-rw-r--r--Android.mk3
-rw-r--r--Android.mk.in1
-rw-r--r--Makefile.am2
-rw-r--r--Makefile.in7
-rw-r--r--NEWS44
-rwxr-xr-xconfigure392
-rw-r--r--configure.in41
-rw-r--r--init/Makefile.am6
-rw-r--r--init/Makefile.in620
-rw-r--r--init/systemd/Makefile.am8
-rw-r--r--init/systemd/Makefile.in472
-rw-r--r--init/systemd/strongswan.service.in10
-rw-r--r--man/Makefile.in3
-rw-r--r--man/ipsec.conf.521
-rw-r--r--man/ipsec.conf.5.in19
-rw-r--r--man/ipsec.secrets.52
-rw-r--r--man/strongswan.conf.547
-rw-r--r--man/strongswan.conf.5.in45
-rw-r--r--scripts/Makefile.in3
-rw-r--r--scripts/fetch.c38
-rw-r--r--src/Makefile.in3
-rw-r--r--src/_copyright/Makefile.in3
-rw-r--r--src/_updown/Makefile.in3
-rw-r--r--src/_updown_espmark/Makefile.in3
-rw-r--r--src/charon/Makefile.in3
-rw-r--r--src/charon/charon.c11
-rw-r--r--src/checksum/Makefile.in3
-rw-r--r--src/conftest/Makefile.in3
-rw-r--r--src/conftest/conftest.c2
-rw-r--r--src/conftest/hooks/log_ts.c24
-rw-r--r--src/dumm/Makefile.in3
-rw-r--r--src/dumm/main.c13
-rw-r--r--src/include/Makefile.am2
-rw-r--r--src/include/Makefile.in5
-rw-r--r--src/include/linux/if_alg.h40
-rw-r--r--src/include/linux/xfrm.h13
-rw-r--r--src/ipsec/Makefile.in3
-rw-r--r--src/libcharon/Android.mk11
-rw-r--r--src/libcharon/Makefile.am37
-rw-r--r--src/libcharon/Makefile.in191
-rw-r--r--src/libcharon/bus/listeners/file_logger.c47
-rw-r--r--src/libcharon/bus/listeners/sys_logger.c51
-rw-r--r--src/libcharon/config/proposal.c19
-rw-r--r--src/libcharon/config/proposal.h13
-rw-r--r--src/libcharon/control/controller.c4
-rw-r--r--src/libcharon/daemon.c10
-rw-r--r--src/libcharon/encoding/message.c36
-rw-r--r--src/libcharon/plugins/addrblock/Makefile.in3
-rw-r--r--src/libcharon/plugins/addrblock/addrblock_plugin.c8
-rw-r--r--src/libcharon/plugins/addrblock/addrblock_validator.c6
-rw-r--r--src/libcharon/plugins/android/Makefile.in3
-rw-r--r--src/libcharon/plugins/android/android_plugin.c11
-rw-r--r--src/libcharon/plugins/coupling/Makefile.am16
-rw-r--r--src/libcharon/plugins/coupling/Makefile.in608
-rw-r--r--src/libcharon/plugins/coupling/coupling_plugin.c81
-rw-r--r--src/libcharon/plugins/coupling/coupling_plugin.h42
-rw-r--r--src/libcharon/plugins/coupling/coupling_validator.c258
-rw-r--r--src/libcharon/plugins/coupling/coupling_validator.h49
-rw-r--r--src/libcharon/plugins/dhcp/Makefile.in3
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_plugin.c8
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_socket.c3
-rw-r--r--src/libcharon/plugins/duplicheck/Makefile.am21
-rw-r--r--src/libcharon/plugins/duplicheck/Makefile.in668
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck.c59
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_listener.c262
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_listener.h54
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_notify.c211
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_notify.h51
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_plugin.c94
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_plugin.h42
-rw-r--r--src/libcharon/plugins/eap_aka/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_peer.c122
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_plugin.c24
-rw-r--r--src/libcharon/plugins/eap_aka/eap_aka_server.c88
-rw-r--r--src/libcharon/plugins/eap_aka_3gpp2/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c26
-rw-r--r--src/libcharon/plugins/eap_gtc/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_gtc/eap_gtc.c102
-rw-r--r--src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c22
-rw-r--r--src/libcharon/plugins/eap_identity/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_identity/eap_identity.c30
-rw-r--r--src/libcharon/plugins/eap_identity/eap_identity_plugin.c8
-rw-r--r--src/libcharon/plugins/eap_md5/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_md5/eap_md5.c26
-rw-r--r--src/libcharon/plugins/eap_md5/eap_md5_plugin.c8
-rw-r--r--src/libcharon/plugins/eap_mschapv2/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c105
-rw-r--r--src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c24
-rw-r--r--src/libcharon/plugins/eap_peap/Makefile.am21
-rw-r--r--src/libcharon/plugins/eap_peap/Makefile.in617
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap.c213
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap.h59
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_avp.c152
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_avp.h71
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_peer.c256
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_peer.h49
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_plugin.c59
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_plugin.h47
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_server.c432
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_server.h49
-rw-r--r--src/libcharon/plugins/eap_radius/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius.c28
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_plugin.c79
-rw-r--r--src/libcharon/plugins/eap_radius/radius_client.c21
-rw-r--r--src/libcharon/plugins/eap_radius/radius_server.c55
-rw-r--r--src/libcharon/plugins/eap_radius/radius_server.h18
-rw-r--r--src/libcharon/plugins/eap_radius/radius_socket.c80
-rw-r--r--src/libcharon/plugins/eap_radius/radius_socket.h8
-rw-r--r--src/libcharon/plugins/eap_sim/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_sim/eap_sim_peer.c143
-rw-r--r--src/libcharon/plugins/eap_sim/eap_sim_plugin.c24
-rw-r--r--src/libcharon/plugins/eap_sim/eap_sim_server.c83
-rw-r--r--src/libcharon/plugins/eap_sim_file/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c51
-rw-r--r--src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c28
-rw-r--r--src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c41
-rw-r--r--src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c28
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/Makefile.am18
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/Makefile.in611
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c392
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.h48
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.c73
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.h41
-rw-r--r--src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c26
-rw-r--r--src/libcharon/plugins/eap_simaka_reauth/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c26
-rw-r--r--src/libcharon/plugins/eap_simaka_sql/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c8
-rw-r--r--src/libcharon/plugins/eap_tls/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_tls/eap_tls.c20
-rw-r--r--src/libcharon/plugins/eap_tls/eap_tls_plugin.c7
-rw-r--r--src/libcharon/plugins/eap_tnc/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_tnc/eap_tnc.c22
-rw-r--r--src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c8
-rw-r--r--src/libcharon/plugins/eap_ttls/Makefile.in3
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls.c22
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls_peer.c49
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c7
-rw-r--r--src/libcharon/plugins/farp/Makefile.in3
-rw-r--r--src/libcharon/plugins/farp/farp_plugin.c8
-rw-r--r--src/libcharon/plugins/ha/Makefile.in3
-rw-r--r--src/libcharon/plugins/ha/ha_child.c4
-rw-r--r--src/libcharon/plugins/ha/ha_dispatcher.c5
-rw-r--r--src/libcharon/plugins/ha/ha_message.c2
-rw-r--r--src/libcharon/plugins/ha/ha_message.h2
-rw-r--r--src/libcharon/plugins/ha/ha_plugin.c8
-rw-r--r--src/libcharon/plugins/led/Makefile.in3
-rw-r--r--src/libcharon/plugins/led/led_plugin.c8
-rw-r--r--src/libcharon/plugins/load_tester/Makefile.in3
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_ipsec.c4
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_plugin.c51
-rw-r--r--src/libcharon/plugins/maemo/Makefile.in3
-rw-r--r--src/libcharon/plugins/maemo/maemo_plugin.c11
-rw-r--r--src/libcharon/plugins/medcli/Makefile.in3
-rw-r--r--src/libcharon/plugins/medcli/medcli_plugin.c26
-rw-r--r--src/libcharon/plugins/medsrv/Makefile.in3
-rw-r--r--src/libcharon/plugins/medsrv/medsrv_plugin.c26
-rw-r--r--src/libcharon/plugins/nm/Makefile.in3
-rw-r--r--src/libcharon/plugins/nm/nm_plugin.c33
-rw-r--r--src/libcharon/plugins/smp/Makefile.in3
-rw-r--r--src/libcharon/plugins/smp/smp.c24
-rw-r--r--src/libcharon/plugins/socket_default/Makefile.in3
-rw-r--r--src/libcharon/plugins/socket_default/socket_default_plugin.c9
-rw-r--r--src/libcharon/plugins/socket_dynamic/Makefile.in3
-rw-r--r--src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c9
-rw-r--r--src/libcharon/plugins/socket_raw/Makefile.in3
-rw-r--r--src/libcharon/plugins/socket_raw/socket_raw_plugin.c9
-rw-r--r--src/libcharon/plugins/sql/Makefile.in3
-rw-r--r--src/libcharon/plugins/sql/sql_plugin.c8
-rw-r--r--src/libcharon/plugins/stroke/Makefile.in3
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_control.c193
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c17
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c9
-rw-r--r--src/libcharon/plugins/stroke/stroke_plugin.c8
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c4
-rw-r--r--src/libcharon/plugins/tnc_imc/Makefile.in3
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc.c36
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c18
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc_manager.c36
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c14
-rw-r--r--src/libcharon/plugins/tnc_imv/Makefile.in3
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv.c35
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c36
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_manager.c70
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c14
-rw-r--r--src/libcharon/plugins/tnccs_11/Makefile.in3
-rw-r--r--src/libcharon/plugins/tnccs_11/tnccs_11.c44
-rw-r--r--src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c10
-rw-r--r--src/libcharon/plugins/tnccs_20/Makefile.in3
-rw-r--r--src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c18
-rw-r--r--src/libcharon/plugins/tnccs_20/tnccs_20.c70
-rw-r--r--src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c10
-rw-r--r--src/libcharon/plugins/tnccs_dynamic/Makefile.in3
-rw-r--r--src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c10
-rw-r--r--src/libcharon/plugins/uci/Makefile.in3
-rw-r--r--src/libcharon/plugins/uci/uci_plugin.c34
-rw-r--r--src/libcharon/plugins/unit_tester/Makefile.in3
-rw-r--r--src/libcharon/plugins/unit_tester/unit_tester.c26
-rw-r--r--src/libcharon/plugins/updown/Makefile.in3
-rw-r--r--src/libcharon/plugins/updown/updown_plugin.c26
-rw-r--r--src/libcharon/plugins/whitelist/Makefile.am21
-rw-r--r--src/libcharon/plugins/whitelist/Makefile.in668
-rw-r--r--src/libcharon/plugins/whitelist/whitelist.c190
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_control.c233
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_control.h44
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_listener.c213
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_listener.h87
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_msg.h58
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_plugin.c83
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_plugin.h42
-rw-r--r--src/libcharon/processing/jobs/delete_ike_sa_job.c4
-rw-r--r--src/libcharon/sa/authenticators/eap/eap_method.h21
-rw-r--r--src/libcharon/sa/authenticators/eap/sim_card.h125
-rw-r--r--src/libcharon/sa/authenticators/eap/sim_hooks.h53
-rw-r--r--src/libcharon/sa/authenticators/eap/sim_manager.c298
-rw-r--r--src/libcharon/sa/authenticators/eap/sim_manager.h229
-rw-r--r--src/libcharon/sa/authenticators/eap/sim_provider.h124
-rw-r--r--src/libcharon/sa/authenticators/eap_authenticator.c16
-rw-r--r--src/libcharon/sa/child_sa.c5
-rw-r--r--src/libcharon/sa/ike_sa.c8
-rw-r--r--src/libcharon/sa/ike_sa.h3
-rw-r--r--src/libcharon/sa/task_manager.c21
-rw-r--r--src/libcharon/sa/tasks/child_delete.c1
-rw-r--r--src/libcharon/sa/tasks/child_rekey.c6
-rw-r--r--src/libcharon/sa/tasks/ike_config.c2
-rw-r--r--src/libcharon/sa/tasks/ike_rekey.c202
-rw-r--r--src/libcharon/tnc/imc/imc_manager.h8
-rw-r--r--src/libcharon/tnc/imv/imv_manager.h15
-rw-r--r--src/libcharon/tnc/tnccs/tnccs.h3
-rw-r--r--src/libcharon/tnc/tnccs/tnccs_manager.c40
-rw-r--r--src/libcharon/tnc/tnccs/tnccs_manager.h4
-rw-r--r--src/libfast/Makefile.in3
-rw-r--r--src/libfreeswan/Makefile.in3
-rw-r--r--src/libfreeswan/atoaddr.c24
-rw-r--r--src/libfreeswan/pfkey_v2_debug.c44
-rw-r--r--src/libfreeswan/pfkey_v2_parse.c1
-rw-r--r--src/libfreeswan/satot.c12
-rw-r--r--src/libhydra/Makefile.in3
-rw-r--r--src/libhydra/kernel/kernel_interface.c6
-rw-r--r--src/libhydra/kernel/kernel_interface.h3
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h3
-rw-r--r--src/libhydra/plugins/attr/Makefile.in3
-rw-r--r--src/libhydra/plugins/attr/attr_plugin.c15
-rw-r--r--src/libhydra/plugins/attr/attr_provider.c102
-rw-r--r--src/libhydra/plugins/attr/attr_provider.h5
-rw-r--r--src/libhydra/plugins/attr_sql/Makefile.in3
-rw-r--r--src/libhydra/plugins/attr_sql/attr_sql_plugin.c9
-rw-r--r--src/libhydra/plugins/attr_sql/pool.c19
-rw-r--r--src/libhydra/plugins/attr_sql/pool_attributes.c24
-rw-r--r--src/libhydra/plugins/kernel_klips/Makefile.in3
-rw-r--r--src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c2
-rw-r--r--src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c8
-rw-r--r--src/libhydra/plugins/kernel_netlink/Makefile.in3
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c253
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c144
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c8
-rw-r--r--src/libhydra/plugins/kernel_pfkey/Makefile.in3
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c2
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c8
-rw-r--r--src/libhydra/plugins/kernel_pfroute/Makefile.in3
-rw-r--r--src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c121
-rw-r--r--src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c8
-rw-r--r--src/libhydra/plugins/resolve/Makefile.in3
-rw-r--r--src/libhydra/plugins/resolve/resolve_handler.c4
-rw-r--r--src/libhydra/plugins/resolve/resolve_plugin.c8
-rw-r--r--src/libsimaka/Makefile.in3
-rw-r--r--src/libstrongswan/Android.mk5
-rw-r--r--src/libstrongswan/Makefile.am2
-rw-r--r--src/libstrongswan/Makefile.in17
-rw-r--r--src/libstrongswan/asn1/asn1.c65
-rw-r--r--src/libstrongswan/asn1/oid.c549
-rw-r--r--src/libstrongswan/asn1/oid.h292
-rw-r--r--src/libstrongswan/asn1/oid.txt13
-rw-r--r--src/libstrongswan/chunk.h2
-rw-r--r--src/libstrongswan/credentials/cred_encoding.c7
-rw-r--r--src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c6
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c6
-rw-r--r--src/libstrongswan/crypto/crypto_tester.h2
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.c141
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.txt2
-rw-r--r--src/libstrongswan/crypto/transform.c5
-rw-r--r--src/libstrongswan/crypto/transform.h13
-rw-r--r--src/libstrongswan/eap/eap.c21
-rw-r--r--src/libstrongswan/eap/eap.h15
-rw-r--r--src/libstrongswan/fetcher/fetcher.c33
-rw-r--r--src/libstrongswan/fetcher/fetcher.h51
-rw-r--r--src/libstrongswan/fetcher/fetcher_manager.c73
-rw-r--r--src/libstrongswan/fetcher/fetcher_manager.h9
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/aes/aes_crypter.c1
-rw-r--r--src/libstrongswan/plugins/aes/aes_plugin.c12
-rw-r--r--src/libstrongswan/plugins/af_alg/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_crypter.c5
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_crypter.h4
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_hasher.c4
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_hasher.h4
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_ops.c2
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_ops.h2
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_plugin.c16
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_prf.c4
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_prf.h4
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_signer.c4
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_signer.h4
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/agent/agent_plugin.c8
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish_crypter.c1
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish_plugin.c12
-rw-r--r--src/libstrongswan/plugins/ccm/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/ccm/ccm_plugin.c28
-rw-r--r--src/libstrongswan/plugins/constraints/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_plugin.c8
-rw-r--r--src/libstrongswan/plugins/ctr/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/ctr/ctr_plugin.c14
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/curl/curl_fetcher.c46
-rw-r--r--src/libstrongswan/plugins/curl/curl_plugin.c8
-rw-r--r--src/libstrongswan/plugins/des/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/des/des_crypter.c1
-rw-r--r--src/libstrongswan/plugins/des/des_plugin.c16
-rw-r--r--src/libstrongswan/plugins/dnskey/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/dnskey/dnskey_plugin.c8
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c12
-rw-r--r--src/libstrongswan/plugins/gcm/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/gcm/gcm_plugin.c22
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c76
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_plugin.c34
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/hmac/hmac.c4
-rw-r--r--src/libstrongswan/plugins/hmac/hmac_plugin.c40
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/ldap/ldap_fetcher.c3
-rw-r--r--src/libstrongswan/plugins/ldap/ldap_plugin.c8
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/md4/md4_plugin.c12
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/md5/md5_plugin.c12
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_plugin.c8
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crypter.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c82
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/padlock/padlock_aes_crypter.c4
-rw-r--r--src/libstrongswan/plugins/padlock/padlock_plugin.c20
-rw-r--r--src/libstrongswan/plugins/pem/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/pem/pem_plugin.c8
-rw-r--r--src/libstrongswan/plugins/pgp/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/pgp/pgp_plugin.c8
-rw-r--r--src/libstrongswan/plugins/pkcs1/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_builder.c2
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c8
-rw-r--r--src/libstrongswan/plugins/pkcs11/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_manager.c2
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c22
-rw-r--r--src/libstrongswan/plugins/plugin.h16
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c111
-rw-r--r--src/libstrongswan/plugins/plugin_loader.h12
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/pubkey/pubkey_plugin.c8
-rw-r--r--src/libstrongswan/plugins/random/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/random/random_plugin.c14
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_plugin.c8
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/sha1/sha1_plugin.c14
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/sha2/sha2_plugin.c18
-rw-r--r--src/libstrongswan/plugins/soup/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/soup/soup_fetcher.c55
-rw-r--r--src/libstrongswan/plugins/soup/soup_plugin.c8
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/sqlite/sqlite_plugin.c8
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors/des.c2
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c8
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c8
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_response.c2
-rw-r--r--src/libstrongswan/plugins/x509/x509_plugin.c8
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.in3
-rw-r--r--src/libstrongswan/plugins/xcbc/xcbc.c4
-rw-r--r--src/libstrongswan/plugins/xcbc/xcbc_plugin.c18
-rw-r--r--src/libstrongswan/processing/jobs/callback_job.c59
-rw-r--r--src/libstrongswan/processing/jobs/callback_job.h17
-rw-r--r--src/libstrongswan/processing/processor.c80
-rw-r--r--src/libstrongswan/processing/scheduler.c57
-rw-r--r--src/libstrongswan/settings.c113
-rw-r--r--src/libstrongswan/settings.h16
-rw-r--r--src/libstrongswan/threading/thread.c19
-rw-r--r--src/libstrongswan/utils.c10
-rw-r--r--src/libstrongswan/utils.h45
-rw-r--r--src/libstrongswan/utils/backtrace.c2
-rw-r--r--src/libstrongswan/utils/host.c1
-rw-r--r--src/libstrongswan/utils/identification.c54
-rw-r--r--src/libstrongswan/utils/leak_detective.c2
-rw-r--r--src/libstrongswan/utils/linked_list.c1
-rw-r--r--src/libtls/Makefile.in3
-rw-r--r--src/libtls/tls.c7
-rw-r--r--src/libtls/tls.h8
-rw-r--r--src/libtls/tls_crypto.c1
-rw-r--r--src/libtls/tls_eap.c148
-rw-r--r--src/libtls/tls_eap.h18
-rw-r--r--src/libtls/tls_peer.c82
-rw-r--r--src/libtls/tls_writer.c8
-rw-r--r--src/manager/Makefile.in3
-rw-r--r--src/medsrv/Makefile.in3
-rw-r--r--src/openac/Makefile.in3
-rwxr-xr-xsrc/openac/openac.c14
-rw-r--r--src/pki/Makefile.in3
-rw-r--r--src/pki/commands/req.c3
-rw-r--r--src/pki/commands/signcrl.c6
-rw-r--r--src/pluto/Makefile.in3
-rw-r--r--src/pluto/adns.c1
-rw-r--r--src/pluto/alg_info.c4
-rw-r--r--src/pluto/connections.c6
-rw-r--r--src/pluto/crl.c7
-rw-r--r--src/pluto/demux.c13
-rw-r--r--src/pluto/fetch.c5
-rw-r--r--src/pluto/ike_alg.c4
-rw-r--r--src/pluto/ipsec_doi.c185
-rw-r--r--src/pluto/kernel.c6
-rw-r--r--src/pluto/kernel_alg.c6
-rw-r--r--src/pluto/keys.c1
-rw-r--r--src/pluto/log.c17
-rw-r--r--src/pluto/modecfg.c25
-rw-r--r--src/pluto/ocsp.c2
-rw-r--r--src/pluto/plugins/xauth/Makefile.in3
-rw-r--r--src/pluto/plugins/xauth/xauth_plugin.c23
-rw-r--r--src/pluto/plutomain.c5
-rw-r--r--src/pluto/spdb.c4
-rw-r--r--src/pluto/state.c32
-rw-r--r--src/scepclient/Makefile.in3
-rw-r--r--src/scepclient/scepclient.c7
-rw-r--r--src/starter/Makefile.in3
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/interfaces.c1
-rw-r--r--src/starter/invokecharon.c2
-rw-r--r--src/starter/starter.c4
-rw-r--r--src/starter/starterstroke.c2
-rw-r--r--src/stroke/Makefile.in3
-rw-r--r--src/stroke/stroke.c2
-rw-r--r--src/stroke/stroke_msg.h8
-rw-r--r--src/whack/Makefile.in3
-rw-r--r--src/whack/whack.c1
-rw-r--r--testing/Makefile.in3
-rwxr-xr-xtesting/do-tests.in54
-rwxr-xr-xtesting/scripts/build-umlrootfs15
-rwxr-xr-xtesting/testing.conf11
-rw-r--r--testing/tests/af-alg-ikev1/alg-camellia/description.txt4
-rw-r--r--testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat11
-rwxr-xr-xtesting/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf11
-rwxr-xr-xtesting/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/af-alg-ikev1/alg-camellia/posttest.dat2
-rw-r--r--testing/tests/af-alg-ikev1/alg-camellia/pretest.dat5
-rw-r--r--testing/tests/af-alg-ikev1/alg-camellia/test.conf22
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/description.txt12
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/evaltest.dat10
-rwxr-xr-xtesting/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf16
-rwxr-xr-xtesting/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf15
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/posttest.dat6
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/pretest.dat9
-rw-r--r--testing/tests/af-alg-ikev1/rw-cert/test.conf21
-rw-r--r--testing/tests/af-alg-ikev2/alg-camellia/description.txt4
-rw-r--r--testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat11
-rwxr-xr-xtesting/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/af-alg-ikev2/alg-camellia/posttest.dat4
-rw-r--r--testing/tests/af-alg-ikev2/alg-camellia/pretest.dat7
-rw-r--r--testing/tests/af-alg-ikev2/alg-camellia/test.conf21
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/description.txt12
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/evaltest.dat10
-rwxr-xr-xtesting/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf12
-rwxr-xr-xtesting/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/posttest.dat6
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/pretest.dat9
-rw-r--r--testing/tests/af-alg-ikev2/rw-cert/test.conf21
-rw-r--r--testing/tests/ha/both-active/evaltest.dat14
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/description.txt10
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/pretest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt8
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/description.txt8
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat21
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf18
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf120
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default44
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel32
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users2
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables84
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/posttest.dat7
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/pretest.dat11
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy40
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-11/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy40
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-20/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config2
-rw-r--r--testing/tests/ikev2/rw-whitelist/description.txt3
-rw-r--r--testing/tests/ikev2/rw-whitelist/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf10
-rw-r--r--testing/tests/ikev2/rw-whitelist/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-whitelist/pretest.dat15
-rw-r--r--testing/tests/ikev2/rw-whitelist/test.conf21
587 files changed, 16577 insertions, 3216 deletions
diff --git a/Android.mk b/Android.mk
index 4c90f6340..d3188974d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -53,8 +53,9 @@ strongswan_CFLAGS := \
-DUSE_VSTR \
-DROUTING_TABLE=0 \
-DROUTING_TABLE_PRIO=220 \
- -DVERSION=\"4.5.1\" \
+ -DVERSION=\"4.5.2\" \
-DPLUGINS='"$(strongswan_PLUGINS)"' \
+ -DPLUGINDIR=\"/system/bin/ipsec\" \
-DIPSEC_DIR=\"/system/bin\" \
-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
-DSTRONGSWAN_CONF=\"/system/etc/strongswan.conf\" \
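Review bot: The new `-DPLUGINDIR=\"/system/bin/ipsec\"` define in this hunk (and the identical line in the Android.mk.in hunk) has no comment explaining what the path is for, which matters because PLUGINDIR is, as far as the name and the libstrongswan plugin loader elsewhere in the tree indicate, the directory from which plugin shared objects are loaded at daemon start, so it must stay on a root-owned, non-writable filesystem. Since /system is mounted read-only on Android the value looks acceptable, but that reasoning is not recorded, and it is not visible here whether the Android build loads plugins dynamically at all or links them monolithically. I would add `# PLUGINDIR: directory the plugin loader searches for plugins; keep it on the read-only /system partition` above the define in Android.mk.in, from which Android.mk appears to be generated (it carries the hard-coded version that the .in file takes from @PACKAGE_VERSION@). The enclosing strongswan_CFLAGS assignment starts before this hunk and continues past it.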
diff --git a/Android.mk.in b/Android.mk.in
index 1ad0b27fe..d1bec5a29 100644
--- a/Android.mk.in
+++ b/Android.mk.in
@@ -55,6 +55,7 @@ strongswan_CFLAGS := \
-DROUTING_TABLE_PRIO=220 \
-DVERSION=\"@PACKAGE_VERSION@\" \
-DPLUGINS='"$(strongswan_PLUGINS)"' \
+ -DPLUGINDIR=\"/system/bin/ipsec\" \
-DIPSEC_DIR=\"/system/bin\" \
-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
-DSTRONGSWAN_CONF=\"/system/etc/strongswan.conf\" \
diff --git a/Makefile.am b/Makefile.am
index cba5048b1..4757c8c7a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = src man testing
+SUBDIRS = src man init testing
if USE_SCRIPTS
SUBDIRS += scripts
diff --git a/Makefile.in b/Makefile.in
index eba785b0c..b2a4a2ef9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -73,7 +73,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
distdir dist dist-all distcheck
ETAGS = etags
CTAGS = ctags
-DIST_SUBDIRS = src man testing scripts
+DIST_SUBDIRS = src man init testing scripts
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
@@ -250,6 +250,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -273,6 +275,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -280,7 +283,7 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-SUBDIRS = src man testing $(am__append_1)
+SUBDIRS = src man init testing $(am__append_1)
ACLOCAL_AMFLAGS = -I m4/config
EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
CLEANFILES = Doxyfile
diff --git a/NEWS b/NEWS
index 42af2d37f..cc18e08f3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,47 @@
+strongswan-4.5.2
+----------------
+
+- The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
+ whitelist. Any connection attempt of peers not whitelisted will get rejected.
+ The 'ipsec whitelist' utility provides a simple command line frontend for
+ whitelist administration.
+
+- The duplicheck plugin provides a specialized form of duplicate checking,
+ doing a liveness check on the old SA and optionally notify a third party
+ application about detected duplicates.
+
+- The coupling plugin permanently couples two or more devices by limiting
+ authentication to previously used certificates.
+
+- In the case that the peer config and child config don't have the same name
+ (usually in SQL database defined connections), ipsec up|route <peer config>
+ starts|routes all associated child configs and ipsec up|route <child config>
+ only starts|routes the specific child config.
+
+- fixed the encoding and parsing of X.509 certificate policy statements (CPS).
+
+- Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
+ pcsc-lite based SIM card backend.
+
+- The eap-peap plugin implements the EAP PEAP protocol. Interoperates
+ successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
+
+- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
+ all plugins to reload. Currently only the eap-radius and the attr plugins
+ support configuration reloading.
+
+- Added userland support to the IKEv2 daemon for Extended Sequence Numbers
+ support coming with Linux 2.6.39. To enable ESN on a connection, add
+ the 'esn' keyword to the proposal. The default proposal uses 32-bit sequence
+ numbers only ('noesn'), and the same value is used if no ESN mode is
+ specified. To negotiate ESN support with the peer, include both, e.g.
+ esp=aes128-sha1-esn-noesn.
+
+- In addition to ESN, Linux 2.6.39 gained support for replay windows larger
+ than 32 packets. The new global strongswan.conf option 'charon.replay_window'
+ configures the size of the replay window, in packets.
+
+
strongswan-4.5.1
----------------
diff --git a/configure b/configure
index b0b1cdc60..61c23e78a 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for strongSwan 4.5.1.
+# Generated by GNU Autoconf 2.67 for strongSwan 4.5.2.
#
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -698,8 +698,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='strongSwan'
PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.5.1'
-PACKAGE_STRING='strongSwan 4.5.1'
+PACKAGE_VERSION='4.5.2'
+PACKAGE_STRING='strongSwan 4.5.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -841,6 +841,8 @@ USE_EAP_RADIUS_FALSE
USE_EAP_RADIUS_TRUE
USE_EAP_TNC_FALSE
USE_EAP_TNC_TRUE
+USE_EAP_PEAP_FALSE
+USE_EAP_PEAP_TRUE
USE_EAP_TTLS_FALSE
USE_EAP_TTLS_TRUE
USE_EAP_TLS_FALSE
@@ -863,12 +865,20 @@ USE_EAP_SIMAKA_PSEUDONYM_FALSE
USE_EAP_SIMAKA_PSEUDONYM_TRUE
USE_EAP_SIMAKA_SQL_FALSE
USE_EAP_SIMAKA_SQL_TRUE
+USE_EAP_SIM_PCSC_FALSE
+USE_EAP_SIM_PCSC_TRUE
USE_EAP_SIM_FILE_FALSE
USE_EAP_SIM_FILE_TRUE
USE_EAP_SIM_FALSE
USE_EAP_SIM_TRUE
+USE_COUPLING_FALSE
+USE_COUPLING_TRUE
+USE_DUPLICHECK_FALSE
+USE_DUPLICHECK_TRUE
USE_LED_FALSE
USE_LED_TRUE
+USE_WHITELIST_FALSE
+USE_WHITELIST_TRUE
USE_HA_FALSE
USE_HA_TRUE
USE_LOAD_TESTER_FALSE
@@ -982,6 +992,8 @@ pluto_plugins
libcharon_plugins
nm_LIBS
nm_CFLAGS
+pcsclite_LIBS
+pcsclite_CFLAGS
dbusservicedir
maemo_LIBS
maemo_CFLAGS
@@ -1055,6 +1067,9 @@ CFLAGS
CC
ipsecgroup
ipsecuser
+systemdsystemunitdir
+HAVE_SYSTEMD_FALSE
+HAVE_SYSTEMD_TRUE
routing_table_prio
routing_table
linux_headers
@@ -1148,6 +1163,7 @@ with_routing_table
with_routing_table_prio
with_capabilities
with_mpz_powm_sec
+with_systemdsystemunitdir
with_xauth_module
with_user
with_group
@@ -1191,6 +1207,7 @@ enable_unit_tests
enable_load_tester
enable_eap_sim
enable_eap_sim_file
+enable_eap_sim_pcsc
enable_eap_simaka_sql
enable_eap_simaka_pseudonym
enable_eap_simaka_reauth
@@ -1202,6 +1219,7 @@ enable_eap_aka_3gpp2
enable_eap_mschapv2
enable_eap_tls
enable_eap_ttls
+enable_eap_peap
enable_eap_tnc
enable_eap_radius
enable_tnc_imc
@@ -1252,7 +1270,10 @@ enable_android
enable_maemo
enable_nm
enable_ha
+enable_whitelist
enable_led
+enable_duplicheck
+enable_coupling
enable_vstr
enable_monolithic
enable_dependency_tracking
@@ -1286,6 +1307,8 @@ gtk_CFLAGS
gtk_LIBS
maemo_CFLAGS
maemo_LIBS
+pcsclite_CFLAGS
+pcsclite_LIBS
nm_CFLAGS
nm_LIBS'
@@ -1830,7 +1853,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures strongSwan 4.5.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.5.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1900,7 +1923,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of strongSwan 4.5.1:";;
+ short | recursive ) echo "Configuration of strongSwan 4.5.2:";;
esac
cat <<\_ACEOF
@@ -1958,6 +1981,8 @@ Optional Features:
--enable-load-tester enable load testing plugin for IKEv2 daemon.
--enable-eap-sim enable SIM authentication module for EAP.
--enable-eap-sim-file enable EAP-SIM backend based on a triplet file.
+ --enable-eap-sim-pcsc enable EAP-SIM backend based on a smartcard reader.
+ Requires libpcsclite.
--enable-eap-simaka-sql enable EAP-SIM/AKA backend based on a
triplet/quintuplet SQL database.
--enable-eap-simaka-pseudonym
@@ -1974,6 +1999,7 @@ Optional Features:
--enable-eap-mschapv2 enable EAP MS-CHAPv2 authentication module.
--enable-eap-tls enable EAP TLS authentication module.
--enable-eap-ttls enable EAP TTLS authentication module.
+ --enable-eap-peap enable EAP PEAP authentication module.
--enable-eap-tnc enable EAP TNC trusted network connect module.
--enable-eap-radius enable RADIUS proxy authentication module.
--enable-tnc-imc enable TNC IMC module.
@@ -2037,8 +2063,13 @@ Optional Features:
--enable-maemo enable Maemo specific plugin.
--enable-nm enable NetworkManager plugin.
--enable-ha enable high availability cluster plugin.
+ --enable-whitelist enable peer identity whitelisting plugin.
--enable-led enable plugin to control LEDs on IKEv2 activity
using the Linux kernel LED subsystem.
+ --enable-duplicheck advanced duplicate checking plugin using liveness
+ checks.
+ --enable-coupling enable IKEv2 plugin to couple peer certificates
+ permanently to authentication.
--enable-vstr enforce using the Vstr string library to replace
glibc-like printf hooks.
--enable-monolithic build monolithic version of libstrongswan that
@@ -2089,6 +2120,9 @@ Optional Packages:
values are "libcap" and "native" (default: no).
--with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in
libgmp, if available (default: yes).
+ --with-systemdsystemunitdir=arg
+ directory for systemd service files (default:
+ $systemdsystemunitdir_default).
--with-xauth-module=lib set the path to the XAUTH module
--with-user=user change user of the daemons to "user" after startup
(default is "root").
@@ -2128,6 +2162,10 @@ Some influential environment variables:
maemo_CFLAGS
C compiler flags for maemo, overriding pkg-config
maemo_LIBS linker flags for maemo, overriding pkg-config
+ pcsclite_CFLAGS
+ C compiler flags for pcsclite, overriding pkg-config
+ pcsclite_LIBS
+ linker flags for pcsclite, overriding pkg-config
nm_CFLAGS C compiler flags for nm, overriding pkg-config
nm_LIBS linker flags for nm, overriding pkg-config
@@ -2197,7 +2235,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-strongSwan configure 4.5.1
+strongSwan configure 4.5.2
generated by GNU Autoconf 2.67
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2673,7 +2711,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 4.5.1, which was
+It was created by strongSwan $as_me 4.5.2, which was
generated by GNU Autoconf 2.67. Invocation command line was
$ $0 $@
@@ -3488,7 +3526,7 @@ fi
# Define the identity of the package.
PACKAGE='strongswan'
- VERSION='4.5.1'
+ VERSION='4.5.2'
cat >>confdefs.h <<_ACEOF
@@ -3909,6 +3947,29 @@ fi
+if test -n "$PKG_CONFIG"; then
+ systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
+fi
+
+# Check whether --with-systemdsystemunitdir was given.
+if test "${with_systemdsystemunitdir+set}" = set; then :
+ withval=$with_systemdsystemunitdir; systemdsystemunitdir="$withval"
+else
+ systemdsystemunitdir=$systemdsystemunitdir_default
+
+fi
+
+
+ if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then
+ HAVE_SYSTEMD_TRUE=
+ HAVE_SYSTEMD_FALSE='#'
+else
+ HAVE_SYSTEMD_TRUE='#'
+ HAVE_SYSTEMD_FALSE=
+fi
+
+
+
# Check whether --with-xauth-module was given.
if test "${with_xauth_module+set}" = set; then :
@@ -4561,6 +4622,21 @@ else
fi
+# Check whether --enable-eap-sim-pcsc was given.
+if test "${enable_eap_sim_pcsc+set}" = set; then :
+ enableval=$enable_eap_sim_pcsc; eap_sim_pcsc_given=true
+ if test x$enableval = xyes; then
+ eap_sim_pcsc=true
+ else
+ eap_sim_pcsc=false
+ fi
+else
+ eap_sim_pcsc=false
+ eap_sim_pcsc_given=false
+
+fi
+
+
# Check whether --enable-eap-simaka-sql was given.
if test "${enable_eap_simaka_sql+set}" = set; then :
enableval=$enable_eap_simaka_sql; eap_simaka_sql_given=true
@@ -4726,6 +4802,21 @@ else
fi
+# Check whether --enable-eap-peap was given.
+if test "${enable_eap_peap+set}" = set; then :
+ enableval=$enable_eap_peap; eap_peap_given=true
+ if test x$enableval = xyes; then
+ eap_peap=true
+ else
+ eap_peap=false
+ fi
+else
+ eap_peap=false
+ eap_peap_given=false
+
+fi
+
+
# Check whether --enable-eap-tnc was given.
if test "${enable_eap_tnc+set}" = set; then :
enableval=$enable_eap_tnc; eap_tnc_given=true
@@ -5476,6 +5567,21 @@ else
fi
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+ enableval=$enable_whitelist; whitelist_given=true
+ if test x$enableval = xyes; then
+ whitelist=true
+ else
+ whitelist=false
+ fi
+else
+ whitelist=false
+ whitelist_given=false
+
+fi
+
+
# Check whether --enable-led was given.
if test "${enable_led+set}" = set; then :
enableval=$enable_led; led_given=true
@@ -5491,6 +5597,36 @@ else
fi
+# Check whether --enable-duplicheck was given.
+if test "${enable_duplicheck+set}" = set; then :
+ enableval=$enable_duplicheck; duplicheck_given=true
+ if test x$enableval = xyes; then
+ duplicheck=true
+ else
+ duplicheck=false
+ fi
+else
+ duplicheck=false
+ duplicheck_given=false
+
+fi
+
+
+# Check whether --enable-coupling was given.
+if test "${enable_coupling+set}" = set; then :
+ enableval=$enable_coupling; coupling_given=true
+ if test x$enableval = xyes; then
+ coupling=true
+ else
+ coupling=false
+ fi
+else
+ coupling=false
+ coupling_given=false
+
+fi
+
+
# Check whether --enable-vstr was given.
if test "${enable_vstr+set}" = set; then :
enableval=$enable_vstr; vstr_given=true
@@ -7873,13 +8009,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:7876: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:8012: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:7879: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:8015: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:7882: output\"" >&5)
+ (eval echo "\"\$as_me:8018: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
@@ -9084,7 +9220,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 9087 "configure"' > conftest.$ac_ext
+ echo '#line 9223 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -10346,11 +10482,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10349: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10485: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10353: \$? = $ac_status" >&5
+ echo "$as_me:10489: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -10685,11 +10821,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10688: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10824: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10692: \$? = $ac_status" >&5
+ echo "$as_me:10828: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -10790,11 +10926,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10793: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10929: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:10797: \$? = $ac_status" >&5
+ echo "$as_me:10933: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -10845,11 +10981,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10848: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10984: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:10852: \$? = $ac_status" >&5
+ echo "$as_me:10988: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -13229,7 +13365,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 13232 "configure"
+#line 13368 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -13325,7 +13461,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 13328 "configure"
+#line 13464 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -13974,7 +14110,7 @@ if test x$eap_sim = xtrue; then
simaka=true;
fi
-if test x$eap_tls = xtrue -o x$eap_ttls = xtrue; then
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
tls=true;
fi
@@ -14813,12 +14949,13 @@ fi
done
-for ac_header in sys/sockio.h
+for ac_header in sys/sockio.h glob.h
do :
- ac_fn_c_check_header_mongrel "$LINENO" "sys/sockio.h" "ac_cv_header_sys_sockio_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_sockio_h" = x""yes; then :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_SYS_SOCKIO_H 1
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
fi
@@ -16302,6 +16439,100 @@ fi
fi
+if test x$eap_sim_pcsc = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcsclite" >&5
+$as_echo_n "checking for pcsclite... " >&6; }
+
+if test -n "$pcsclite_CFLAGS"; then
+ pkg_cv_pcsclite_CFLAGS="$pcsclite_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpcsclite\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libpcsclite") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_pcsclite_CFLAGS=`$PKG_CONFIG --cflags "libpcsclite" 2>/dev/null`
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+if test -n "$pcsclite_LIBS"; then
+ pkg_cv_pcsclite_LIBS="$pcsclite_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpcsclite\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libpcsclite") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_pcsclite_LIBS=`$PKG_CONFIG --libs "libpcsclite" 2>/dev/null`
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ pcsclite_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libpcsclite" 2>&1`
+ else
+ pcsclite_PKG_ERRORS=`$PKG_CONFIG --print-errors "libpcsclite" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$pcsclite_PKG_ERRORS" >&5
+
+ as_fn_error $? "Package requirements (libpcsclite) were not met:
+
+$pcsclite_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables pcsclite_CFLAGS
+and pcsclite_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables pcsclite_CFLAGS
+and pcsclite_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5 ; }
+else
+ pcsclite_CFLAGS=$pkg_cv_pcsclite_CFLAGS
+ pcsclite_LIBS=$pkg_cv_pcsclite_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+fi
+
if test x$nm = xtrue; then
if test -n "$PKG_CONFIG" && \
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnm-glib\""; } >&5
@@ -17146,6 +17377,12 @@ if test x$eap_sim_file = xtrue; then
fi
+if test x$eap_sim_pcsc = xtrue; then
+ c_plugins=${c_plugins}" eap-sim-pcsc"
+ libcharon_plugins=${libcharon_plugins}" eap-sim-pcsc"
+
+ fi
+
if test x$eap_simaka_sql = xtrue; then
c_plugins=${c_plugins}" eap-simaka-sql"
libcharon_plugins=${libcharon_plugins}" eap-simaka-sql"
@@ -17212,6 +17449,12 @@ if test x$eap_ttls = xtrue; then
fi
+if test x$eap_peap = xtrue; then
+ c_plugins=${c_plugins}" eap-peap"
+ libcharon_plugins=${libcharon_plugins}" eap-peap"
+
+ fi
+
if test x$eap_tnc = xtrue; then
c_plugins=${c_plugins}" eap-tnc"
libcharon_plugins=${libcharon_plugins}" eap-tnc"
@@ -17284,12 +17527,30 @@ if test x$ha = xtrue; then
fi
+if test x$whitelist = xtrue; then
+ c_plugins=${c_plugins}" whitelist"
+ libcharon_plugins=${libcharon_plugins}" whitelist"
+
+ fi
+
if test x$led = xtrue; then
c_plugins=${c_plugins}" led"
libcharon_plugins=${libcharon_plugins}" led"
fi
+if test x$duplicheck = xtrue; then
+ c_plugins=${c_plugins}" duplicheck"
+ libcharon_plugins=${libcharon_plugins}" duplicheck"
+
+ fi
+
+if test x$coupling = xtrue; then
+ c_plugins=${c_plugins}" coupling"
+ libcharon_plugins=${libcharon_plugins}" coupling"
+
+ fi
+
if test x$maemo = xtrue; then
c_plugins=${c_plugins}" maemo"
libcharon_plugins=${libcharon_plugins}" maemo"
@@ -17724,6 +17985,14 @@ else
USE_HA_FALSE=
fi
+ if test x$whitelist = xtrue; then
+ USE_WHITELIST_TRUE=
+ USE_WHITELIST_FALSE='#'
+else
+ USE_WHITELIST_TRUE='#'
+ USE_WHITELIST_FALSE=
+fi
+
if test x$led = xtrue; then
USE_LED_TRUE=
USE_LED_FALSE='#'
@@ -17732,6 +18001,22 @@ else
USE_LED_FALSE=
fi
+ if test x$duplicheck = xtrue; then
+ USE_DUPLICHECK_TRUE=
+ USE_DUPLICHECK_FALSE='#'
+else
+ USE_DUPLICHECK_TRUE='#'
+ USE_DUPLICHECK_FALSE=
+fi
+
+ if test x$coupling = xtrue; then
+ USE_COUPLING_TRUE=
+ USE_COUPLING_FALSE='#'
+else
+ USE_COUPLING_TRUE='#'
+ USE_COUPLING_FALSE=
+fi
+
if test x$eap_sim = xtrue; then
USE_EAP_SIM_TRUE=
USE_EAP_SIM_FALSE='#'
@@ -17748,6 +18033,14 @@ else
USE_EAP_SIM_FILE_FALSE=
fi
+ if test x$eap_sim_pcsc = xtrue; then
+ USE_EAP_SIM_PCSC_TRUE=
+ USE_EAP_SIM_PCSC_FALSE='#'
+else
+ USE_EAP_SIM_PCSC_TRUE='#'
+ USE_EAP_SIM_PCSC_FALSE=
+fi
+
if test x$eap_simaka_sql = xtrue; then
USE_EAP_SIMAKA_SQL_TRUE=
USE_EAP_SIMAKA_SQL_FALSE='#'
@@ -17836,6 +18129,14 @@ else
USE_EAP_TTLS_FALSE=
fi
+ if test x$eap_peap = xtrue; then
+ USE_EAP_PEAP_TRUE=
+ USE_EAP_PEAP_FALSE='#'
+else
+ USE_EAP_PEAP_TRUE='#'
+ USE_EAP_PEAP_FALSE=
+fi
+
if test x$eap_tnc = xtrue; then
USE_EAP_TNC_TRUE=
USE_EAP_TNC_FALSE='#'
@@ -18248,7 +18549,7 @@ fi
-ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile 
src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile 
src/conftest/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile 
src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile 
src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -18392,6 +18693,10 @@ else
am__EXEEXT_FALSE=
fi
+if test -z "${HAVE_SYSTEMD_TRUE}" && test -z "${HAVE_SYSTEMD_FALSE}"; then
+ as_fn_error $? "conditional \"HAVE_SYSTEMD\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
as_fn_error $? "conditional \"AMDEP\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18597,10 +18902,22 @@ if test -z "${USE_HA_TRUE}" && test -z "${USE_HA_FALSE}"; then
as_fn_error $? "conditional \"USE_HA\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then
+ as_fn_error $? "conditional \"USE_WHITELIST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_LED_TRUE}" && test -z "${USE_LED_FALSE}"; then
as_fn_error $? "conditional \"USE_LED\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_DUPLICHECK_TRUE}" && test -z "${USE_DUPLICHECK_FALSE}"; then
+ as_fn_error $? "conditional \"USE_DUPLICHECK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_COUPLING_TRUE}" && test -z "${USE_COUPLING_FALSE}"; then
+ as_fn_error $? "conditional \"USE_COUPLING\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
as_fn_error $? "conditional \"USE_EAP_SIM\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18609,6 +18926,10 @@ if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; th
as_fn_error $? "conditional \"USE_EAP_SIM_FILE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_EAP_SIM_PCSC_TRUE}" && test -z "${USE_EAP_SIM_PCSC_FALSE}"; then
+ as_fn_error $? "conditional \"USE_EAP_SIM_PCSC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_EAP_SIMAKA_SQL_TRUE}" && test -z "${USE_EAP_SIMAKA_SQL_FALSE}"; then
as_fn_error $? "conditional \"USE_EAP_SIMAKA_SQL\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -18653,6 +18974,10 @@ if test -z "${USE_EAP_TTLS_TRUE}" && test -z "${USE_EAP_TTLS_FALSE}"; then
as_fn_error $? "conditional \"USE_EAP_TTLS\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_EAP_PEAP_TRUE}" && test -z "${USE_EAP_PEAP_FALSE}"; then
+ as_fn_error $? "conditional \"USE_EAP_PEAP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_EAP_TNC_TRUE}" && test -z "${USE_EAP_TNC_FALSE}"; then
as_fn_error $? "conditional \"USE_EAP_TNC\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19257,7 +19582,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by strongSwan $as_me 4.5.1, which was
+This file was extended by strongSwan $as_me 4.5.2, which was
generated by GNU Autoconf 2.67. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -19314,7 +19639,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-strongSwan config.status 4.5.1
+strongSwan config.status 4.5.2
configured by $0, generated by GNU Autoconf 2.67,
with options \\"\$ac_cs_config\\"
@@ -19691,6 +20016,8 @@ do
"libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
"man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;;
+ "init/Makefile") CONFIG_FILES="$CONFIG_FILES init/Makefile" ;;
+ "init/systemd/Makefile") CONFIG_FILES="$CONFIG_FILES init/systemd/Makefile" ;;
"src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
"src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
"src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
@@ -19752,12 +20079,14 @@ do
"src/libcharon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_gtc/Makefile" ;;
"src/libcharon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim/Makefile" ;;
"src/libcharon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim_file/Makefile" ;;
+ "src/libcharon/plugins/eap_sim_pcsc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim_pcsc/Makefile" ;;
"src/libcharon/plugins/eap_simaka_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_sql/Makefile" ;;
"src/libcharon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_pseudonym/Makefile" ;;
"src/libcharon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_reauth/Makefile" ;;
"src/libcharon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_mschapv2/Makefile" ;;
"src/libcharon/plugins/eap_tls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_tls/Makefile" ;;
"src/libcharon/plugins/eap_ttls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_ttls/Makefile" ;;
+ "src/libcharon/plugins/eap_peap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_peap/Makefile" ;;
"src/libcharon/plugins/eap_tnc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_tnc/Makefile" ;;
"src/libcharon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_radius/Makefile" ;;
"src/libcharon/plugins/tnc_imc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imc/Makefile" ;;
@@ -19777,7 +20106,10 @@ do
"src/libcharon/plugins/addrblock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/addrblock/Makefile" ;;
"src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
"src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
+ "src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;;
"src/libcharon/plugins/led/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/led/Makefile" ;;
+ "src/libcharon/plugins/duplicheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/duplicheck/Makefile" ;;
+ "src/libcharon/plugins/coupling/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/coupling/Makefile" ;;
"src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;;
"src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
"src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
diff --git a/configure.in b/configure.in
index 823456239..0bfb8287b 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
dnl initialize & set some vars
dnl ===========================
-AC_INIT(strongSwan,4.5.1)
+AC_INIT(strongSwan,4.5.2)
AM_INIT_AUTOMAKE(tar-ustar)
AC_CONFIG_MACRO_DIR([m4/config])
PKG_PROG_PKG_CONFIG
@@ -43,6 +43,13 @@ ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing tabl
ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
ARG_WITH_SET([mpz_powm_sec], [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
+if test -n "$PKG_CONFIG"; then
+ systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
+fi
+ARG_WITH_SET([systemdsystemunitdir], [$systemdsystemunitdir_default], [directory for systemd service files])
+AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno])
+AC_SUBST(systemdsystemunitdir)
+
AC_ARG_WITH(
[xauth-module],
AS_HELP_STRING([--with-xauth-module=lib],[set the path to the XAUTH module]),
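Review bot: The pkg-config probe on the added `systemdsystemunitdir_default=` line does not redirect stderr, so on a host without a systemd.pc every configure run prints pkg-config's "Package systemd was not found" complaint, even though the resulting empty value is handled correctly by the HAVE_SYSTEMD conditional two lines below. The probe also uses `$(...)` command substitution, which the Autoconf portability guidance avoids in favour of backquotes because the generated configure script has to run under older /bin/sh implementations; the rest of this file appears to follow that convention. Suggest rewriting the assignment with backquotes and appending `2>/dev/null` to the pkg-config command so a missing systemd is silent and the default simply stays empty.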
@@ -105,6 +112,7 @@ ARG_ENABL_SET([unit-tests], [enable unit tests on IKEv2 daemon startup.])
ARG_ENABL_SET([load-tester], [enable load testing plugin for IKEv2 daemon.])
ARG_ENABL_SET([eap-sim], [enable SIM authentication module for EAP.])
ARG_ENABL_SET([eap-sim-file], [enable EAP-SIM backend based on a triplet file.])
+ARG_ENABL_SET([eap-sim-pcsc], [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.])
ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
ARG_ENABL_SET([eap-simaka-reauth], [enable EAP-SIM/AKA reauthentication data storage plugin.])
@@ -116,6 +124,7 @@ ARG_ENABL_SET([eap-aka-3gpp2], [enable EAP AKA backend implementing 3GPP2 algor
ARG_ENABL_SET([eap-mschapv2], [enable EAP MS-CHAPv2 authentication module.])
ARG_ENABL_SET([eap-tls], [enable EAP TLS authentication module.])
ARG_ENABL_SET([eap-ttls], [enable EAP TTLS authentication module.])
+ARG_ENABL_SET([eap-peap], [enable EAP PEAP authentication module.])
ARG_ENABL_SET([eap-tnc], [enable EAP TNC trusted network connect module.])
ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authentication module.])
ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.])
@@ -166,7 +175,10 @@ ARG_ENABL_SET([android], [enable Android specific plugin.])
ARG_ENABL_SET([maemo], [enable Maemo specific plugin.])
ARG_ENABL_SET([nm], [enable NetworkManager plugin.])
ARG_ENABL_SET([ha], [enable high availability cluster plugin.])
+ARG_ENABL_SET([whitelist], [enable peer identity whitelisting plugin.])
ARG_ENABL_SET([led], [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
+ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using liveness checks.])
+ARG_ENABL_SET([coupling], [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
ARG_ENABL_SET([vstr], [enforce using the Vstr string library to replace glibc-like printf hooks.])
ARG_ENABL_SET([monolithic], [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
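Review bot: The help text of the new `duplicheck` option does not start with "enable" like every neighbouring ARG_ENABL_SET entry, so `./configure --help` will list "advanced duplicate checking plugin using liveness checks." between two "enable ..." descriptions. Suggest `ARG_ENABL_SET([duplicheck], [enable advanced duplicate checking plugin using liveness checks.])`. The whitelist and coupling entries added in the same hunk already follow the pattern.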
@@ -224,7 +236,7 @@ if test x$eap_sim = xtrue; then
simaka=true;
fi
-if test x$eap_tls = xtrue -o x$eap_ttls = xtrue; then
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
tls=true;
fi
@@ -345,7 +357,7 @@ AC_CHECK_FUNCS(prctl)
AC_CHECK_FUNCS(mallinfo)
-AC_CHECK_HEADERS(sys/sockio.h)
+AC_CHECK_HEADERS(sys/sockio.h glob.h)
AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
@@ -622,6 +634,12 @@ if test x$maemo = xtrue; then
AC_SUBST(dbusservicedir)
fi
+if test x$eap_sim_pcsc = xtrue; then
+ PKG_CHECK_MODULES(pcsclite, [libpcsclite])
+ AC_SUBST(pcsclite_CFLAGS)
+ AC_SUBST(pcsclite_LIBS)
+fi
+
if test x$nm = xtrue; then
PKG_CHECK_EXISTS([libnm-glib],
[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn])],
@@ -751,6 +769,7 @@ ADD_PLUGIN([updown], [c libcharon])
ADD_PLUGIN([eap-identity], [c libcharon])
ADD_PLUGIN([eap-sim], [c libcharon])
ADD_PLUGIN([eap-sim-file], [c libcharon])
+ADD_PLUGIN([eap-sim-pcsc], [c libcharon])
ADD_PLUGIN([eap-simaka-sql], [c libcharon])
ADD_PLUGIN([eap-simaka-pseudonym], [c libcharon])
ADD_PLUGIN([eap-simaka-reauth], [c libcharon])
@@ -762,6 +781,7 @@ ADD_PLUGIN([eap-mschapv2], [c libcharon])
ADD_PLUGIN([eap-radius], [c libcharon])
ADD_PLUGIN([eap-tls], [c libcharon])
ADD_PLUGIN([eap-ttls], [c libcharon])
+ADD_PLUGIN([eap-peap], [c libcharon])
ADD_PLUGIN([eap-tnc], [c libcharon])
ADD_PLUGIN([tnccs-20], [c libcharon])
ADD_PLUGIN([tnccs-11], [c libcharon])
@@ -774,7 +794,10 @@ ADD_PLUGIN([nm], [c libcharon])
ADD_PLUGIN([dhcp], [c libcharon])
ADD_PLUGIN([android], [c libcharon])
ADD_PLUGIN([ha], [c libcharon])
+ADD_PLUGIN([whitelist], [c libcharon])
ADD_PLUGIN([led], [c libcharon])
+ADD_PLUGIN([duplicheck], [c libcharon])
+ADD_PLUGIN([coupling], [c libcharon])
ADD_PLUGIN([maemo], [c libcharon])
ADD_PLUGIN([uci], [c libcharon])
ADD_PLUGIN([addrblock], [c libcharon])
@@ -853,9 +876,13 @@ AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tests = xtrue)
AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
+AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
AM_CONDITIONAL(USE_LED, test x$led = xtrue)
+AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
+AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM_PCSC, test x$eap_sim_pcsc = xtrue)
AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
@@ -867,6 +894,7 @@ AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
+AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
@@ -948,6 +976,8 @@ dnl ==============================
AC_OUTPUT(
Makefile
man/Makefile
+ init/Makefile
+ init/systemd/Makefile
src/Makefile
src/include/Makefile
src/libstrongswan/Makefile
@@ -1009,12 +1039,14 @@ AC_OUTPUT(
src/libcharon/plugins/eap_gtc/Makefile
src/libcharon/plugins/eap_sim/Makefile
src/libcharon/plugins/eap_sim_file/Makefile
+ src/libcharon/plugins/eap_sim_pcsc/Makefile
src/libcharon/plugins/eap_simaka_sql/Makefile
src/libcharon/plugins/eap_simaka_pseudonym/Makefile
src/libcharon/plugins/eap_simaka_reauth/Makefile
src/libcharon/plugins/eap_mschapv2/Makefile
src/libcharon/plugins/eap_tls/Makefile
src/libcharon/plugins/eap_ttls/Makefile
+ src/libcharon/plugins/eap_peap/Makefile
src/libcharon/plugins/eap_tnc/Makefile
src/libcharon/plugins/eap_radius/Makefile
src/libcharon/plugins/tnc_imc/Makefile
@@ -1034,7 +1066,10 @@ AC_OUTPUT(
src/libcharon/plugins/addrblock/Makefile
src/libcharon/plugins/uci/Makefile
src/libcharon/plugins/ha/Makefile
+ src/libcharon/plugins/whitelist/Makefile
src/libcharon/plugins/led/Makefile
+ src/libcharon/plugins/duplicheck/Makefile
+ src/libcharon/plugins/coupling/Makefile
src/libcharon/plugins/android/Makefile
src/libcharon/plugins/maemo/Makefile
src/libcharon/plugins/stroke/Makefile
diff --git a/init/Makefile.am b/init/Makefile.am
new file mode 100644
index 000000000..69439a10a
--- /dev/null
+++ b/init/Makefile.am
@@ -0,0 +1,6 @@
+
+SUBDIRS =
+
+if HAVE_SYSTEMD
+ SUBDIRS += systemd
+endif
diff --git a/init/Makefile.in b/init/Makefile.in
new file mode 100644
index 000000000..19896b49b
--- /dev/null
+++ b/init/Makefile.in
@@ -0,0 +1,620 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@HAVE_SYSTEMD_TRUE@am__append_1 = systemd
+subdir = init
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+ html-recursive info-recursive install-data-recursive \
+ install-dvi-recursive install-exec-recursive \
+ install-html-recursive install-info-recursive \
+ install-pdf-recursive install-ps-recursive install-recursive \
+ installcheck-recursive installdirs-recursive pdf-recursive \
+ ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
+ distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+ $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+ distdir
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = systemd
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+ dir0=`pwd`; \
+ sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+ sed_rest='s,^[^/]*/*,,'; \
+ sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+ sed_butlast='s,/*[^/]*$$,,'; \
+ while test -n "$$dir1"; do \
+ first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+ if test "$$first" != "."; then \
+ if test "$$first" = ".."; then \
+ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+ else \
+ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+ if test "$$first2" = "$$first"; then \
+ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+ else \
+ dir2="../$$dir2"; \
+ fi; \
+ dir0="$$dir0"/"$$first"; \
+ fi; \
+ fi; \
+ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+ done; \
+ reldir="$$dir2"
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+SUBDIRS = $(am__append_1)
+all: all-recursive
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu init/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu init/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+# (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+ @fail= failcom='exit 1'; \
+ for f in x $$MAKEFLAGS; do \
+ case $$f in \
+ *=* | --[!k]*);; \
+ *k*) failcom='fail=yes';; \
+ esac; \
+ done; \
+ dot_seen=no; \
+ target=`echo $@ | sed s/-recursive//`; \
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ echo "Making $$target in $$subdir"; \
+ if test "$$subdir" = "."; then \
+ dot_seen=yes; \
+ local_target="$$target-am"; \
+ else \
+ local_target="$$target"; \
+ fi; \
+ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+ || eval $$failcom; \
+ done; \
+ if test "$$dot_seen" = "no"; then \
+ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+ fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+ @fail= failcom='exit 1'; \
+ for f in x $$MAKEFLAGS; do \
+ case $$f in \
+ *=* | --[!k]*);; \
+ *k*) failcom='fail=yes';; \
+ esac; \
+ done; \
+ dot_seen=no; \
+ case "$@" in \
+ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+ *) list='$(SUBDIRS)' ;; \
+ esac; \
+ rev=''; for subdir in $$list; do \
+ if test "$$subdir" = "."; then :; else \
+ rev="$$subdir $$rev"; \
+ fi; \
+ done; \
+ rev="$$rev ."; \
+ target=`echo $@ | sed s/-recursive//`; \
+ for subdir in $$rev; do \
+ echo "Making $$target in $$subdir"; \
+ if test "$$subdir" = "."; then \
+ local_target="$$target-am"; \
+ else \
+ local_target="$$target"; \
+ fi; \
+ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+ || eval $$failcom; \
+ done && test -z "$$fail"
+tags-recursive:
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+ done
+ctags-recursive:
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+ include_option=--etags-include; \
+ empty_fix=.; \
+ else \
+ include_option=--include; \
+ empty_fix=; \
+ fi; \
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ test ! -f $$subdir/TAGS || \
+ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+ fi; \
+ done; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+ @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ test -d "$(distdir)/$$subdir" \
+ || $(MKDIR_P) "$(distdir)/$$subdir" \
+ || exit 1; \
+ fi; \
+ done
+ @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+ $(am__relativize); \
+ new_distdir=$$reldir; \
+ dir1=$$subdir; dir2="$(top_distdir)"; \
+ $(am__relativize); \
+ new_top_distdir=$$reldir; \
+ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+ ($(am__cd) $$subdir && \
+ $(MAKE) $(AM_MAKEFLAGS) \
+ top_distdir="$$new_top_distdir" \
+ distdir="$$new_distdir" \
+ am__remove_distdir=: \
+ am__skip_length_check=: \
+ am__skip_mode_fix=: \
+ distdir) \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-recursive
+all-am: Makefile
+installdirs: installdirs-recursive
+installdirs-am:
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-recursive
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+html-am:
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-recursive
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-recursive
+
+install-html-am:
+
+install-info: install-info-recursive
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-pdf-am:
+
+install-ps: install-ps-recursive
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+ install-am install-strip tags-recursive
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+ all all-am check check-am clean clean-generic clean-libtool \
+ ctags ctags-recursive distclean distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs installdirs-am maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+ uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
new file mode 100644
index 000000000..e2bbfc451
--- /dev/null
+++ b/init/systemd/Makefile.am
@@ -0,0 +1,8 @@
+
+EXTRA_DIST = strongswan.service.in
+CLEANFILES = strongswan.service
+
+systemdsystemunit_DATA = strongswan.service
+
+strongswan.service : strongswan.service.in
+ sed -e "s:@SBINDIR@:$(sbindir):" $(srcdir)/$@.in > $@
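Review bot: The rule at the end regenerates `strongswan.service` only when `strongswan.service.in` changes, so re-running configure with a different `--sbindir` leaves a stale unit pointing at the old binary path; adding the Makefile as a prerequisite covers that: `strongswan.service : strongswan.service.in Makefile`. The sed expression also uses `:` as its delimiter, which silently breaks if `$(sbindir)` ever contains a colon; `sed -e "s|@SBINDIR@|$(sbindir)|"` is the usual choice for path substitution. A one-line comment above the rule saying that the path is substituted at build time rather than by configure would save the next reader a search for a missing AC_CONFIG_FILES entry.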
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
new file mode 100644
index 000000000..ebd41134e
--- /dev/null
+++ b/init/systemd/Makefile.in
@@ -0,0 +1,472 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = init/systemd
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+SOURCES =
+DIST_SOURCES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(systemdsystemunitdir)"
+DATA = $(systemdsystemunit_DATA)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+EXTRA_DIST = strongswan.service.in
+CLEANFILES = strongswan.service
+systemdsystemunit_DATA = strongswan.service
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu init/systemd/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu init/systemd/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-systemdsystemunitDATA: $(systemdsystemunit_DATA)
+ @$(NORMAL_INSTALL)
+ test -z "$(systemdsystemunitdir)" || $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)"
+ @list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdsystemunitdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(systemdsystemunitdir)" || exit $$?; \
+ done
+
+uninstall-systemdsystemunitDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ test -n "$$files" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(systemdsystemunitdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(systemdsystemunitdir)" && rm -f $$files
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(DATA)
+installdirs:
+ for dir in "$(DESTDIR)$(systemdsystemunitdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-systemdsystemunitDATA
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-systemdsystemunitDATA
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ distclean distclean-generic distclean-libtool distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-ps install-ps-am install-strip \
+ install-systemdsystemunitDATA installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+ ps ps-am uninstall uninstall-am \
+ uninstall-systemdsystemunitDATA
+
+
+strongswan.service : strongswan.service.in
+ sed -e "s:@SBINDIR@:$(sbindir):" $(srcdir)/$@.in > $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
new file mode 100644
index 000000000..e8dc5e819
--- /dev/null
+++ b/init/systemd/strongswan.service.in
@@ -0,0 +1,10 @@
+[Unit]
+Description=strongSwan IPsec
+After=syslog.target
+
+[Service]
+ExecStart=@SBINDIR@/ipsec start --nofork
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
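Review bot: The unit orders itself only after `syslog.target`, so at boot `ipsec start --nofork` can be launched before network interfaces are configured; charon presumably binds its IKE sockets during startup, so `After=syslog.target network.target` is the safer ordering. With no `Type=` the default applies and `--nofork` keeps the wrapper in the foreground, which is what systemd needs to supervise it, but that dependency is not obvious from the file; a comment such as `# --nofork keeps the process in the foreground so systemd can supervise it` would make it explicit. Note also that `@SBINDIR@` here is filled in by the sed rule in init/systemd/Makefile.am rather than by configure, which is worth stating in the same comment so nobody adds the file to AC_CONFIG_FILES and gets a double substitution.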
diff --git a/man/Makefile.in b/man/Makefile.in
index f0d8cde7d..679e3464b 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -219,6 +219,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -242,6 +244,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 1b74fab08..b36a7ece7 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan"
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.2" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -409,12 +409,20 @@ comma-separated list of ESP encryption/authentication algorithms to be used
for the connection, e.g.
.BR aes128-sha256 .
The notation is
-.BR encryption-integrity-[dh-group] .
+.BR encryption-integrity[-dhgroup][-esnmodes] .
.br
If
.B dh-group
is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
+exchange (IKEv2 only). Valid
+.B esnmodes
+(IKEv2 only) are
+.B esn
+and
+.B noesn.
+Specifying both negotiates Extended Sequence number support with the peer,
+the defaut is
+.B noesn.
.TP
.BR forceencaps " = yes | " no
force UDP encapsulation for ESP packets even if no NAT situation is detected.
@@ -1035,8 +1043,11 @@ is not given, the
of this connection will be used as peer ID.
.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
+These are optional sections that can be used to assign special
+parameters to a Certification Authority (CA). Because the daemons
+automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+there is no need to explicitly add them with a CA section, unless you
+want to assign special parameters (like a CRL) to a CA.
.TP
.BR also " = <name>"
includes ca section
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 9a789acef..295100444 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -409,12 +409,20 @@ comma-separated list of ESP encryption/authentication algorithms to be used
for the connection, e.g.
.BR aes128-sha256 .
The notation is
-.BR encryption-integrity-[dh-group] .
+.BR encryption-integrity[-dhgroup][-esnmodes] .
.br
If
.B dh-group
is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
+exchange (IKEv2 only). Valid
+.B esnmodes
+(IKEv2 only) are
+.B esn
+and
+.B noesn.
+Specifying both negotiates Extended Sequence number support with the peer,
+the defaut is
+.B noesn.
.TP
.BR forceencaps " = yes | " no
force UDP encapsulation for ESP packets even if no NAT situation is detected.
@@ -1035,8 +1043,11 @@ is not given, the
of this connection will be used as peer ID.
.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
+These are optional sections that can be used to assign special
+parameters to a Certification Authority (CA). Because the daemons
+automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+there is no need to explicitly add them with a CA section, unless you
+want to assign special parameters (like a CRL) to a CA.
.TP
.BR also " = <name>"
includes ca section
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 3eb60afcf..993b2ad10 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan"
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.2" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 2e58a87d0..e1e4dbe91 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.2" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -204,6 +204,9 @@ Delay request messages
.BR charon.receive_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+.TP
.BR charon.retransmit_base " [1.8]"
Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
.TP
@@ -257,6 +260,9 @@ Derive user-defined MAC address from hash of IKEv2 identity
.BR charon.plugins.dhcp.server " [255.255.255.255]"
DHCP server unicast or broadcast IP address
.TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+enable loaded duplicheck plugin
+.TP
.BR charon.plugins.eap-aka.request_identity " [yes]"
.TP
@@ -265,6 +271,29 @@ DHCP server unicast or broadcast IP address
.TP
.BR charon.plugins.eap-gtc.pam_service " [login]"
PAM service to be used for authentication
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP-PEAP packet
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non-fragmented EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+
.TP
.BR charon.plugins.eap-radius.class_group " [no]"
Use the
@@ -284,7 +313,7 @@ If the RADIUS
attribute with value
.B ESP
is received, use the
-.I filter_id
+.I filter_id
attribute sent in the RADIUS-Accept message as group membership information that
is compared to the groups specified in the
.B rightgroups
@@ -339,18 +368,27 @@ Maximum size of an EAP-TLS packet
.BR charon.plugins.eap-tls.max_message_count " [32]"
Maximum number of processed EAP-TLS packets
.TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non-fragmented EAP-TLS packets
+.TP
.BR charon.plugins.eap-tnc.fragment_size " [50000]"
Maximum size of an EAP-TNC packet
.TP
.BR charon.plugins.eap-tnc.max_message_count " [10]"
Maximum number of processed EAP-TNC packets
.TP
+.BR charon.plugins.eap-tnc.include_length " [yes]"
+Include length in non-fragmented EAP-TNC packets
+.TP
.BR charon.plugins.eap-ttls.fragment_size " [1024]"
Maximum size of an EAP-TTLS packet
.TP
.BR charon.plugins.eap-ttls.max_message_count " [32]"
Maximum number of processed EAP-TTLS packets
.TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non-fragmented EAP-TTLS packets
+.TP
.BR charon.plugins.eap-ttls.phase2_method " [md5]"
Phase2 EAP client authentication method
.TP
@@ -382,7 +420,7 @@ Request peer authentication based on a client certificate
.TP
.BR charon.plugins.ha.remote
-
+
.TP
.BR charon.plugins.ha.resync " [yes]"
@@ -425,6 +463,9 @@ TNC IMC configuration directory
.TP
.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
TNC IMV configuration directory
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+enable loaded whitelist plugin
.SS libstrongswan section
.TP
.BR libstrongswan.crypto_test.bench " [no]"
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 47aa6d552..2d7475225 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -204,6 +204,9 @@ Delay request messages
.BR charon.receive_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+.TP
.BR charon.retransmit_base " [1.8]"
Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
.TP
@@ -257,6 +260,9 @@ Derive user-defined MAC address from hash of IKEv2 identity
.BR charon.plugins.dhcp.server " [255.255.255.255]"
DHCP server unicast or broadcast IP address
.TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+enable loaded duplicheck plugin
+.TP
.BR charon.plugins.eap-aka.request_identity " [yes]"
.TP
@@ -265,6 +271,29 @@ DHCP server unicast or broadcast IP address
.TP
.BR charon.plugins.eap-gtc.pam_service " [login]"
PAM service to be used for authentication
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP-PEAP packet
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non-fragmented EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+
.TP
.BR charon.plugins.eap-radius.class_group " [no]"
Use the
@@ -284,7 +313,7 @@ If the RADIUS
attribute with value
.B ESP
is received, use the
-.I filter_id
+.I filter_id
attribute sent in the RADIUS-Accept message as group membership information that
is compared to the groups specified in the
.B rightgroups
@@ -339,18 +368,27 @@ Maximum size of an EAP-TLS packet
.BR charon.plugins.eap-tls.max_message_count " [32]"
Maximum number of processed EAP-TLS packets
.TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non-fragmented EAP-TLS packets
+.TP
.BR charon.plugins.eap-tnc.fragment_size " [50000]"
Maximum size of an EAP-TNC packet
.TP
.BR charon.plugins.eap-tnc.max_message_count " [10]"
Maximum number of processed EAP-TNC packets
.TP
+.BR charon.plugins.eap-tnc.include_length " [yes]"
+Include length in non-fragmented EAP-TNC packets
+.TP
.BR charon.plugins.eap-ttls.fragment_size " [1024]"
Maximum size of an EAP-TTLS packet
.TP
.BR charon.plugins.eap-ttls.max_message_count " [32]"
Maximum number of processed EAP-TTLS packets
.TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non-fragmented EAP-TTLS packets
+.TP
.BR charon.plugins.eap-ttls.phase2_method " [md5]"
Phase2 EAP client authentication method
.TP
@@ -382,7 +420,7 @@ Request peer authentication based on a client certificate
.TP
.BR charon.plugins.ha.remote
-
+
.TP
.BR charon.plugins.ha.resync " [yes]"
@@ -425,6 +463,9 @@ TNC IMC configuration directory
.TP
.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
TNC IMV configuration directory
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+enable loaded whitelist plugin
.SS libstrongswan section
.TP
.BR libstrongswan.crypto_test.bench " [no]"
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 891555dcd..b1a790b0e 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -263,6 +263,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -286,6 +288,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/scripts/fetch.c b/scripts/fetch.c
index 57abce4ca..ad50d0cd6 100644
--- a/scripts/fetch.c
+++ b/scripts/fetch.c
@@ -19,6 +19,18 @@
#include <library.h>
#include <debug.h>
+static int count = 0;
+
+static bool cb(void *userdata, chunk_t chunk)
+{
+ if (write(1, chunk.ptr, chunk.len) == chunk.len)
+ {
+ count++;
+ return TRUE;
+ }
+ return FALSE;
+}
+
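Review bot: The new `cb` treats a short write as a failure, because `write(1, …)` on a pipe or socket may legitimately return fewer than `chunk.len` bytes, and the comparison `== chunk.len` then returns FALSE and aborts the whole fetch; the callback should loop until the chunk is fully written and only fail on an error return. The comparison is also between `ssize_t` and `size_t`, which happens to work because -1 converts to SIZE_MAX, but a signed temporary makes the error check readable. The rewritten callback below loops over partial writes and increments `count` once per chunk as before; `main` starts in this hunk but its body continues in the next one.
```c
static bool cb(void *userdata, chunk_t chunk)
{
	/* write() may return a short count on pipes/sockets; keep writing until
	 * the whole chunk is out, and fail only on an error (or zero) return */
	while (chunk.len)
	{
		ssize_t written = write(1, chunk.ptr, chunk.len);
		if (written <= 0)
		{
			return FALSE;
		}
		chunk.ptr += written;
		chunk.len -= written;
	}
	count++;
	return TRUE;
}
```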
int main(int argc, char *argv[])
{
chunk_t res;
@@ -27,15 +39,29 @@ int main(int argc, char *argv[])
atexit(library_deinit);
lib->plugins->load(lib->plugins, NULL, PLUGINS);
- if (argc != 2)
+ if (argc != 3 || (!streq(argv[1], "a") && !streq(argv[1], "s")))
+ {
+ fprintf(stderr, "usage: %s a|s <url>\n", argv[0]);
+ return 1;
+ }
+ if (streq(argv[1], "a"))
{
- fprintf(stderr, "usage: %s <url>\n", argv[0]);
+ if (lib->fetcher->fetch(lib->fetcher, argv[2], &res,
+ FETCH_END) == SUCCESS)
+ {
+ ignore_result(write(1, res.ptr, res.len));
+ free(res.ptr);
+ return 0;
+ }
}
- if (lib->fetcher->fetch(lib->fetcher, argv[1], &res, FETCH_END) == SUCCESS)
+ else
{
- ignore_result(write(1, res.ptr, res.len));
- free(res.ptr);
- return 0;
+ if (lib->fetcher->fetch(lib->fetcher, argv[2], NULL,
+ FETCH_CALLBACK, cb, FETCH_END) == SUCCESS)
+ {
+ fprintf(stderr, "received %d chunks\n", count);
+ return 0;
+ }
}
return 1;
}
diff --git a/src/Makefile.in b/src/Makefile.in
index 63d29b694..eff3f1337 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -254,6 +254,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -277,6 +279,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 8d4ef733e..5eab0bb5b 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -217,6 +217,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -240,6 +242,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index fa33bb570..d4361dd78 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -221,6 +221,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -244,6 +246,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index a428db4e2..7e2839cb0 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -221,6 +221,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -244,6 +246,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f502b0f25..3ba9c2731 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -220,6 +220,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -243,6 +245,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index d1fff5bd9..dda09f66d 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -109,7 +109,16 @@ static void run()
{
case SIGHUP:
{
- DBG1(DBG_DMN, "signal of type SIGHUP received. Ignored");
+ DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
+ "configuration");
+ if (lib->settings->load_files(lib->settings, NULL, FALSE))
+ {
+ lib->plugins->reload(lib->plugins, NULL);
+ }
+ else
+ {
+ DBG1(DBG_DMN, "reloading config failed, keeping old");
+ }
break;
}
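Review bot: The bare `FALSE` passed as third argument to `load_files` gives no hint what it controls at the call site; conftest.c in the same series passes `TRUE`, which suggests a merge flag, but that is inferred rather than visible here, and a comment such as `/* third arg: do not merge, replace settings from the default config file (NULL pattern) */` would document it. The "keeping old" message also asserts that a failed load leaves the previous settings intact, which nothing in the hunk guarantees; either confirm that `load_files` is atomic on failure or soften the message to `"reloading config failed"`. The return value of `plugins->reload` is ignored, so if it reports anything the operator gets no log line for a partially reloaded plugin set. The enclosing `run()` and its signal loop start outside the hunk.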
case SIGINT:
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 65aa91422..2e11fe1f5 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -258,6 +258,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -281,6 +283,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 1c07710e0..a89df8f27 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -231,6 +231,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -254,6 +256,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index fea88818e..48bf9681f 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -79,7 +79,7 @@ static bool load_configs(char *suite_file, char *test_file)
return FALSE;
}
conftest->test = settings_create(suite_file);
- conftest->test->load_files(conftest->test, test_file);
+ conftest->test->load_files(conftest->test, test_file, TRUE);
conftest->suite_dir = strdup(dirname(suite_file));
return TRUE;
}
diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c
index dacc7a58c..fb7c89a0a 100644
--- a/src/conftest/hooks/log_ts.c
+++ b/src/conftest/hooks/log_ts.c
@@ -38,7 +38,6 @@ METHOD(listener_t, message, bool,
{
enumerator_t *enumerator;
payload_t *payload;
- linked_list_t *list;
ts_payload_t *ts;
enumerator = message->create_payload_enumerator(message);
@@ -48,10 +47,29 @@ METHOD(listener_t, message, bool,
payload->get_type(payload) == TRAFFIC_SELECTOR_RESPONDER)
{
ts = (ts_payload_t*)payload;
+ host_t *from, *to;
+ linked_list_t *list;
+ enumerator_t *tsenum;
+ traffic_selector_t *selector;
+
list = ts->get_traffic_selectors(ts);
+ tsenum = list->create_enumerator(list);
+ while (tsenum->enumerate(tsenum, &selector))
+ {
+ from = host_create_from_chunk(AF_UNSPEC,
+ selector->get_from_address(selector), 0);
+ to = host_create_from_chunk(AF_UNSPEC,
+ selector->get_to_address(selector), 0);
+
+ DBG1(DBG_CFG, "received %N: %N %H-%H proto %u port %u-%u",
+ payload_type_short_names, payload->get_type(payload),
+ ts_type_name, selector->get_type(selector),
+ from, to, selector->get_protocol(selector),
+ selector->get_from_port(selector),
+ selector->get_to_port(selector));
+ }
+ tsenum->destroy(tsenum);
- DBG1(DBG_CFG, "received %N: %#R",
- payload_type_short_names, payload->get_type(payload), list);
list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
}
}
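Review bot: The hosts created with `host_create_from_chunk()` in the new loop are never destroyed, so every traffic selector logged leaks two `host_t` objects; add `from->destroy(from);` and `to->destroy(to);` after the `DBG1` call inside the loop, before the next iteration. `host_create_from_chunk()` may also return NULL for an address chunk of unexpected length — whether the `%H` printf hook tolerates a NULL host is not visible here, so either guard the call or confirm. The `message` hook continues past the end of the hunk.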
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 79961b916..4a8f142ca 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -247,6 +247,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -270,6 +272,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/dumm/main.c b/src/dumm/main.c
index 337a1a144..37e7ba8f7 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -101,8 +101,17 @@ static page_t* get_page(int num)
static pid_t invoke(void *vte, guest_t *guest,
char *args[], int argc)
{
- return vte_terminal_fork_command(VTE_TERMINAL(vte), args[0], args, NULL,
- NULL, FALSE, FALSE, FALSE);
+ GPid pid;
+
+ if (vte_terminal_fork_command_full(VTE_TERMINAL(vte),
+ VTE_PTY_NO_LASTLOG | VTE_PTY_NO_UTMP | VTE_PTY_NO_WTMP,
+ NULL, args, NULL,
+ G_SPAWN_CHILD_INHERITS_STDIN | G_SPAWN_SEARCH_PATH,
+ NULL, NULL, &pid, NULL))
+ {
+ return pid;
+ }
+ return 0;
}
void idle(void)
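Review bot: The last argument of the new `vte_terminal_fork_command_full()` call is a NULL `GError **`, so a spawn failure is collapsed into a bare `return 0` with nothing logged, and the caller cannot tell why the guest console did not start. Note also that the old call passed `args[0]` explicitly as the command while the new one relies on `G_SPAWN_SEARCH_PATH` to resolve `argv[0]`; if any caller passes a bare program name, which binary runs now depends on the PATH of the dumm process, which is worth a comment at the call. Passing an error object and reporting it is a small change:

```c
	GPid pid;
	GError *error = NULL;

	/* … unchanged: vte_terminal_fork_command_full() call, with &error in place of the final NULL … */
	{
		return pid;
	}
	g_warning("spawning %s failed: %s", args[0],
			  error ? error->message : "unknown error");
	g_clear_error(&error);
	return 0;
```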
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
index 9edad1141..609e7c5b2 100644
--- a/src/include/Makefile.am
+++ b/src/include/Makefile.am
@@ -1,3 +1,3 @@
-EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
+EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
linux/pfkeyv2.h linux/udp.h linux/xfrm.h linux/types.h \
linux/jhash.h sys/queue.h
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index b9b758193..59a325a14 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -193,6 +193,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -216,6 +218,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -223,7 +226,7 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
+EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
linux/pfkeyv2.h linux/udp.h linux/xfrm.h linux/types.h \
linux/jhash.h sys/queue.h
diff --git a/src/include/linux/if_alg.h b/src/include/linux/if_alg.h
new file mode 100644
index 000000000..0f9acce5b
--- /dev/null
+++ b/src/include/linux/if_alg.h
@@ -0,0 +1,40 @@
+/*
+ * if_alg: User-space algorithm interface
+ *
+ * Copyright (c) 2010 Herbert Xu <herbert@gondor.apana.org.au>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+
+#ifndef _LINUX_IF_ALG_H
+#define _LINUX_IF_ALG_H
+
+#include <linux/types.h>
+
+struct sockaddr_alg {
+ __u16 salg_family;
+ __u8 salg_type[14];
+ __u32 salg_feat;
+ __u32 salg_mask;
+ __u8 salg_name[64];
+};
+
+struct af_alg_iv {
+ __u32 ivlen;
+ __u8 iv[0];
+};
+
+/* Socket options */
+#define ALG_SET_KEY 1
+#define ALG_SET_IV 2
+#define ALG_SET_OP 3
+
+/* Operations */
+#define ALG_OP_DECRYPT 0
+#define ALG_OP_ENCRYPT 1
+
+#endif /* _LINUX_IF_ALG_H */
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
index 930fdd2de..22e61fdf7 100644
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@@ -84,6 +84,16 @@ struct xfrm_replay_state {
__u32 bitmap;
};
+struct xfrm_replay_state_esn {
+ unsigned int bmp_len;
+ __u32 oseq;
+ __u32 seq;
+ __u32 oseq_hi;
+ __u32 seq_hi;
+ __u32 replay_window;
+ __u32 bmp[0];
+};
+
struct xfrm_algo {
char alg_name[64];
unsigned int alg_key_len; /* in bits */
@@ -284,6 +294,7 @@ enum xfrm_attr_type_t {
XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */
XFRMA_MARK, /* struct xfrm_mark */
XFRMA_TFCPAD, /* __u32 */
+ XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_esn */
__XFRMA_MAX
#define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -350,6 +361,8 @@ struct xfrm_usersa_info {
#define XFRM_STATE_WILDRECV 8
#define XFRM_STATE_ICMP 16
#define XFRM_STATE_AF_UNSPEC 32
+#define XFRM_STATE_ALIGN4 64
+#define XFRM_STATE_ESN 128
};
struct xfrm_usersa_id {
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 0b4870e94..04ca97781 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -221,6 +221,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -244,6 +246,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 21a2b8ee6..90e2bdc6a 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -55,6 +55,7 @@ processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
processing/jobs/roam_job.c processing/jobs/roam_job.h \
processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
@@ -63,6 +64,8 @@ sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
sa/authenticators/eap/sim_manager.c sa/authenticators/eap/sim_manager.h \
+sa/authenticators/eap/sim_card.h sa/authenticators/eap/sim_provider.h \
+sa/authenticators/eap/sim_hooks.h \
sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
sa/child_sa.c sa/child_sa.h \
@@ -89,8 +92,12 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
sa/tasks/task.c sa/tasks/task.h \
-tnccs/tnccs.c tnccs/tnccs.h \
-tnccs/tnccs_manager.h tnccs/tnccs_manager.c
+tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \
+tnc/imc/imc.h tnc/imc/imc_manager.h \
+tnc/imv/imv.h tnc/imv/imv_manager.h \
+tnc/imv/imv_recommendations.c tnc/imv/imv_recommendations.h \
+tnc/tnccs/tnccs.c tnc/tnccs/tnccs.h \
+tnc/tnccs/tnccs_manager.c tnc/tnccs/tnccs_manager.h
# adding the plugin source files
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 1e78c9d79..9a4b28c3a 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -62,6 +62,8 @@ sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
sa/authenticators/eap/sim_manager.c sa/authenticators/eap/sim_manager.h \
+sa/authenticators/eap/sim_card.h sa/authenticators/eap/sim_provider.h \
+sa/authenticators/eap/sim_hooks.h \
sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
sa/child_sa.c sa/child_sa.h \
@@ -221,6 +223,13 @@ if MONOLITHIC
endif
endif
+if USE_EAP_SIM_PCSC
+ SUBDIRS += plugins/eap_sim_pcsc
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+endif
+endif
+
if USE_EAP_SIMAKA_SQL
SUBDIRS += plugins/eap_simaka_sql
if MONOLITHIC
@@ -305,6 +314,13 @@ if MONOLITHIC
endif
endif
+if USE_EAP_PEAP
+ SUBDIRS += plugins/eap_peap
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/eap_peap/libstrongswan-eap-peap.la
+endif
+endif
+
if USE_EAP_TNC
SUBDIRS += plugins/eap_tnc
if MONOLITHIC
@@ -403,6 +419,13 @@ if MONOLITHIC
endif
endif
+if USE_WHITELIST
+ SUBDIRS += plugins/whitelist
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/whitelist/libstrongswan-whitelist.la
+endif
+endif
+
if USE_LED
SUBDIRS += plugins/led
if MONOLITHIC
@@ -410,6 +433,20 @@ if MONOLITHIC
endif
endif
+if USE_DUPLICHECK
+ SUBDIRS += plugins/duplicheck
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/duplicheck/libstrongswan-duplicheck.la
+endif
+endif
+
+if USE_COUPLING
+ SUBDIRS += plugins/coupling
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/coupling/libstrongswan-coupling.la
+endif
+endif
+
if USE_UCI
SUBDIRS += plugins/uci
if MONOLITHIC
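Review bot: The regenerated `src/libcharon/Makefile.in` in this commit still lists the addrblock monolithic library as `plugins/uci/libstrongswan-addrblock.la`, i.e. under the uci directory rather than `plugins/addrblock`; since `Makefile.in` is generated, the likely cause is a copy-paste error in the `USE_ADDRBLOCK` block of this `Makefile.am`, which lies outside the hunks shown. A MONOLITHIC build with addrblock enabled would then look for the `.la` in the wrong directory. The fix is one line in that block: `libcharon_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la`. The new duplicheck and coupling blocks in this hunk use the correct directories.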
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 6ec4c6ca5..70385f306 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -69,64 +69,74 @@ host_triplet = @host@
@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_24 = plugins/eap_sim/libstrongswan-eap-sim.la
@USE_EAP_SIM_FILE_TRUE@am__append_25 = plugins/eap_sim_file
@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_26 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_27 = plugins/eap_simaka_sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_28 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_29 = plugins/eap_simaka_pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_30 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_31 = plugins/eap_simaka_reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_32 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_34 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_35 = plugins/eap_aka_3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_36 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_37 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_38 = plugins/eap_md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_39 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_40 = plugins/eap_gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_41 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_42 = plugins/eap_mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_43 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_RADIUS_TRUE@am__append_44 = plugins/eap_radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_45 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_EAP_TLS_TRUE@am__append_46 = plugins/eap_tls
-@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_47 = plugins/eap_tls/libstrongswan-eap-tls.la
-@USE_EAP_TTLS_TRUE@am__append_48 = plugins/eap_ttls
-@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_49 = plugins/eap_ttls/libstrongswan-eap-ttls.la
-@USE_EAP_TNC_TRUE@am__append_50 = plugins/eap_tnc
-@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la
-@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la
-@USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc
-@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc-imc.la
-@USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv
-@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc-imv.la
-@USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11
-@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la
-@USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20
-@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la
-@USE_TNCCS_DYNAMIC_TRUE@am__append_61 = plugins/tnccs_dynamic
-@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_62 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
-@USE_MEDSRV_TRUE@am__append_63 = plugins/medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_64 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_65 = plugins/medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_66 = plugins/medcli/libstrongswan-medcli.la
-@USE_NM_TRUE@am__append_67 = plugins/nm
-@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_68 = plugins/nm/libstrongswan-nm.la
-@USE_DHCP_TRUE@am__append_69 = plugins/dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_70 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_ANDROID_TRUE@am__append_71 = plugins/android
-@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_72 = plugins/android/libstrongswan-android.la
-@USE_MAEMO_TRUE@am__append_73 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_74 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_75 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_76 = plugins/ha/libstrongswan-ha.la
-@USE_LED_TRUE@am__append_77 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_78 = plugins/led/libstrongswan-led.la
-@USE_UCI_TRUE@am__append_79 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_80 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_81 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_82 = plugins/uci/libstrongswan-addrblock.la
-@USE_UNIT_TESTS_TRUE@am__append_83 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_84 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_EAP_SIM_PCSC_TRUE@am__append_27 = plugins/eap_sim_pcsc
+@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_28 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_29 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_30 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_31 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_32 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_33 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_34 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_37 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_38 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_39 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_40 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_41 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_42 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_43 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_44 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_45 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_RADIUS_TRUE@am__append_46 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_47 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_48 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_49 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_50 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_51 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_PEAP_TRUE@am__append_52 = plugins/eap_peap
+@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_53 = plugins/eap_peap/libstrongswan-eap-peap.la
+@USE_EAP_TNC_TRUE@am__append_54 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_55 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_56 = $(top_builddir)/src/libtls/libtls.la
+@USE_TNC_IMC_TRUE@am__append_57 = plugins/tnc_imc
+@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_58 = plugins/tnc_imc/libstrongswan-tnc-imc.la
+@USE_TNC_IMV_TRUE@am__append_59 = plugins/tnc_imv
+@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_60 = plugins/tnc_imv/libstrongswan-tnc-imv.la
+@USE_TNCCS_11_TRUE@am__append_61 = plugins/tnccs_11
+@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_62 = plugins/tnccs_11/libstrongswan-tnccs-11.la
+@USE_TNCCS_20_TRUE@am__append_63 = plugins/tnccs_20
+@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_64 = plugins/tnccs_20/libstrongswan-tnccs-20.la
+@USE_TNCCS_DYNAMIC_TRUE@am__append_65 = plugins/tnccs_dynamic
+@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_66 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
+@USE_MEDSRV_TRUE@am__append_67 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_68 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_69 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_70 = plugins/medcli/libstrongswan-medcli.la
+@USE_NM_TRUE@am__append_71 = plugins/nm
+@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_72 = plugins/nm/libstrongswan-nm.la
+@USE_DHCP_TRUE@am__append_73 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_74 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_ANDROID_TRUE@am__append_75 = plugins/android
+@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_76 = plugins/android/libstrongswan-android.la
+@USE_MAEMO_TRUE@am__append_77 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_78 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_79 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_80 = plugins/ha/libstrongswan-ha.la
+@USE_WHITELIST_TRUE@am__append_81 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_82 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LED_TRUE@am__append_83 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_84 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_85 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_86 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_87 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_88 = plugins/coupling/libstrongswan-coupling.la
+@USE_UCI_TRUE@am__append_89 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_90 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_91 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_92 = plugins/uci/libstrongswan-addrblock.la
+@USE_UNIT_TESTS_TRUE@am__append_93 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_94 = plugins/unit_tester/libstrongswan-unit-tester.la
subdir = src/libcharon
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -176,15 +186,16 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__append_20) $(am__append_22) $(am__append_24) \
$(am__append_26) $(am__append_28) $(am__append_30) \
$(am__append_32) $(am__append_34) $(am__append_36) \
- $(am__append_37) $(am__append_39) $(am__append_41) \
+ $(am__append_38) $(am__append_39) $(am__append_41) \
$(am__append_43) $(am__append_45) $(am__append_47) \
- $(am__append_49) $(am__append_51) $(am__append_52) \
- $(am__append_54) $(am__append_56) $(am__append_58) \
+ $(am__append_49) $(am__append_51) $(am__append_53) \
+ $(am__append_55) $(am__append_56) $(am__append_58) \
$(am__append_60) $(am__append_62) $(am__append_64) \
$(am__append_66) $(am__append_68) $(am__append_70) \
$(am__append_72) $(am__append_74) $(am__append_76) \
$(am__append_78) $(am__append_80) $(am__append_82) \
- $(am__append_84)
+ $(am__append_84) $(am__append_86) $(am__append_88) \
+ $(am__append_90) $(am__append_92) $(am__append_94)
am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
bus/listeners/listener.h bus/listeners/file_logger.c \
bus/listeners/file_logger.h bus/listeners/sys_logger.c \
@@ -270,6 +281,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
sa/authenticators/eap/eap_manager.h \
sa/authenticators/eap/sim_manager.c \
sa/authenticators/eap/sim_manager.h \
+ sa/authenticators/eap/sim_card.h \
+ sa/authenticators/eap/sim_provider.h \
+ sa/authenticators/eap/sim_hooks.h \
sa/authenticators/psk_authenticator.c \
sa/authenticators/psk_authenticator.h \
sa/authenticators/pubkey_authenticator.c \
@@ -369,15 +383,17 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
plugins/socket_raw plugins/socket_dynamic plugins/farp \
plugins/stroke plugins/smp plugins/sql plugins/updown \
plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
- plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
- plugins/eap_simaka_reauth plugins/eap_aka \
- plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
- plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \
- plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \
- plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \
- plugins/tnccs_dynamic plugins/medsrv plugins/medcli plugins/nm \
- plugins/dhcp plugins/android plugins/maemo plugins/ha \
- plugins/led plugins/uci plugins/addrblock plugins/unit_tester
+ plugins/eap_sim_pcsc plugins/eap_simaka_sql \
+ plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
+ plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \
+ plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_radius \
+ plugins/eap_tls plugins/eap_ttls plugins/eap_peap \
+ plugins/eap_tnc plugins/tnc_imc plugins/tnc_imv \
+ plugins/tnccs_11 plugins/tnccs_20 plugins/tnccs_dynamic \
+ plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \
+ plugins/android plugins/maemo plugins/ha plugins/whitelist \
+ plugins/led plugins/duplicheck plugins/coupling plugins/uci \
+ plugins/addrblock plugins/unit_tester
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -544,6 +560,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -567,6 +585,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -660,6 +679,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
sa/authenticators/eap/eap_manager.h \
sa/authenticators/eap/sim_manager.c \
sa/authenticators/eap/sim_manager.h \
+ sa/authenticators/eap/sim_card.h \
+ sa/authenticators/eap/sim_provider.h \
+ sa/authenticators/eap/sim_hooks.h \
sa/authenticators/psk_authenticator.c \
sa/authenticators/psk_authenticator.h \
sa/authenticators/pubkey_authenticator.c \
@@ -706,15 +728,16 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
$(am__append_20) $(am__append_22) $(am__append_24) \
$(am__append_26) $(am__append_28) $(am__append_30) \
$(am__append_32) $(am__append_34) $(am__append_36) \
- $(am__append_37) $(am__append_39) $(am__append_41) \
+ $(am__append_38) $(am__append_39) $(am__append_41) \
$(am__append_43) $(am__append_45) $(am__append_47) \
- $(am__append_49) $(am__append_51) $(am__append_52) \
- $(am__append_54) $(am__append_56) $(am__append_58) \
+ $(am__append_49) $(am__append_51) $(am__append_53) \
+ $(am__append_55) $(am__append_56) $(am__append_58) \
$(am__append_60) $(am__append_62) $(am__append_64) \
$(am__append_66) $(am__append_68) $(am__append_70) \
$(am__append_72) $(am__append_74) $(am__append_76) \
$(am__append_78) $(am__append_80) $(am__append_82) \
- $(am__append_84)
+ $(am__append_84) $(am__append_86) $(am__append_88) \
+ $(am__append_90) $(am__append_92) $(am__append_94)
EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \
@MONOLITHIC_FALSE@ $(am__append_7) $(am__append_9) \
@@ -724,18 +747,21 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@ $(am__append_23) $(am__append_25) \
@MONOLITHIC_FALSE@ $(am__append_27) $(am__append_29) \
@MONOLITHIC_FALSE@ $(am__append_31) $(am__append_33) \
-@MONOLITHIC_FALSE@ $(am__append_35) $(am__append_38) \
+@MONOLITHIC_FALSE@ $(am__append_35) $(am__append_37) \
@MONOLITHIC_FALSE@ $(am__append_40) $(am__append_42) \
@MONOLITHIC_FALSE@ $(am__append_44) $(am__append_46) \
@MONOLITHIC_FALSE@ $(am__append_48) $(am__append_50) \
-@MONOLITHIC_FALSE@ $(am__append_53) $(am__append_55) \
+@MONOLITHIC_FALSE@ $(am__append_52) $(am__append_54) \
@MONOLITHIC_FALSE@ $(am__append_57) $(am__append_59) \
@MONOLITHIC_FALSE@ $(am__append_61) $(am__append_63) \
@MONOLITHIC_FALSE@ $(am__append_65) $(am__append_67) \
@MONOLITHIC_FALSE@ $(am__append_69) $(am__append_71) \
@MONOLITHIC_FALSE@ $(am__append_73) $(am__append_75) \
@MONOLITHIC_FALSE@ $(am__append_77) $(am__append_79) \
-@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83)
+@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \
+@MONOLITHIC_FALSE@ $(am__append_85) $(am__append_87) \
+@MONOLITHIC_FALSE@ $(am__append_89) $(am__append_91) \
+@MONOLITHIC_FALSE@ $(am__append_93)
# build optional plugins
########################
@@ -747,18 +773,21 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_TRUE@ $(am__append_23) $(am__append_25) \
@MONOLITHIC_TRUE@ $(am__append_27) $(am__append_29) \
@MONOLITHIC_TRUE@ $(am__append_31) $(am__append_33) \
-@MONOLITHIC_TRUE@ $(am__append_35) $(am__append_38) \
+@MONOLITHIC_TRUE@ $(am__append_35) $(am__append_37) \
@MONOLITHIC_TRUE@ $(am__append_40) $(am__append_42) \
@MONOLITHIC_TRUE@ $(am__append_44) $(am__append_46) \
@MONOLITHIC_TRUE@ $(am__append_48) $(am__append_50) \
-@MONOLITHIC_TRUE@ $(am__append_53) $(am__append_55) \
+@MONOLITHIC_TRUE@ $(am__append_52) $(am__append_54) \
@MONOLITHIC_TRUE@ $(am__append_57) $(am__append_59) \
@MONOLITHIC_TRUE@ $(am__append_61) $(am__append_63) \
@MONOLITHIC_TRUE@ $(am__append_65) $(am__append_67) \
@MONOLITHIC_TRUE@ $(am__append_69) $(am__append_71) \
@MONOLITHIC_TRUE@ $(am__append_73) $(am__append_75) \
@MONOLITHIC_TRUE@ $(am__append_77) $(am__append_79) \
-@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83)
+@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \
+@MONOLITHIC_TRUE@ $(am__append_85) $(am__append_87) \
+@MONOLITHIC_TRUE@ $(am__append_89) $(am__append_91) \
+@MONOLITHIC_TRUE@ $(am__append_93)
all: all-recursive
.SUFFIXES:
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 157436a7d..36d18619a 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -53,11 +53,9 @@ struct private_file_logger_t {
bool ike_name;
};
-/**
- * Implementation of bus_listener_t.log.
- */
-static bool log_(private_file_logger_t *this, debug_t group, level_t level,
- int thread, ike_sa_t* ike_sa, char *format, va_list args)
+METHOD(listener_t, log_, bool,
+ private_file_logger_t *this, debug_t group, level_t level, int thread,
+ ike_sa_t* ike_sa, char *format, va_list args)
{
if (level <= this->levels[group])
{
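Review bot: The `/** Implementation of ... */` comments removed in this hunk and the two that follow (`set_level`, `destroy`), and likewise in the `sys_logger.c` hunk, are not replaced, so the `METHOD` definitions now carry no documentation at all. The macro names the interface but not what the method does; a one-liner per method keeps the file readable, e.g. `/** listener_t.log: drop messages above the configured level for their group, then write the rest */` here, and similar one-liners for `set_level` and `destroy`. The body of `log_` continues outside the hunk.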
@@ -118,10 +116,8 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
return TRUE;
}
-/**
- * Implementation of file_logger_t.set_level.
- */
-static void set_level(private_file_logger_t *this, debug_t group, level_t level)
+METHOD(file_logger_t, set_level, void,
+ private_file_logger_t *this, debug_t group, level_t level)
{
if (group < DBG_ANY)
{
@@ -136,10 +132,8 @@ static void set_level(private_file_logger_t *this, debug_t group, level_t level)
}
}
-/**
- * Implementation of file_logger_t.destroy.
- */
-static void destroy(private_file_logger_t *this)
+METHOD(file_logger_t, destroy, void,
+ private_file_logger_t *this)
{
if (this->out != stdout && this->out != stderr)
{
@@ -153,18 +147,21 @@ static void destroy(private_file_logger_t *this)
*/
file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
{
- private_file_logger_t *this = malloc_thing(private_file_logger_t);
-
- /* public functions */
- memset(&this->public.listener, 0, sizeof(listener_t));
- this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
- this->public.set_level = (void(*)(file_logger_t*,debug_t,level_t))set_level;
- this->public.destroy = (void(*)(file_logger_t*))destroy;
-
- /* private variables */
- this->out = out;
- this->time_format = time_format;
- this->ike_name = ike_name;
+ private_file_logger_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .log = _log_,
+ },
+ .set_level = _set_level,
+ .destroy = _destroy,
+ },
+ .out = out,
+ .time_format = time_format,
+ .ike_name = ike_name,
+ );
+
set_level(this, DBG_ANY, LEVEL_SILENT);
return &this->public;
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index fa394ba88..c29c9f2e4 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -48,19 +48,19 @@ struct private_sys_logger_t {
bool ike_name;
};
-/**
- * Implementation of listener_t.log.
- */
-static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
- int thread, ike_sa_t* ike_sa, char *format, va_list args)
+METHOD(listener_t, log_, bool,
+ private_sys_logger_t *this, debug_t group, level_t level, int thread,
+ ike_sa_t* ike_sa, char *format, va_list args)
{
if (level <= this->levels[group])
{
- char buffer[8192], namestr[128] = "";
+ char buffer[8192], groupstr[4], namestr[128] = "";
char *current = buffer, *next;
/* write in memory buffer first */
vsnprintf(buffer, sizeof(buffer), format, args);
+ /* cache group name */
+ snprintf(groupstr, sizeof(groupstr), "%N", debug_names, group);
if (this->ike_name && ike_sa)
{
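Review bot: `groupstr[4]` on the new declaration line holds exactly three characters plus the terminator, so the cache only works while every `debug_names` entry is at most three characters long; snprintf() truncates silently beyond that, so a longer name added later would be logged mutilated rather than rejected. The `/* cache group name */` comment should state that constraint and the reason the name is pre-rendered — presumably because syslog() is a libc call that does not go through the library's `%N` printf hook, which is why the format in the next hunk changes from `%N` to `%s`. Suggested comment: `/* render the group name here: syslog() does not see our %N printf hook; debug_names entries are at most 3 chars, so 4 bytes suffice */`. log_'s body continues outside the hunk.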
@@ -84,8 +84,8 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
{
*(next++) = '\0';
}
- syslog(this->facility|LOG_INFO, "%.2d[%N]%s %s\n",
- thread, debug_names, group, namestr, current);
+ syslog(this->facility|LOG_INFO, "%.2d[%s]%s %s\n",
+ thread, groupstr, namestr, current);
current = next;
}
}
@@ -93,10 +93,8 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
return TRUE;
}
-/**
- * Implementation of sys_logger_t.set_level.
- */
-static void set_level(private_sys_logger_t *this, debug_t group, level_t level)
+METHOD(sys_logger_t, set_level, void,
+ private_sys_logger_t *this, debug_t group, level_t level)
{
if (group < DBG_ANY)
{
@@ -111,10 +109,8 @@ static void set_level(private_sys_logger_t *this, debug_t group, level_t level)
}
}
-/**
- * Implementation of sys_logger_t.destroy.
- */
-static void destroy(private_sys_logger_t *this)
+METHOD(sys_logger_t, destroy, void,
+ private_sys_logger_t *this)
{
closelog();
free(this);
@@ -125,17 +121,20 @@ static void destroy(private_sys_logger_t *this)
*/
sys_logger_t *sys_logger_create(int facility, bool ike_name)
{
- private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
-
- /* public functions */
- memset(&this->public.listener, 0, sizeof(listener_t));
- this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
- this->public.set_level = (void(*)(sys_logger_t*,debug_t,level_t))set_level;
- this->public.destroy = (void(*)(sys_logger_t*))destroy;
+ private_sys_logger_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .log = _log_,
+ },
+ .set_level = _set_level,
+ .destroy = _destroy,
+ },
+ .facility = facility,
+ .ike_name = ike_name,
+ );
- /* private variables */
- this->facility = facility;
- this->ike_name = ike_name;
set_level(this, DBG_ANY, LEVEL_SILENT);
return &this->public;
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 86a59bc1b..2251b82dd 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -35,11 +35,6 @@ ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
"ESP",
);
-ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
- "NO_EXT_SEQ",
- "EXT_SEQ",
-);
-
typedef struct private_proposal_t private_proposal_t;
typedef struct algorithm_t algorithm_t;
@@ -549,6 +544,16 @@ static void check_proposal(private_proposal_t *this)
free(alg);
}
}
+
+ if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
+ {
+ e = this->esns->create_enumerator(this->esns);
+ if (!e->enumerate(e, &alg))
+ { /* ESN not specified, assume not supported */
+ add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ }
+ e->destroy(e);
+ }
}
/**
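Review bot: The ESN default added to check_proposal changes behaviour relative to the block removed from proposal_create_from_string in the next hunk: previously NO_EXT_SEQ_NUMBERS was always appended for AH/ESP, even when the configuration explicitly listed ESN, whereas now it is only added when no ESN value was configured at all. The one-line comment should say so, e.g. `/* no ESN value configured: offer NO_ESN only; an explicit esn/noesn list is left as is */`. The block also reuses `e` and `alg` declared earlier in check_proposal, whose start lies outside the hunk, so nothing visible here shows their types.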
@@ -918,9 +923,5 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
check_proposal(this);
- if (protocol == PROTO_AH || protocol == PROTO_ESP)
- {
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
- }
return &this->public;
}
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 97af5b60b..9337518bf 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -51,19 +51,6 @@ enum protocol_id_t {
extern enum_name_t *protocol_id_names;
/**
- * Extended sequence numbers, as in IKEv2 RFC 3.3.2.
- */
-enum extended_sequence_numbers_t {
- NO_EXT_SEQ_NUMBERS = 0,
- EXT_SEQ_NUMBERS = 1
-};
-
-/**
- * enum strings for extended_sequence_numbers_t.
- */
-extern enum_name_t *extended_sequence_numbers_names;
-
-/**
* Stores a set of algorithms used for an SA.
*
* A proposal stores algorithms for a specific
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 94c64028c..5bc19d11b 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -331,6 +331,8 @@ static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
return terminate_ike_execute(&job);
}
charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
+ /* checkin of the ike_sa happend in the thread that executed the job */
+ charon->bus->set_sa(charon->bus, NULL);
return job.listener.status;
}
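Review bot: The added comment has a typo (`happend` → `happened`) and does not say what the `set_sa(..., NULL)` reset guards against; the same two lines are repeated in the terminate_child hunk below. As far as the visible lines show, listen() has the job run on another thread, so presumably this thread's bus IKE_SA pointer would otherwise keep referring to an SA that was checked in, or destroyed, by that other thread. Suggested wording: `/* the IKE_SA was checked in (and possibly destroyed) by the thread that executed the job; clear this thread's bus SA so no stale reference remains */`.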
@@ -417,6 +419,8 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
return terminate_child_execute(&job);
}
charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
+ /* checkin of the ike_sa happend in the thread that executed the job */
+ charon->bus->set_sa(charon->bus, NULL);
return job.listener.status;
}
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 4f2831e42..796e455a7 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -172,8 +172,10 @@ METHOD(daemon_t, drop_capabilities, bool,
.version = _LINUX_CAPABILITY_VERSION_3,
#elif defined(_LINUX_CAPABILITY_VERSION_2)
.version = _LINUX_CAPABILITY_VERSION_2,
-#else
+#elif defined(_LINUX_CAPABILITY_VERSION_1)
.version = _LINUX_CAPABILITY_VERSION_1,
+#else
+ .version = _LINUX_CAPABILITY_VERSION,
#endif
};
if (capset(&header, this->caps) != 0)
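Review bot: The new `#else` branch falls back to the unversioned `_LINUX_CAPABILITY_VERSION` without a comment explaining why the chain now has four cases. A short note would help the next reader, e.g. `/* older kernel headers presumably define only the unversioned (v1) constant */`. The surrounding drop_capabilities body, including the capset() error handling, starts and ends outside the hunk.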
@@ -198,15 +200,17 @@ METHOD(daemon_t, start, void,
*/
static void print_plugins()
{
- char buf[512], *plugin;
+ char buf[512];
int len = 0;
enumerator_t *enumerator;
+ plugin_t *plugin;
buf[0] = '\0';
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], sizeof(buf)-len, "%s ", plugin);
+ len += snprintf(&buf[len], sizeof(buf)-len, "%s ",
+ plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
DBG1(DBG_DMN, "loaded plugins: %s", buf);
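Review bot: The rewritten snprintf() line still lets `len` grow past sizeof(buf) on truncation, because snprintf returns the length it would have written; the loop condition then ends the iteration, but the last name is cut and any remaining plugins are silently dropped from the `loaded plugins:` line. This is pre-existing rather than introduced here, but since the line is being touched, a comment such as `/* snprintf returns the untruncated length; the loop exits once buf is full, silently dropping the rest */` would document the limit. `len` is an int compared with a size_t on the loop line, which also deserves a word.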
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index dbef340ab..214612fdb 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -45,6 +45,16 @@
#define MAX_DELETE_PAYLOADS 20
/**
+ * Max number of certificate payloads per IKEv2 Message
+ */
+#define MAX_CERT_PAYLOADS 8
+
+/**
+ * Max number of Vendor ID payloads per IKEv2 Message
+ */
+#define MAX_VID_PAYLOADS 20
+
+/**
* A payload rule defines the rules for a payload
* in a specific message rule. It defines if and how
* many times a payload must/can occur in a message
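Review bot: The two new macros document only the count, not that the values are parsing limits on untrusted peer input; judging from the min/max columns of the rule tables, a message carrying more payloads of a type than its max fails rule checking, so raising VENDOR_ID from 10 to `MAX_VID_PAYLOADS` (20) in the later hunks and CERTIFICATE from 4 to 8 widens what a peer can make the parser accept per message. The comments should say so, e.g. `/* Max number of certificate payloads per IKEv2 message; a message exceeding it fails the payload rule check */`, and a word on why 8 and 20 were chosen would help future tuning. The per-type rule tables are only partly visible here.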
@@ -104,7 +114,7 @@ static payload_rule_t ike_sa_init_i_rules[] = {
{SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
{KEY_EXCHANGE, 1, 1, FALSE, FALSE},
{NONCE, 1, 1, FALSE, FALSE},
- {VENDOR_ID, 0, 10, FALSE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
};
/**
@@ -131,8 +141,8 @@ static payload_rule_t ike_sa_init_r_rules[] = {
{SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
{KEY_EXCHANGE, 1, 1, FALSE, FALSE},
{NONCE, 1, 1, FALSE, FALSE},
- {CERTIFICATE_REQUEST, 1, 1, FALSE, FALSE},
- {VENDOR_ID, 0, 10, FALSE, FALSE},
+ {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
};
/**
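Review bot: Relaxing CERTIFICATE_REQUEST in ike_sa_init_r_rules from min 1 to min 0 is a behaviour change — if the min column is enforced as its name suggests, a responder's IKE_SA_INIT without CERTREQ would previously have failed rule checking and is now accepted — that the table's leading comment does not record. Since CERTREQ is optional in the IKE_SA_INIT response in RFC 5996, a comment such as `/* CERTREQ is optional in the IKE_SA_INIT response */` on that row would explain the change. The rest of the table sits outside the hunk.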
@@ -160,7 +170,7 @@ static payload_rule_t ike_auth_i_rules[] = {
{EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
{AUTHENTICATION, 0, 1, TRUE, TRUE},
{ID_INITIATOR, 0, 1, TRUE, FALSE},
- {CERTIFICATE, 0, 4, TRUE, FALSE},
+ {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
{CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
{ID_RESPONDER, 0, 1, TRUE, FALSE},
#ifdef ME
@@ -173,7 +183,7 @@ static payload_rule_t ike_auth_i_rules[] = {
{TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
#endif /* ME */
{CONFIGURATION, 0, 1, TRUE, FALSE},
- {VENDOR_ID, 0, 10, TRUE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
};
/**
@@ -213,13 +223,13 @@ static payload_rule_t ike_auth_r_rules[] = {
{NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
{EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
{AUTHENTICATION, 0, 1, TRUE, TRUE},
- {CERTIFICATE, 0, 4, TRUE, FALSE},
+ {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
{ID_RESPONDER, 0, 1, TRUE, FALSE},
{SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
{TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
{TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
{CONFIGURATION, 0, 1, TRUE, FALSE},
- {VENDOR_ID, 0, 10, TRUE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
};
/**
@@ -256,7 +266,7 @@ static payload_rule_t informational_i_rules[] = {
{NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
{CONFIGURATION, 0, 1, TRUE, FALSE},
{DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
- {VENDOR_ID, 0, 10, TRUE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
};
/**
@@ -281,7 +291,7 @@ static payload_rule_t informational_r_rules[] = {
{NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
{CONFIGURATION, 0, 1, TRUE, FALSE},
{DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
- {VENDOR_ID, 0, 10, TRUE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
};
/**
@@ -310,7 +320,7 @@ static payload_rule_t create_child_sa_i_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
{TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
{CONFIGURATION, 0, 1, TRUE, FALSE},
- {VENDOR_ID, 0, 10, TRUE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
};
/**
@@ -343,7 +353,7 @@ static payload_rule_t create_child_sa_r_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
{TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
{CONFIGURATION, 0, 1, TRUE, FALSE},
- {VENDOR_ID, 0, 10, TRUE, FALSE},
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
};
/**
@@ -372,7 +382,7 @@ static payload_rule_t me_connect_i_rules[] = {
/* payload type min max encr suff */
{NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
{ID_PEER, 1, 1, TRUE, FALSE},
- {VENDOR_ID, 0, 10, TRUE, FALSE}
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
};
/**
@@ -391,7 +401,7 @@ static payload_order_t me_connect_i_order[] = {
static payload_rule_t me_connect_r_rules[] = {
/* payload type min max encr suff */
{NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
- {VENDOR_ID, 0, 10, TRUE, FALSE}
+ {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
};
/**
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 018318a59..57aab1db7 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c
index 5fdb36c5c..72c551f0f 100644
--- a/src/libcharon/plugins/addrblock/addrblock_plugin.c
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c
@@ -43,6 +43,12 @@ struct private_addrblock_plugin_t {
addrblock_narrow_t *narrower;
};
+METHOD(plugin_t, get_name, char*,
+ private_addrblock_plugin_t *this)
+{
+ return "addrblock";
+}
+
METHOD(plugin_t, destroy, void,
private_addrblock_plugin_t *this)
{
@@ -63,6 +69,8 @@ plugin_t *addrblock_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
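Review bot: `.reload = (void*)return_false` casts a function of one signature to another through `void*`, which hides the type mismatch from the compiler; the same line appears in the android_plugin hunk further down. If this is the project's convention for plugins without reloadable configuration, a comment at the first occurrence would tell readers it is intentional, e.g. `/* no reloadable configuration: reload is a no-op returning FALSE */`. addrblock_plugin_create's start lies outside the hunk.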
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 12cf0c941..1b07378f7 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -88,7 +88,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
METHOD(cert_validator_t, validate, bool,
private_addrblock_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, bool anchor,
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
if (subject->get_type(subject) == CERT_X509 &&
@@ -114,7 +114,9 @@ addrblock_validator_t *addrblock_validator_create()
INIT(this,
.public = {
- .validator.validate = _validate,
+ .validator = {
+ .validate = _validate,
+ },
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
index 7d6eb2b9c..08248da12 100644
--- a/src/libcharon/plugins/android/Makefile.in
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
index 3d82d8f60..54a7017a1 100644
--- a/src/libcharon/plugins/android/android_plugin.c
+++ b/src/libcharon/plugins/android/android_plugin.c
@@ -54,11 +54,16 @@ struct private_android_plugin_t {
* Service that interacts with the Android Settings frontend
*/
android_service_t *service;
-
};
+METHOD(plugin_t, get_name, char*,
+ private_android_plugin_t *this)
+{
+ return "android";
+}
+
METHOD(plugin_t, destroy, void,
- private_android_plugin_t *this)
+ private_android_plugin_t *this)
{
hydra->attributes->remove_handler(hydra->attributes,
&this->handler->handler);
@@ -81,6 +86,8 @@ plugin_t *android_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/coupling/Makefile.am b/src/libcharon/plugins/coupling/Makefile.am
new file mode 100644
index 000000000..642ce820c
--- /dev/null
+++ b/src/libcharon/plugins/coupling/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-coupling.la
+else
+plugin_LTLIBRARIES = libstrongswan-coupling.la
+endif
+
+libstrongswan_coupling_la_SOURCES = coupling_plugin.h coupling_plugin.c \
+ coupling_validator.h coupling_validator.c
+
+libstrongswan_coupling_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
new file mode 100644
index 000000000..a3104e4c0
--- /dev/null
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -0,0 +1,608 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/coupling
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_coupling_la_LIBADD =
+am_libstrongswan_coupling_la_OBJECTS = coupling_plugin.lo \
+ coupling_validator.lo
+libstrongswan_coupling_la_OBJECTS = \
+ $(am_libstrongswan_coupling_la_OBJECTS)
+libstrongswan_coupling_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_coupling_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_coupling_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_coupling_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_coupling_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_coupling_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-coupling.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-coupling.la
+libstrongswan_coupling_la_SOURCES = coupling_plugin.h coupling_plugin.c \
+ coupling_validator.h coupling_validator.c
+
+libstrongswan_coupling_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/coupling/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/coupling/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES)
+ $(libstrongswan_coupling_la_LINK) $(am_libstrongswan_coupling_la_rpath) $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/coupling_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/coupling_validator.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/coupling/coupling_plugin.c b/src/libcharon/plugins/coupling/coupling_plugin.c
new file mode 100644
index 000000000..7ccc51db5
--- /dev/null
+++ b/src/libcharon/plugins/coupling/coupling_plugin.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "coupling_plugin.h"
+
+#include "coupling_validator.h"
+
+#include <daemon.h>
+
+typedef struct private_coupling_plugin_t private_coupling_plugin_t;
+
+/**
+ * private data of coupling plugin
+ */
+struct private_coupling_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ coupling_plugin_t public;
+
+ /**
+ * validator controlling couplings
+ */
+ coupling_validator_t *validator;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_coupling_plugin_t *this)
+{
+ return "coupling";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_coupling_plugin_t *this)
+{
+ lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->validator->destroy(this->validator);
+ free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *coupling_plugin_create()
+{
+ private_coupling_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .validator = coupling_validator_create(),
+ );
+
+ if (!this->validator)
+ {
+ free(this);
+ return NULL;
+ }
+
+ lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+ return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/coupling/coupling_plugin.h b/src/libcharon/plugins/coupling/coupling_plugin.h
new file mode 100644
index 000000000..645100b45
--- /dev/null
+++ b/src/libcharon/plugins/coupling/coupling_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup coupling coupling
+ * @ingroup cplugins
+ *
+ * @defgroup coupling_plugin coupling_plugin
+ * @{ @ingroup coupling
+ */
+
+#ifndef COUPLING_PLUGIN_H_
+#define COUPLING_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct coupling_plugin_t coupling_plugin_t;
+
+/**
+ * Plugin to couple peer certificates permanently to peer authentication.
+ */
+struct coupling_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** COUPLING_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/coupling/coupling_validator.c b/src/libcharon/plugins/coupling/coupling_validator.c
new file mode 100644
index 000000000..06b6f7d86
--- /dev/null
+++ b/src/libcharon/plugins/coupling/coupling_validator.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "coupling_validator.h"
+
+#include <errno.h>
+#include <time.h>
+
+#include <daemon.h>
+#include <threading/mutex.h>
+
+/* buffer size for hex-encoded hash */
+#define MAX_HASH_SIZE (HASH_SIZE_SHA512 * 2 + 1)
+
+typedef struct private_coupling_validator_t private_coupling_validator_t;
+
+/**
+ * Private data of an coupling_validator_t object.
+ */
+struct private_coupling_validator_t {
+
+ /**
+ * Public coupling_validator_t interface.
+ */
+ coupling_validator_t public;
+
+ /**
+ * Mutex
+ */
+ mutex_t *mutex;
+
+ /**
+ * File with device couplings
+ */
+ FILE *f;
+
+ /**
+ * Hasher to create hashes
+ */
+ hasher_t *hasher;
+
+ /**
+ * maximum number of couplings
+ */
+ int max_couplings;
+};
+
+/**
+ * Get hash of a certificate
+ */
+static bool get_cert_hash(private_coupling_validator_t *this,
+ certificate_t *cert, char *hex)
+{
+ char buf[MAX_HASH_SIZE];
+ chunk_t encoding;
+
+ if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ {
+ return FALSE;
+ }
+ this->hasher->get_hash(this->hasher, encoding, buf);
+ free(encoding.ptr);
+ chunk_to_hex(chunk_create(buf, this->hasher->get_hash_size(this->hasher)),
+ hex, FALSE);
+ return TRUE;
+}
+
+/**
+ * Check if we have an entry for a given hash
+ */
+static bool has_entry(private_coupling_validator_t *this, char *hash)
+{
+ char line[256];
+ int hash_len;
+
+ hash_len = strlen(hash);
+ rewind(this->f);
+
+ while (fgets(line, sizeof(line), this->f))
+ {
+ if (strlen(line) >= hash_len &&
+ strncaseeq(line, hash, hash_len))
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Get the number of coupling entries we currently have
+ */
+static int get_number_of_entries(private_coupling_validator_t *this)
+{
+ char line[256];
+ int count = 0;
+
+ rewind(this->f);
+
+ while (fgets(line, sizeof(line), this->f))
+ {
+ /* valid entries start with hex encoded hash */
+ if (strchr("1234567890abcdefABCDEF", line[0]))
+ {
+ count++;
+ }
+ }
+ return count;
+}
+
+/**
+ * Add a new entry to the file
+ */
+static bool add_entry(private_coupling_validator_t *this, char *hash,
+ identification_t *id)
+{
+ return fseek(this->f, 0, SEEK_END) == 0 &&
+ fprintf(this->f, "%s %u '%Y'\n", hash, time(NULL), id) > 0;
+}
+
+METHOD(cert_validator_t, validate, bool,
+ private_coupling_validator_t *this,
+ certificate_t *subject, certificate_t *issuer,
+ bool online, u_int pathlen, bool anchor, auth_cfg_t *auth)
+{
+ bool valid = FALSE;
+ char hash[MAX_HASH_SIZE];
+
+ if (pathlen != 0)
+ {
+ return TRUE;
+ }
+ if (get_cert_hash(this, subject, hash))
+ {
+ this->mutex->lock(this->mutex);
+ if (has_entry(this, hash))
+ {
+ DBG1(DBG_CFG, "coupled certificate '%Y' found, accepted",
+ subject->get_subject(subject));
+ valid = TRUE;
+ }
+ else if (get_number_of_entries(this) < this->max_couplings)
+ {
+ if (add_entry(this, hash, subject->get_subject(subject)))
+ {
+ DBG1(DBG_CFG, "coupled new certificate '%Y'",
+ subject->get_subject(subject));
+ valid = TRUE;
+ }
+ else
+ {
+ DBG1(DBG_CFG, "coupling new certificate '%Y' failed",
+ subject->get_subject(subject));
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, "coupling new certificate '%Y' failed, limit of %d "
+ "couplings reached", subject->get_subject(subject),
+ this->max_couplings);
+ }
+ this->mutex->unlock(this->mutex);
+ }
+ return valid;
+}
+
+METHOD(coupling_validator_t, destroy, void,
+ private_coupling_validator_t *this)
+{
+ if (this->f)
+ {
+ fclose(this->f);
+ }
+ DESTROY_IF(this->hasher);
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/**
+ * See header
+ */
+coupling_validator_t *coupling_validator_create()
+{
+ private_coupling_validator_t *this;
+ char *path, *hash;
+ int i;
+ struct {
+ hash_algorithm_t alg;
+ char *name;
+ } hash_types[] = {
+ { HASH_MD5, "md5"},
+ { HASH_SHA1, "sha1"},
+ { HASH_SHA256, "sha256"},
+ { HASH_SHA384, "sha384"},
+ { HASH_SHA512, "sha512"},
+ };
+
+ INIT(this,
+ .public = {
+ .validator = {
+ .validate = _validate,
+ },
+ .destroy = _destroy,
+ },
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .max_couplings = lib->settings->get_int(lib->settings,
+ "charon.plugins.coupling.max", 1),
+ );
+
+ hash = lib->settings->get_str(lib->settings,
+ "charon.plugins.coupling.hash", "sha1");
+ for (i = 0; i < countof(hash_types); i++)
+ {
+ if (strcaseeq(hash_types[i].name, hash))
+ {
+ this->hasher = lib->crypto->create_hasher(lib->crypto,
+ hash_types[i].alg);
+ break;
+ }
+ }
+ if (!this->hasher)
+ {
+ DBG1(DBG_CFG, "unsupported coupling hash algorithm: %s", hash);
+ destroy(this);
+ return NULL;
+ }
+
+ path = lib->settings->get_str(lib->settings,
+ "charon.plugins.coupling.file", NULL);
+ if (!path)
+ {
+ DBG1(DBG_CFG, "coupling file path unspecified");
+ destroy(this);
+ return NULL;
+ }
+ this->f = fopen(path, "a+");
+ if (!this->f)
+ {
+ DBG1(DBG_CFG, "opening coupling file '%s' failed: %s",
+ path, strerror(errno));
+ destroy(this);
+ return NULL;
+ }
+ setlinebuf(this->f);
+ return &this->public;
+}
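Review bot: add_entry at L5440 hands the `time_t` returned by `time(NULL)` to a `%u` conversion, a type mismatch wherever `time_t` is wider than `unsigned int`; write it as `fprintf(this->f, "%s %u '%Y'\n", hash, (u_int)time(NULL), id) > 0`. Both has_entry and get_number_of_entries assume each coupling occupies exactly one `fgets` read of at most 255 bytes; an identity whose `%Y` rendering is longer than that or contains a newline is split across reads, and a continuation that happens to begin with a hex digit is counted as an extra entry — fail-closed, but it can exhaust `max` earlier than intended, so a comment at the `char line[256];` declarations such as `/* entries longer than this are split and may be over-counted */` would save the next reader a surprise. The coupling file is the trust store of this validator: it is created by `fopen(path, "a+")` under the daemon's umask, and anything able to append to it can couple a certificate, so the strongswan.conf description of `charon.plugins.coupling.file` should state that it must be writable only by the daemon user. It is also worth confirming that validate is only reached for a pathlen-0 certificate after its chain is known to terminate at a trust anchor; if the framework calls it earlier, a certificate whose chain later fails still consumes a coupling slot.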
diff --git a/src/libcharon/plugins/coupling/coupling_validator.h b/src/libcharon/plugins/coupling/coupling_validator.h
new file mode 100644
index 000000000..d6b4d3718
--- /dev/null
+++ b/src/libcharon/plugins/coupling/coupling_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup coupling_validator coupling_validator
+ * @{ @ingroup coupling
+ */
+
+#ifndef COUPLING_VALIDATOR_H_
+#define COUPLING_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct coupling_validator_t coupling_validator_t;
+
+/**
+ * Validator that couples authenticated certificates permanently.
+ */
+struct coupling_validator_t {
+
+ /**
+ * Implements cert_validator_t interface.
+ */
+ cert_validator_t validator;
+
+ /**
+ * Destroy a coupling_validator_t.
+ */
+ void (*destroy)(coupling_validator_t *this);
+};
+
+/**
+ * Create a coupling_validator instance.
+ */
+coupling_validator_t *coupling_validator_create();
+
+#endif /** COUPLING_VALIDATOR_H_ @}*/
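Review bot: The comment for `coupling_validator_create()` at L5618-L5621 does not say that it can return NULL, nor which settings it reads; the implementation fails when `charon.plugins.coupling.file` is unset or cannot be opened, or when `charon.plugins.coupling.hash` names an unsupported algorithm, and also reads `charon.plugins.coupling.max`. Suggested: `@return validator, NULL if the coupling file cannot be opened or the hash algorithm is unsupported`. The struct comment at L5603 could add that couplings are persisted in that file and that only the end-entity certificate (pathlen 0) is coupled, which is what a reader of this header needs to judge the trust model.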
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 8046fc052..7853659df 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index fccc99ba5..f8782c2a4 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -44,6 +44,12 @@ struct private_dhcp_plugin_t {
dhcp_provider_t *provider;
};
+METHOD(plugin_t, get_name, char*,
+ private_dhcp_plugin_t *this)
+{
+ return "dhcp";
+}
+
METHOD(plugin_t, destroy, void,
private_dhcp_plugin_t *this)
{
@@ -64,6 +70,8 @@ plugin_t *dhcp_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 8851c1b79..c98d50554 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -201,6 +201,9 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
dhcp->transaction_id = transaction->get_id(transaction);
if (chunk_equals(broadcast, this->dst->get_address(this->dst)))
{
+ /* Set broadcast flag to get broadcasted replies, as we actually
+ * do not own the MAC we request an address for. */
+ dhcp->flags = htons(0x8000);
/* TODO: send with 0.0.0.0 source address */
}
else
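Review bot: `0x8000` at L5680 is the DHCP BROADCAST bit (the most significant bit of the flags field, RFC 2131), but the value is a bare magic number; naming it, e.g. `#define DHCP_FLAG_BROADCAST 0x8000` (constructed name) and `dhcp->flags = htons(DHCP_FLAG_BROADCAST);`, keeps the comment and the value in step. The else branch below leaves `flags` untouched, which is only correct if the message is zero-initialised before this point; the hunk does not show that. prepare_dhcp's body starts and ends outside the hunk.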
diff --git a/src/libcharon/plugins/duplicheck/Makefile.am b/src/libcharon/plugins/duplicheck/Makefile.am
new file mode 100644
index 000000000..63c91dfab
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-duplicheck.la
+else
+plugin_LTLIBRARIES = libstrongswan-duplicheck.la
+endif
+
+libstrongswan_duplicheck_la_SOURCES = duplicheck_plugin.h duplicheck_plugin.c \
+ duplicheck_listener.h duplicheck_listener.c \
+ duplicheck_notify.h duplicheck_notify.c
+
+libstrongswan_duplicheck_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = duplicheck
+duplicheck_SOURCES = duplicheck.c
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
new file mode 100644
index 000000000..8cffa2f10
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -0,0 +1,668 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = duplicheck$(EXEEXT)
+subdir = src/libcharon/plugins/duplicheck
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_duplicheck_la_LIBADD =
+am_libstrongswan_duplicheck_la_OBJECTS = duplicheck_plugin.lo \
+ duplicheck_listener.lo duplicheck_notify.lo
+libstrongswan_duplicheck_la_OBJECTS = \
+ $(am_libstrongswan_duplicheck_la_OBJECTS)
+libstrongswan_duplicheck_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_duplicheck_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_duplicheck_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_duplicheck_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_duplicheck_OBJECTS = duplicheck.$(OBJEXT)
+duplicheck_OBJECTS = $(am_duplicheck_OBJECTS)
+duplicheck_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_duplicheck_la_SOURCES) $(duplicheck_SOURCES)
+DIST_SOURCES = $(libstrongswan_duplicheck_la_SOURCES) \
+ $(duplicheck_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-duplicheck.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-duplicheck.la
+libstrongswan_duplicheck_la_SOURCES = duplicheck_plugin.h duplicheck_plugin.c \
+ duplicheck_listener.h duplicheck_listener.c \
+ duplicheck_notify.h duplicheck_notify.c
+
+libstrongswan_duplicheck_la_LDFLAGS = -module -avoid-version
+duplicheck_SOURCES = duplicheck.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/duplicheck/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/duplicheck/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES)
+ $(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES)
+ @rm -f duplicheck$(EXEEXT)
+ $(LINK) $(duplicheck_OBJECTS) $(duplicheck_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/duplicheck.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/duplicheck_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/duplicheck_notify.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/duplicheck_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-ipsecPROGRAMS install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/duplicheck/duplicheck.c b/src/libcharon/plugins/duplicheck/duplicheck.c
new file mode 100644
index 000000000..99731a22b
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <errno.h>
+
+#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
+
+int main(int argc, char *argv[])
+{
+ struct sockaddr_un addr;
+ char buf[128];
+ int fd, len;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, DUPLICHECK_SOCKET);
+
+ fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (fd < 0)
+ {
+ fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+ return 1;
+ }
+ if (connect(fd, (struct sockaddr *)&addr,
+ offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+ {
+ fprintf(stderr, "connecting to %s failed: %s\n",
+ DUPLICHECK_SOCKET, strerror(errno));
+ close(fd);
+ return 1;
+ }
+ while (1)
+ {
+ len = recv(fd, &buf, sizeof(buf) - 1, 0);
+ if (len < 0)
+ {
+ fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
+ close(fd);
+ return 1;
+ }
+ printf("%.*s\n", len, buf);
+ }
+}
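Review bot: The read loop in main() does not handle recv() returning 0, which is what the client sees once charon closes the notification socket; `len == 0` falls through to printf and the tool spins forever printing empty lines. Change the test to `if (len <= 0)` and treat the zero case as a clean end of stream, e.g. `if (len == 0) { close(fd); return 0; }` placed before the error branch. The file also calls strcpy, strlen and strerror without including `<string.h>`, so it currently relies on a transitive include. The `strcpy(addr.sun_path, DUPLICHECK_SOCKET)` assumes the build-time IPSEC_PIDDIR path fits into `sun_path`; a `sizeof(addr.sun_path)` bound (strncpy, or a static assertion on the literal's length) would make that assumption explicit.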
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_listener.c b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
new file mode 100644
index 000000000..226b2bd4e
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "duplicheck_listener.h"
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <utils/hashtable.h>
+#include <encoding/payloads/delete_payload.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_duplicheck_listener_t private_duplicheck_listener_t;
+
+/**
+ * Private data of an duplicheck_listener_t object.
+ */
+struct private_duplicheck_listener_t {
+
+ /**
+ * Public duplicheck_listener_t interface.
+ */
+ duplicheck_listener_t public;
+
+ /**
+ * Socket to send notifications to
+ */
+ duplicheck_notify_t *notify;
+
+ /**
+ * Mutex to lock hashtables
+ */
+ mutex_t *mutex;
+
+ /**
+ * Hashtable of active IKE_SAs, identification_t => entry_t
+ */
+ hashtable_t *active;
+
+ /**
+ * Hashtable with active liveness checks, identification_t => entry_t
+ */
+ hashtable_t *checking;
+};
+
+/**
+ * Entry for hashtables
+ */
+typedef struct {
+ /** peer identity */
+ identification_t *id;
+ /** IKE_SA identifier */
+ ike_sa_id_t *sa;
+} entry_t;
+
+/**
+ * Destroy a hashtable entry
+ */
+static void entry_destroy(entry_t *this)
+{
+ this->id->destroy(this->id);
+ this->sa->destroy(this->sa);
+ free(this);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+ return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(identification_t *a, identification_t *b)
+{
+ return a->equals(a, b);
+}
+
+METHOD(listener_t, ike_rekey, bool,
+ private_duplicheck_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+ identification_t *id;
+ ike_sa_id_t *sa;
+ entry_t *entry;
+
+ sa = new->get_id(new);
+ id = new->get_other_id(new);
+
+ INIT(entry,
+ .id = id->clone(id),
+ .sa = sa->clone(sa),
+ );
+ this->mutex->lock(this->mutex);
+ entry = this->active->put(this->active, entry->id, entry);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ entry_destroy(entry);
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+ private_duplicheck_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+ identification_t *id;
+ ike_sa_id_t *sa;
+ entry_t *entry;
+ job_t *job;
+
+ sa = ike_sa->get_id(ike_sa);
+ id = ike_sa->get_other_id(ike_sa);
+
+ if (up)
+ {
+ INIT(entry,
+ .id = id->clone(id),
+ .sa = sa->clone(sa),
+ );
+ this->mutex->lock(this->mutex);
+ entry = this->active->put(this->active, entry->id, entry);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ DBG1(DBG_CFG, "detected duplicate IKE_SA for '%Y', "
+ "triggering delete for old IKE_SA", id);
+ job = (job_t*)delete_ike_sa_job_create(entry->sa, TRUE);
+ this->mutex->lock(this->mutex);
+ entry = this->checking->put(this->checking, entry->id, entry);
+ this->mutex->unlock(this->mutex);
+ lib->processor->queue_job(lib->processor, job);
+ if (entry)
+ {
+ entry_destroy(entry);
+ }
+ }
+ }
+ else
+ {
+ this->mutex->lock(this->mutex);
+ entry = this->checking->remove(this->checking, id);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ DBG1(DBG_CFG, "delete for duplicate IKE_SA '%Y' timed out, "
+ "keeping new IKE_SA", id);
+ entry_destroy(entry);
+ }
+ else
+ {
+ this->mutex->lock(this->mutex);
+ entry = this->active->remove(this->active, id);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ entry_destroy(entry);
+ }
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+ private_duplicheck_listener_t *this, ike_sa_t *ike_sa,
+ message_t *message, bool incoming)
+{
+ if (incoming && !message->get_request(message))
+ {
+ identification_t *id;
+ entry_t *entry;
+
+ id = ike_sa->get_other_id(ike_sa);
+ this->mutex->lock(this->mutex);
+ entry = this->checking->remove(this->checking, id);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ DBG1(DBG_CFG, "got a response on a duplicate IKE_SA for '%Y', "
+ "deleting new IKE_SA", id);
+ entry_destroy(entry);
+ this->mutex->lock(this->mutex);
+ entry = this->active->remove(this->active, id);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ lib->processor->queue_job(lib->processor,
+ (job_t*)delete_ike_sa_job_create(entry->sa, TRUE));
+ entry_destroy(entry);
+ }
+ this->notify->send(this->notify, id);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(duplicheck_listener_t, destroy, void,
+ private_duplicheck_listener_t *this)
+{
+ enumerator_t *enumerator;
+ identification_t *key;
+ entry_t *value;
+
+ enumerator = this->active->create_enumerator(this->active);
+ while (enumerator->enumerate(enumerator, &key, &value))
+ {
+ entry_destroy(value);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = this->checking->create_enumerator(this->checking);
+ while (enumerator->enumerate(enumerator, &key, &value))
+ {
+ entry_destroy(value);
+ }
+ enumerator->destroy(enumerator);
+
+ this->active->destroy(this->active);
+ this->checking->destroy(this->checking);
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/**
+ * See header
+ */
+duplicheck_listener_t *duplicheck_listener_create(duplicheck_notify_t *notify)
+{
+ private_duplicheck_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .ike_rekey = _ike_rekey,
+ .ike_updown = _ike_updown,
+ .message = _message_hook,
+ },
+ .destroy = _destroy,
+ },
+ .notify = notify,
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .active = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 32),
+ .checking = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 2),
+ );
+
+ return &this->public;
+}
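Review bot: message_hook removes the `checking` entry for any incoming response on an IKE_SA whose peer identity is `id`, without comparing the IKE_SA the response arrived on against `entry->sa`; since `active` and `checking` are keyed by peer identity only, a response received on the new IKE_SA for the same peer (for instance to a CREATE_CHILD_SA or DPD request sent right after it came up) would be taken as liveness proof of the old IKE_SA and the new one gets deleted instead. Look the entry up first and only take it out of `checking` when `entry->sa->equals(entry->sa, ike_sa->get_id(ike_sa))` holds, as sketched below. The single-entry-per-peer keying itself looks intentional, as ike_rekey relies on it to replace the stored IKE_SA id. In ike_updown, `delete_ike_sa_job_create(entry->sa, TRUE)` is handed the id owned by the entry that is then stored in `checking`; whether the job clones that id is not visible here, and if it does not, the job would hold a dangling pointer once entry_destroy runs on a later replacement, so that is worth confirming.
```c
METHOD(listener_t, message_hook, bool,
	private_duplicheck_listener_t *this, ike_sa_t *ike_sa,
	message_t *message, bool incoming)
{
	if (incoming && !message->get_request(message))
	{
		identification_t *id;
		entry_t *entry;

		id = ike_sa->get_other_id(ike_sa);
		this->mutex->lock(this->mutex);
		entry = this->checking->get(this->checking, id);
		/* only a response on the IKE_SA under liveness check counts; a
		 * response on the new IKE_SA of the same peer must not match */
		if (entry && entry->sa->equals(entry->sa, ike_sa->get_id(ike_sa)))
		{
			this->checking->remove(this->checking, id);
		}
		else
		{
			entry = NULL;
		}
		this->mutex->unlock(this->mutex);
		/* … unchanged: log, delete new IKE_SA from active, notify … */
```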
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_listener.h b/src/libcharon/plugins/duplicheck/duplicheck_listener.h
new file mode 100644
index 000000000..7c575dd64
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_listener.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup duplicheck_listener duplicheck_listener
+ * @{ @ingroup duplicheck
+ */
+
+#ifndef DUPLICHECK_LISTENER_H_
+#define DUPLICHECK_LISTENER_H_
+
+#include "duplicheck_notify.h"
+
+#include <bus/listeners/listener.h>
+
+typedef struct duplicheck_listener_t duplicheck_listener_t;
+
+/**
+ * Listener checking for duplicates.
+ */
+struct duplicheck_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a duplicheck_listener_t.
+ */
+ void (*destroy)(duplicheck_listener_t *this);
+};
+
+/**
+ * Create a duplicheck_listener instance.
+ *
+ * @param notify socket to send notifications to
+ * @return listener
+ */
+duplicheck_listener_t *duplicheck_listener_create(duplicheck_notify_t *notify);
+
+#endif /** DUPLICHECK_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
new file mode 100644
index 000000000..4e7618235
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "duplicheck_notify.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <threading/thread.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
+
+typedef struct private_duplicheck_notify_t private_duplicheck_notify_t;
+
+/**
+ * Private data of an duplicheck_notify_t object.
+ */
+struct private_duplicheck_notify_t {
+
+ /**
+ * Public duplicheck_notify_t interface.
+ */
+ duplicheck_notify_t public;
+
+ /**
+ * Callback job dispatching connections
+ */
+ callback_job_t *job;
+
+ /**
+ * Mutex to lock list
+ */
+ mutex_t *mutex;
+
+ /**
+ * List of connected sockets
+ */
+ linked_list_t *connected;
+
+ /**
+ * Socket dispatching connections
+ */
+ int socket;
+};
+
+/**
+ * Open duplicheck unix socket
+ */
+static bool open_socket(private_duplicheck_notify_t *this)
+{
+ struct sockaddr_un addr;
+ mode_t old;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, DUPLICHECK_SOCKET);
+
+ this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "creating duplicheck socket failed");
+ return FALSE;
+ }
+ unlink(addr.sun_path);
+ old = umask(~(S_IRWXU | S_IRWXG));
+ if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+ {
+ DBG1(DBG_CFG, "binding duplicheck socket failed: %s", strerror(errno));
+ close(this->socket);
+ return FALSE;
+ }
+ umask(old);
+ if (chown(addr.sun_path, charon->uid, charon->gid) != 0)
+ {
+ DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
+ strerror(errno));
+ }
+ if (listen(this->socket, 3) < 0)
+ {
+ DBG1(DBG_CFG, "listening on duplicheck socket failed: %s",
+ strerror(errno));
+ close(this->socket);
+ unlink(addr.sun_path);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Accept duplicheck notification connections
+ */
+static job_requeue_t receive(private_duplicheck_notify_t *this)
+{
+ struct sockaddr_un addr;
+ int len = sizeof(addr);
+ uintptr_t fd;
+ bool oldstate;
+
+ oldstate = thread_cancelability(TRUE);
+ fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+ thread_cancelability(oldstate);
+
+ if (fd != -1)
+ {
+ this->mutex->lock(this->mutex);
+ this->connected->insert_last(this->connected, (void*)fd);
+ this->mutex->unlock(this->mutex);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "accepting duplicheck connection failed: %s",
+ strerror(errno));
+ }
+ return JOB_REQUEUE_FAIR;
+}
+
+METHOD(duplicheck_notify_t, send_, void,
+ private_duplicheck_notify_t *this, identification_t *id)
+{
+ char buf[128];
+ enumerator_t *enumerator;
+ uintptr_t fd;
+ int len;
+
+ len = snprintf(buf, sizeof(buf), "%Y", id);
+ if (len > 0 && len < sizeof(buf))
+ {
+ this->mutex->lock(this->mutex);
+ enumerator = this->connected->create_enumerator(this->connected);
+ while (enumerator->enumerate(enumerator, &fd))
+ {
+ if (send(fd, &buf, len + 1, 0) != len + 1)
+ {
+ DBG1(DBG_CFG, "sending duplicheck notify failed: %s",
+ strerror(errno));
+ this->connected->remove_at(this->connected, enumerator);
+ close(fd);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+ }
+}
+
+METHOD(duplicheck_notify_t, destroy, void,
+ private_duplicheck_notify_t *this)
+{
+ enumerator_t *enumerator;
+ uintptr_t fd;
+
+ if (this->job)
+ {
+ this->job->cancel(this->job);
+ }
+ enumerator = this->connected->create_enumerator(this->connected);
+ while (enumerator->enumerate(enumerator, &fd))
+ {
+ close(fd);
+ }
+ enumerator->destroy(enumerator);
+ this->connected->destroy(this->connected);
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/**
+ * See header
+ */
+duplicheck_notify_t *duplicheck_notify_create()
+{
+ private_duplicheck_notify_t *this;
+
+ INIT(this,
+ .public = {
+ .send = _send_,
+ .destroy = _destroy,
+ },
+ .connected = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
+
+ if (!open_socket(this))
+ {
+ destroy(this);
+ return NULL;
+ }
+ this->job = callback_job_create((callback_job_cb_t)receive,
+ this, NULL, NULL);
+ lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+ return &this->public;
+}
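Review bot: In open_socket the bind() failure branch returns without restoring the umask saved by `old = umask(~(S_IRWXU | S_IRWXG));`, so a failed bind leaves the whole daemon running with the altered umask; add `umask(old);` before the `close(this->socket);` in that branch. destroy() cancels the accept job and closes the connected descriptors but never closes `this->socket` nor unlinks DUPLICHECK_SOCKET, so the listening descriptor and the socket file outlive the object; `close(this->socket);` after the job cancel (and an unlink of the path) would complete the teardown. In receive(), `int len` is passed to accept() as the address length, which expects a `socklen_t *`; declare it as `socklen_t len = sizeof(addr);`. In send_, a write to a client that has already gone away raises SIGPIPE unless the daemon ignores that signal, which is not visible here; passing `MSG_NOSIGNAL` instead of 0 makes the EPIPE handling below it self-contained.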
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.h b/src/libcharon/plugins/duplicheck/duplicheck_notify.h
new file mode 100644
index 000000000..43dd20cca
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup duplicheck_notify duplicheck_notify
+ * @{ @ingroup duplicheck
+ */
+
+#ifndef DUPLICHECK_NOTIFY_H_
+#define DUPLICHECK_NOTIFY_H_
+
+#include <utils/identification.h>
+
+typedef struct duplicheck_notify_t duplicheck_notify_t;
+
+/**
+ * Sends notifications over a unix socket when duplicates are detected.
+ */
+struct duplicheck_notify_t {
+
+ /**
+ * Send a notification message if duplicate IKE_SA detected.
+ *
+ * @param id identity a duplicate tunnel has been detected
+ */
+ void (*send)(duplicheck_notify_t *this, identification_t *id);
+
+ /**
+ * Destroy a duplicheck_notify_t.
+ */
+ void (*destroy)(duplicheck_notify_t *this);
+};
+
+/**
+ * Create a duplicheck_notify instance.
+ */
+duplicheck_notify_t *duplicheck_notify_create();
+
+#endif /** DUPLICHECK_NOTIFY_H_ @}*/
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
new file mode 100644
index 000000000..5bc1a14af
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "duplicheck_plugin.h"
+
+#include "duplicheck_notify.h"
+#include "duplicheck_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_duplicheck_plugin_t private_duplicheck_plugin_t;
+
+/**
+ * Private data of duplicheck plugin
+ */
+struct private_duplicheck_plugin_t {
+
+ /**
+ * Implements plugin interface
+ */
+ duplicheck_plugin_t public;
+
+ /**
+ * Listener doing duplicate checks
+ */
+ duplicheck_listener_t *listener;
+
+ /**
+ * Notification sender facility
+ */
+ duplicheck_notify_t *notify;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_duplicheck_plugin_t *this)
+{
+ return "duplicheck";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_duplicheck_plugin_t *this)
+{
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ this->notify->destroy(this->notify);
+ this->listener->destroy(this->listener);
+ free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *duplicheck_plugin_create()
+{
+ private_duplicheck_plugin_t *this;
+
+ if (!lib->settings->get_bool(lib->settings,
+ "charon.plugins.duplicheck.enabled", TRUE))
+ {
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .notify = duplicheck_notify_create(),
+ );
+
+ if (!this->notify)
+ {
+ free(this);
+ return NULL;
+ }
+ this->listener = duplicheck_listener_create(this->notify);
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+ return &this->public.plugin;
+}
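Review bot: The "Plugin constructor" comment on duplicheck_plugin_create does not mention that it returns NULL in two cases, which the plugin loader's caller should know about: when `charon.plugins.duplicheck.enabled` is set to no, and when the notification socket cannot be opened (duplicheck_notify_create returning NULL). Suggested comment: `* Plugin constructor; returns NULL if the plugin is disabled via charon.plugins.duplicheck.enabled or the notification socket can't be opened`. The destroy order (notify before listener, after remove_listener) is fine as long as remove_listener guarantees no hook is still executing, which cannot be confirmed from this hunk.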
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.h b/src/libcharon/plugins/duplicheck/duplicheck_plugin.h
new file mode 100644
index 000000000..3dddf1494
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup duplicheck duplicheck
+ * @ingroup cplugins
+ *
+ * @defgroup duplicheck_plugin duplicheck_plugin
+ * @{ @ingroup duplicheck
+ */
+
+#ifndef DUPLICHECK_PLUGIN_H_
+#define DUPLICHECK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct duplicheck_plugin_t duplicheck_plugin_t;
+
+/**
+ * Advanced duplicate checking using liveness checks.
+ */
+struct duplicheck_plugin_t {
+
+ /**
+ * Implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** DUPLICHECK_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 4a23f9010..666e22957 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
index dfcc69710..df0c4c5b4 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
@@ -54,6 +54,11 @@ struct private_eap_aka_peer_t {
identification_t *reauth;
/**
+ * EAP message identifier
+ */
+ u_int8_t identifier;
+
+ /**
* MSK
*/
chunk_t msk;
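Review bot: The new `identifier` field is read by create_client_error and the simaka_message_create calls in the later hunks of this file, but none of the visible hunks assigns it; presumably the process() method outside this chunk stores the identifier of each incoming request, and if it does not, every response would carry identifier 0. The field comment could state that contract, e.g. `* EAP message identifier of the last received request, echoed in the reply`, so a reader of the struct does not have to search for the assignment. The same reliance applies to the hunks that replace `in->get_identifier(in)` with `this->identifier`.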
@@ -72,8 +77,7 @@ struct private_eap_aka_peer_t {
/**
* Create a AKA_CLIENT_ERROR: "Unable to process"
*/
-static eap_payload_t* create_client_error(private_eap_aka_peer_t *this,
- u_int8_t identifier)
+static eap_payload_t* create_client_error(private_eap_aka_peer_t *this)
{
simaka_message_t *message;
eap_payload_t *out;
@@ -82,7 +86,7 @@ static eap_payload_t* create_client_error(private_eap_aka_peer_t *this,
DBG1(DBG_IKE, "sending client error '%N'",
simaka_client_error_names, AKA_UNABLE_TO_PROCESS);
- message = simaka_message_create(FALSE, identifier, EAP_AKA,
+ message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
AKA_CLIENT_ERROR, this->crypto);
encoded = htons(AKA_UNABLE_TO_PROCESS);
message->add_attribute(message, AT_CLIENT_ERROR_CODE,
@@ -124,7 +128,7 @@ static status_t process_identity(private_eap_aka_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
enumerator->destroy(enumerator);
return NEED_MORE;
}
@@ -159,7 +163,7 @@ static status_t process_identity(private_eap_aka_peer_t *this,
default:
break;
}
- message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+ message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
AKA_IDENTITY, this->crypto);
if (id.len)
{
@@ -200,7 +204,7 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
enumerator->destroy(enumerator);
return NEED_MORE;
}
@@ -212,7 +216,7 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
if (!rand.len || !autn.len)
{
DBG1(DBG_IKE, "received invalid EAP-AKA challenge message");
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
return NEED_MORE;
}
@@ -258,7 +262,7 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
* reading encrypted attributes */
if (!in->verify(in, chunk_empty) || !in->parse(in))
{
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
return NEED_MORE;
}
@@ -285,7 +289,7 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
}
enumerator->destroy(enumerator);
- message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+ message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
AKA_CHALLENGE, this->crypto);
message->add_attribute(message, AT_RES, chunk_create(res, res_len));
*out = message->generate(message, chunk_empty);
@@ -320,7 +324,7 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
{
DBG1(DBG_IKE, "received %N, but not expected",
simaka_subtype_names, AKA_REAUTHENTICATION);
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
return NEED_MORE;
}
@@ -330,7 +334,7 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
/* verify MAC and parse again with decryption key */
if (!in->verify(in, chunk_empty) || !in->parse(in))
{
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
return NEED_MORE;
}
@@ -351,7 +355,7 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
enumerator->destroy(enumerator);
return NEED_MORE;
}
@@ -363,7 +367,7 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
if (!nonce.len || !counter.len)
{
DBG1(DBG_IKE, "EAP-AKA/Request/Reauthentication message incomplete");
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
return NEED_MORE;
}
@@ -440,38 +444,38 @@ static status_t process_notification(private_eap_aka_peer_t *this,
if (success)
{ /* empty notification reply */
- message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
+ message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
AKA_NOTIFICATION, this->crypto);
*out = message->generate(message, chunk_empty);
message->destroy(message);
}
else
{
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
}
return NEED_MORE;
}
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_aka_peer_t *this,
- eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process, status_t,
+ private_eap_aka_peer_t *this, eap_payload_t *in, eap_payload_t **out)
{
simaka_message_t *message;
status_t status;
+ /* store received EAP message identifier */
+ this->identifier = in->get_identifier(in);
+
message = simaka_message_create_from_payload(in, this->crypto);
if (!message)
{
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
return NEED_MORE;
}
if (!message->parse(message))
{
message->destroy(message);
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
return NEED_MORE;
}
switch (message->get_subtype(message))
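Review bot: The new `this->identifier = in->get_identifier(in);` at the top of process() should say why it runs before the payload is parsed: every reply built afterwards, including the AKA_CLIENT_ERROR for a request that simaka_message_create_from_payload() or parse() rejects, must echo the request's identifier, and create_client_error() no longer receives it as a parameter. Suggest replacing `/* store received EAP message identifier */` with `/* capture the request identifier before parsing: all replies, including client errors for malformed requests, must echo it */`. The switch on the subtype continues past the end of this hunk.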
@@ -491,7 +495,7 @@ static status_t process(private_eap_aka_peer_t *this,
default:
DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
simaka_subtype_names, message->get_subtype(message));
- *out = create_client_error(this, in->get_identifier(in));
+ *out = create_client_error(this);
status = NEED_MORE;
break;
}
@@ -499,28 +503,22 @@ static status_t process(private_eap_aka_peer_t *this,
return status;
}
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_aka_peer_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate, status_t,
+ private_eap_aka_peer_t *this, eap_payload_t **out)
{
/* peer never initiates */
return FAILED;
}
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_aka_peer_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_aka_peer_t *this, u_int32_t *vendor)
{
*vendor = 0;
return EAP_AKA;
}
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_aka_peer_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_aka_peer_t *this, chunk_t *msk)
{
if (this->msk.ptr)
{
@@ -530,18 +528,26 @@ static status_t get_msk(private_eap_aka_peer_t *this, chunk_t *msk)
return FAILED;
}
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_aka_peer_t *this)
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_aka_peer_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_aka_peer_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_aka_peer_t *this)
{
return TRUE;
}
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_aka_peer_t *this)
+METHOD(eap_method_t, destroy, void,
+ private_eap_aka_peer_t *this)
{
this->crypto->destroy(this->crypto);
this->permanent->destroy(this->permanent);
@@ -557,25 +563,31 @@ static void destroy(private_eap_aka_peer_t *this)
eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
identification_t *peer)
{
- private_eap_aka_peer_t *this = malloc_thing(private_eap_aka_peer_t);
-
- this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
- this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
- this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
- this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
- this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
- this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+ private_eap_aka_peer_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ .crypto = simaka_crypto_create(),
+ );
- this->crypto = simaka_crypto_create();
if (!this->crypto)
{
free(this);
return NULL;
}
+
this->permanent = peer->clone(peer);
- this->pseudonym = NULL;
- this->reauth = NULL;
- this->msk = chunk_empty;
return &this->public;
}
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_plugin.c b/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
index f9283393a..394a14b59 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
@@ -20,10 +20,14 @@
#include <daemon.h>
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_aka_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ eap_aka_plugin_t *this)
+{
+ return "eap-aka";
+}
+
+METHOD(plugin_t, destroy, void,
+ eap_aka_plugin_t *this)
{
charon->eap->remove_method(charon->eap,
(eap_constructor_t)eap_aka_server_create);
@@ -37,9 +41,15 @@ static void destroy(eap_aka_plugin_t *this)
*/
plugin_t *eap_aka_plugin_create()
{
- eap_aka_plugin_t *this = malloc_thing(eap_aka_plugin_t);
-
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
+ eap_aka_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_SERVER,
(eap_constructor_t)eap_aka_server_create);
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
index 9baff3e23..bf0020ad8 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -57,7 +57,7 @@ struct private_eap_aka_server_t {
identification_t *reauth;
/**
- * EAP identifier value
+ * EAP message identifier
*/
u_int8_t identifier;
@@ -251,10 +251,8 @@ static status_t reauthenticate(private_eap_aka_server_t *this,
return NEED_MORE;
}
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_aka_server_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate, status_t,
+ private_eap_aka_server_t *this, eap_payload_t **out)
{
if (this->use_permanent || this->use_pseudonym || this->use_reauth)
{
@@ -560,11 +558,8 @@ static status_t process_authentication_reject(private_eap_aka_server_t *this,
return FAILED;
}
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_aka_server_t *this,
- eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process, status_t,
+ private_eap_aka_server_t *this, eap_payload_t *in, eap_payload_t **out)
{
simaka_message_t *message;
status_t status;
@@ -609,19 +604,15 @@ static status_t process(private_eap_aka_server_t *this,
return status;
}
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_aka_server_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_aka_server_t *this, u_int32_t *vendor)
{
*vendor = 0;
return EAP_AKA;
}
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_aka_server_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_aka_server_t *this, chunk_t *msk)
{
if (this->msk.ptr)
{
@@ -631,18 +622,26 @@ static status_t get_msk(private_eap_aka_server_t *this, chunk_t *msk)
return FAILED;
}
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_aka_server_t *this)
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_aka_server_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_aka_server_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_aka_server_t *this)
{
return TRUE;
}
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_aka_server_t *this)
+METHOD(eap_method_t, destroy, void,
+ private_eap_aka_server_t *this)
{
this->crypto->destroy(this->crypto);
this->permanent->destroy(this->permanent);
@@ -662,34 +661,35 @@ static void destroy(private_eap_aka_server_t *this)
eap_aka_server_t *eap_aka_server_create(identification_t *server,
identification_t *peer)
{
- private_eap_aka_server_t *this = malloc_thing(private_eap_aka_server_t);
-
- this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
- this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
- this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
- this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
- this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
- this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+ private_eap_aka_server_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ .crypto = simaka_crypto_create(),
+ );
- this->crypto = simaka_crypto_create();
if (!this->crypto)
{
free(this);
return NULL;
}
+
this->permanent = peer->clone(peer);
- this->pseudonym = NULL;
- this->reauth = NULL;
- this->xres = chunk_empty;
- this->rand = chunk_empty;
- this->nonce = chunk_empty;
- this->msk = chunk_empty;
- this->counter = chunk_empty;
- this->pending = 0;
- this->synchronized = FALSE;
this->use_reauth = this->use_pseudonym = this->use_permanent =
lib->settings->get_bool(lib->settings,
"charon.plugins.eap-aka.request_identity", TRUE);
+
/* generate a non-zero identifier */
do {
this->identifier = random();
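Review bot: The explicit initializers for `pseudonym`, `reauth`, `xres`, `rand`, `nonce`, `msk`, `counter`, `pending` and `synchronized` are dropped, so correctness now rests on INIT() zero-filling every member not listed in it and on `chunk_empty` being all-zero bytes; neither definition is visible here, so please confirm both, since a non-NULL garbage `pseudonym` would be handed to destroy() above. A one-line comment after the INIT() call, `/* all other members are zero-initialized by INIT() */`, would make that dependency explicit for the next reader. The identifier loop at the bottom continues outside this hunk.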
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index ad1ae1906..1fe86a2bb 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -245,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -268,6 +270,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
index 626e83311..ef5f62e34 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c
@@ -48,10 +48,14 @@ struct private_eap_aka_3gpp2_t {
eap_aka_3gpp2_functions_t *functions;
};
-/**
- * Implementation of eap_aka_3gpp2_t.destroy.
- */
-static void destroy(private_eap_aka_3gpp2_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_eap_aka_3gpp2_t *this)
+{
+ return "eap-aka-3gpp2";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_eap_aka_3gpp2_t *this)
{
charon->sim->remove_card(charon->sim, &this->card->card);
charon->sim->remove_provider(charon->sim, &this->provider->provider);
@@ -66,11 +70,19 @@ static void destroy(private_eap_aka_3gpp2_t *this)
*/
plugin_t *eap_aka_3gpp2_plugin_create()
{
- private_eap_aka_3gpp2_t *this = malloc_thing(private_eap_aka_3gpp2_t);
+ private_eap_aka_3gpp2_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .functions = eap_aka_3gpp2_functions_create(),
+ );
- this->functions = eap_aka_3gpp2_functions_create();
if (!this->functions)
{
free(this);
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 142a35e50..4f555a982 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index f641ad13a..c3ab07de0 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -70,10 +70,8 @@ struct eap_gtc_header_t {
u_int8_t data[];
} __attribute__((__packed__));
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_peer, status_t,
+ private_eap_gtc_t *this, eap_payload_t **out)
{
/* peer never initiates */
return FAILED;
@@ -136,10 +134,8 @@ static bool authenticate(char *service, char *user, char *password)
return ret == PAM_SUCCESS;
}
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_server, status_t,
+ private_eap_gtc_t *this, eap_payload_t **out)
{
eap_gtc_header_t *req;
size_t len;
@@ -157,11 +153,8 @@ static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
return NEED_MORE;
}
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_gtc_t *this,
- eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_peer, status_t,
+ private_eap_gtc_t *this, eap_payload_t *in, eap_payload_t **out)
{
eap_gtc_header_t *res;
shared_key_t *shared;
@@ -181,10 +174,11 @@ static status_t process_peer(private_eap_gtc_t *this,
/* TODO: According to the draft we should "SASLprep" password, RFC4013. */
+ this->identifier = in->get_identifier(in);
res = alloca(sizeof(eap_gtc_header_t) + len);
res->length = htons(sizeof(eap_gtc_header_t) + len);
res->code = EAP_RESPONSE;
- res->identifier = in->get_identifier(in);
+ res->identifier = this->identifier;
res->type = EAP_GTC;
memcpy(res->data, key.ptr, len);
@@ -195,11 +189,8 @@ static status_t process_peer(private_eap_gtc_t *this,
return NEED_MORE;
}
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_gtc_t *this,
- eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_server, status_t,
+ private_eap_gtc_t *this, eap_payload_t *in, eap_payload_t **out)
{
chunk_t data, encoding;
char *user, *password, *service, *pos;
@@ -236,35 +227,39 @@ static status_t process_server(private_eap_gtc_t *this,
return SUCCESS;
}
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_gtc_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_gtc_t *this, u_int32_t *vendor)
{
*vendor = 0;
return EAP_GTC;
}
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_gtc_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_gtc_t *this, chunk_t *msk)
{
return FAILED;
}
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_gtc_t *this)
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_gtc_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_gtc_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_gtc_t *this)
{
return FALSE;
}
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_gtc_t *this)
+METHOD(eap_method_t, destroy, void,
+ private_eap_gtc_t *this)
{
this->peer->destroy(this->peer);
this->server->destroy(this->server);
@@ -277,19 +272,22 @@ static void destroy(private_eap_gtc_t *this)
static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
identification_t *peer)
{
- private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t);
-
- this->public.eap_method_interface.initiate = NULL;
- this->public.eap_method_interface.process = NULL;
- this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
- this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
- this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
- this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
- /* private data */
- this->peer = peer->clone(peer);
- this->server = server->clone(server);
- this->identifier = 0;
+ private_eap_gtc_t *this;
+
+ INIT(this,
+ .public = {
+ .eap_method_interface = {
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ .peer = peer->clone(peer),
+ .server = server->clone(server),
+ );
return this;
}
@@ -301,8 +299,8 @@ eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *pee
{
private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
- this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
- this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+ this->public.eap_method_interface.initiate = _initiate_server;
+ this->public.eap_method_interface.process = _process_server;
/* generate a non-zero identifier */
do {
@@ -319,8 +317,8 @@ eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
{
private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
- this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
- this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+ this->public.eap_method_interface.initiate = _initiate_peer;
+ this->public.eap_method_interface.process = _process_peer;
return &this->public;
}
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
index 91ba84b3d..c40ce60eb 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -22,10 +22,14 @@
/* missing in cababilities.h */
#define CAP_AUDIT_WRITE 29
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_gtc_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ eap_gtc_plugin_t *this)
+{
+ return "eap-gtc";
+}
+
+METHOD(plugin_t, destroy, void,
+ eap_gtc_plugin_t *this)
{
charon->eap->remove_method(charon->eap,
(eap_constructor_t)eap_gtc_create_server);
@@ -39,9 +43,15 @@ static void destroy(eap_gtc_plugin_t *this)
*/
plugin_t *eap_gtc_plugin_create()
{
- eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t);
+ eap_gtc_plugin_t *this;
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
/* required for PAM authentication */
charon->keep_cap(charon, CAP_AUDIT_WRITE);
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 5c1e07ade..9dc4602ff 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.c b/src/libcharon/plugins/eap_identity/eap_identity.c
index 03066b2f8..6ecde065c 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity.c
+++ b/src/libcharon/plugins/eap_identity/eap_identity.c
@@ -39,6 +39,11 @@ struct private_eap_identity_t {
* received identity chunk
*/
chunk_t identity;
+
+ /**
+ * EAP identifier
+ */
+ u_int8_t identifier;
};
typedef struct eap_identity_header_t eap_identity_header_t;
@@ -68,10 +73,13 @@ METHOD(eap_method_t, process_peer, status_t,
id = this->peer->get_encoding(this->peer);
len = sizeof(eap_identity_header_t) + id.len;
-
+ if (in)
+ {
+ this->identifier = in->get_identifier(in);
+ }
hdr = alloca(len);
hdr->code = EAP_RESPONSE;
- hdr->identifier = in ? in->get_identifier(in) : 0;
+ hdr->identifier = this->identifier;
hdr->length = htons(len);
hdr->type = EAP_IDENTITY;
memcpy(hdr->data, id.ptr, id.len);
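Review bot: When `in` is NULL the response now carries whatever `this->identifier` holds instead of the previous literal 0, which differs from the old behavior only if set_identifier() has been called; that is presumably the intent of the new setter, but the branch should say so. Suggest `if (in) { /* echo the request's identifier; with no request, use the stored one (set via set_identifier()) */`. Note that `hdr = alloca(len)` sizes the buffer from the local peer encoding (`len` is computed from `this->peer`, not from `in`), so the NULL-request path stays safe. process_peer() continues outside this hunk.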
@@ -106,7 +114,7 @@ METHOD(eap_method_t, initiate_server, status_t,
eap_identity_header_t hdr;
hdr.code = EAP_REQUEST;
- hdr.identifier = 0;
+ hdr.identifier = this->identifier;
hdr.length = htons(sizeof(eap_identity_header_t));
hdr.type = EAP_IDENTITY;
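Review bot: `hdr.identifier = this->identifier;` in initiate_server() will send identifier 0 unless something sets it, because nothing in this diff initializes the server-side identifier (the field is newly added in the struct hunk above), whereas the other server constructors in this change generate a random non-zero one (eap_aka_server_create() does `do { this->identifier = random(); } while (!this->identifier);` and eap_gtc_create_server() starts the same loop). Sending 0 is what the old code did, so this is not a regression, but for consistency eap_identity_create_server() should initialize its identifier the same way. If the identifier supplied through set_identifier() is meant to be authoritative here, a comment stating that would settle the question.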
@@ -133,6 +141,18 @@ METHOD(eap_method_t, get_msk, status_t,
return FAILED;
}
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_identity_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_identity_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
METHOD(eap_method_t, is_mutual, bool,
private_eap_identity_t *this)
{
@@ -163,6 +183,8 @@ eap_identity_t *eap_identity_create_peer(identification_t *server,
.get_type = _get_type,
.is_mutual = _is_mutual,
.get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.destroy = _destroy,
},
},
@@ -189,6 +211,8 @@ eap_identity_t *eap_identity_create_server(identification_t *server,
.get_type = _get_type,
.is_mutual = _is_mutual,
.get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
index 079c27909..3297416b2 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
+++ b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
@@ -18,6 +18,12 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ eap_identity_plugin_t *this)
+{
+ return "eap-identity";
+}
+
METHOD(plugin_t, destroy, void,
eap_identity_plugin_t *this)
{
@@ -37,6 +43,8 @@ plugin_t *eap_identity_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 4e01d96cc..e828fbc3e 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
index f70754abb..b0a234527 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -147,12 +147,12 @@ METHOD(eap_method_t, process_peer, status_t,
this->identifier = in->get_identifier(in);
data = in->get_data(in);
- this->challenge = chunk_clone(chunk_skip(data, 6));
- if (data.len < 6 || this->challenge.len < *(data.ptr + 5))
+ if (data.len < 6 || data.ptr[5] + 6 > data.len)
{
DBG1(DBG_IKE, "received invalid EAP-MD5 message");
return FAILED;
}
+ this->challenge = chunk_clone(chunk_create(data.ptr + 6, data.ptr[5]));
if (hash_challenge(this, &response, this->peer, this->server) != SUCCESS)
{
return FAILED;
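Review bot: The new guard `data.ptr[5] + 6 > data.len` and the `chunk_create(data.ptr + 6, data.ptr[5])` that follows encode the EAP-MD5 layout in two magic offsets; a comment naming the fields would make the bounds check reviewable, e.g. `/* data: 4-byte EAP header, type byte, Value-Size at offset 5, then Value-Size challenge bytes from offset 6 */` (the header layout is the one eap_gtc_header_t spells out elsewhere in this diff). The check itself is a clear improvement over the old code, which cloned the tail before validating and only compared the remaining length against Value-Size. Separately, `this->challenge = chunk_clone(...)` overwrites any earlier clone without freeing it; if process_peer() can run twice on one instance (a retransmitted request, say), the first allocation leaks, so a `chunk_free(&this->challenge);` before the assignment is worth considering if that path exists. process_peer() continues outside this hunk.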
@@ -176,7 +176,9 @@ METHOD(eap_method_t, process_server, status_t,
chunk_t response, expected;
chunk_t data;
- if (this->identifier != in->get_identifier(in))
+ data = in->get_data(in);
+ if (this->identifier != in->get_identifier(in) ||
+ data.len < 6 || data.ptr[5] + 6 > data.len)
{
DBG1(DBG_IKE, "received invalid EAP-MD5 message");
return FAILED;
@@ -185,9 +187,7 @@ METHOD(eap_method_t, process_server, status_t,
{
return FAILED;
}
- data = in->get_data(in);
- response = chunk_skip(data, 6);
-
+ response = chunk_create(data.ptr + 6, data.ptr[5]);
if (response.len < expected.len ||
!memeq(response.ptr, expected.ptr, expected.len))
{
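Review bot: The comparison that follows the new `response = chunk_create(data.ptr + 6, data.ptr[5]);` still uses `response.len < expected.len`, so a response whose Value-Size exceeds the expected digest length is accepted as long as its first `expected.len` bytes match; now that `response.len` is exactly the peer's Value-Size, `response.len != expected.len` is the right check. Also, comparing an authenticator with `memeq()` is only safe if that helper is constant-time; its definition is not visible here, but if it is a plain memcmp() wrapper the early exit leaks how many leading bytes matched through timing, and a constant-time compare should be used on this line. The new length guard in the `if` at the top of the hunk is correct and mirrors the peer side. The remainder of process_server() is outside this hunk.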
@@ -218,6 +218,18 @@ METHOD(eap_method_t, is_mutual, bool,
return FALSE;
}
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_md5_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_md5_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
METHOD(eap_method_t, destroy, void,
private_eap_md5_t *this)
{
@@ -242,6 +254,8 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee
.get_type = _get_type,
.is_mutual = _is_mutual,
.get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.destroy = _destroy,
},
},
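Review bot: Only the interface table inside eap_md5_create_server() gains `.get_identifier` and `.set_identifier` in this file, yet the diff also patches process_peer() above, so a peer-side constructor with its own table presumably exists; if it does and is left unchanged (no hunk for it is shown), any call through `eap_method_t.get_identifier` on a peer instance would dereference a NULL function pointer. Please confirm eap_md5_create_peer() receives the same two entries, as eap_identity_create_peer() does in this change. If the peer constructor builds its table through a shared helper that this hunk already covers, disregard.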
diff --git a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
index 39a6f5731..fe5ae51bf 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
@@ -18,6 +18,12 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ eap_md5_plugin_t *this)
+{
+ return "eap-md5";
+}
+
METHOD(plugin_t, destroy, void,
eap_md5_plugin_t *this)
{
@@ -37,6 +43,8 @@ plugin_t *eap_md5_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 495ccf441..4986fdce3 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 4f39c8608..1dd94f6fb 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -560,19 +560,15 @@ static void set_ms_length(eap_mschapv2_header_t *eap, u_int16_t len)
memcpy(&eap->ms_length, &len, sizeof(u_int16_t));
}
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_mschapv2_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_peer, status_t,
+ private_eap_mschapv2_t *this, eap_payload_t **out)
{
/* peer never initiates */
return FAILED;
}
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_server, status_t,
+ private_eap_mschapv2_t *this, eap_payload_t **out)
{
rng_t *rng;
eap_mschapv2_header_t *eap;
@@ -904,11 +900,8 @@ error:
return status;
}
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
- eap_payload_t **out)
+METHOD(eap_method_t, process_peer, status_t,
+ private_eap_mschapv2_t *this, eap_payload_t *in, eap_payload_t **out)
{
chunk_t data;
eap_mschapv2_header_t *eap;
@@ -1091,11 +1084,8 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
return process_server_retry(this, out);
}
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
- eap_payload_t **out)
+METHOD(eap_method_t, process_server, status_t,
+ private_eap_mschapv2_t *this, eap_payload_t *in, eap_payload_t **out)
{
eap_mschapv2_header_t *eap;
chunk_t data;
@@ -1140,19 +1130,15 @@ static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
return FAILED;
}
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_mschapv2_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_mschapv2_t *this, u_int32_t *vendor)
{
*vendor = 0;
return EAP_MSCHAPV2;
}
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_mschapv2_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_mschapv2_t *this, chunk_t *msk)
{
if (this->msk.ptr)
{
@@ -1162,18 +1148,26 @@ static status_t get_msk(private_eap_mschapv2_t *this, chunk_t *msk)
return FAILED;
}
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_mschapv2_t *this)
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_mschapv2_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_mschapv2_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_mschapv2_t *this)
{
return FALSE;
}
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_mschapv2_t *this)
+METHOD(eap_method_t, destroy, void,
+ private_eap_mschapv2_t *this)
{
this->peer->destroy(this->peer);
this->server->destroy(this->server);
@@ -1189,25 +1183,22 @@ static void destroy(private_eap_mschapv2_t *this)
*/
static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *server, identification_t *peer)
{
- private_eap_mschapv2_t *this = malloc_thing(private_eap_mschapv2_t);
-
- this->public.eap_method_interface.initiate = NULL;
- this->public.eap_method_interface.process = NULL;
- this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
- this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
- this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
- this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
- /* private data */
- this->peer = peer->clone(peer);
- this->server = server->clone(server);
- this->challenge = chunk_empty;
- this->nt_response = chunk_empty;
- this->auth_response = chunk_empty;
- this->msk = chunk_empty;
- this->identifier = 0;
- this->mschapv2id = 0;
- this->retries = 0;
+ private_eap_mschapv2_t *this;
+
+ INIT(this,
+ .public = {
+ .eap_method_interface = {
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ .peer = peer->clone(peer),
+ .server = server->clone(server),
+ );
return this;
}
@@ -1219,8 +1210,8 @@ eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identificat
{
private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
- this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
- this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_server;
+ this->public.eap_method_interface.initiate = _initiate_server;
+ this->public.eap_method_interface.process = _process_server;
/* generate a non-zero identifier */
do
@@ -1240,8 +1231,8 @@ eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identificatio
{
private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
- this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
- this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_peer;
+ this->public.eap_method_interface.initiate = _initiate_peer;
+ this->public.eap_method_interface.process = _process_peer;
return &this->public;
}
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
index a7b41ddbf..e809b14b6 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
@@ -19,10 +19,14 @@
#include <daemon.h>
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_mschapv2_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ eap_mschapv2_plugin_t *this)
+{
+ return "eap-mschapv2";
+}
+
+METHOD(plugin_t, destroy, void,
+ eap_mschapv2_plugin_t *this)
{
charon->eap->remove_method(charon->eap,
(eap_constructor_t)eap_mschapv2_create_server);
@@ -36,9 +40,15 @@ static void destroy(eap_mschapv2_plugin_t *this)
*/
plugin_t *eap_mschapv2_plugin_create()
{
- eap_mschapv2_plugin_t *this = malloc_thing(eap_mschapv2_plugin_t);
-
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
+ eap_mschapv2_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_SERVER,
(eap_constructor_t)eap_mschapv2_create_server);
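Review bot: `.reload = (void*)return_false` in the INIT block casts a function pointer through `void*`, which ISO C does not guarantee to round-trip and which also hides any mismatch between `return_false`'s signature and the one `plugin_t.reload` expects. This looks like the project's convention for plugins that have nothing to reload, so it may well be deliberate; if not, a typed stub `METHOD(plugin_t, reload, bool, eap_mschapv2_plugin_t *this) { return FALSE; }` assigned as `.reload = _reload` keeps the compiler's type check. eap_mschapv2_plugin_create continues past the end of the hunk.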
diff --git a/src/libcharon/plugins/eap_peap/Makefile.am b/src/libcharon/plugins/eap_peap/Makefile.am
new file mode 100644
index 000000000..81f2575c7
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-peap.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-peap.la
+libstrongswan_eap_peap_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_peap_la_SOURCES = \
+ eap_peap_plugin.h eap_peap_plugin.c \
+ eap_peap.h eap_peap.c \
+ eap_peap_peer.h eap_peap_peer.c \
+ eap_peap_server.h eap_peap_server.c \
+ eap_peap_avp.h eap_peap_avp.c
+
+libstrongswan_eap_peap_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
new file mode 100644
index 000000000..0ed4a3dcf
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -0,0 +1,617 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_peap
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_peap_la_DEPENDENCIES = \
+@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_eap_peap_la_OBJECTS = eap_peap_plugin.lo eap_peap.lo \
+ eap_peap_peer.lo eap_peap_server.lo eap_peap_avp.lo
+libstrongswan_eap_peap_la_OBJECTS = \
+ $(am_libstrongswan_eap_peap_la_OBJECTS)
+libstrongswan_eap_peap_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_peap_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_peap_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_peap_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-peap.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-peap.la
+@MONOLITHIC_FALSE@libstrongswan_eap_peap_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_eap_peap_la_SOURCES = \
+ eap_peap_plugin.h eap_peap_plugin.c \
+ eap_peap.h eap_peap.c \
+ eap_peap_peer.h eap_peap_peer.c \
+ eap_peap_server.h eap_peap_server.c \
+ eap_peap_avp.h eap_peap_avp.c
+
+libstrongswan_eap_peap_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_peap/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_peap/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES)
+ $(libstrongswan_eap_peap_la_LINK) $(am_libstrongswan_eap_peap_la_rpath) $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_peap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_peap_avp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_peap_peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_peap_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_peap_server.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_peap/eap_peap.c b/src/libcharon/plugins/eap_peap/eap_peap.c
new file mode 100644
index 000000000..5bae0fa9b
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2010 Martin Willi, revosec AG
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap.h"
+#include "eap_peap_peer.h"
+#include "eap_peap_server.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_peap_t private_eap_peap_t;
+
+/**
+ * Private data of an eap_peap_t object.
+ */
+struct private_eap_peap_t {
+
+ /**
+ * Public interface.
+ */
+ eap_peap_t public;
+
+ /**
+ * TLS stack, wrapped by EAP helper
+ */
+ tls_eap_t *tls_eap;
+};
+
+/** Maximum number of EAP-PEAP messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 32
+/** Default size of a EAP-PEAP fragment */
+#define MAX_FRAGMENT_LEN 1024
+
+METHOD(eap_method_t, initiate, status_t,
+ private_eap_peap_t *this, eap_payload_t **out)
+{
+ chunk_t data;
+
+ if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+ {
+ *out = eap_payload_create_data(data);
+ free(data.ptr);
+ return NEED_MORE;
+ }
+ return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+ private_eap_peap_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+ status_t status;
+ chunk_t data;
+
+ data = in->get_data(in);
+ status = this->tls_eap->process(this->tls_eap, data, &data);
+ if (status == NEED_MORE)
+ {
+ *out = eap_payload_create_data(data);
+ free(data.ptr);
+ }
+ return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_peap_t *this, u_int32_t *vendor)
+{
+ *vendor = 0;
+ return EAP_PEAP;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_peap_t *this, chunk_t *msk)
+{
+ *msk = this->tls_eap->get_msk(this->tls_eap);
+ if (msk->len)
+ {
+ return SUCCESS;
+ }
+ return FAILED;
+}
+
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_peap_t *this)
+{
+ return this->tls_eap->get_identifier(this->tls_eap);
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_peap_t *this, u_int8_t identifier)
+{
+ this->tls_eap->set_identifier(this->tls_eap, identifier);
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_peap_t *this)
+{
+ return TRUE;
+}
+
+METHOD(eap_method_t, destroy, void,
+ private_eap_peap_t *this)
+{
+ this->tls_eap->destroy(this->tls_eap);
+ free(this);
+}
+
+/**
+ * Create an empty private eap_peap_t object
+ */
+static private_eap_peap_t *eap_peap_create_empty(void)
+{
+ private_eap_peap_t *this;
+
+ INIT(this,
+ .public = {
+ .eap_method = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ );
+ return this;
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
+ identification_t *server,
+ identification_t *peer, bool is_server,
+ tls_application_t *application)
+{
+ size_t frag_size;
+ int max_msg_count;
+ bool include_length;
+ tls_t *tls;
+
+ if (is_server && !lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.request_peer_auth", FALSE))
+ {
+ peer = NULL;
+ }
+ frag_size = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-peap.fragment_size", MAX_FRAGMENT_LEN);
+ max_msg_count = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-peap.max_message_count", MAX_MESSAGE_COUNT);
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.include_length", FALSE);
+ tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP, application);
+ this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
+ include_length);
+ if (!this->tls_eap)
+ {
+ application->destroy(application);
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
+
+eap_peap_t *eap_peap_create_server(identification_t *server,
+ identification_t *peer)
+{
+ private_eap_peap_t *eap_peap;
+ eap_method_t *eap_method;
+ eap_peap_server_t *eap_peap_server;
+ tls_application_t *application;
+
+ /* the tunneled application needs a reference to the outer EAP-PEAP method */
+ eap_peap = eap_peap_create_empty();
+ eap_method = &eap_peap->public.eap_method;
+ eap_peap_server = eap_peap_server_create(server, peer, eap_method);
+ application = &eap_peap_server->application;
+
+ return eap_peap_create(eap_peap, server, peer, TRUE, application);
+}
+
+eap_peap_t *eap_peap_create_peer(identification_t *server,
+ identification_t *peer)
+{
+ private_eap_peap_t *eap_peap;
+ eap_method_t *eap_method;
+ eap_peap_peer_t *eap_peap_peer;
+ tls_application_t *application;
+
+ /* the tunneled application needs a reference to the outer EAP-PEAP method */
+ eap_peap = eap_peap_create_empty();
+ eap_method = &eap_peap->public.eap_method;
+ eap_peap_peer = eap_peap_peer_create(server, peer, eap_method);
+ application = &eap_peap_peer->application;
+
+ return eap_peap_create(eap_peap, server, peer, FALSE, application);
+}
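Review bot: The failure path in eap_peap_create after `tls_eap_create` destroys `application` and frees `this` but never releases `tls`; unless `tls_eap_create` is documented to destroy the `tls_t` it was handed when it fails, add `tls->destroy(tls);` before `free(this);`, and `tls_create`'s result should be checked for NULL before it is passed on if it can fail. The `request_peer_auth` branch also deserves a comment, because passing `peer = NULL` on the server side presumably means no TLS client certificate is requested and the client is then authenticated only by the tunneled inner EAP method, e.g. `/* without request_peer_auth the peer is authenticated solely by the inner method */`. In `process`, reusing `data` for both the borrowed input chunk from `in->get_data` and the allocated output chunk obscures ownership; naming them `in_data` and `out_data` would make the following `free(data.ptr)` self-explanatory.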
diff --git a/src/libcharon/plugins/eap_peap/eap_peap.h b/src/libcharon/plugins/eap_peap/eap_peap.h
new file mode 100644
index 000000000..f47bad561
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_i eap_peap
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_H_
+#define EAP_PEAP_H_
+
+typedef struct eap_peap_t eap_peap_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of eap_method_t using EAP-PEAP.
+ */
+struct eap_peap_t {
+
+ /**
+ * Implements eap_method_t interface.
+ */
+ eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-PEAP acting as server.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_peap_t object
+ */
+eap_peap_t *eap_peap_create_server(identification_t *server,
+ identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-PEAP acting as peer.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_peap_t object
+ */
+eap_peap_t *eap_peap_create_peer(identification_t *server,
+ identification_t *peer);
+
+#endif /** EAP_PEAP_H_ @}*/
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.c b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
new file mode 100644
index 000000000..06e5222d9
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_avp.h"
+
+#include <eap/eap.h>
+#include <debug.h>
+
+/**
+ * Microsoft Success and Failure Result AVPs
+ */
+static const chunk_t MS_AVP_Success = chunk_from_chars(
+ 0x80, 0x03, 0x00, 0x02, 0x00, 0x01);
+static const chunk_t MS_AVP_Failure = chunk_from_chars(
+ 0x80, 0x03, 0x00, 0x02, 0x00, 0x02);
+
+typedef struct private_eap_peap_avp_t private_eap_peap_avp_t;
+
+/**
+ * Private data of an eap_peap_avp_t object.
+ */
+struct private_eap_peap_avp_t {
+
+ /**
+ * Public eap_peap_avp_t interface.
+ */
+ eap_peap_avp_t public;
+
+ /**
+ * EAP server or peer
+ */
+ bool is_server;
+};
+
+METHOD(eap_peap_avp_t, build, void,
+ private_eap_peap_avp_t *this, tls_writer_t *writer, chunk_t data)
+{
+ u_int8_t code;
+ eap_packet_t *pkt;
+ chunk_t avp_data;
+
+ pkt = (eap_packet_t*)data.ptr;
+
+ if (pkt->code == EAP_SUCCESS || pkt->code == EAP_FAILURE)
+ {
+ code = (this->is_server) ? EAP_REQUEST : EAP_RESPONSE;
+ writer->write_uint8(writer, code);
+ writer->write_uint8(writer, pkt->identifier);
+ writer->write_uint16(writer, 11);
+ writer->write_uint8(writer, EAP_MSTLV);
+ avp_data = (pkt->code == EAP_SUCCESS) ? MS_AVP_Success : MS_AVP_Failure;
+ }
+ else
+ {
+ avp_data = chunk_skip(data, 4);
+ }
+ writer->write_data(writer, avp_data);
+}
+
+METHOD(eap_peap_avp_t, process, status_t,
+ private_eap_peap_avp_t* this, tls_reader_t *reader, chunk_t *data,
+ u_int8_t identifier)
+{
+ u_int8_t code;
+ u_int16_t len;
+ eap_packet_t *pkt;
+ chunk_t avp_data;
+
+ code = (this->is_server) ? EAP_RESPONSE : EAP_REQUEST;
+ len = reader->remaining(reader);
+ if (!reader->read_data(reader, len, &avp_data))
+ {
+ return FAILED;
+ }
+ pkt = (eap_packet_t*)avp_data.ptr;
+
+ if (len > 4 && pkt->code == code && untoh16(&pkt->length) == len)
+ {
+ if (len == 5 && pkt->type == EAP_IDENTITY)
+ {
+ DBG2(DBG_IKE, "uncompressed EAP Identity request");
+ *data = chunk_clone(avp_data);
+ return SUCCESS;
+ }
+ else if (len == 11 && pkt->type == EAP_MSTLV)
+ {
+ if (memeq(&pkt->data, MS_AVP_Success.ptr, MS_AVP_Success.len))
+ {
+ DBG2(DBG_IKE, "MS Success Result AVP");
+ code = EAP_SUCCESS;
+ }
+ else if (memeq(&pkt->data, MS_AVP_Failure.ptr, MS_AVP_Failure.len))
+ {
+ DBG2(DBG_IKE, "MS Failure Result AVP");
+ code = EAP_FAILURE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "unknown MS AVP message");
+ return FAILED;
+ }
+ identifier = pkt->identifier;
+ len = 0;
+ }
+ }
+
+ *data = chunk_alloc(4 + len);
+ pkt = (eap_packet_t*)data->ptr;
+ pkt->code = code;
+ pkt->identifier = identifier;
+ htoun16(&pkt->length, data->len);
+ memcpy(data->ptr + 4, avp_data.ptr, len);
+
+ return SUCCESS;
+}
+
+METHOD(eap_peap_avp_t, destroy, void,
+ private_eap_peap_avp_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_peap_avp_t *eap_peap_avp_create(bool is_server)
+{
+ private_eap_peap_avp_t *this;
+
+ INIT(this,
+ .public= {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ .is_server = is_server,
+ );
+
+ return &this->public;
+}
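Review bot: In `process`, an AVP that passes the uncompressed-header test `if (len > 4 && pkt->code == code && untoh16(&pkt->length) == len)` but is neither the 5-byte Identity request nor the 11-byte MS-TLV falls out of the inner `if`/`else if` with `len` unchanged and is then prefixed with a second EAP header by the `chunk_alloc(4 + len)` block below, so the caller's `verify` sees the original header as payload. Decide that case explicitly: pass a well-formed uncompressed packet through with `*data = chunk_clone(avp_data); return SUCCESS;` if uncompressed inner messages are meant to be accepted in general, or reject it with `DBG1(DBG_IKE, "unexpected uncompressed EAP message"); return FAILED;`. The test is also only a heuristic, since compressed data whose type byte equals the expected code and whose next two bytes happen to equal its length is misclassified; a comment stating that the ambiguity is accepted would help the next reader.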
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.h b/src/libcharon/plugins/eap_peap/eap_peap_avp.h
new file mode 100644
index 000000000..db22f0f8f
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_avp eap_peap_avp
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_AVP_H_
+#define EAP_PEAP_AVP_H_
+
+typedef struct eap_peap_avp_t eap_peap_avp_t;
+
+#include <library.h>
+
+#include <tls_reader.h>
+#include <tls_writer.h>
+
+/**
+ * EAP-PEAP Attribute-Value Pair (AVP) handler.
+ */
+struct eap_peap_avp_t {
+
+ /**
+ * Process received EAP-PEAP Message AVP.
+ *
+ * @param reader TLS data buffer
+ * @param data received EAP Message
+ * @param identifier EAP-PEAP message identifier
+ * @return
+ * - SUCCESS if AVP processing succeeded
+ * - FAILED if AVP processing failed
+ * - NEED_MORE if another invocation of process/build needed
+ */
+ status_t (*process)(eap_peap_avp_t *this, tls_reader_t *reader,
+ chunk_t *data, u_int8_t identifier);
+
+ /**
+ * Build EAP-PEAP Message AVP to send out.
+ *
+ * @param writer TLS data buffer to write to
+ * @param data EAP Message to send
+ */
+ void (*build)(eap_peap_avp_t *this, tls_writer_t *writer, chunk_t data);
+
+ /**
+ * Destroy a eap_peap_application_t.
+ */
+ void (*destroy)(eap_peap_avp_t *this);
+};
+
+/**
+ * Create an eap_peap_avp instance.
+ *
+ * @param is_server TRUE iv eap server, FALSE if eap peer
+ */
+eap_peap_avp_t *eap_peap_avp_create(bool is_server);
+
+#endif /** EAP_PEAP_AVP_H_ @}*/
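Review bot: The contract documented for `process` lists `NEED_MORE if another invocation of process/build needed`, but the implementation in eap_peap_avp.c in this same commit returns only SUCCESS or FAILED; either drop that line or note that it is reserved. Two smaller documentation slips: the `destroy` comment names `eap_peap_application_t` instead of `eap_peap_avp_t`, and the constructor's parameter line reads `TRUE iv eap server`, presumably `TRUE if EAP server, FALSE if EAP peer`.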
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
new file mode 100644
index 000000000..ca2af4fee
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_peer.h"
+#include "eap_peap_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+typedef struct private_eap_peap_peer_t private_eap_peap_peer_t;
+
+/**
+ * Private data of an eap_peap_peer_t object.
+ */
+struct private_eap_peap_peer_t {
+
+ /**
+ * Public eap_peap_peer_t interface.
+ */
+ eap_peap_peer_t public;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Peer identity
+ */
+ identification_t *peer;
+
+ /**
+ * Outer phase 1 EAP method
+ */
+ eap_method_t *ph1_method;
+
+ /**
+ * Current phase 2 EAP method
+ */
+ eap_method_t *ph2_method;
+
+ /**
+ * Pending outbound EAP message
+ */
+ eap_payload_t *out;
+
+ /**
+ * AVP handler
+ */
+ eap_peap_avp_t *avp;
+};
+
+METHOD(tls_application_t, process, status_t,
+ private_eap_peap_peer_t *this, tls_reader_t *reader)
+{
+ chunk_t data = chunk_empty;
+ status_t status;
+ payload_t *payload;
+ eap_payload_t *in;
+ eap_code_t code;
+ eap_type_t type, received_type;
+ u_int32_t vendor, received_vendor;
+
+ status = this->avp->process(this->avp, reader, &data,
+ this->ph1_method->get_identifier(this->ph1_method));
+ switch (status)
+ {
+ case SUCCESS:
+ break;
+ case NEED_MORE:
+ return NEED_MORE;
+ case FAILED:
+ default:
+ return FAILED;
+ }
+
+ in = eap_payload_create_data(data);
+ DBG3(DBG_IKE, "%B", &data);
+ chunk_free(&data);
+ payload = (payload_t*)in;
+
+ if (payload->verify(payload) != SUCCESS)
+ {
+ in->destroy(in);
+ return FAILED;
+ }
+
+ code = in->get_code(in);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ received_type = in->get_type(in, &received_vendor);
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code,
+ eap_type_short_names, received_type);
+ if (code != EAP_REQUEST)
+ {
+ DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
+ in->destroy(in);
+ return FAILED;
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+ this->out = eap_payload_create_code(code, in->get_identifier(in));
+ in->destroy(in);
+ return NEED_MORE;
+ }
+
+ /* yet another phase2 authentication? */
+ if (this->ph2_method)
+ {
+ type = this->ph2_method->get_type(this->ph2_method, &vendor);
+
+ if (type != received_type || vendor != received_vendor)
+ {
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+ }
+ }
+
+ if (this->ph2_method == NULL)
+ {
+ if (received_vendor)
+ {
+ DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d "
+ "(id 0x%02X", received_type, received_vendor,
+ in->get_identifier(in));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)",
+ eap_type_names, received_type, in->get_identifier(in));
+ }
+ this->ph2_method = charon->eap->create_instance(charon->eap,
+ received_type, received_vendor,
+ EAP_PEER, this->server, this->peer);
+ if (!this->ph2_method)
+ {
+ DBG1(DBG_IKE, "EAP method not supported");
+ this->out = eap_payload_create_nak(in->get_identifier(in));
+ in->destroy(in);
+ return NEED_MORE;
+ }
+ type = this->ph2_method->get_type(this->ph2_method, &vendor);
+ }
+
+ status = this->ph2_method->process(this->ph2_method, in, &this->out);
+ in->destroy(in);
+
+ switch (status)
+ {
+ case SUCCESS:
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+ /* fall through to NEED_MORE */
+ case NEED_MORE:
+ return NEED_MORE;
+ case FAILED:
+ default:
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+ type, vendor);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ }
+ return FAILED;
+ }
+}
+
+METHOD(tls_application_t, build, status_t,
+ private_eap_peap_peer_t *this, tls_writer_t *writer)
+{
+ chunk_t data;
+ eap_code_t code;
+ eap_type_t type;
+ u_int32_t vendor;
+
+ if (this->out)
+ {
+ code = this->out->get_code(this->out);
+ type = this->out->get_type(this->out, &vendor);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code, eap_type_short_names, type);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+ }
+
+ /* get the raw EAP message data */
+ data = this->out->get_data(this->out);
+ DBG3(DBG_IKE, "%B", &data);
+ this->avp->build(this->avp, writer, data);
+
+ this->out->destroy(this->out);
+ this->out = NULL;
+ }
+ return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+ private_eap_peap_peer_t *this)
+{
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
+ DESTROY_IF(this->ph2_method);
+ DESTROY_IF(this->out);
+ this->avp->destroy(this->avp);
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_peap_peer_t *eap_peap_peer_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method)
+{
+ private_eap_peap_peer_t *this;
+
+ INIT(this,
+ .public = {
+ .application = {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ },
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .ph1_method = eap_method,
+ .avp = eap_peap_avp_create(FALSE),
+ );
+
+ return &this->public;
+}
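Review bot: In `process`, the `else` branch that handles a tunneled Success/Failure (`this->out = eap_payload_create_code(code, in->get_identifier(in));`) acknowledges the server's result without checking that the current phase 2 method has finished: `this->ph2_method` is cleared only when its `process` returns SUCCESS further down, yet a Success arriving while it is still set is echoed back unconditionally. A guard such as `if (code == EAP_SUCCESS && this->ph2_method) { DBG1(DBG_IKE, "phase2 method still pending"); in->destroy(in); return FAILED; }` ties the acknowledgement to the inner method's outcome; whether the outer method depends on that acknowledgement is decided in eap_peap.c, outside this hunk. Separately, both assignments to `this->out` in this function (here and in the NAK path) overwrite a possibly pending payload without destroying it; a `DESTROY_IF(this->out);` first would avoid a leak if `process` is ever invoked twice before `build`.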
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.h b/src/libcharon/plugins/eap_peap/eap_peap_peer.h
new file mode 100644
index 000000000..a87544209
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_peer eap_peap_peer
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_PEER_H_
+#define EAP_PEAP_PEER_H_
+
+typedef struct eap_peap_peer_t eap_peap_peer_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * TLS application data handler as peer.
+ */
+struct eap_peap_peer_t {
+
+ /**
+ * Implements the TLS application data handler.
+ */
+ tls_application_t application;
+};
+
+/**
+ * Create an eap_peap_peer instance.
+ */
+eap_peap_peer_t *eap_peap_peer_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method);
+
+#endif /** EAP_PEAP_PEER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_plugin.c b/src/libcharon/plugins/eap_peap/eap_peap_plugin.c
new file mode 100644
index 000000000..bac5f2d3e
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_plugin.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_plugin.h"
+
+#include "eap_peap.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+ eap_peap_plugin_t *this)
+{
+ return "eap-peap";
+}
+
+METHOD(plugin_t, destroy, void,
+ eap_peap_plugin_t *this)
+{
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_peap_create_server);
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_peap_create_peer);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_peap_plugin_create()
+{
+ eap_peap_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
+
+ charon->eap->add_method(charon->eap, EAP_PEAP, 0, EAP_SERVER,
+ (eap_constructor_t)eap_peap_create_server);
+ charon->eap->add_method(charon->eap, EAP_PEAP, 0, EAP_PEER,
+ (eap_constructor_t)eap_peap_create_peer);
+
+ return &this->plugin;
+}
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_plugin.h b/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
new file mode 100644
index 000000000..75bb504e1
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap eap_peap
+ * @ingroup cplugins
+ *
+ * @defgroup eap_peap_plugin eap_peap_plugin
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_PLUGIN_H_
+#define EAP_PEAP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_peap_plugin_t eap_peap_plugin_t;
+
+/**
+ * EAP-PEAP plugin
+ */
+struct eap_peap_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a eap_peap_plugin instance.
+ */
+plugin_t *eap_peap_plugin_create();
+
+#endif /** EAP_PEAP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
new file mode 100644
index 000000000..3fabc3575
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -0,0 +1,432 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_server.h"
+#include "eap_peap_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+typedef struct private_eap_peap_server_t private_eap_peap_server_t;
+
+/**
+ * Private data of an eap_peap_server_t object.
+ */
+struct private_eap_peap_server_t {
+
+ /**
+ * Public eap_peap_server_t interface.
+ */
+ eap_peap_server_t public;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Peer identity
+ */
+ identification_t *peer;
+
+ /**
+ * Current EAP-PEAP phase2 state
+ */
+ bool start_phase2;
+
+ /**
+ * Current EAP-PEAP phase2 TNC state
+ */
+ bool start_phase2_tnc;
+
+ /**
+ * Starts phase 2 with EAP Identity request
+ */
+ bool start_phase2_id;
+
+ /**
+ * Final EAP-PEAP phase2 result
+ */
+ eap_code_t phase2_result;
+
+ /**
+ * Outer phase 1 EAP method
+ */
+ eap_method_t *ph1_method;
+
+ /**
+ * Current phase 2 EAP method
+ */
+ eap_method_t *ph2_method;
+
+ /**
+ * Pending outbound EAP message
+ */
+ eap_payload_t *out;
+
+ /**
+ * AVP handler
+ */
+ eap_peap_avp_t *avp;
+};
+
+/**
+ * Start EAP client authentication protocol
+ */
+static status_t start_phase2_auth(private_eap_peap_server_t *this)
+{
+ char *eap_type_str;
+ eap_type_t type;
+
+ eap_type_str = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-peap.phase2_method", "mschapv2");
+ type = eap_type_from_string(eap_type_str);
+ if (type == 0)
+ {
+ DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str);
+ return FAILED;
+ }
+ DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+ this->ph2_method = charon->eap->create_instance(charon->eap, type, 0,
+ EAP_SERVER, this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
+ return FAILED;
+ }
+
+ /* synchronize EAP message identifiers of inner protocol with outer */
+ this->ph2_method->set_identifier(this->ph2_method,
+ this->ph1_method->get_identifier(this->ph1_method) + 1);
+
+ if (this->ph2_method->initiate(this->ph2_method, &this->out) == NEED_MORE)
+ {
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ return FAILED;
+ }
+}
+
+/**
+ * If configured, start EAP-TNC protocol
+ */
+static status_t start_phase2_tnc(private_eap_peap_server_t *this)
+{
+ if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.phase2_tnc", FALSE))
+ {
+ DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
+ this->ph2_method = charon->eap->create_instance(charon->eap, EAP_TNC,
+ 0, EAP_SERVER, this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
+ return FAILED;
+ }
+ this->start_phase2_tnc = FALSE;
+
+ /* synchronize EAP message identifiers of inner protocol with outer */
+ this->ph2_method->set_identifier(this->ph2_method,
+ this->ph1_method->get_identifier(this->ph1_method) + 1);
+
+ if (this->ph2_method->initiate(this->ph2_method, &this->out) == NEED_MORE)
+ {
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC);
+ return FAILED;
+ }
+ }
+ return SUCCESS;
+}
+
+METHOD(tls_application_t, process, status_t,
+ private_eap_peap_server_t *this, tls_reader_t *reader)
+{
+ chunk_t data = chunk_empty;
+ status_t status;
+ payload_t *payload;
+ eap_payload_t *in;
+ eap_code_t code;
+ eap_type_t type = EAP_NAK, received_type;
+ u_int32_t vendor, received_vendor;
+
+ status = this->avp->process(this->avp, reader, &data,
+ this->ph1_method->get_identifier(this->ph1_method));
+ switch (status)
+ {
+ case SUCCESS:
+ break;
+ case NEED_MORE:
+ return NEED_MORE;
+ case FAILED:
+ default:
+ return FAILED;
+ }
+
+ in = eap_payload_create_data(data);
+ DBG3(DBG_IKE, "%B", &data);
+ chunk_free(&data);
+ payload = (payload_t*)in;
+
+ if (payload->verify(payload) != SUCCESS)
+ {
+ in->destroy(in);
+ return FAILED;
+ }
+
+ code = in->get_code(in);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ received_type = in->get_type(in, &received_vendor);
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code,
+ eap_type_short_names, received_type);
+ if (code != EAP_RESPONSE)
+ {
+ DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE);
+ in->destroy(in);
+ return FAILED;
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+
+ /* if EAP_SUCCESS check if to continue phase2 with EAP-TNC */
+ return (this->phase2_result == EAP_SUCCESS && code == EAP_SUCCESS) ?
+ start_phase2_tnc(this) : FAILED;
+ }
+
+ if (this->ph2_method)
+ {
+ type = this->ph2_method->get_type(this->ph2_method, &vendor);
+
+ if (type != received_type || vendor != received_vendor)
+ {
+ if (received_vendor == 0 && received_type == EAP_NAK)
+ {
+ DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received invalid EAP response");
+ }
+ in->destroy(in);
+ return FAILED;
+ }
+ }
+
+ if (!received_vendor && received_type == EAP_IDENTITY)
+ {
+ chunk_t eap_id;
+
+ if (this->ph2_method == NULL)
+ {
+ /* Received an EAP Identity response without a matching request */
+ this->ph2_method = charon->eap->create_instance(charon->eap,
+ EAP_IDENTITY, 0, EAP_SERVER,
+ this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available",
+ eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+ }
+
+ if (this->ph2_method->process(this->ph2_method, in, &this->out) != SUCCESS)
+ {
+
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+
+ if (this->ph2_method->get_msk(this->ph2_method, &eap_id) == SUCCESS)
+ {
+ this->peer->destroy(this->peer);
+ this->peer = identification_create_from_data(eap_id);
+ DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer);
+ }
+
+ in->destroy(in);
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+
+ /* Start Phase 2 of EAP-PEAP authentication */
+ if (lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.request_peer_auth", FALSE))
+ {
+ return start_phase2_tnc(this);
+ }
+ else
+ {
+ return start_phase2_auth(this);
+ }
+ }
+
+ if (this->ph2_method == 0)
+ {
+ DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_PEAP);
+ in->destroy(in);
+ return FAILED;
+ }
+
+ status = this->ph2_method->process(this->ph2_method, in, &this->out);
+ in->destroy(in);
+
+ switch (status)
+ {
+ case SUCCESS:
+ DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful",
+ eap_type_names, EAP_PEAP, this->peer,
+ eap_type_names, type);
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+
+ /* EAP-PEAP requires the sending of an inner EAP_SUCCESS message */
+ this->phase2_result = EAP_SUCCESS;
+ this->out = eap_payload_create_code(this->phase2_result, 1 +
+ this->ph1_method->get_identifier(this->ph1_method));
+ return NEED_MORE;
+ case NEED_MORE:
+ break;
+ case FAILED:
+ default:
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+ type, vendor);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ }
+ /* EAP-PEAP requires the sending of an inner EAP_FAILURE message */
+ this->phase2_result = EAP_FAILURE;
+ this->out = eap_payload_create_code(this->phase2_result, 1 +
+ this->ph1_method->get_identifier(this->ph1_method));
+ return NEED_MORE;
+ }
+ return status;
+}
+
+METHOD(tls_application_t, build, status_t,
+ private_eap_peap_server_t *this, tls_writer_t *writer)
+{
+ chunk_t data;
+ eap_code_t code;
+ eap_type_t type;
+ u_int32_t vendor;
+
+ if (this->ph2_method == NULL && this->start_phase2 && this->start_phase2_id)
+ {
+ /*
+ * Start Phase 2 with an EAP Identity request either piggybacked right
+ * onto the TLS Finished payload or delayed after the reception of an
+ * empty EAP Acknowledge message.
+ */
+ this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
+ 0, EAP_SERVER, this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available",
+ eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+
+ /* synchronize EAP message identifiers of inner protocol with outer */
+ this->ph2_method->set_identifier(this->ph2_method,
+ this->ph1_method->get_identifier(this->ph1_method));
+
+ this->ph2_method->initiate(this->ph2_method, &this->out);
+ this->start_phase2 = FALSE;
+ }
+
+ this->start_phase2_id = TRUE;
+
+ if (this->out)
+ {
+ code = this->out->get_code(this->out);
+ type = this->out->get_type(this->out, &vendor);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code, eap_type_short_names, type);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+ }
+
+ /* get the raw EAP message data */
+ data = this->out->get_data(this->out);
+ DBG3(DBG_IKE, "%B", &data);
+ this->avp->build(this->avp, writer, data);
+
+ this->out->destroy(this->out);
+ this->out = NULL;
+ }
+ return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+ private_eap_peap_server_t *this)
+{
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
+ DESTROY_IF(this->ph2_method);
+ DESTROY_IF(this->out);
+ this->avp->destroy(this->avp);
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_peap_server_t *eap_peap_server_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method)
+{
+ private_eap_peap_server_t *this;
+
+ INIT(this,
+ .public = {
+ .application = {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ },
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .ph1_method = eap_method,
+ .start_phase2 = TRUE,
+ .start_phase2_tnc = TRUE,
+ .start_phase2_id = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.phase2_piggyback", FALSE),
+ .phase2_result = EAP_FAILURE,
+ .avp = eap_peap_avp_create(TRUE),
+ );
+
+ return &this->public;
+}
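Review bot: In `process`, the Result-TLV path `return (this->phase2_result == EAP_SUCCESS && code == EAP_SUCCESS) ? start_phase2_tnc(this) : FAILED;` tests a flag that is set on the first successful phase 2 method and never reset, while the EAP Identity branch above accepts an unsolicited Identity response at any time (the `this->ph2_method == NULL` case creates the method on the fly), replaces `this->peer` with the tunneled identity and restarts phase 2 through `start_phase2_auth`. As written, a peer that has passed one phase 2 authentication can send a second Identity response carrying a different name and then a Success TLV while the restarted method is still pending, and `process` returns SUCCESS with `this->peer` holding the unauthenticated name; whether the outer method in eap_peap.c reports that identity is outside this hunk. Reset the flag when phase 2 restarts, `this->phase2_result = EAP_FAILURE;` just before the `request_peer_auth` check, and add `&& this->ph2_method == NULL` to the Result-TLV condition. The two `return FAILED` paths inside the Identity branch also leak `in`, which is destroyed only on the success path.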
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.h b/src/libcharon/plugins/eap_peap/eap_peap_server.h
new file mode 100644
index 000000000..93141d62b
--- /dev/null
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_server eap_peap_server
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_SERVER_H_
+#define EAP_PEAP_SERVER_H_
+
+typedef struct eap_peap_server_t eap_peap_server_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * TLS application data handler as server.
+ */
+struct eap_peap_server_t {
+
+ /**
+ * Implements the TLS application data handler.
+ */
+ tls_application_t application;
+};
+
+/**
+ * Create an eap_peap_server instance.
+ */
+eap_peap_server_t *eap_peap_server_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method);
+
+#endif /** EAP_PEAP_SERVER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 99084e2c1..740c64055 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -245,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -268,6 +270,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 157034fe5..dfe0e2e09 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -55,6 +55,11 @@ struct private_eap_radius_t {
u_int32_t vendor;
/**
+ * EAP message identifier
+ */
+ u_int8_t identifier;
+
+ /**
* RADIUS client instance
*/
radius_client_t *client;
@@ -107,7 +112,7 @@ static void add_eap_identity(private_eap_radius_t *this,
hdr = alloca(len);
hdr->code = EAP_RESPONSE;
- hdr->identifier = 0;
+ hdr->identifier = this->identifier;
hdr->length = htons(len);
hdr->type = EAP_IDENTITY;
memcpy(hdr->data, prefix.ptr, prefix.len);
@@ -139,9 +144,12 @@ static bool radius2ike(private_eap_radius_t *this,
if (message.len)
{
*out = payload = eap_payload_create_data(message);
- free(message.ptr);
+
/* apply EAP method selected by RADIUS server */
this->type = payload->get_type(payload, &this->vendor);
+
+ DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &message);
+ free(message.ptr);
return TRUE;
}
return FALSE;
@@ -284,6 +292,8 @@ METHOD(eap_method_t, process, status_t,
request = radius_message_create_request();
request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
data = in->get_data(in);
+ DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data);
+
/* fragment data suitable for RADIUS (not more than 253 bytes) */
while (data.len > 253)
{
@@ -351,6 +361,18 @@ METHOD(eap_method_t, get_msk, status_t,
return FAILED;
}
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_radius_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_radius_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
METHOD(eap_method_t, is_mutual, bool,
private_eap_radius_t *this)
{
@@ -388,6 +410,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
.get_type = _get_type,
.is_mutual = _is_mutual,
.get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 1c24d77d5..c218bd48b 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -20,6 +20,7 @@
#include "radius_server.h"
#include <daemon.h>
+#include <threading/rwlock.h>
/**
* Default RADIUS server port, when not configured
@@ -42,6 +43,11 @@ struct private_eap_radius_plugin_t {
* List of RADIUS servers
*/
linked_list_t *servers;
+
+ /**
+ * Lock for server list
+ */
+ rwlock_t *lock;
};
/**
@@ -49,20 +55,10 @@ struct private_eap_radius_plugin_t {
*/
static private_eap_radius_plugin_t *instance = NULL;
-METHOD(plugin_t, destroy, void,
- private_eap_radius_plugin_t *this)
-{
- charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create);
- this->servers->destroy_offset(this->servers,
- offsetof(radius_server_t, destroy));
- free(this);
- instance = NULL;
-}
-
/**
* Load RADIUS servers from configuration
*/
-static bool load_servers(private_eap_radius_plugin_t *this)
+static void load_servers(private_eap_radius_plugin_t *this)
{
enumerator_t *enumerator;
radius_server_t *server;
@@ -78,7 +74,7 @@ static bool load_servers(private_eap_radius_plugin_t *this)
if (!secret)
{
DBG1(DBG_CFG, "no RADUIS secret defined");
- return FALSE;
+ return;
}
nas_identifier = lib->settings->get_str(lib->settings,
"charon.plugins.eap-radius.nas_identifier", "strongSwan");
@@ -86,15 +82,15 @@ static bool load_servers(private_eap_radius_plugin_t *this)
"charon.plugins.eap-radius.port", RADIUS_PORT);
sockets = lib->settings->get_int(lib->settings,
"charon.plugins.eap-radius.sockets", 1);
- server = radius_server_create(address, port, nas_identifier,
+ server = radius_server_create(address, address, port, nas_identifier,
secret, sockets, 0);
if (!server)
{
DBG1(DBG_CFG, "no RADUIS server defined");
- return FALSE;
+ return;
}
this->servers->insert_last(this->servers, server);
- return TRUE;
+ return;
}
enumerator = lib->settings->create_section_enumerator(lib->settings,
@@ -124,7 +120,7 @@ static bool load_servers(private_eap_radius_plugin_t *this)
"charon.plugins.eap-radius.servers.%s.sockets", 1, section);
preference = lib->settings->get_int(lib->settings,
"charon.plugins.eap-radius.servers.%s.preference", 0, section);
- server = radius_server_create(address, port, nas_identifier,
+ server = radius_server_create(section, address, port, nas_identifier,
secret, sockets, preference);
if (!server)
{
@@ -135,14 +131,40 @@ static bool load_servers(private_eap_radius_plugin_t *this)
}
enumerator->destroy(enumerator);
- if (this->servers->get_count(this->servers) == 0)
- {
- DBG1(DBG_CFG, "no valid RADIUS server configuration found");
- return FALSE;
- }
+ DBG1(DBG_CFG, "loaded %d RADIUS server configuration%s",
+ this->servers->get_count(this->servers),
+ this->servers->get_count(this->servers) == 1 ? "" : "s");
+}
+
+METHOD(plugin_t, get_name, char*,
+ private_eap_radius_plugin_t *this)
+{
+ return "eap-radius";
+}
+
+METHOD(plugin_t, reload, bool,
+ private_eap_radius_plugin_t *this)
+{
+ this->lock->write_lock(this->lock);
+ this->servers->destroy_offset(this->servers,
+ offsetof(radius_server_t, destroy));
+ this->servers = linked_list_create();
+ load_servers(this);
+ this->lock->unlock(this->lock);
return TRUE;
}
+METHOD(plugin_t, destroy, void,
+ private_eap_radius_plugin_t *this)
+{
+ charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create);
+ this->servers->destroy_offset(this->servers,
+ offsetof(radius_server_t, destroy));
+ this->lock->destroy(this->lock);
+ free(this);
+ instance = NULL;
+}
+
/*
* see header file
*/
@@ -153,17 +175,17 @@ plugin_t *eap_radius_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = _reload,
.destroy = _destroy,
},
},
.servers = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
- if (!load_servers(this))
- {
- destroy(this);
- return NULL;
- }
+ load_servers(this);
+
charon->eap->add_method(charon->eap, EAP_RADIUS, 0,
EAP_SERVER, (eap_constructor_t)eap_radius_create);
@@ -179,7 +201,10 @@ enumerator_t *eap_radius_create_server_enumerator()
{
if (instance)
{
- return instance->servers->create_enumerator(instance->servers);
+ instance->lock->read_lock(instance->lock);
+ return enumerator_create_cleaner(
+ instance->servers->create_enumerator(instance->servers),
+ (void*)instance->lock->unlock, instance->lock);
}
return enumerator_create_empty();
}
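Review bot: The unlock callback is handed to enumerator_create_cleaner through a `(void*)` cast, which discards the function's type and hides any future signature mismatch; the same pattern appears in this diff in eap_sim_plugin.c with `.reload = (void*)return_false`. A small static wrapper such as `static void unlock_cb(rwlock_t *lock) { lock->unlock(lock); }` passed in its place keeps the argument type visible at the call site. Note also that the read lock is now held for the lifetime of the returned enumerator, so every caller must destroy it on all paths or reload() blocks forever on the write lock; radius_client_create's enumerator->destroy in the radius_client.c hunk does this, but callers outside this diff should be checked.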
diff --git a/src/libcharon/plugins/eap_radius/radius_client.c b/src/libcharon/plugins/eap_radius/radius_client.c
index 232b9135e..245308e59 100644
--- a/src/libcharon/plugins/eap_radius/radius_client.c
+++ b/src/libcharon/plugins/eap_radius/radius_client.c
@@ -98,13 +98,14 @@ METHOD(radius_client_t, request, radius_message_t*,
req->add(req, RAT_STATE, this->state);
}
socket = this->server->get_socket(this->server);
- DBG1(DBG_CFG, "sending RADIUS %N to %#H", radius_message_code_names,
- req->get_code(req), this->server->get_address(this->server));
+ DBG1(DBG_CFG, "sending RADIUS %N to server '%s'", radius_message_code_names,
+ req->get_code(req), this->server->get_name(this->server));
res = socket->request(socket, req);
if (res)
{
- DBG1(DBG_CFG, "received RADIUS %N from %#H", radius_message_code_names,
- res->get_code(res), this->server->get_address(this->server));
+ DBG1(DBG_CFG, "received RADIUS %N from server '%s'",
+ radius_message_code_names, res->get_code(res),
+ this->server->get_name(this->server));
save_state(this, res);
if (res->get_code(res) == RMC_ACCESS_ACCEPT)
{
@@ -128,6 +129,7 @@ METHOD(radius_client_t, get_msk, chunk_t,
METHOD(radius_client_t, destroy, void,
private_radius_client_t *this)
{
+ this->server->destroy(this->server);
chunk_clear(&this->msk);
free(this->state.ptr);
free(this);
@@ -159,15 +161,16 @@ radius_client_t *radius_client_create()
/* for two with equal preference, 50-50 chance */
(current == best && random() % 2 == 0))
{
- DBG2(DBG_CFG, "RADIUS server %H is candidate: %d",
- server->get_address(server), current);
+ DBG2(DBG_CFG, "RADIUS server '%s' is candidate: %d",
+ server->get_name(server), current);
best = current;
- this->server = server;
+ DESTROY_IF(this->server);
+ this->server = server->get_ref(server);
}
else
{
- DBG2(DBG_CFG, "RADIUS server %H skipped: %d",
- server->get_address(server), current);
+ DBG2(DBG_CFG, "RADIUS server '%s' skipped: %d",
+ server->get_name(server), current);
}
}
enumerator->destroy(enumerator);
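Review bot: `this->server` may still be NULL after this loop when the server list is empty, which is now reachable because eap_radius_plugin_create discards the result of load_servers instead of failing the plugin load; the check following enumerator->destroy is outside this hunk, so confirm radius_client_create returns NULL in that case rather than letting request() dereference the server. `DESTROY_IF(this->server)` before taking the new reference also assumes the field starts out NULL, which holds only if the INIT earlier in the function zero-initializes it. radius_client_create continues past the end of the hunk.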
diff --git a/src/libcharon/plugins/eap_radius/radius_server.c b/src/libcharon/plugins/eap_radius/radius_server.c
index f54b8b2cd..3baf39807 100644
--- a/src/libcharon/plugins/eap_radius/radius_server.c
+++ b/src/libcharon/plugins/eap_radius/radius_server.c
@@ -32,11 +32,6 @@ struct private_radius_server_t {
radius_server_t public;
/**
- * RADIUS server address
- */
- host_t *host;
-
- /**
* list of radius sockets, as radius_socket_t
*/
linked_list_t *sockets;
@@ -57,9 +52,9 @@ struct private_radius_server_t {
condvar_t *condvar;
/**
- * RADIUS secret
+ * Server name
*/
- chunk_t secret;
+ char *name;
/**
* NAS-Identifier
@@ -80,6 +75,11 @@ struct private_radius_server_t {
* Retry counter for unreachable servers
*/
int retry;
+
+ /**
+ * reference count
+ */
+ refcount_t ref;
};
METHOD(radius_server_t, get_socket, radius_socket_t*,
@@ -147,27 +147,37 @@ METHOD(radius_server_t, get_preference, int,
return pref;
}
-METHOD(radius_server_t, get_address, host_t*,
+METHOD(radius_server_t, get_name, char*,
+ private_radius_server_t *this)
+{
+ return this->name;
+}
+
+METHOD(radius_server_t, get_ref, radius_server_t*,
private_radius_server_t *this)
{
- return this->host;
+ ref_get(&this->ref);
+ return &this->public;
}
+
METHOD(radius_server_t, destroy, void,
private_radius_server_t *this)
{
- DESTROY_IF(this->host);
- this->mutex->destroy(this->mutex);
- this->condvar->destroy(this->condvar);
- this->sockets->destroy_offset(this->sockets,
- offsetof(radius_socket_t, destroy));
- free(this);
+ if (ref_put(&this->ref))
+ {
+ this->mutex->destroy(this->mutex);
+ this->condvar->destroy(this->condvar);
+ this->sockets->destroy_offset(this->sockets,
+ offsetof(radius_socket_t, destroy));
+ free(this);
+ }
}
/**
* See header
*/
-radius_server_t *radius_server_create(char *server, u_int16_t port,
+radius_server_t *radius_server_create(char *name, char *address, u_int16_t port,
char *nas_identifier, char *secret, int sockets, int preference)
{
private_radius_server_t *this;
@@ -179,7 +189,8 @@ radius_server_t *radius_server_create(char *server, u_int16_t port,
.put_socket = _put_socket,
.get_nas_identifier = _get_nas_identifier,
.get_preference = _get_preference,
- .get_address = _get_address,
+ .get_name = _get_name,
+ .get_ref = _get_ref,
.destroy = _destroy,
},
.reachable = TRUE,
@@ -188,18 +199,14 @@ radius_server_t *radius_server_create(char *server, u_int16_t port,
.sockets = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
- .host = host_create_from_dns(server, 0, port),
+ .name = name,
.preference = preference,
+ .ref = 1,
);
- if (!this->host)
- {
- destroy(this);
- return NULL;
- }
while (sockets--)
{
- socket = radius_socket_create(this->host,
+ socket = radius_socket_create(address, port,
chunk_create(secret, strlen(secret)));
if (!socket)
{
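Review bot: `.name = name` stores the caller's string without copying, and `address` is likewise passed straight through to radius_socket_create, which stores it as `.address = address` in the radius_socket.c hunk. In load_servers both pointers appear to come from `lib->settings` (the section name from the section enumerator, the address from the settings lookup), so a server that outlives a strongswan.conf reload, which the new reference counting allows once a radius_client_t holds a get_ref, would read freed or rewritten memory unless the settings store guarantees those strings stay valid; that guarantee is not visible from here. Cloning with `strdup()` in both constructors and freeing in the respective destroy() removes the dependency. radius_server_create continues past the end of the hunk.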
diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h
index ba4c94619..c59361c49 100644
--- a/src/libcharon/plugins/eap_radius/radius_server.h
+++ b/src/libcharon/plugins/eap_radius/radius_server.h
@@ -61,11 +61,18 @@ struct radius_server_t {
int (*get_preference)(radius_server_t *this);
/**
- * Get the address of the RADIUS server.
+ * Get the name of the RADIUS server.
*
- * @return address, internal data
+ * @return server name
*/
- host_t* (*get_address)(radius_server_t *this);
+ char* (*get_name)(radius_server_t *this);
+
+ /**
+ * Increase reference count of this server.
+ *
+ * @return this
+ */
+ radius_server_t* (*get_ref)(radius_server_t *this);
/**
* Destroy a radius_server_t.
@@ -76,14 +83,15 @@ struct radius_server_t {
/**
* Create a radius_server instance.
*
- * @param server server address
+ * @param name server name
+ * @param address server address
* @param port server port
* @param nas_identifier NAS-Identifier to use with this server
* @param secret secret to use with this server
* @param sockets number of sockets to create in pool
* @param preference preference boost for this server
*/
-radius_server_t *radius_server_create(char *server, u_int16_t port,
+radius_server_t *radius_server_create(char *name, char *address, u_int16_t port,
char *nas_identifier, char *secret, int sockets, int preference);
#endif /** RADIUS_SERVER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/radius_socket.c b/src/libcharon/plugins/eap_radius/radius_socket.c
index f46c27ede..b3229c288 100644
--- a/src/libcharon/plugins/eap_radius/radius_socket.c
+++ b/src/libcharon/plugins/eap_radius/radius_socket.c
@@ -49,6 +49,16 @@ struct private_radius_socket_t {
int fd;
/**
+ * Server address
+ */
+ char *address;
+
+ /**
+ * Server port
+ */
+ u_int16_t port;
+
+ /**
* current RADIUS identifier
*/
u_int8_t identifier;
@@ -74,6 +84,45 @@ struct private_radius_socket_t {
chunk_t secret;
};
+/**
+ * Check or establish RADIUS connection
+ */
+static bool check_connection(private_radius_socket_t *this)
+{
+ if (this->fd == -1)
+ {
+ host_t *server;
+
+ server = host_create_from_dns(this->address, AF_UNSPEC, this->port);
+ if (!server)
+ {
+ DBG1(DBG_CFG, "resolving RADIUS server address '%s' failed",
+ this->address);
+ return FALSE;
+ }
+ this->fd = socket(server->get_family(server), SOCK_DGRAM, IPPROTO_UDP);
+ if (this->fd == -1)
+ {
+ DBG1(DBG_CFG, "opening RADIUS socket for %#H failed: %s",
+ server, strerror(errno));
+ server->destroy(server);
+ return FALSE;
+ }
+ if (connect(this->fd, server->get_sockaddr(server),
+ *server->get_sockaddr_len(server)) < 0)
+ {
+ DBG1(DBG_CFG, "connecting RADIUS socket to %#H failed: %s",
+ server, strerror(errno));
+ server->destroy(server);
+ close(this->fd);
+ this->fd = -1;
+ return FALSE;
+ }
+ server->destroy(server);
+ }
+ return TRUE;
+}
+
METHOD(radius_socket_t, request, radius_message_t*,
private_radius_socket_t *this, radius_message_t *request)
{
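Review bot: check_connection only resolves and connects while `this->fd == -1`, so after one successful connect the socket is never re-resolved or re-connected, even if the server's address changes or the connected UDP socket starts returning errors; nothing in this hunk ever resets fd once it is open. The retry loop in request() is outside the hunk, so I cannot tell whether it closes the socket on persistent failure; if it does not, consider closing fd and setting it back to -1 when a request exhausts its retries, so the next request goes through name resolution again. Resolution now also runs on the worker thread at request time rather than at plugin load, which is the intended change but means a slow resolver would delay the IKE exchange instead of startup.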
@@ -85,6 +134,11 @@ METHOD(radius_socket_t, request, radius_message_t*,
/* sign the request */
request->sign(request, this->rng, this->signer);
+ if (!check_connection(this))
+ {
+ return NULL;
+ }
+
data = request->get_encoding(request);
/* timeout after 2, 3, 4, 5 seconds */
for (i = 2; i <= 5; i++)
@@ -257,14 +311,18 @@ METHOD(radius_socket_t, destroy, void,
DESTROY_IF(this->hasher);
DESTROY_IF(this->signer);
DESTROY_IF(this->rng);
- close(this->fd);
+ if (this->fd != -1)
+ {
+ close(this->fd);
+ }
free(this);
}
/**
* See header
*/
-radius_socket_t *radius_socket_create(host_t *host, chunk_t secret)
+radius_socket_t *radius_socket_create(char *address, u_int16_t port,
+ chunk_t secret)
{
private_radius_socket_t *this;
@@ -274,23 +332,11 @@ radius_socket_t *radius_socket_create(host_t *host, chunk_t secret)
.decrypt_msk = _decrypt_msk,
.destroy = _destroy,
},
+ .address = address,
+ .port = port,
+ .fd = -1,
);
- this->fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
- if (this->fd < 0)
- {
- DBG1(DBG_CFG, "opening RADIUS socket failed: %s", strerror(errno));
- free(this);
- return NULL;
- }
- if (connect(this->fd, host->get_sockaddr(host),
- *host->get_sockaddr_len(host)) < 0)
- {
- DBG1(DBG_CFG, "connecting RADIUS socket failed");
- close(this->fd);
- free(this);
- return NULL;
- }
this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
diff --git a/src/libcharon/plugins/eap_radius/radius_socket.h b/src/libcharon/plugins/eap_radius/radius_socket.h
index fe8491a8f..2875008eb 100644
--- a/src/libcharon/plugins/eap_radius/radius_socket.h
+++ b/src/libcharon/plugins/eap_radius/radius_socket.h
@@ -34,7 +34,7 @@ struct radius_socket_t {
/**
* Send a RADIUS request, wait for response.
-
+ *
* The socket fills in RADIUS Message identifier, builds a
* Request-Authenticator and calculates the Message-Authenticator
* attribute.
@@ -66,9 +66,11 @@ struct radius_socket_t {
/**
* Create a radius_socket instance.
*
- * @param host RADIUS server address to connect to
+ * @param address server name
+ * @param port server port
* @param secret RADIUS secret
*/
-radius_socket_t *radius_socket_create(host_t *host, chunk_t secret);
+radius_socket_t *radius_socket_create(char *address, u_int16_t port,
+ chunk_t secret);
#endif /** RADIUS_SOCKET_H_ @}*/
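Review bot: The new parameter documentation reads `@param address server name`, but the argument is the host to resolve (check_connection passes it to host_create_from_dns), and the radius_server.h hunk already uses "server name" for the distinct `name` parameter. Suggest `* @param address server address (hostname or IP) to connect to` so the two are not confused.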
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 90f203f61..b9ab6656b 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
index a3506f4ba..083bf73a3 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
@@ -56,6 +56,11 @@ struct private_eap_sim_peer_t {
identification_t *reauth;
/**
+ * EAP message identifier
+ */
+ u_int8_t identifier;
+
+ /**
* EAP-SIM crypto helper
*/
simaka_crypto_t *crypto;
@@ -98,7 +103,7 @@ static chunk_t version = chunk_from_chars(0x00,0x01);
* Create a SIM_CLIENT_ERROR
*/
static eap_payload_t* create_client_error(private_eap_sim_peer_t *this,
- u_int8_t identifier, simaka_client_error_t code)
+ simaka_client_error_t code)
{
simaka_message_t *message;
eap_payload_t *out;
@@ -106,7 +111,7 @@ static eap_payload_t* create_client_error(private_eap_sim_peer_t *this,
DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code);
- message = simaka_message_create(FALSE, identifier, EAP_SIM,
+ message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
SIM_CLIENT_ERROR, this->crypto);
encoded = htons(code);
message->add_attribute(message, AT_CLIENT_ERROR_CODE,
@@ -164,8 +169,7 @@ static status_t process_start(private_eap_sim_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
enumerator->destroy(enumerator);
return NEED_MORE;
}
@@ -177,8 +181,7 @@ static status_t process_start(private_eap_sim_peer_t *this,
if (!supported)
{
DBG1(DBG_IKE, "server does not support EAP-SIM version number 1");
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNSUPPORTED_VERSION);
+ *out = create_client_error(this, SIM_UNSUPPORTED_VERSION);
return NEED_MORE;
}
@@ -214,7 +217,7 @@ static status_t process_start(private_eap_sim_peer_t *this,
free(this->nonce.ptr);
rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
- message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+ message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
SIM_START, this->crypto);
if (!this->reauth)
{
@@ -261,8 +264,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
enumerator->destroy(enumerator);
return NEED_MORE;
}
@@ -277,8 +279,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN))
{
DBG1(DBG_IKE, "no valid AT_RAND received");
- *out = create_client_error(this, in->get_identifier(in),
- SIM_INSUFFICIENT_CHALLENGES);
+ *out = create_client_error(this, SIM_INSUFFICIENT_CHALLENGES);
return NEED_MORE;
}
/* get two or three KCs/SRESes from SIM using RANDs */
@@ -290,8 +291,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
rands.ptr, sres.ptr, kc.ptr))
{
DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
return NEED_MORE;
}
DBG3(DBG_IKE, "got triplet for RAND %b\n Kc %b\n SRES %b",
@@ -316,8 +316,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
* parse() again after key derivation, reading encrypted attributes */
if (!in->verify(in, this->nonce) || !in->parse(in))
{
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
return NEED_MORE;
}
@@ -345,7 +344,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
enumerator->destroy(enumerator);
/* build response with AT_MAC, built over "EAP packet | n*SRES" */
- message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+ message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
SIM_CHALLENGE, this->crypto);
*out = message->generate(message, sreses);
message->destroy(message);
@@ -379,8 +378,7 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
{
DBG1(DBG_IKE, "received %N, but not expected",
simaka_subtype_names, SIM_REAUTHENTICATION);
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
return NEED_MORE;
}
@@ -390,8 +388,7 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
/* verify MAC and parse again with decryption key */
if (!in->verify(in, chunk_empty) || !in->parse(in))
{
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
return NEED_MORE;
}
@@ -412,8 +409,7 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
default:
if (!simaka_attribute_skippable(type))
{
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
enumerator->destroy(enumerator);
return NEED_MORE;
}
@@ -425,12 +421,11 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
if (!nonce.len || !counter.len)
{
DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete");
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
return NEED_MORE;
}
- message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+ message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
SIM_REAUTHENTICATION, this->crypto);
if (counter_too_small(this, counter))
{
@@ -503,40 +498,37 @@ static status_t process_notification(private_eap_sim_peer_t *this,
if (success)
{ /* empty notification reply */
- message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+ message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
SIM_NOTIFICATION, this->crypto);
*out = message->generate(message, chunk_empty);
message->destroy(message);
}
else
{
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
}
return NEED_MORE;
}
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_sim_peer_t *this,
- eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process, status_t,
+ private_eap_sim_peer_t *this, eap_payload_t *in, eap_payload_t **out)
{
simaka_message_t *message;
status_t status;
+ /* store received EAP message identifier */
+ this->identifier = in->get_identifier(in);
+
message = simaka_message_create_from_payload(in, this->crypto);
if (!message)
{
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
return NEED_MORE;
}
if (!message->parse(message))
{
message->destroy(message);
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
return NEED_MORE;
}
switch (message->get_subtype(message))
@@ -556,8 +548,7 @@ static status_t process(private_eap_sim_peer_t *this,
default:
DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
simaka_subtype_names, message->get_subtype(message));
- *out = create_client_error(this, in->get_identifier(in),
- SIM_UNABLE_TO_PROCESS);
+ *out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
status = NEED_MORE;
break;
}
@@ -565,28 +556,22 @@ static status_t process(private_eap_sim_peer_t *this,
return status;
}
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_sim_peer_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate, status_t,
+ private_eap_sim_peer_t *this, eap_payload_t **out)
{
/* peer never initiates */
return FAILED;
}
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_sim_peer_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_sim_peer_t *this, u_int32_t *vendor)
{
*vendor = 0;
return EAP_SIM;
}
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_sim_peer_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_sim_peer_t *this, chunk_t *msk)
{
if (this->msk.ptr)
{
@@ -596,18 +581,26 @@ static status_t get_msk(private_eap_sim_peer_t *this, chunk_t *msk)
return FAILED;
}
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_sim_peer_t *this)
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_sim_peer_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_sim_peer_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_sim_peer_t *this)
{
return TRUE;
}
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_sim_peer_t *this)
+METHOD(eap_method_t, destroy, void,
+ private_eap_sim_peer_t *this)
{
this->permanent->destroy(this->permanent);
DESTROY_IF(this->pseudonym);
@@ -625,28 +618,32 @@ static void destroy(private_eap_sim_peer_t *this)
eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
identification_t *peer)
{
- private_eap_sim_peer_t *this = malloc_thing(private_eap_sim_peer_t);
-
- this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
- this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
- this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
- this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
- this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
- this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
+ private_eap_sim_peer_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ .crypto = simaka_crypto_create(),
+ );
- this->crypto = simaka_crypto_create();
if (!this->crypto)
{
free(this);
return NULL;
}
+
this->permanent = peer->clone(peer);
- this->pseudonym = NULL;
- this->reauth = NULL;
this->tries = MAX_TRIES;
- this->version_list = chunk_empty;
- this->nonce = chunk_empty;
- this->msk = chunk_empty;
return &this->public;
}
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_plugin.c b/src/libcharon/plugins/eap_sim/eap_sim_plugin.c
index f0c972253..b15292544 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_plugin.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_plugin.c
@@ -20,10 +20,14 @@
#include <daemon.h>
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_sim_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ eap_sim_plugin_t *this)
+{
+ return "eap-sim";
+}
+
+METHOD(plugin_t, destroy, void,
+ eap_sim_plugin_t *this)
{
charon->eap->remove_method(charon->eap,
(eap_constructor_t)eap_sim_server_create);
@@ -37,9 +41,15 @@ static void destroy(eap_sim_plugin_t *this)
*/
plugin_t *eap_sim_plugin_create()
{
- eap_sim_plugin_t *this = malloc_thing(eap_sim_plugin_t);
-
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
+ eap_sim_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_SERVER,
(eap_constructor_t)eap_sim_server_create);
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c
index f6d5df09b..d1dfde5d6 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_server.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c
@@ -107,10 +107,8 @@ struct private_eap_sim_server_t {
/* version of SIM protocol we speak */
static chunk_t version = chunk_from_chars(0x00,0x01);
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate, status_t,
+ private_eap_sim_server_t *this, eap_payload_t **out)
{
simaka_message_t *message;
@@ -479,11 +477,8 @@ static status_t process_client_error(private_eap_sim_server_t *this,
return FAILED;
}
-/**
- * Implementation of eap_method_t.process
- */
-static status_t process(private_eap_sim_server_t *this,
- eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process, status_t,
+ private_eap_sim_server_t *this, eap_payload_t *in, eap_payload_t **out)
{
simaka_message_t *message;
status_t status;
@@ -522,19 +517,15 @@ static status_t process(private_eap_sim_server_t *this,
return status;
}
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_sim_server_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_sim_server_t *this, u_int32_t *vendor)
{
*vendor = 0;
return EAP_SIM;
}
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_sim_server_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_sim_server_t *this, chunk_t *msk)
{
if (this->msk.ptr)
{
@@ -544,18 +535,26 @@ static status_t get_msk(private_eap_sim_server_t *this, chunk_t *msk)
return FAILED;
}
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_sim_server_t *this)
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_sim_server_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_sim_server_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_sim_server_t *this)
{
return TRUE;
}
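Review bot: get_identifier and set_identifier read and write `this->identifier`, but no hunk in eap_sim_server.c adds that field to private_eap_sim_server_t, so it presumably already existed for the server's own request numbering; confirm that the existing request-building code uses this same field, so a value installed through set_identifier actually appears on the wire rather than being overwritten by a separately tracked counter. The eap_sim_peer.c hunk in this diff handles the peer side explicitly by storing `in->get_identifier(in)` in process(); a one-line comment on the server field saying which side assigns it would help the next reader.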
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_sim_server_t *this)
+METHOD(eap_method_t, destroy, void,
+ private_eap_sim_server_t *this)
{
this->crypto->destroy(this->crypto);
this->permanent->destroy(this->permanent);
@@ -574,29 +573,31 @@ static void destroy(private_eap_sim_server_t *this)
eap_sim_server_t *eap_sim_server_create(identification_t *server,
identification_t *peer)
{
- private_eap_sim_server_t *this = malloc_thing(private_eap_sim_server_t);
+ private_eap_sim_server_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ .crypto = simaka_crypto_create(),
+ );
- this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
- this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
- this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
- this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
- this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
- this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
-
- this->crypto = simaka_crypto_create();
if (!this->crypto)
{
free(this);
return NULL;
}
+
this->permanent = peer->clone(peer);
- this->pseudonym = NULL;
- this->reauth = NULL;
- this->sreses = chunk_empty;
- this->nonce = chunk_empty;
- this->msk = chunk_empty;
- this->counter = chunk_empty;
- this->pending = 0;
this->use_reauth = this->use_pseudonym = this->use_permanent =
lib->settings->get_bool(lib->settings,
"charon.plugins.eap-sim.request_identity", TRUE);
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 3cd766a75..5662a1c53 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -245,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -268,6 +270,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c
index d132a38f6..5397c418e 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c
@@ -35,11 +35,9 @@ struct private_eap_sim_file_card_t {
eap_sim_file_triplets_t *triplets;
};
-/**
- * Implementation of sim_card_t.get_triplet
- */
-static bool get_triplet(private_eap_sim_file_card_t *this,
- identification_t *id, char *rand, char *sres, char *kc)
+METHOD(sim_card_t, get_triplet, bool,
+ private_eap_sim_file_card_t *this, identification_t *id,
+ char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
{
enumerator_t *enumerator;
identification_t *cand;
@@ -68,18 +66,16 @@ static bool get_triplet(private_eap_sim_file_card_t *this,
return FALSE;
}
-/**
- * Implementation of sim_card_t.get_quintuplet
- */
-static status_t get_quintuplet()
+METHOD(sim_card_t, get_quintuplet, status_t,
+ private_eap_sim_file_card_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+ char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len)
{
return NOT_SUPPORTED;
}
-/**
- * Implementation of eap_sim_file_card_t.destroy.
- */
-static void destroy(private_eap_sim_file_card_t *this)
+METHOD(eap_sim_file_card_t, destroy, void,
+ private_eap_sim_file_card_t *this)
{
free(this);
}
@@ -89,18 +85,23 @@ static void destroy(private_eap_sim_file_card_t *this)
*/
eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets)
{
- private_eap_sim_file_card_t *this = malloc_thing(private_eap_sim_file_card_t);
-
- this->public.card.get_triplet = (bool(*)(sim_card_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
- this->public.card.get_quintuplet = (status_t(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))get_quintuplet;
- this->public.card.resync = (bool(*)(sim_card_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
- this->public.card.get_pseudonym = (identification_t*(*)(sim_card_t*, identification_t *perm))return_null;
- this->public.card.set_pseudonym = (void(*)(sim_card_t*, identification_t *id, identification_t *pseudonym))nop;
- this->public.card.get_reauth = (identification_t*(*)(sim_card_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))return_null;
- this->public.card.set_reauth = (void(*)(sim_card_t*, identification_t *id, identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter))nop;
- this->public.destroy = (void(*)(eap_sim_file_card_t*))destroy;
-
- this->triplets = triplets;
+ private_eap_sim_file_card_t *this;
+
+ INIT(this,
+ .public = {
+ .card = {
+ .get_triplet = _get_triplet,
+ .get_quintuplet = _get_quintuplet,
+ .resync = (void*)return_false,
+ .get_pseudonym = (void*)return_null,
+ .set_pseudonym = (void*)nop,
+ .get_reauth = (void*)return_null,
+ .set_reauth = (void*)nop,
+ },
+ .destroy = _destroy,
+ },
+ .triplets = triplets,
+ );
return &this->public;
}
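Review bot: The stub slots `.resync`, `.get_pseudonym`, `.set_pseudonym`, `.get_reauth` and `.set_reauth` are filled via `(void*)return_false`, `(void*)return_null` and `(void*)nop`, which discards the prototype checking that the `_get_triplet` and `_get_quintuplet` assignments in this same hunk gain from the METHOD macro, so a mismatch between a stub and its `sim_card_t` slot (return width or argument count) is no longer caught by the compiler. Since this commit already turns `get_quintuplet` from an untyped stub into a typed METHOD returning NOT_SUPPORTED, the remaining stubs could follow the same pattern, e.g. `METHOD(sim_card_t, resync, bool, private_eap_sim_file_card_t *this, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]) { return FALSE; }` with `.resync = _resync,`. The same `(void*)` stub casts appear in the eap_sim_file_provider_create hunk and for `.reload` in the eap_sim_file_plugin_create hunk. If the casts are kept for brevity, a comment above the first one, `/* generic stubs: the (void*) cast bypasses prototype checks, keep in sync with sim_card_t */`, would at least make the hazard visible to the next maintainer.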
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c
index 4f25c35ea..0ab5a1848 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_plugin.c
@@ -50,10 +50,14 @@ struct private_eap_sim_file_t {
eap_sim_file_triplets_t *triplets;
};
-/**
- * Implementation of eap_sim_file_t.destroy.
- */
-static void destroy(private_eap_sim_file_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_eap_sim_file_t *this)
+{
+ return "eap-sim-file";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_eap_sim_file_t *this)
{
charon->sim->remove_card(charon->sim, &this->card->card);
charon->sim->remove_provider(charon->sim, &this->provider->provider);
@@ -68,11 +72,19 @@ static void destroy(private_eap_sim_file_t *this)
*/
plugin_t *eap_sim_file_plugin_create()
{
- private_eap_sim_file_t *this = malloc_thing(private_eap_sim_file_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_eap_sim_file_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .triplets = eap_sim_file_triplets_create(TRIPLET_FILE),
+ );
- this->triplets = eap_sim_file_triplets_create(TRIPLET_FILE);
this->provider = eap_sim_file_provider_create(this->triplets);
if (!this->provider)
{
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c
index 9bee31fc3..38b651404 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_provider.c
@@ -35,11 +35,9 @@ struct private_eap_sim_file_provider_t {
eap_sim_file_triplets_t *triplets;
};
-/**
- * Implementation of sim_provider_t.get_triplet
- */
-static bool get_triplet(private_eap_sim_file_provider_t *this,
- identification_t *id, char *rand, char *sres, char *kc)
+METHOD(sim_provider_t, get_triplet, bool,
+ private_eap_sim_file_provider_t *this, identification_t *id,
+ char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
{
enumerator_t *enumerator;
identification_t *cand;
@@ -61,10 +59,8 @@ static bool get_triplet(private_eap_sim_file_provider_t *this,
return FALSE;
}
-/**
- * Implementation of eap_sim_file_provider_t.destroy.
- */
-static void destroy(private_eap_sim_file_provider_t *this)
+METHOD(eap_sim_file_provider_t, destroy, void,
+ private_eap_sim_file_provider_t *this)
{
free(this);
}
@@ -75,18 +71,23 @@ static void destroy(private_eap_sim_file_provider_t *this)
eap_sim_file_provider_t *eap_sim_file_provider_create(
eap_sim_file_triplets_t *triplets)
{
- private_eap_sim_file_provider_t *this = malloc_thing(private_eap_sim_file_provider_t);
-
- this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))get_triplet;
- this->public.provider.get_quintuplet = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))return_false;
- this->public.provider.resync = (bool(*)(sim_provider_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))return_false;
- this->public.provider.is_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
- this->public.provider.gen_pseudonym = (identification_t*(*)(sim_provider_t*, identification_t *id))return_null;
- this->public.provider.is_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char [HASH_SIZE_SHA1], u_int16_t *counter))return_null;
- this->public.provider.gen_reauth = (identification_t*(*)(sim_provider_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))return_null;
- this->public.destroy = (void(*)(eap_sim_file_provider_t*))destroy;
+ private_eap_sim_file_provider_t *this;
- this->triplets = triplets;
+ INIT(this,
+ .public = {
+ .provider = {
+ .get_triplet = _get_triplet,
+ .get_quintuplet = (void*)return_false,
+ .resync = (void*)return_false,
+ .is_pseudonym = (void*)return_null,
+ .gen_pseudonym = (void*)return_null,
+ .is_reauth = (void*)return_null,
+ .gen_reauth = (void*)return_null,
+ },
+ .destroy = _destroy,
+ },
+ .triplets = triplets,
+ );
return &this->public;
}
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
index 6b7d99fb7..c693923fe 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -117,10 +117,8 @@ static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **ims
return FALSE;
}
-/**
- * Implementation of eap_sim_file_triplets_t.create_enumerator
- */
-static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
+METHOD(eap_sim_file_triplets_t, create_enumerator, enumerator_t*,
+ private_eap_sim_file_triplets_t *this)
{
triplet_enumerator_t *enumerator = malloc_thing(triplet_enumerator_t);
@@ -230,10 +228,8 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
this->triplets->get_count(this->triplets), path);
}
-/**
- * Implementation of eap_sim_file_triplets_t.destroy.
- */
-static void destroy(private_eap_sim_file_triplets_t *this)
+METHOD(eap_sim_file_triplets_t, destroy, void,
+ private_eap_sim_file_triplets_t *this)
{
this->triplets->destroy_function(this->triplets, (void*)triplet_destroy);
this->mutex->destroy(this->mutex);
@@ -245,14 +241,16 @@ static void destroy(private_eap_sim_file_triplets_t *this)
*/
eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
{
- private_eap_sim_file_triplets_t *this = malloc_thing(private_eap_sim_file_triplets_t);
-
- this->public.create_enumerator = (enumerator_t*(*)(eap_sim_file_triplets_t*))create_enumerator;
- this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
-
- this->triplets = linked_list_create();
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ private_eap_sim_file_triplets_t *this;
+ INIT(this,
+ .public = {
+ .create_enumerator = _create_enumerator,
+ .destroy = _destroy,
+ },
+ .triplets = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
read_triplets(this, file);
return &this->public;
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
new file mode 100644
index 000000000..2d75fe3ad
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic ${pcsclite_CFLAGS}
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-sim-pcsc.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-sim-pcsc.la
+endif
+
+libstrongswan_eap_sim_pcsc_la_SOURCES = \
+ eap_sim_pcsc_plugin.h eap_sim_pcsc_plugin.c \
+ eap_sim_pcsc_card.h eap_sim_pcsc_card.c
+
+libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_sim_pcsc_la_LIBADD = ${pcsclite_LIBS}
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
new file mode 100644
index 000000000..a8249a7ac
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -0,0 +1,611 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_sim_pcsc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_eap_sim_pcsc_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_eap_sim_pcsc_la_OBJECTS = eap_sim_pcsc_plugin.lo \
+ eap_sim_pcsc_card.lo
+libstrongswan_eap_sim_pcsc_la_OBJECTS = \
+ $(am_libstrongswan_eap_sim_pcsc_la_OBJECTS)
+libstrongswan_eap_sim_pcsc_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_eap_sim_pcsc_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_sim_pcsc_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_sim_pcsc_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic ${pcsclite_CFLAGS}
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-sim-pcsc.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-sim-pcsc.la
+libstrongswan_eap_sim_pcsc_la_SOURCES = \
+ eap_sim_pcsc_plugin.h eap_sim_pcsc_plugin.c \
+ eap_sim_pcsc_card.h eap_sim_pcsc_card.c
+
+libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
+libstrongswan_eap_sim_pcsc_la_LIBADD = ${pcsclite_LIBS}
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_pcsc/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_pcsc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES)
+ $(libstrongswan_eap_sim_pcsc_la_LINK) $(am_libstrongswan_eap_sim_pcsc_la_rpath) $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_pcsc_card.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_pcsc_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
new file mode 100644
index 000000000..d0a2718f3
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
@@ -0,0 +1,392 @@
+/*
+ * Copyright (C) 2011 Duncan Salerno
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_pcsc_card.h"
+
+#include <PCSC/wintypes.h>
+#include <PCSC/winscard.h>
+#include <daemon.h>
+
+typedef struct private_eap_sim_pcsc_card_t private_eap_sim_pcsc_card_t;
+
+/**
+ * Private data of an eap_sim_pcsc_card_t object.
+ */
+struct private_eap_sim_pcsc_card_t {
+
+ /**
+ * Public eap_sim_pcsc_card_t interface.
+ */
+ eap_sim_pcsc_card_t public;
+};
+
+/**
+ * Maximum length for an IMSI.
+ */
+#define SIM_IMSI_MAX_LEN 15
+
+/**
+ * Length of the status at the end of response APDUs.
+ */
+#define APDU_STATUS_LEN 2
+
+/**
+ * First byte of status word indicating success.
+ */
+#define APDU_SW1_SUCCESS 0x90
+
+/**
+ * First byte of status word indicating there is response data to be read.
+ */
+#define APDU_SW1_RESPONSE_DATA 0x9f
+
+/**
+ * Decode IMSI EF (Elementary File) into an ASCII string
+ */
+static bool decode_imsi_ef(unsigned char *input, int input_len, char *output)
+{
+ /* Only digits 0-9 valid in IMSIs */
+ static const char bcd_num_digits[] = {
+ '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', '\0', '\0', '\0', '\0', '\0', '\0'
+ };
+ int i;
+
+ /* Check length byte matches how many bytes we have, and that input
+ * is correct length for an IMSI */
+ if (input[0] != input_len-1 || input_len < 2 || input_len > 9)
+ {
+ return FALSE;
+ }
+
+ /* Check type byte is IMSI (bottom 3 bits == 001) */
+ if ((input[1] & 0x07) != 0x01)
+ {
+ return FALSE;
+ }
+ *output++ = bcd_num_digits[input[1] >> 4];
+
+ for (i = 2; i < input_len; i++)
+ {
+ *output++ = bcd_num_digits[input[i] & 0xf];
+ *output++ = bcd_num_digits[input[i] >> 4];
+ }
+
+ *output++ = '\0';
+ return TRUE;
+}
+
+METHOD(sim_card_t, get_triplet, bool,
+ private_eap_sim_pcsc_card_t *this, identification_t *id,
+ char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
+{
+ status_t found = FALSE;
+ LONG rv;
+ SCARDCONTEXT hContext;
+ DWORD dwReaders;
+ LPSTR mszReaders;
+ char *cur_reader;
+ char full_nai[128];
+ SCARDHANDLE hCard;
+ enum { DISCONNECTED, CONNECTED, TRANSACTION } hCard_status = DISCONNECTED;
+
+ snprintf(full_nai, sizeof(full_nai), "%Y", id);
+
+ DBG2(DBG_IKE, "looking for triplet: %Y rand %b", id, rand, SIM_RAND_LEN);
+
+ rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardEstablishContext: %s", pcsc_stringify_error(rv));
+ return FALSE;
+ }
+
+ rv = SCardListReaders(hContext, NULL, NULL, &dwReaders);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
+ return FALSE;
+ }
+ mszReaders = malloc(sizeof(char)*dwReaders);
+
+ rv = SCardListReaders(hContext, NULL, mszReaders, &dwReaders);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
+ return FALSE;
+ }
+
+ /* mszReaders is a multi-string of readers, separated by '\0' and
+ * terminated by an additional '\0' */
+ for (cur_reader = mszReaders; *cur_reader != '\0' && found == FALSE;
+ cur_reader += strlen(cur_reader) + 1)
+ {
+ DWORD dwActiveProtocol = -1;
+ SCARD_IO_REQUEST *pioSendPci;
+ SCARD_IO_REQUEST pioRecvPci;
+ BYTE pbRecvBuffer[64];
+ DWORD dwRecvLength;
+ char imsi[SIM_IMSI_MAX_LEN + 1];
+
+ /* See GSM 11.11 for SIM APDUs */
+ static const BYTE pbSelectMF[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x3f, 0x00 };
+ static const BYTE pbSelectDFGSM[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x7f, 0x20 };
+ static const BYTE pbSelectIMSI[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x6f, 0x07 };
+ static const BYTE pbReadBinary[] = { 0xa0, 0xb0, 0x00, 0x00, 0x09 };
+ BYTE pbRunGSMAlgorithm[5 + SIM_RAND_LEN] = { 0xa0, 0x88, 0x00, 0x00, 0x10 };
+ static const BYTE pbGetResponse[] = { 0xa0, 0xc0, 0x00, 0x00, 0x0c };
+
+ /* If on 2nd or later reader, make sure we end the transaction
+ * and disconnect card in the previous reader */
+ switch (hCard_status)
+ {
+ case TRANSACTION:
+ SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
+ /* FALLTHRU */
+ case CONNECTED:
+ SCardDisconnect(hCard, SCARD_LEAVE_CARD);
+ /* FALLTHRU */
+ case DISCONNECTED:
+ hCard_status = DISCONNECTED;
+ }
+
+ /* Copy RAND into APDU */
+ memcpy(pbRunGSMAlgorithm + 5, rand, SIM_RAND_LEN);
+
+ rv = SCardConnect(hContext, cur_reader, SCARD_SHARE_SHARED,
+ SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &hCard, &dwActiveProtocol);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardConnect: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+ hCard_status = CONNECTED;
+
+ switch(dwActiveProtocol)
+ {
+ case SCARD_PROTOCOL_T0:
+ pioSendPci = SCARD_PCI_T0;
+ break;
+ case SCARD_PROTOCOL_T1:
+ pioSendPci = SCARD_PCI_T1;
+ break;
+ default:
+ DBG1(DBG_IKE, "Unknown SCARD_PROTOCOL");
+ continue;
+ }
+
+ /* Start transaction */
+ rv = SCardBeginTransaction(hCard);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardBeginTransaction: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+ hCard_status = TRANSACTION;
+
+ /* APDU: Select MF */
+ dwRecvLength = sizeof(pbRecvBuffer);
+ rv = SCardTransmit(hCard, pioSendPci, pbSelectMF, sizeof(pbSelectMF),
+ &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+ if (dwRecvLength < APDU_STATUS_LEN ||
+ pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+ {
+ DBG1(DBG_IKE, "Select MF failed: %b", pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ /* APDU: Select DF GSM */
+ dwRecvLength = sizeof(pbRecvBuffer);
+ rv = SCardTransmit(hCard, pioSendPci, pbSelectDFGSM, sizeof(pbSelectDFGSM),
+ &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+ if (dwRecvLength < APDU_STATUS_LEN ||
+ pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+ {
+ DBG1(DBG_IKE, "Select DF GSM failed: %b", pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ /* APDU: Select IMSI */
+ dwRecvLength = sizeof(pbRecvBuffer);
+ rv = SCardTransmit(hCard, pioSendPci, pbSelectIMSI, sizeof(pbSelectIMSI),
+ &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+ if (dwRecvLength < APDU_STATUS_LEN ||
+ pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+ {
+ DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ /* APDU: Read Binary (of IMSI) */
+ dwRecvLength = sizeof(pbRecvBuffer);
+ rv = SCardTransmit(hCard, pioSendPci, pbReadBinary, sizeof(pbReadBinary),
+ &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+ if (dwRecvLength < APDU_STATUS_LEN ||
+ pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
+ {
+ DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ if (!decode_imsi_ef(pbRecvBuffer, dwRecvLength-APDU_STATUS_LEN, imsi))
+ {
+ DBG1(DBG_IKE, "Couldn't decode IMSI EF: %b",
+ pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ /* The IMSI could be post/prefixed in the full NAI, so just make sure
+ * it's in there */
+ if (!(strlen(full_nai) && strstr(full_nai, imsi)))
+ {
+ DBG1(DBG_IKE, "Not the SIM we're looking for, IMSI: %s", imsi);
+ continue;
+ }
+
+ /* APDU: Run GSM Algorithm */
+ dwRecvLength = sizeof(pbRecvBuffer);
+ rv = SCardTransmit(hCard, pioSendPci,
+ pbRunGSMAlgorithm, sizeof(pbRunGSMAlgorithm),
+ &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+ if (dwRecvLength < APDU_STATUS_LEN ||
+ pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+ {
+ DBG1(DBG_IKE, "Run GSM Algorithm failed: %b",
+ pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ /* APDU: Get Response (of Run GSM Algorithm) */
+ dwRecvLength = sizeof(pbRecvBuffer);
+ rv = SCardTransmit(hCard, pioSendPci, pbGetResponse, sizeof(pbGetResponse),
+ &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+ continue;
+ }
+
+ if (dwRecvLength < APDU_STATUS_LEN ||
+ pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
+ {
+ DBG1(DBG_IKE, "Get Response failed: %b", pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ /* Extract out Kc and SRES from response */
+ if (dwRecvLength == SIM_SRES_LEN + SIM_KC_LEN + APDU_STATUS_LEN)
+ {
+ memcpy(sres, pbRecvBuffer, SIM_SRES_LEN);
+ memcpy(kc, pbRecvBuffer+4, SIM_KC_LEN);
+ /* This will also cause the loop to exit */
+ found = TRUE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "Get Response incorrect length: %b",
+ pbRecvBuffer, dwRecvLength);
+ continue;
+ }
+
+ /* Transaction will be ended and card disconnected at the
+ * beginning of this loop or after this loop */
+ }
+
+ /* Make sure we end any previous transaction and disconnect card */
+ switch (hCard_status)
+ {
+ case TRANSACTION:
+ SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
+ /* FALLTHRU */
+ case CONNECTED:
+ SCardDisconnect(hCard, SCARD_LEAVE_CARD);
+ /* FALLTHRU */
+ case DISCONNECTED:
+ hCard_status = DISCONNECTED;
+ }
+
+ rv = SCardReleaseContext(hContext);
+ if (rv != SCARD_S_SUCCESS)
+ {
+ DBG1(DBG_IKE, "SCardReleaseContext: %s", pcsc_stringify_error(rv));
+ }
+
+ free(mszReaders);
+ return found;
+}
+
+METHOD(sim_card_t, get_quintuplet, status_t,
+ private_eap_sim_pcsc_card_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+ char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len)
+{
+ return NOT_SUPPORTED;
+}
+
+METHOD(eap_sim_pcsc_card_t, destroy, void,
+ private_eap_sim_pcsc_card_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_sim_pcsc_card_t *eap_sim_pcsc_card_create()
+{
+ private_eap_sim_pcsc_card_t *this;
+
+ INIT(this,
+ .public = {
+ .card = {
+ .get_triplet = _get_triplet,
+ .get_quintuplet = _get_quintuplet,
+ .resync = (void*)return_false,
+ .get_pseudonym = (void*)return_null,
+ .set_pseudonym = (void*)nop,
+ .get_reauth = (void*)return_null,
+ .set_reauth = (void*)nop,
+ },
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
+
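Review bot: The two `SCardListReaders` error paths in `get_triplet` return without releasing the context established just above them, and the second one also leaks `mszReaders`; add `SCardReleaseContext(hContext);` before the first `return FALSE;` and `free(mszReaders); SCardReleaseContext(hContext);` before the second. `decode_imsi_ef` reads `input[0]` before it has checked `input_len < 2`, so a Read Binary response carrying only the status word (dwRecvLength == APDU_STATUS_LEN) compares against a byte the card never sent; reorder the condition to `if (input_len < 2 || input_len > 9 || input[0] != input_len-1)`. The `Get Response incorrect length: %b` line dumps the RUN GSM ALGORITHM response, i.e. whatever SRES/Kc material the card did return, into the DBG1 log; log only `dwRecvLength` there. `found` is declared `status_t` but assigned and returned as `bool`, so `bool found = FALSE;` matches the METHOD's return type. The hard-coded offset in `memcpy(kc, pbRecvBuffer+4, SIM_KC_LEN)` should be `pbRecvBuffer + SIM_SRES_LEN` so it tracks the length check on the line above it.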
diff --git a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.h b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.h
new file mode 100644
index 000000000..e7659656b
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2011 Duncan Salerno
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_pcsc_card eap_sim_pcsc_card
+ * @{ @ingroup eap_sim_pcsc
+ */
+
+#ifndef EAP_SIM_PCSC_CARD_H_
+#define EAP_SIM_PCSC_CARD_H_
+
+#include <sa/authenticators/eap/sim_manager.h>
+
+typedef struct eap_sim_pcsc_card_t eap_sim_pcsc_card_t;
+
+/**
+ * SIM card implementation using a PCSC reader.
+ */
+struct eap_sim_pcsc_card_t {
+
+ /**
+ * Implements sim_card_t interface
+ */
+ sim_card_t card;
+
+ /**
+ * Destroy a eap_sim_pcsc_card_t.
+ */
+ void (*destroy)(eap_sim_pcsc_card_t *this);
+};
+
+/**
+ * Create a eap_sim_pcsc_card instance.
+ */
+eap_sim_pcsc_card_t *eap_sim_pcsc_card_create();
+
+#endif /** EAP_SIM_PCSC_CARD_H_ @}*/
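Review bot: `eap_sim_pcsc_card_create()` is declared with an empty parameter list, which in C leaves the function unprototyped and lets a caller pass arguments unchecked; `eap_sim_pcsc_card_t *eap_sim_pcsc_card_create(void);` closes that. The definition in eap_sim_pcsc_card.c and `eap_sim_pcsc_plugin_create()` in eap_sim_pcsc_plugin.c have the same form and would take the same `(void)`.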
diff --git a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.c b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.c
new file mode 100644
index 000000000..44096455e
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2011 Duncan Salerno
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim_pcsc_plugin.h"
+#include "eap_sim_pcsc_card.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_sim_pcsc_plugin_t private_eap_sim_pcsc_plugin_t;
+
+/**
+ * Private data of an eap_sim_pcsc_t object.
+ */
+struct private_eap_sim_pcsc_plugin_t {
+
+ /**
+ * Public eap_sim_pcsc_plugin_t interface.
+ */
+ eap_sim_pcsc_plugin_t public;
+
+ /**
+ * SIM card
+ */
+ eap_sim_pcsc_card_t *card;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_eap_sim_pcsc_plugin_t *this)
+{
+ return "eap-sim-pcsc";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_eap_sim_pcsc_plugin_t *this)
+{
+ charon->sim->remove_card(charon->sim, &this->card->card);
+ this->card->destroy(this->card);
+ free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *eap_sim_pcsc_plugin_create()
+{
+ private_eap_sim_pcsc_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .card = eap_sim_pcsc_card_create(),
+ );
+ charon->sim->add_card(charon->sim, &this->card->card);
+
+ return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.h b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.h
new file mode 100644
index 000000000..a03ca1f9c
--- /dev/null
+++ b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_plugin.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2011 Duncan Salerno
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_sim_pcsc eap_sim_pcsc
+ * @ingroup cplugins
+ *
+ * @defgroup eap_sim_pcsc_plugin eap_sim_pcsc_plugin
+ * @{ @ingroup eap_sim_pcsc
+ */
+
+#ifndef EAP_SIM_PCSC_PLUGIN_H_
+#define EAP_SIM_PCSC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_sim_pcsc_plugin_t eap_sim_pcsc_plugin_t;
+
+/**
+ * Plugin to provide a SIM card from a PCSC reader.
+ */
+struct eap_sim_pcsc_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** EAP_SIM_PCSC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index a48fb652a..98e80bc71 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -246,6 +246,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -269,6 +271,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
index 81b9d7b00..06631b1c5 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_plugin.c
@@ -42,10 +42,14 @@ struct private_eap_simaka_pseudonym_t {
eap_simaka_pseudonym_provider_t *provider;
};
-/**
- * Implementation of eap_simaka_pseudonym_t.destroy.
- */
-static void destroy(private_eap_simaka_pseudonym_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_eap_simaka_pseudonym_t *this)
+{
+ return "eap-simaka-pseudonym";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_eap_simaka_pseudonym_t *this)
{
charon->sim->remove_card(charon->sim, &this->card->card);
charon->sim->remove_provider(charon->sim, &this->provider->provider);
@@ -61,11 +65,17 @@ plugin_t *eap_simaka_pseudonym_plugin_create()
{
private_eap_simaka_pseudonym_t *this;
- this = malloc_thing(private_eap_simaka_pseudonym_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .provider = eap_simaka_pseudonym_provider_create(),
+ );
- this->provider = eap_simaka_pseudonym_provider_create();
if (!this->provider)
{
free(this);
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index f2af3ae0d..56bc188b0 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -245,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -268,6 +270,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
index 987a0e109..343e4eefb 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_plugin.c
@@ -42,10 +42,14 @@ struct private_eap_simaka_reauth_t {
eap_simaka_reauth_provider_t *provider;
};
-/**
- * Implementation of eap_simaka_reauth_t.destroy.
- */
-static void destroy(private_eap_simaka_reauth_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_eap_simaka_reauth_t *this)
+{
+ return "eap-simaka-reauth";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_eap_simaka_reauth_t *this)
{
charon->sim->remove_card(charon->sim, &this->card->card);
charon->sim->remove_provider(charon->sim, &this->provider->provider);
@@ -59,11 +63,19 @@ static void destroy(private_eap_simaka_reauth_t *this)
*/
plugin_t *eap_simaka_reauth_plugin_create()
{
- private_eap_simaka_reauth_t *this = malloc_thing(private_eap_simaka_reauth_t);
+ private_eap_simaka_reauth_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .provider = eap_simaka_reauth_provider_create(),
+ );
- this->provider = eap_simaka_reauth_provider_create();
if (!this->provider)
{
free(this);
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 9a58a6055..93c7aed03 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
index 1cc5352d8..5a528153d 100644
--- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
@@ -47,6 +47,12 @@ struct private_eap_simaka_sql_t {
database_t *db;
};
+METHOD(plugin_t, get_name, char*,
+ private_eap_simaka_sql_t *this)
+{
+ return "eap-simaka-sql";
+}
+
METHOD(plugin_t, destroy, void,
private_eap_simaka_sql_t *this)
{
@@ -87,6 +93,8 @@ plugin_t *eap_simaka_sql_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 9ebb85be9..c58bced06 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index efe72c437..39e1a60d9 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -91,6 +91,18 @@ METHOD(eap_method_t, get_msk, status_t,
return FAILED;
}
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_tls_t *this)
+{
+ return this->tls_eap->get_identifier(this->tls_eap);
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_tls_t *this, u_int8_t identifier)
+{
+ this->tls_eap->set_identifier(this->tls_eap, identifier);
+}
+
METHOD(eap_method_t, is_mutual, bool,
private_eap_tls_t *this)
{
@@ -113,6 +125,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
private_eap_tls_t *this;
size_t frag_size;
int max_msg_count;
+ bool include_length;
tls_t *tls;
INIT(this,
@@ -123,6 +136,8 @@ static eap_tls_t *eap_tls_create(identification_t *server,
.get_type = _get_type,
.is_mutual = _is_mutual,
.get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.destroy = _destroy,
},
},
@@ -132,8 +147,11 @@ static eap_tls_t *eap_tls_create(identification_t *server,
"charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
max_msg_count = lib->settings->get_int(lib->settings,
"charon.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT);
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-tls.include_length", TRUE);
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL);
- this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count);
+ this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
+ include_length);
if (!this->tls_eap)
{
free(this);
diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.c b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c
index a7c040bf4..7afb79819 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls_plugin.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c
@@ -19,6 +19,11 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ eap_tls_plugin_t *this)
+{
+ return "eap-tls";
+}
METHOD(plugin_t, destroy, void,
eap_tls_plugin_t *this)
@@ -39,6 +44,8 @@ plugin_t *eap_tls_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index cf75585ef..dfc052bf8 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index dd4ed5322..ab3f87688 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -92,6 +92,18 @@ METHOD(eap_method_t, get_msk, status_t,
return FAILED;
}
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_tnc_t *this)
+{
+ return this->tls_eap->get_identifier(this->tls_eap);
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_tnc_t *this, u_int8_t identifier)
+{
+ this->tls_eap->set_identifier(this->tls_eap, identifier);
+}
+
METHOD(eap_method_t, is_mutual, bool,
private_eap_tnc_t *this)
{
@@ -114,6 +126,7 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
private_eap_tnc_t *this;
size_t frag_size;
int max_msg_count;
+ bool include_length;
char* protocol;
tnccs_type_t type;
tnccs_t *tnccs;
@@ -126,6 +139,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
.get_type = _get_type,
.is_mutual = _is_mutual,
.get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.destroy = _destroy,
},
},
@@ -135,7 +150,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
max_msg_count = lib->settings->get_int(lib->settings,
"charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
- protocol = lib->settings->get_str(lib->settings,
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-tnc.include_length", TRUE);
+ protocol = lib->settings->get_str(lib->settings,
"charon.plugins.eap-tnc.protocol", "tnccs-1.1");
if (strcaseeq(protocol, "tnccs-2.0"))
{
@@ -156,7 +173,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
return NULL;
}
tnccs = charon->tnccs->create_instance(charon->tnccs, type, is_server);
- this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count);
+ this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size,
+ max_msg_count, include_length);
if (!this->tls_eap)
{
free(this);
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
index 7430e4cac..93847e636 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
@@ -18,6 +18,12 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ eap_tnc_plugin_t *this)
+{
+ return "eap-tnc";
+}
+
METHOD(plugin_t, destroy, void,
eap_tnc_plugin_t *this)
{
@@ -37,6 +43,8 @@ plugin_t *eap_tnc_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index ff67686b2..d0d5341e2 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -246,6 +246,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -269,6 +271,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index a62af6ea4..7193bc9f0 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -93,6 +93,18 @@ METHOD(eap_method_t, get_msk, status_t,
return FAILED;
}
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_ttls_t *this)
+{
+ return this->tls_eap->get_identifier(this->tls_eap);
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_ttls_t *this, u_int8_t identifier)
+{
+ this->tls_eap->set_identifier(this->tls_eap, identifier);
+}
+
METHOD(eap_method_t, is_mutual, bool,
private_eap_ttls_t *this)
{
@@ -116,6 +128,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
private_eap_ttls_t *this;
size_t frag_size;
int max_msg_count;
+ bool include_length;
tls_t *tls;
INIT(this,
@@ -125,6 +138,8 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
.process = _process,
.get_type = _get_type,
.is_mutual = _is_mutual,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.get_msk = _get_msk,
.destroy = _destroy,
},
@@ -139,8 +154,11 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
"charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
max_msg_count = lib->settings->get_int(lib->settings,
"charon.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT);
- tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
- this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count);
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-ttls.include_length", TRUE);
+ tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
+ this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
+ include_length);
if (!this->tls_eap)
{
application->destroy(application);
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 29b0a9303..931eb2e89 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -64,17 +64,6 @@ struct private_eap_ttls_peer_t {
eap_ttls_avp_t *avp;
};
-/**
- * EAP packet format
- */
-typedef struct __attribute__((packed)) {
- u_int8_t code;
- u_int8_t identifier;
- u_int16_t length;
- u_int8_t type;
- u_int8_t data;
-} eap_packet_t;
-
#define MAX_RADIUS_ATTRIBUTE_SIZE 253
METHOD(tls_application_t, process, status_t,
@@ -174,17 +163,30 @@ METHOD(tls_application_t, process, status_t,
return FAILED;
}
+ /* yet another phase2 authentication? */
+ if (this->method)
+ {
+ type = this->method->get_type(this->method, &vendor);
+
+ if (type != received_type || vendor != received_vendor)
+ {
+ this->method->destroy(this->method);
+ this->method = NULL;
+ }
+ }
+
if (this->method == NULL)
{
if (received_vendor)
{
- DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
- received_type, received_vendor);
+ DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d "
+ "(id 0x%02X)", received_type, received_vendor,
+ in->get_identifier(in));
}
else
{
- DBG1(DBG_IKE, "server requested %N authentication",
- eap_type_names, received_type);
+ DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)",
+ eap_type_names, received_type, in->get_identifier(in));
}
this->method = charon->eap->create_instance(charon->eap,
received_type, received_vendor,
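Review bot: The new block destroys a running phase2 method whenever the server's requested type differs from it, without logging that a method was abandoned; before `this->method->destroy(this->method);` add `DBG1(DBG_IKE, "server switched phase2 EAP method from %N", eap_type_names, type);` (vendor-specific types would need the `%d-%d` form used below). Before this change a type mismatch was rejected as an invalid EAP request (the check removed in the next hunk), so the peer now accepts a server restarting inner authentication with a different method at any point; that is bounded by the outer TLS tunnel, but a debug line makes the transition visible when diagnosing a failed or unexpectedly weak inner authentication. `process` begins and ends outside this hunk.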
@@ -196,18 +198,10 @@ METHOD(tls_application_t, process, status_t,
in->destroy(in);
return NEED_MORE;
}
+ type = this->method->get_type(this->method, &vendor);
this->start_phase2 = FALSE;
}
- type = this->method->get_type(this->method, &vendor);
-
- if (type != received_type || vendor != received_vendor)
- {
- DBG1(DBG_IKE, "received invalid EAP request");
- in->destroy(in);
- return FAILED;
- }
-
status = this->method->process(this->method, in, &this->out);
in->destroy(in);
@@ -216,13 +210,8 @@ METHOD(tls_application_t, process, status_t,
case SUCCESS:
this->method->destroy(this->method);
this->method = NULL;
- return NEED_MORE;
+ /* fall through to NEED_MORE */
case NEED_MORE:
- if (type != EAP_TNC)
- {
- this->method->destroy(this->method);
- this->method = NULL;
- }
return NEED_MORE;
case FAILED:
default:
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
index 48e759dcc..cbc3929bb 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
@@ -19,6 +19,11 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ eap_ttls_plugin_t *this)
+{
+ return "eap-ttls";
+}
METHOD(plugin_t, destroy, void,
eap_ttls_plugin_t *this)
@@ -39,6 +44,8 @@ plugin_t *eap_ttls_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 21e8b78db..4ba29472d 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index d83bc1fd2..a30c11962 100644
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -43,6 +43,12 @@ struct private_farp_plugin_t {
farp_spoofer_t *spoofer;
};
+METHOD(plugin_t, get_name, char*,
+ private_farp_plugin_t *this)
+{
+ return "farp";
+}
+
METHOD(plugin_t, destroy, void,
private_farp_plugin_t *this)
{
@@ -62,6 +68,8 @@ plugin_t *farp_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 2fcd7cc82..fe72c5c8e 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index 1a9425423..707add94d 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -91,6 +91,10 @@ METHOD(listener_t, child_keys, bool,
{
m->add_attribute(m, HA_ALG_INTEG, alg);
}
+ if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, &alg, NULL))
+ {
+ m->add_attribute(m, HA_ESN, alg);
+ }
m->add_attribute(m, HA_NONCE_I, nonce_i);
m->add_attribute(m, HA_NONCE_R, nonce_r);
if (dh && dh->get_shared_secret(dh, &secret) == SUCCESS)
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 85dc0f4a4..0d0df8dd1 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -462,6 +462,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
u_int16_t inbound_cpi = 0, outbound_cpi = 0;
u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
u_int16_t encr = ENCR_UNDEFINED, integ = AUTH_UNDEFINED, len = 0;
+ u_int16_t esn = NO_EXT_SEQ_NUMBERS;
u_int seg_i, seg_o;
chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
chunk_t encr_i, integ_i, encr_r, integ_r;
@@ -512,6 +513,9 @@ static void process_child_add(private_ha_dispatcher_t *this,
case HA_ALG_INTEG:
integ = value.u16;
break;
+ case HA_ESN:
+ esn = value.u16;
+ break;
case HA_NONCE_I:
nonce_i = value.chunk;
break;
@@ -558,6 +562,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
{
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
}
+ proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
keymat = ike_sa->get_keymat(ike_sa);
if (!keymat->derive_child_keys(keymat, proposal, secret.ptr ? &dh : NULL,
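Review bot: `esn` reaches `proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);` straight from the HA_ESN attribute of a sync message, with no check that it is one of the two defined values, and nothing in this hunk shows the HA channel being authenticated, so a malformed or hostile sync message produces a proposal with an undefined ESN setting that is then fed to key derivation and the kernel. A guard next to the attribute handling such as `if (esn != NO_EXT_SEQ_NUMBERS && esn != EXT_SEQ_NUMBERS) { DBG1(DBG_CFG, "invalid HA_ESN value %d in CHILD_SA sync", esn); goto the existing error path; }` keeps the proposal well-formed. The existing encr/integ values are passed through just as unchecked, so this may be a deliberate trust assumption about the HA segment — if so, a comment stating that sync peers are trusted would make it explicit. process_child_add() starts and ends outside this hunk.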
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index 7ce9cbe09..f98f78dd4 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -234,6 +234,7 @@ METHOD(ha_message_t, add_attribute, void,
case HA_INBOUND_CPI:
case HA_OUTBOUND_CPI:
case HA_SEGMENT:
+ case HA_ESN:
{
u_int16_t val;
@@ -447,6 +448,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
case HA_INBOUND_CPI:
case HA_OUTBOUND_CPI:
case HA_SEGMENT:
+ case HA_ESN:
{
if (this->buf.len < sizeof(u_int16_t))
{
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 50e11830f..1f8eabd62 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -140,6 +140,8 @@ enum ha_message_attribute_t {
HA_MID,
/** u_int16_t, HA segment */
HA_SEGMENT,
+ /** u_int16_t, Extended Sequence numbers */
+ HA_ESN,
};
/**
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 581294e60..b4bde5ea5 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -91,6 +91,12 @@ struct private_ha_plugin_t {
ha_attribute_t *attr;
};
+METHOD(plugin_t, get_name, char*,
+ private_ha_plugin_t *this)
+{
+ return "ha";
+}
+
METHOD(plugin_t, destroy, void,
private_ha_plugin_t *this)
{
@@ -144,6 +150,8 @@ plugin_t *ha_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index fa1194fd0..db3a7c702 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/led/led_plugin.c b/src/libcharon/plugins/led/led_plugin.c
index 322d198ff..b6b69b466 100644
--- a/src/libcharon/plugins/led/led_plugin.c
+++ b/src/libcharon/plugins/led/led_plugin.c
@@ -37,6 +37,12 @@ struct private_led_plugin_t {
led_listener_t *listener;
};
+METHOD(plugin_t, get_name, char*,
+ private_led_plugin_t *this)
+{
+ return "led";
+}
+
METHOD(plugin_t, destroy, void,
private_led_plugin_t *this)
{
@@ -55,6 +61,8 @@ plugin_t *led_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index c921ec3db..1e9a5fe82 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -246,6 +246,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -269,6 +271,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index ef9d7f9ef..fdec5300e 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -54,8 +54,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
- u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts)
+ u_int16_t cpi, bool encap, bool esn, bool inbound,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
{
return SUCCESS;
}
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 8fd65adfa..94115e307 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -146,10 +146,14 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
return JOB_REQUEUE_NONE;
}
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_load_tester_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_load_tester_plugin_t *this)
+{
+ return "load-tester";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_load_tester_plugin_t *this)
{
this->iterations = -1;
this->mutex->lock(this->mutex);
@@ -188,32 +192,39 @@ plugin_t *load_tester_plugin_create()
return NULL;
}
- this = malloc_thing(private_load_tester_plugin_t);
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .delay = lib->settings->get_int(lib->settings,
+ "charon.plugins.load-tester.delay", 0),
+ .iterations = lib->settings->get_int(lib->settings,
+ "charon.plugins.load-tester.iterations", 1),
+ .initiators = lib->settings->get_int(lib->settings,
+ "charon.plugins.load-tester.initiators", 0),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+ .config = load_tester_config_create(),
+ .creds = load_tester_creds_create(),
+ .listener = load_tester_listener_create(shutdown_on),
+ );
lib->crypto->add_dh(lib->crypto, MODP_NULL, plugin_name,
(dh_constructor_t)load_tester_diffie_hellman_create);
+ charon->backends->add_backend(charon->backends, &this->config->backend);
+ lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
- this->delay = lib->settings->get_int(lib->settings,
- "charon.plugins.load-tester.delay", 0);
- this->iterations = lib->settings->get_int(lib->settings,
- "charon.plugins.load-tester.iterations", 1);
- this->initiators = lib->settings->get_int(lib->settings,
- "charon.plugins.load-tester.initiators", 0);
if (lib->settings->get_bool(lib->settings,
"charon.plugins.load-tester.shutdown_when_complete", 0))
{
shutdown_on = this->iterations * this->initiators;
}
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
- this->config = load_tester_config_create();
- this->creds = load_tester_creds_create();
- this->listener = load_tester_listener_create(shutdown_on);
- charon->backends->add_backend(charon->backends, &this->config->backend);
- lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
- charon->bus->add_listener(charon->bus, &this->listener->listener);
if (lib->settings->get_bool(lib->settings,
"charon.plugins.load-tester.fake_kernel", FALSE))
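Review bot: The listener is now created inside INIT() (`.listener = load_tester_listener_create(shutdown_on),`) before `shutdown_on` is computed from `this->iterations * this->initiators` further down in the hunk, so unless load_tester_listener_create() keeps a reference rather than a copy of its argument, `shutdown_when_complete` no longer has any effect — the listener always captures the initial value of `shutdown_on`. The original ordering read the settings, computed `shutdown_on`, and only then created the listener. Drop that initializer from INIT() and place `this->listener = load_tester_listener_create(shutdown_on); charon->bus->add_listener(charon->bus, &this->listener->listener);` after the `shutdown_when_complete` block; none of the other INIT() members depend on it. load_tester_plugin_create() continues past the end of this hunk.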
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 0ca1fa436..27e72295c 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -245,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -268,6 +270,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libcharon/plugins/maemo/maemo_plugin.c
index d4549f43a..38cb031b5 100644
--- a/src/libcharon/plugins/maemo/maemo_plugin.c
+++ b/src/libcharon/plugins/maemo/maemo_plugin.c
@@ -34,11 +34,16 @@ struct private_maemo_plugin_t {
* service
*/
maemo_service_t *service;
-
};
+METHOD(plugin_t, get_name, char*,
+ private_maemo_plugin_t *this)
+{
+ return "maemo";
+}
+
METHOD(plugin_t, destroy, void,
- private_maemo_plugin_t *this)
+ private_maemo_plugin_t *this)
{
this->service->destroy(this->service);
free(this);
@@ -54,6 +59,8 @@ plugin_t *maemo_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 372a436a6..83b457b46 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/medcli/medcli_plugin.c b/src/libcharon/plugins/medcli/medcli_plugin.c
index 6befbf440..469915476 100644
--- a/src/libcharon/plugins/medcli/medcli_plugin.c
+++ b/src/libcharon/plugins/medcli/medcli_plugin.c
@@ -54,10 +54,14 @@ struct private_medcli_plugin_t {
medcli_listener_t *listener;
};
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_medcli_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_medcli_plugin_t *this)
+{
+ return "medcli";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_medcli_plugin_t *this)
{
charon->bus->remove_listener(charon->bus, &this->listener->listener);
charon->backends->remove_backend(charon->backends, &this->config->backend);
@@ -75,9 +79,17 @@ static void destroy(private_medcli_plugin_t *this)
plugin_t *medcli_plugin_create()
{
char *uri;
- private_medcli_plugin_t *this = malloc_thing(private_medcli_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_medcli_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ );
uri = lib->settings->get_str(lib->settings,
"medcli.database", NULL);
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 4bb65bd09..068f311a5 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.c b/src/libcharon/plugins/medsrv/medsrv_plugin.c
index c150346cb..5df46d04f 100644
--- a/src/libcharon/plugins/medsrv/medsrv_plugin.c
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.c
@@ -48,10 +48,14 @@ struct private_medsrv_plugin_t {
medsrv_config_t *config;
};
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_medsrv_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_medsrv_plugin_t *this)
+{
+ return "medsrv";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_medsrv_plugin_t *this)
{
charon->backends->remove_backend(charon->backends, &this->config->backend);
lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
@@ -67,9 +71,17 @@ static void destroy(private_medsrv_plugin_t *this)
plugin_t *medsrv_plugin_create()
{
char *uri;
- private_medsrv_plugin_t *this = malloc_thing(private_medsrv_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_medsrv_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ );
uri = lib->settings->get_str(lib->settings,
"medsrv.database", NULL);
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
index 69af7bf83..308d27229 100644
--- a/src/libcharon/plugins/nm/Makefile.in
+++ b/src/libcharon/plugins/nm/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c
index fd0580bd6..f1d3be7a5 100644
--- a/src/libcharon/plugins/nm/nm_plugin.c
+++ b/src/libcharon/plugins/nm/nm_plugin.c
@@ -67,10 +67,14 @@ static job_requeue_t run(private_nm_plugin_t *this)
return JOB_REQUEUE_NONE;
}
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_nm_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_nm_plugin_t *this)
+{
+ return "nm";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_nm_plugin_t *this)
{
if (this->loop)
{
@@ -96,22 +100,29 @@ static void destroy(private_nm_plugin_t *this)
*/
plugin_t *nm_plugin_create()
{
- private_nm_plugin_t *this = malloc_thing(private_nm_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_nm_plugin_t *this;
- this->loop = NULL;
g_type_init ();
if (!g_thread_supported())
{
g_thread_init(NULL);
}
- this->creds = nm_creds_create();
- this->handler = nm_handler_create();
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .creds = nm_creds_create(),
+ .handler = nm_handler_create(),
+ .plugin = nm_strongswan_plugin_new(this->creds, this->handler),
+ );
+
hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
- this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
if (!this->plugin)
{
DBG1(DBG_CFG, "DBUS binding failed");
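Review bot: The initializer `.plugin = nm_strongswan_plugin_new(this->creds, this->handler),` inside INIT() reads `this->creds` and `this->handler` before they are set: INIT() in strongSwan's utils.h mallocs `this` and then assigns a compound literal to `*this`, so the initializer expressions see the uninitialized heap object (and the evaluation order of designated initializers is unspecified in any case), meaning the DBUS binding receives garbage pointers. Restore the original ordering by removing that initializer from INIT() and adding `this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);` after the INIT() block, ahead of the existing `if (!this->plugin)` check. nm_plugin_create() continues past the end of this hunk.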
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 3d2cef13c..e36fa6bb4 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 60937f23d..d20f32248 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -707,10 +707,14 @@ static job_requeue_t dispatch(private_smp_t *this)
return JOB_REQUEUE_DIRECT;
}
-/**
- * Implementation of itnerface_t.destroy.
- */
-static void destroy(private_smp_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_smp_t *this)
+{
+ return "smp";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_smp_t *this)
{
this->job->cancel(this->job);
close(this->socket);
@@ -723,10 +727,18 @@ static void destroy(private_smp_t *this)
plugin_t *smp_plugin_create()
{
struct sockaddr_un unix_addr = { AF_UNIX, IPSEC_PIDDIR "/charon.xml"};
- private_smp_t *this = malloc_thing(private_smp_t);
+ private_smp_t *this;
mode_t old;
- this->public.plugin.destroy = (void (*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ );
/* set up unix socket */
this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index b82372e30..95cb04d14 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c
index b5dea68b6..1bc8244d5 100644
--- a/src/libcharon/plugins/socket_default/socket_default_plugin.c
+++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c
@@ -32,9 +32,14 @@ struct private_socket_default_plugin_t {
* Implements plugin interface
*/
socket_default_plugin_t public;
-
};
+METHOD(plugin_t, get_name, char*,
+ private_socket_default_plugin_t *this)
+{
+ return "socket-default";
+}
+
METHOD(plugin_t, destroy, void,
private_socket_default_plugin_t *this)
{
@@ -53,6 +58,8 @@ plugin_t *socket_default_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 7a49088b2..97e3a713d 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
index a6ff14efd..c5ea37a10 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
@@ -32,9 +32,14 @@ struct private_socket_dynamic_plugin_t {
* Implements plugin interface
*/
socket_dynamic_plugin_t public;
-
};
+METHOD(plugin_t, get_name, char*,
+ private_socket_dynamic_plugin_t *this)
+{
+ return "socket-dynamic";
+}
+
METHOD(plugin_t, destroy, void,
private_socket_dynamic_plugin_t *this)
{
@@ -53,6 +58,8 @@ plugin_t *socket_dynamic_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in
index 744b12fcf..6f1a09c88 100644
--- a/src/libcharon/plugins/socket_raw/Makefile.in
+++ b/src/libcharon/plugins/socket_raw/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
index 17a3a8db7..5bd28bd42 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
+++ b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
@@ -32,9 +32,14 @@ struct private_socket_raw_plugin_t {
* Implements plugin interface
*/
socket_raw_plugin_t public;
-
};
+METHOD(plugin_t, get_name, char*,
+ private_socket_raw_plugin_t *this)
+{
+ return "socket-raw";
+}
+
METHOD(plugin_t, destroy, void,
private_socket_raw_plugin_t *this)
{
@@ -53,6 +58,8 @@ plugin_t *socket_raw_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 4244d3b5e..d7b43dcc9 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
index ad1eb91b1..d915d4696 100644
--- a/src/libcharon/plugins/sql/sql_plugin.c
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -53,6 +53,12 @@ struct private_sql_plugin_t {
sql_logger_t *logger;
};
+METHOD(plugin_t, get_name, char*,
+ private_sql_plugin_t *this)
+{
+ return "sql";
+}
+
METHOD(plugin_t, destroy, void,
private_sql_plugin_t *this)
{
@@ -84,6 +90,8 @@ plugin_t *sql_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index ccf3eeede..fd859daeb 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index ea7d17592..2b3164384 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -409,7 +409,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
else
{
- DBG1(DBG_CFG, "CA certificate %s not found, discarding CA "
+ DBG1(DBG_CFG, "CA certificate \"%s\" not found, discarding CA "
"constraint", ca);
}
}
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 3541ab8f9..4943ee670 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -92,48 +92,94 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
return found;
}
+/**
+ * call the charon controller to initiate the connection
+ */
+static void charon_initiate(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ stroke_msg_t *msg, FILE *out)
+{
+ if (msg->output_verbosity < 0)
+ {
+ charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+ NULL, NULL);
+ }
+ else
+ {
+ stroke_log_info_t info = { msg->output_verbosity, out };
+
+ charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+ (controller_cb_t)stroke_log, &info);
+ }
+}
+
METHOD(stroke_control_t, initiate, void,
private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
{
+ child_cfg_t *child_cfg = NULL;
peer_cfg_t *peer_cfg;
- child_cfg_t *child_cfg;
- stroke_log_info_t info;
+ enumerator_t *enumerator;
+ bool empty = TRUE;
peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
msg->initiate.name);
- if (peer_cfg == NULL)
- {
- DBG1(DBG_CFG, "no config named '%s'\n", msg->initiate.name);
- return;
- }
- if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ if (peer_cfg)
{
- DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
- peer_cfg->get_ike_version(peer_cfg));
- peer_cfg->destroy(peer_cfg);
- return;
- }
+ if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ {
+ DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
+ peer_cfg->get_ike_version(peer_cfg));
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
- child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
- if (child_cfg == NULL)
- {
- DBG1(DBG_CFG, "no child config named '%s'\n", msg->initiate.name);
- peer_cfg->destroy(peer_cfg);
- return;
- }
+ child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
+ if (child_cfg == NULL)
+ {
+ enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+ while (enumerator->enumerate(enumerator, &child_cfg))
+ {
+ empty = FALSE;
+ charon_initiate(peer_cfg->get_ref(peer_cfg),
+ child_cfg->get_ref(child_cfg), msg, out);
+ }
+ enumerator->destroy(enumerator);
- if (msg->output_verbosity < 0)
- {
- charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- NULL, NULL);
+ if (empty)
+ {
+ DBG1(DBG_CFG, "no child config named '%s'", msg->initiate.name);
+ fprintf(out, "no child config named '%s'\n", msg->initiate.name);
+ }
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
}
else
{
- info.out = out;
- info.level = msg->output_verbosity;
- charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- (controller_cb_t)stroke_log, &info);
+ enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+ NULL, NULL, NULL, NULL);
+ while (enumerator->enumerate(enumerator, &peer_cfg))
+ {
+ if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ {
+ continue;
+ }
+ child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
+ if (child_cfg)
+ {
+ peer_cfg->get_ref(peer_cfg);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (child_cfg == NULL)
+ {
+ DBG1(DBG_CFG, "no config named '%s'", msg->initiate.name);
+ fprintf(out, "no config named '%s'\n", msg->initiate.name);
+ return;
+ }
}
+ charon_initiate(peer_cfg, child_cfg, msg, out);
}
/**
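Review bot: The IKEv1 rejection at `DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config", ...)` is the only failure path in this hunk that does not also report to `out`, so a user running the stroke command on an IKEv1 connection gets no feedback while both `no ... config named` cases now print one; add `fprintf(out, "ignoring initiation request for IKEv%d config\n", peer_cfg->get_ike_version(peer_cfg));` before the destroy. In the fallback branch, when a child name exists under more than one peer config the first one enumerated wins silently — a `DBG1(DBG_CFG, "initiating '%s' from peer config '%s'", msg->initiate.name, peer_cfg->get_name(peer_cfg));` would make that choice visible in the log. charon_initiate() appears to hand the references it receives to the controller, which is why the loop calls `get_ref()` on both configs; a one-line comment on the helper stating that it takes ownership of peer_cfg and child_cfg would keep that invariant explicit for the next caller.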
@@ -470,41 +516,90 @@ METHOD(stroke_control_t, purge_ike, void,
list->destroy(list);
}
+/**
+ * call charon to install a trap
+ */
+static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ char *name, FILE *out)
+{
+ if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
+ {
+ fprintf(out, "'%s' routed\n", name);
+ }
+ else
+ {
+ fprintf(out, "routing '%s' failed\n", name);
+ }
+}
+
METHOD(stroke_control_t, route, void,
private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
{
+ child_cfg_t *child_cfg = NULL;
peer_cfg_t *peer_cfg;
- child_cfg_t *child_cfg;
+ enumerator_t *enumerator;
+ bool empty = TRUE;
peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
msg->route.name);
- if (peer_cfg == NULL)
- {
- fprintf(out, "no config named '%s'\n", msg->route.name);
- return;
- }
- if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ if (peer_cfg)
{
- peer_cfg->destroy(peer_cfg);
- return;
- }
+ if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ {
+ DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
+ peer_cfg->get_ike_version(peer_cfg));
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
- child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
- if (child_cfg == NULL)
- {
- fprintf(out, "no child config named '%s'\n", msg->route.name);
- peer_cfg->destroy(peer_cfg);
- return;
- }
+ child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
+ if (child_cfg == NULL)
+ {
+ enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+ while (enumerator->enumerate(enumerator, &child_cfg))
+ {
+ empty = FALSE;
+ charon_route(peer_cfg, child_cfg, child_cfg->get_name(child_cfg),
+ out);
+ }
+ enumerator->destroy(enumerator);
- if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
- {
- fprintf(out, "configuration '%s' routed\n", msg->route.name);
+ if (empty)
+ {
+ DBG1(DBG_CFG, "no child config named '%s'", msg->route.name);
+ fprintf(out, "no child config named '%s'\n", msg->route.name);
+ }
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
}
else
{
- fprintf(out, "routing configuration '%s' failed\n", msg->route.name);
+ enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+ NULL, NULL, NULL, NULL);
+ while (enumerator->enumerate(enumerator, &peer_cfg))
+ {
+ if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ {
+ continue;
+ }
+ child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
+ if (child_cfg)
+ {
+ peer_cfg->get_ref(peer_cfg);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (child_cfg == NULL)
+ {
+ DBG1(DBG_CFG, "no config named '%s'", msg->route.name);
+ fprintf(out, "no config named '%s'\n", msg->route.name);
+ return;
+ }
}
+ charon_route(peer_cfg, child_cfg, msg->route.name, out);
peer_cfg->destroy(peer_cfg);
child_cfg->destroy(child_cfg);
}
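Review bot: The log line in the IKE-version guard near the top of the hunk is copied from initiate and reports a routing attempt as an initiation: `DBG1(DBG_CFG, "ignoring routing request for IKEv%d config",`. That guard also writes nothing to `out`, so the stroke client sees a silent no-op for a non-IKEv2 config while the 'no config named' and 'no child config named' paths in the same function do report to `out`; a matching `fprintf(out, ...)` would keep the failure modes consistent. In the fallback branch only `peer_cfg` is explicitly ref'd before `break`, and the final `child_cfg->destroy` relies on `get_child_from_peer` returning its own reference — that helper is outside the hunk, so worth confirming.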
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 83e5a9ad6..baf02a6da 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -280,7 +280,7 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
chunk = crl->get_authKeyIdentifier(crl);
hex = chunk_to_hex(chunk, NULL, FALSE);
- snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
+ snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
free(hex.ptr);
if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
@@ -518,7 +518,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
return FALSE;
}
- snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
+ snprintf(smartcard, sizeof(smartcard), "%.*s", (int)sc.len, sc.ptr);
smartcard[sizeof(smartcard) - 1] = '\0';
/* parse slot and key id. Three formats are supported:
@@ -536,7 +536,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
return FALSE;
}
*pos = '\0';
- strcpy(keyid, pos + 1);
+ strncpy(keyid, pos + 1, sizeof(keyid));
format = SC_FORMAT_SLOT_MODULE_KEYID;
}
else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
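Review bot: `strncpy(keyid, pos + 1, sizeof(keyid))` leaves `keyid` without a terminating NUL whenever the remainder of `smartcard` is at least `sizeof(keyid)` bytes long, and nothing in the hunk terminates it afterwards, so later use of `keyid` as a C string can read past the array. `snprintf(keyid, sizeof(keyid), "%s", pos + 1);` gives the bounded, always-terminated copy that was intended. The unchanged `sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid)` on the last line writes into `keyid` with no field width at all, so the same bound is missing on that path; a width of `sizeof(keyid) - 1` in the format would close it, but the declaration of `keyid` and the rest of load_pin are outside the hunk, so the exact width must be checked against it.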
@@ -660,13 +660,13 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
if (*filename.ptr == '/')
{
/* absolute path name */
- snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
+ snprintf(path, sizeof(path), "%.*s", (int)filename.len, filename.ptr);
}
else
{
/* relative path name */
snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
- filename.len, filename.ptr);
+ (int)filename.len, filename.ptr);
}
/* check for optional passphrase */
@@ -768,6 +768,8 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
if (ugh != NULL)
{
DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+ shared_key->destroy(shared_key);
+ owners->destroy_offset(owners, offsetof(identification_t, destroy));
return FALSE;
}
if (id.len == 0)
@@ -874,7 +876,8 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
DBG1(DBG_CFG, "include pattern too long, ignored");
continue;
}
- snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr);
+ snprintf(pattern, sizeof(pattern), "%.*s",
+ (int)line.len, line.ptr);
}
else
{ /* use directory of current file if relative */
@@ -888,7 +891,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
continue;
}
snprintf(pattern, sizeof(pattern), "%s/%.*s",
- dir, line.len, line.ptr);
+ dir, (int)line.len, line.ptr);
free(dir);
}
if (glob(pattern, GLOB_ERR, NULL, &buf) != 0)
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 36311f092..6c42f8f8a 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -402,7 +402,8 @@ METHOD(stroke_list_t, status, void,
if (all)
{
peer_cfg_t *peer_cfg;
- char *plugin, *pool;
+ plugin_t *plugin;
+ char *pool;
host_t *host;
u_int32_t dpd;
time_t since, now;
@@ -431,7 +432,7 @@ METHOD(stroke_list_t, status, void,
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (enumerator->enumerate(enumerator, &plugin))
{
- fprintf(out, "%s ", plugin);
+ fprintf(out, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
fprintf(out, "\n");
@@ -1069,12 +1070,12 @@ static void print_alg(FILE *out, int *len, enum_name_t *alg_names, int alg_type,
{
char alg_name[BUF_LEN];
int alg_name_len;
-
+
alg_name_len = sprintf(alg_name, " %N[%s]", alg_names, alg_type, plugin_name);
if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
{
fprintf(out, "\n ");
- *len = 13;
+ *len = 13;
}
fprintf(out, "%s", alg_name);
*len += alg_name_len;
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 2e83d0d28..2884db4bf 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -36,6 +36,12 @@ struct private_stroke_plugin_t {
stroke_socket_t *socket;
};
+METHOD(plugin_t, get_name, char*,
+ private_stroke_plugin_t *this)
+{
+ return "stroke";
+}
+
METHOD(plugin_t, destroy, void,
private_stroke_plugin_t *this)
{
@@ -53,6 +59,8 @@ plugin_t *stroke_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
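Review bot: `.reload = (void*)return_false` installs the stub through a `void*` cast, which hides any mismatch between `return_false`'s signature and the `reload` callback type and is not strictly conforming C for function pointers; if `return_false` does not take a `plugin_t*`, the call is technically undefined even where the ABI tolerates it. A stub with the callback's own signature, `METHOD(plugin_t, reload, bool, private_stroke_plugin_t *this) { return FALSE; }` registered as `.reload = _reload,`, keeps the type checker involved. The same cast appears in the tnc_imc_plugin.c, tnc_imv_plugin.c and tnccs_11_plugin.c hunks of this commit.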
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 18e77905d..88d0270d8 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -122,7 +122,7 @@ static void pop_string(stroke_msg_t *msg, char **string)
/* check for sanity of string pointer and string */
if (string < (char**)msg ||
- string > (char**)msg + sizeof(stroke_msg_t) ||
+ string > (char**)((char*)msg + sizeof(stroke_msg_t)) ||
(unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) ||
(unsigned long)*string > msg->length)
{
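Review bot: The corrected upper bound still uses `>`, so a `string` pointer equal to `(char**)((char*)msg + sizeof(stroke_msg_t))` passes the check although it lies entirely past the struct, and likewise an offset equal to `msg->length` passes the last comparison although it addresses one byte past the declared message. Both bounds should be exclusive: `string >= (char**)((char*)msg + sizeof(stroke_msg_t)) ||` and `(unsigned long)*string >= msg->length)`. Since these values come straight from the message read off the stroke socket, a one-line comment such as `/* both bounds exclusive: the pointer must lie inside the struct, the offset inside the declared length */` would make the invariant explicit; the rest of pop_string, including how the offset is applied, is outside the hunk.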
@@ -396,7 +396,7 @@ static void stroke_export(private_stroke_socket_t *this,
{
if (cert->get_encoding(cert, CERT_PEM, &encoded))
{
- fprintf(out, "%.*s", encoded.len, encoded.ptr);
+ fprintf(out, "%.*s", (int)encoded.len, encoded.ptr);
free(encoded.ptr);
}
}
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index dc44408ff..c2bc35dc5 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.c b/src/libcharon/plugins/tnc_imc/tnc_imc.c
index 174084436..d7fc2c65d 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.c
@@ -19,11 +19,12 @@
#include <debug.h>
#include <library.h>
+#include <threading/mutex.h>
typedef struct private_tnc_imc_t private_tnc_imc_t;
/**
- * Private data of an imv_t object.
+ * Private data of an imc_t object.
*/
struct private_tnc_imc_t {
@@ -61,6 +62,11 @@ struct private_tnc_imc_t {
* Number of supported message types
*/
TNC_UInt32 type_count;
+
+ /**
+ * mutex to lock the imc_t object
+ */
+ mutex_t *mutex;
};
METHOD(imc_t, set_id, void,
@@ -85,6 +91,14 @@ METHOD(imc_t, set_message_types, void,
private_tnc_imc_t *this, TNC_MessageTypeList supported_types,
TNC_UInt32 type_count)
{
+ char buf[512];
+ char *pos = buf;
+ int len = sizeof(buf);
+ int written;
+
+ /* lock the imc_t instance */
+ this->mutex->lock(this->mutex);
+
/* Free an existing MessageType list */
free(this->supported_types);
this->supported_types = NULL;
@@ -94,11 +108,27 @@ METHOD(imc_t, set_message_types, void,
if (type_count && supported_types)
{
size_t size = type_count * sizeof(TNC_MessageType);
+ int i;
+ for (i = 0; i < type_count; i++)
+ {
+ written = snprintf(pos, len, " 0x%08x", supported_types[i]);
+ if (written >= len)
+ {
+ break;
+ }
+ pos += written;
+ len -= written;
+ }
this->supported_types = malloc(size);
memcpy(this->supported_types, supported_types, size);
}
- DBG2(DBG_TNC, "IMC %u supports %u message types", this->id, type_count);
+ *pos = '\0';
+ DBG2(DBG_TNC, "IMC %u supports %u message types:%s",
+ this->id, type_count, buf);
+
+ /* lock the imc_t instance */
+ this->mutex->unlock(this->mutex);
}
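Review bot: The comment above the `unlock` at the end of the hunk says `/* lock the imc_t instance */`; it should read `/* unlock the imc_t instance */`, and the same copy appears in the set_message_types hunk of tnc_imv.c. In the formatting loop `i` is an `int` compared against the `TNC_UInt32` `type_count`, which draws a sign-compare warning and is cleaner as `TNC_UInt32 i;`; a negative return from `snprintf` is also not handled and would move `pos` backwards, so `if (written < 0 || written >= len)` is the safer break condition. Within the hunk the new mutex is taken only in this method; if `type_supported` reads `supported_types` without it (that method is outside the hunk), the lock does not yet protect the reader side — worth confirming.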
METHOD(imc_t, type_supported, bool,
@@ -132,6 +162,7 @@ METHOD(imc_t, destroy, void,
private_tnc_imc_t *this)
{
dlclose(this->handle);
+ this->mutex->destroy(this->mutex);
free(this->supported_types);
free(this->name);
free(this->path);
@@ -156,6 +187,7 @@ imc_t* tnc_imc_create(char *name, char *path)
},
.name = name,
.path = path,
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
this->handle = dlopen(path, RTLD_LAZY);
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
index e18f1b006..25a6a1cc4 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
@@ -28,6 +28,12 @@ TNC_Result TNC_TNCC_ReportMessageTypes(TNC_IMCID imc_id,
TNC_MessageTypeList supported_types,
TNC_UInt32 type_count)
{
+ if (!charon->imcs->is_registered(charon->imcs, imc_id))
+ {
+ DBG1(DBG_TNC, "ignoring ReportMessageTypes() from unregistered IMC %u",
+ imc_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->imcs->set_message_types(charon->imcs, imc_id,
supported_types, type_count);
}
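Review bot: The new `is_registered` guard and the `set_message_types` call that follows it are two separate traversals of the IMC list, so an IMC removed between them is still dispatched to; the manager already enumerates the list inside `set_message_types`, so returning `TNC_RESULT_INVALID_PARAMETER` from there when no IMC matches would make the check and the use a single operation. Whether the list is locked across one traversal is not visible in the hunk. The same two-step pattern is used in the `RequestHandshakeRetry` and `SendMessage` hunks of this file and in all six hunks of tnc_imv_bind_function.c; the guard is still a good addition, as it rejects calls naming an IMC the manager no longer knows.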
@@ -39,6 +45,12 @@ TNC_Result TNC_TNCC_RequestHandshakeRetry(TNC_IMCID imc_id,
TNC_ConnectionID connection_id,
TNC_RetryReason reason)
{
+ if (!charon->imcs->is_registered(charon->imcs, imc_id))
+ {
+ DBG1(DBG_TNC, "ignoring RequestHandshakeRetry() from unregistered IMC %u",
+ imc_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->request_handshake_retry(charon->tnccs, TRUE, imc_id,
connection_id, reason);
}
@@ -52,6 +64,12 @@ TNC_Result TNC_TNCC_SendMessage(TNC_IMCID imc_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
+ if (!charon->imcs->is_registered(charon->imcs, imc_id))
+ {
+ DBG1(DBG_TNC, "ignoring SendMessage() from unregistered IMC %u",
+ imc_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->send_message(charon->tnccs, imc_id, TNC_IMVID_ANY,
connection_id, msg, msg_len, msg_type);
}
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
index aa20534f5..ccf6aea67 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
@@ -77,7 +77,7 @@ METHOD(imc_manager_t, remove_, imc_t*,
private_tnc_imc_manager_t *this, TNC_IMCID id)
{
enumerator_t *enumerator;
- imc_t *imc;
+ imc_t *imc, *removed_imc = NULL;
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
@@ -85,11 +85,34 @@ METHOD(imc_manager_t, remove_, imc_t*,
if (id == imc->get_id(imc))
{
this->imcs->remove_at(this->imcs, enumerator);
- return imc;
+ removed_imc = imc;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return removed_imc;
+}
+
+METHOD(imc_manager_t, is_registered, bool,
+ private_tnc_imc_manager_t *this, TNC_IMCID id)
+{
+ enumerator_t *enumerator;
+ imc_t *imc;
+ bool found = FALSE;
+
+ enumerator = this->imcs->create_enumerator(this->imcs);
+ while (enumerator->enumerate(enumerator, &imc))
+ {
+ if (id == imc->get_id(imc))
+ {
+ found = TRUE;
+ break;
}
}
enumerator->destroy(enumerator);
- return NULL;
+
+ return found;
}
METHOD(imc_manager_t, get_preferred_language, char*,
@@ -160,6 +183,7 @@ METHOD(imc_manager_t, receive_message, void,
TNC_UInt32 message_len,
TNC_MessageType message_type)
{
+ bool type_supported = FALSE;
enumerator_t *enumerator;
imc_t *imc;
@@ -168,11 +192,16 @@ METHOD(imc_manager_t, receive_message, void,
{
if (imc->receive_message && imc->type_supported(imc, message_type))
{
+ type_supported = TRUE;
imc->receive_message(imc->get_id(imc), connection_id,
message, message_len, message_type);
}
}
enumerator->destroy(enumerator);
+ if (!type_supported)
+ {
+ DBG2(DBG_TNC, "message type 0x%08x not supported by any IMC", message_type);
+ }
}
METHOD(imc_manager_t, batch_ending, void,
@@ -222,6 +251,7 @@ imc_manager_t* tnc_imc_manager_create(void)
.public = {
.add = _add,
.remove = _remove_, /* avoid name conflict with stdio.h */
+ .is_registered = _is_registered,
.get_preferred_language = _get_preferred_language,
.notify_connection_change = _notify_connection_change,
.begin_handshake = _begin_handshake,
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
index 89888040a..bc13b8735 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
@@ -130,6 +130,12 @@ static bool load_imcs(char *filename)
}
if (!charon->imcs->add(charon->imcs, imc))
{
+ if (imc->terminate &&
+ imc->terminate(imc->get_id(imc)) != TNC_RESULT_SUCCESS)
+ {
+ DBG1(DBG_TNC, "IMC \"%s\" not terminated successfully",
+ imc->get_name(imc));
+ }
imc->destroy(imc);
return FALSE;
}
@@ -141,6 +147,12 @@ static bool load_imcs(char *filename)
return TRUE;
}
+METHOD(plugin_t, get_name, char*,
+ tnc_imc_plugin_t *this)
+{
+ return "tnc-imc";
+}
+
METHOD(plugin_t, destroy, void,
tnc_imc_plugin_t *this)
{
@@ -158,6 +170,8 @@ plugin_t *tnc_imc_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index 0324d2eb9..fb96150f4 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c
index f88b645d6..fe628ee7e 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c
@@ -19,6 +19,7 @@
#include <debug.h>
#include <library.h>
+#include <threading/mutex.h>
typedef struct private_tnc_imv_t private_tnc_imv_t;
@@ -61,6 +62,11 @@ struct private_tnc_imv_t {
* Number of supported message types
*/
TNC_UInt32 type_count;
+
+ /**
+ * mutex to lock the imv_t object
+ */
+ mutex_t *mutex;
};
METHOD(imv_t, set_id, void,
@@ -85,6 +91,14 @@ METHOD(imv_t, set_message_types, void,
private_tnc_imv_t *this, TNC_MessageTypeList supported_types,
TNC_UInt32 type_count)
{
+ char buf[512];
+ char *pos = buf;
+ int len = sizeof(buf);
+ int written;
+
+ /* lock the imv_t instance */
+ this->mutex->lock(this->mutex);
+
/* Free an existing MessageType list */
free(this->supported_types);
this->supported_types = NULL;
@@ -95,10 +109,27 @@ METHOD(imv_t, set_message_types, void,
{
size_t size = type_count * sizeof(TNC_MessageType);
+ int i;
+
+ for (i = 0; i < type_count; i++)
+ {
+ written = snprintf(pos, len, " 0x%08x", supported_types[i]);
+ if (written >= len)
+ {
+ break;
+ }
+ pos += written;
+ len -= written;
+ }
this->supported_types = malloc(size);
memcpy(this->supported_types, supported_types, size);
}
- DBG2(DBG_TNC, "IMV %u supports %u message types", this->id, type_count);
+ *pos = '\0';
+ DBG2(DBG_TNC, "IMV %u supports %u message types:%s",
+ this->id, type_count, buf);
+
+ /* lock the imv_t instance */
+ this->mutex->unlock(this->mutex);
}
METHOD(imv_t, type_supported, bool,
@@ -132,6 +163,7 @@ METHOD(imv_t, destroy, void,
private_tnc_imv_t *this)
{
dlclose(this->handle);
+ this->mutex->destroy(this->mutex);
free(this->supported_types);
free(this->name);
free(this->path);
@@ -156,6 +188,7 @@ imv_t* tnc_imv_create(char *name, char *path)
},
.name = name,
.path = path,
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
this->handle = dlopen(path, RTLD_LAZY);
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
index 0ea52f08e..0ed00b001 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
@@ -28,6 +28,12 @@ TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id,
TNC_MessageTypeList supported_types,
TNC_UInt32 type_count)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring ReportMessageTypes() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->imvs->set_message_types(charon->imvs, imv_id,
supported_types, type_count);
}
@@ -39,6 +45,12 @@ TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id,
TNC_ConnectionID connection_id,
TNC_RetryReason reason)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring RequestHandshakeRetry() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->request_handshake_retry(charon->tnccs, FALSE, imv_id,
connection_id, reason);
}
@@ -52,6 +64,12 @@ TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring SendMessage() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->send_message(charon->tnccs, TNC_IMCID_ANY, imv_id,
connection_id, msg, msg_len, msg_type);
}
@@ -65,6 +83,12 @@ TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id,
TNC_IMV_Action_Recommendation recommendation,
TNC_IMV_Evaluation_Result evaluation)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring ProvideRecommendation() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->provide_recommendation(charon->tnccs, imv_id,
connection_id, recommendation, evaluation);
}
@@ -80,6 +104,12 @@ TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id,
TNC_BufferReference buffer,
TNC_UInt32 *out_value_len)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring GetAttribute() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->get_attribute(charon->tnccs, imv_id, connection_id,
attribute_id, buffer_len, buffer, out_value_len);
}
@@ -94,6 +124,12 @@ TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id,
TNC_UInt32 buffer_len,
TNC_BufferReference buffer)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring SetAttribute() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->set_attribute(charon->tnccs, imv_id, connection_id,
attribute_id, buffer_len, buffer);
}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index 559de86d0..579ab06ff 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -84,7 +84,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
private_tnc_imv_manager_t *this, TNC_IMVID id)
{
enumerator_t *enumerator;
- imv_t *imv;
+ imv_t *imv, *removed_imv = NULL;
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
@@ -92,11 +92,34 @@ METHOD(imv_manager_t, remove_, imv_t*,
if (id == imv->get_id(imv))
{
this->imvs->remove_at(this->imvs, enumerator);
- return imv;
+ removed_imv = imv;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return removed_imv;
+}
+
+METHOD(imv_manager_t, is_registered, bool,
+ private_tnc_imv_manager_t *this, TNC_IMVID id)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+ bool found = FALSE;
+
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (id == imv->get_id(imv))
+ {
+ found = TRUE;
+ break;
}
}
enumerator->destroy(enumerator);
- return NULL;
+
+ return found;
}
METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t,
@@ -112,36 +135,56 @@ METHOD(imv_manager_t, create_recommendations, recommendations_t*,
}
METHOD(imv_manager_t, enforce_recommendation, bool,
- private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+ private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
{
char *group;
identification_t *id;
ike_sa_t *ike_sa;
auth_cfg_t *auth;
+ bool no_access = FALSE;
+
+ DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
switch (rec)
{
case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
- DBG1(DBG_TNC, "TNC recommendation is allow");
group = "allow";
break;
case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
- DBG1(DBG_TNC, "TNC recommendation is isolate");
group = "isolate";
break;
case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
default:
- DBG1(DBG_TNC, "TNC recommendation is none");
- return FALSE;
+ group = "no access";
+ no_access = TRUE;
+ break;
}
+
ike_sa = charon->bus->get_sa(charon->bus);
- if (ike_sa)
+ if (!ike_sa)
+ {
+ DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
+ return FALSE;
+ }
+
+ id = ike_sa->get_other_id(ike_sa);
+ DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
+
+ if (no_access)
{
+ return FALSE;
+ }
+ else
+ {
auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
id = identification_create_from_string(group);
auth->add(auth, AUTH_RULE_GROUP, id);
- DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+ DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
+ group);
}
return TRUE;
}
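Review bot: `if (no_access) { return FALSE; } else { ... }` — the `else` after an unconditional `return` is redundant; dropping it and dedenting the group-adding code reads more naturally. The `default:` arm maps `NO_RECOMMENDATION` and any unknown value to "no access", which is the right fail-closed choice and deserves a one-line comment, e.g. `/* anything but an explicit allow/isolate is treated as no access */`. `id` is reused for two different things (the peer identity from `get_other_id`, then the group identity handed to `auth->add`); a separate local such as `group_id` would avoid the reuse.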
@@ -208,6 +251,7 @@ METHOD(imv_manager_t, receive_message, void,
TNC_UInt32 message_len,
TNC_MessageType message_type)
{
+ bool type_supported = FALSE;
enumerator_t *enumerator;
imv_t *imv;
@@ -216,11 +260,16 @@ METHOD(imv_manager_t, receive_message, void,
{
if (imv->receive_message && imv->type_supported(imv, message_type))
{
+ type_supported = TRUE;
imv->receive_message(imv->get_id(imv), connection_id,
message, message_len, message_type);
}
}
enumerator->destroy(enumerator);
+ if (!type_supported)
+ {
+ DBG2(DBG_TNC, "message type 0x%08x not supported by any IMV", message_type);
+ }
}
METHOD(imv_manager_t, batch_ending, void,
@@ -271,6 +320,7 @@ imv_manager_t* tnc_imv_manager_create(void)
.public = {
.add = _add,
.remove = _remove_, /* avoid name conflict with stdio.h */
+ .is_registered = _is_registered,
.get_recommendation_policy = _get_recommendation_policy,
.create_recommendations = _create_recommendations,
.enforce_recommendation = _enforce_recommendation,
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
index f238f01ea..45cf95c1b 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -130,6 +130,12 @@ static bool load_imvs(char *filename)
}
if (!charon->imvs->add(charon->imvs, imv))
{
+ if (imv->terminate &&
+ imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
+ {
+ DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
+ imv->get_name(imv));
+ }
imv->destroy(imv);
return FALSE;
}
@@ -141,6 +147,12 @@ static bool load_imvs(char *filename)
return TRUE;
}
+METHOD(plugin_t, get_name, char*,
+ tnc_imv_plugin_t *this)
+{
+ return "tnc-imv";
+}
+
METHOD(plugin_t, destroy, void,
tnc_imv_plugin_t *this)
{
@@ -158,6 +170,8 @@ plugin_t *tnc_imv_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index 5ab7ccbca..308dd57ca 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -247,6 +247,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -270,6 +272,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
index 2104bf401..86f1c269f 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -77,6 +77,11 @@ struct private_tnccs_11_t {
bool delete_state;
/**
+ * SendMessage() by IMC/IMV only allowed if flag is set
+ */
+ bool send_msg;
+
+ /**
* Flag set by IMC/IMV RequestHandshakeRetry() function
*/
bool request_handshake_retry;
@@ -87,7 +92,7 @@ struct private_tnccs_11_t {
recommendations_t *recs;
};
-METHOD(tnccs_t, send_msg, void,
+METHOD(tnccs_t, send_msg, TNC_Result,
private_tnccs_11_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
TNC_BufferReference msg,
TNC_UInt32 msg_len,
@@ -95,6 +100,13 @@ METHOD(tnccs_t, send_msg, void,
{
tnccs_msg_t *tnccs_msg;
+ if (!this->send_msg)
+ {
+ DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()",
+ this->is_server ? "IMV" : "IMC",
+ this->is_server ? imv_id : imc_id);
+ return TNC_RESULT_ILLEGAL_OPERATION;
+ }
tnccs_msg = imc_imv_msg_create(msg_type, chunk_create(msg, msg_len));
/* adding an IMC-IMV Message to TNCCS batch */
@@ -105,6 +117,7 @@ METHOD(tnccs_t, send_msg, void,
}
this->batch->add_msg(this->batch, tnccs_msg);
this->mutex->unlock(this->mutex);
+ return TNC_RESULT_SUCCESS;
}
/**
@@ -126,6 +139,7 @@ static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg)
DBG2(DBG_TNC, "handling IMC_IMV message type 0x%08x", msg_type);
+ this->send_msg = TRUE;
if (this->is_server)
{
charon->imvs->receive_message(charon->imvs,
@@ -136,6 +150,7 @@ static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg)
charon->imcs->receive_message(charon->imcs,
this->connection_id, msg_body.ptr, msg_body.len,msg_type);
}
+ this->send_msg = FALSE;
break;
}
case TNCCS_MSG_RECOMMENDATION:
@@ -237,6 +252,8 @@ METHOD(tls_t, process, status_t,
}
charon->imvs->notify_connection_change(charon->imvs,
this->connection_id, TNC_CONNECTION_STATE_CREATE);
+ charon->imvs->notify_connection_change(charon->imvs,
+ this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
}
data = chunk_create(buf, buflen);
@@ -284,6 +301,7 @@ METHOD(tls_t, process, status_t,
return FAILED;
}
+ this->send_msg = TRUE;
if (this->is_server)
{
charon->imvs->batch_ending(charon->imvs, this->connection_id);
@@ -292,6 +310,7 @@ METHOD(tls_t, process, status_t,
{
charon->imcs->batch_ending(charon->imcs, this->connection_id);
}
+ this->send_msg = FALSE;
}
batch->destroy(batch);
@@ -369,13 +388,15 @@ METHOD(tls_t, build, status_t,
this->connection_id, TNC_CONNECTION_STATE_CREATE);
charon->imcs->notify_connection_change(charon->imcs,
this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+ this->send_msg = TRUE;
charon->imcs->begin_handshake(charon->imcs, this->connection_id);
+ this->send_msg = FALSE;
}
/* Do not allow any asynchronous IMCs or IMVs to add additional messages */
this->mutex->lock(this->mutex);
- if (this->is_server && !this->delete_state &&
+ if (this->recs && !this->delete_state &&
(!this->batch || this->fatal_error))
{
check_and_build_recommendation(this);
@@ -435,11 +456,7 @@ METHOD(tls_t, is_complete, bool,
if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
{
- DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'",
- TNC_IMV_Action_Recommendation_names, rec,
- TNC_IMV_Evaluation_Result_names, eval);
-
- return charon->imvs->enforce_recommendation(charon->imvs, rec);
+ return charon->imvs->enforce_recommendation(charon->imvs, rec, eval);
}
else
{
@@ -456,17 +473,8 @@ METHOD(tls_t, get_eap_msk, chunk_t,
METHOD(tls_t, destroy, void,
private_tnccs_11_t *this)
{
- if (this->is_server)
- {
- charon->imvs->notify_connection_change(charon->imvs,
- this->connection_id, TNC_CONNECTION_STATE_DELETE);
- }
- else
- {
- charon->imcs->notify_connection_change(charon->imcs,
- this->connection_id, TNC_CONNECTION_STATE_DELETE);
- }
- charon->tnccs->remove_connection(charon->tnccs, this->connection_id);
+ charon->tnccs->remove_connection(charon->tnccs, this->connection_id,
+ this->is_server);
this->mutex->destroy(this->mutex);
DESTROY_IF(this->batch);
free(this);
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
index 03905ca37..9ec91f006 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
@@ -18,6 +18,12 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ tnccs_11_plugin_t *this)
+{
+ return "tnccs-11";
+}
+
METHOD(plugin_t, destroy, void,
tnccs_11_plugin_t *this)
{
@@ -35,11 +41,13 @@ plugin_t *tnccs_11_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
- charon->tnccs->add_method(charon->tnccs, TNCCS_1_1,
+ charon->tnccs->add_method(charon->tnccs, TNCCS_1_1,
(tnccs_constructor_t)tnccs_11_create);
return &this->plugin;
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index 9853be338..bbfcc2760 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -249,6 +249,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -272,6 +274,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
index a46dc0ab9..f0cf14ac1 100644
--- a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
+++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
@@ -107,7 +107,8 @@ METHOD(pb_tnc_state_machine_t, receive_batch, bool,
}
return FALSE;
case PB_STATE_SERVER_WORKING:
- if (!this->is_server && type == PB_BATCH_SDATA)
+ if (!this->is_server && (type == PB_BATCH_SDATA ||
+ type == PB_BATCH_SRETRY))
{
this->state = PB_STATE_CLIENT_WORKING;
break;
@@ -117,8 +118,7 @@ METHOD(pb_tnc_state_machine_t, receive_batch, bool,
this->state = PB_STATE_DECIDED;
break;
}
- if ((this->is_server && type == PB_BATCH_CRETRY) ||
- (!this->is_server && type == PB_BATCH_SRETRY))
+ if (this->is_server && type == PB_BATCH_CRETRY)
{
break;
}
@@ -198,7 +198,8 @@ METHOD(pb_tnc_state_machine_t, send_batch, bool,
}
return FALSE;
case PB_STATE_SERVER_WORKING:
- if (this->is_server && type == PB_BATCH_SDATA)
+ if (this->is_server && (type == PB_BATCH_SDATA ||
+ type == PB_BATCH_SRETRY))
{
this->state = PB_STATE_CLIENT_WORKING;
break;
@@ -208,7 +209