, -1, + -1, 96, 97, -1, 98, 99, -1, -1, -1, -1, + -1, -1, 100, -1, 101, -1, 102, -1, -1, -1, + 103, 104, -1, -1, 105, -1, -1, 106, 107, 108, + 109, 110, 111, -1, 112, 113, -1, 114, 115, 116, + -1, 117, -1, 118, 119, 120, 121, -1, -1, -1, + 122, -1, -1, -1, -1, -1, -1, -1, 123, -1, + -1, -1, 124, -1, -1, -1, -1, -1, -1, -1, + 125 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 6c3907a6a..25d2ce4b9 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -93,12 +93,17 @@ typedef enum { KW_INACTIVITY, KW_MODECONFIG, KW_XAUTH, + KW_XAUTH_IDENTITY, KW_MEDIATION, KW_MEDIATED_BY, KW_ME_PEERID, + KW_REQID, + KW_MARK, + KW_MARK_IN, + KW_MARK_OUT, #define KW_CONN_FIRST KW_CONN_SETUP -#define KW_CONN_LAST KW_ME_PEERID +#define KW_CONN_LAST KW_MARK_OUT /* ca section keywords */ KW_CA_NAME, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 12037a685..fcdc60cff 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -84,9 +84,14 @@ dpdaction, KW_DPDACTION inactivity, KW_INACTIVITY modeconfig, KW_MODECONFIG xauth, KW_XAUTH +xauth_identity, KW_XAUTH_IDENTITY mediation, KW_MEDIATION mediated_by, KW_MEDIATED_BY me_peerid, KW_ME_PEERID +reqid, KW_REQID +mark, KW_MARK +mark_in, KW_MARK_IN +mark_out, KW_MARK_OUT cacert, KW_CACERT ldaphost, KW_LDAPHOST ldapbase, KW_LDAPBASE diff --git a/src/starter/starter.c b/src/starter/starter.c index 50ef9c07b..c3ba54f1d 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -241,6 +241,7 @@ int main (int argc, char **argv) time_t last_reload; bool no_fork = FALSE; bool attach_gdb = FALSE; + bool load_warning = FALSE; /* global variables defined in log.h */ log_to_stderr = TRUE; @@ -300,6 +301,21 @@ int main (int argc, char **argv) plog("Starting strongSwan "VERSION" IPsec [starter]..."); +#ifdef LOAD_WARNING + load_warning = TRUE; +#endif + + if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning)) + { + if (lib->settings->get_str(lib->settings, "charon.load", NULL) || + lib->settings->get_str(lib->settings, "pluto.load", NULL)) + { + plog("!! Your strongswan.conf contains manual plugin load options for"); + plog("!! pluto and/or charon. This is recommended for experts only, see"); + plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad"); + } + } + /* verify that we can start */ if (getuid() != 0) { diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index d877661ec..9c69ab9e5 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -269,6 +269,11 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.ikeme.mediation = conn->me_mediation; msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by); msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid); + msg.add_conn.reqid = conn->reqid; + msg.add_conn.mark_in.value = conn->mark_in.value; + msg.add_conn.mark_in.mask = conn->mark_in.mask; + msg.add_conn.mark_out.value = conn->mark_out.value; + msg.add_conn.mark_out.mask = conn->mark_out.mask; starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 527142a4e..58034d96b 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c @@ -93,6 +93,7 @@ static int send_whack_msg (whack_message_t *msg) || !pack_str(&msg->sc_data, &str_next, &str_roof) || !pack_str(&msg->whack_lease_ip, &str_next, &str_roof) || !pack_str(&msg->whack_lease_id, &str_next, &str_roof) + || !pack_str(&msg->xauth_identity, &str_next, &str_roof) || (str_roof - str_next < msg->keyval.len)) { plog("send_wack_msg(): can't pack strings"); @@ -285,6 +286,12 @@ int starter_whack_add_conn(starter_conn_t *conn) msg.sa_rekey_fuzz = conn->sa_rekey_fuzz; msg.sa_keying_tries = conn->sa_keying_tries; msg.policy = conn->policy; + msg.xauth_identity = conn->xauth_identity; + msg.reqid = conn->reqid; + msg.mark_in.value = conn->mark_in.value; + msg.mark_in.mask = conn->mark_in.mask; + msg.mark_out.value = conn->mark_out.value; + msg.mark_out.mask = conn->mark_out.mask; /* * Make sure the IKEv2-only policy bits are unset for IKEv1 connections diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 4353928b5..c7f264730 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index ffc67039e..a36cc9038 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -227,6 +227,7 @@ struct stroke_msg_t { time_t inactivity; int proxy_mode; int install_policy; + u_int32_t reqid; crl_policy_t crl_policy; int unique; @@ -255,6 +256,10 @@ struct stroke_msg_t { char *mediated_by; char *peerid; } ikeme; + struct { + u_int32_t value; + u_int32_t mask; + } mark_in, mark_out; stroke_end_t me, other; } add_conn; diff --git a/src/strongswan.conf b/src/strongswan.conf index 0ec4ae9ef..0d82dedfa 100644 --- a/src/strongswan.conf +++ b/src/strongswan.conf @@ -4,30 +4,27 @@ charon { # number of worker threads in charon threads = 16 - - # plugins to load in charon - # load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke - + + # send strongswan vendor ID? + # send_vendor_id = yes + plugins { sql { # loglevel to log into sql database loglevel = -1 - + # URI to the database # database = sqlite:///path/to/file.db # database = mysql://user:password@localhost/database } } - + # ... } pluto { - # plugins to load in pluto - # load = aes des sha1 md5 sha2 hmac gmp random pubkey - } libstrongswan { diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index 098e5110e..d163f2b58 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/whack/whack.c b/src/whack/whack.c index 5f986108b..643e4be04 100644 --- a/src/whack/whack.c +++ b/src/whack/whack.c @@ -1804,6 +1804,7 @@ int main(int argc, char **argv) || !pack_str(&msg.sc_data) /* string 26 */ || !pack_str(&msg.whack_lease_ip) /* string 27 */ || !pack_str(&msg.whack_lease_id) /* string 28 */ + || !pack_str(&msg.xauth_identity) /* string 29 */ || str_roof - next_str < (ptrdiff_t)msg.keyval.len) diag("too many bytes of strings to fit in message to pluto"); diff --git a/src/whack/whack.h b/src/whack/whack.h index b495d3489..f8e6a9a88 100644 --- a/src/whack/whack.h +++ b/src/whack/whack.h @@ -48,7 +48,7 @@ typedef enum { */ #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24) -#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26) +#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 30) typedef struct whack_end whack_end_t; @@ -129,6 +129,14 @@ struct whack_message { time_t dpd_timeout; dpd_action_t dpd_action; + + /* Assign optional fixed reqid and xfrm marks to IPsec SA */ + u_int32_t reqid; + struct { + u_int32_t value; + u_int32_t mask; + } mark_in, mark_out; + /* note that each end contains string 2/5.id, string 3/6 cert, * and string 4/7 updown */ @@ -214,30 +222,40 @@ struct whack_message { int inbase, outbase; char *sc_data; + /* XAUTH user identity */ + char *xauth_identity; + /* space for strings (hope there is enough room): * Note that pointers don't travel on wire. - * 1 connection name [name_len] - * 2 left's name [left.host.name.len] + * 1 connection name + * 2 left's id * 3 left's cert * 4 left's ca * 5 left's groups * 6 left's updown - * 7 right's name [left.host.name.len] - * 8 right's cert - * 9 right's ca - * 10 right's groups - * 11 right's updown - * 12 keyid - * 13 myid - * 14 cacert - * 15 ldaphost - * 16 ldapbase - * 17 crluri - * 18 crluri2 - * 19 ocspuri - * 20 ike - " 21 esp - * 22 rsa_data + * 7 left's source ip + * 8 left's virtual ip ranges + * 9 right's id + * 10 right's cert + * 11 right's ca + * 12 right's groups + * 13 right's updown + * 14 right's source ip + * 15 right's virtual ip ranges + * 16 keyid + * 17 myid + * 18 cacert + * 19 ldaphost + * 20 ldapbase + * 21 crluri + * 22 crluri2 + * 23 ocspuri + * 24 ike + * 25 esp + * 26 smartcard data + * 27 whack leases ip argument + * 28 whack leases id argument + * 29 xauth identity * plus keyval (limit: 8K bits + overhead), a chunk. */ size_t str_size; |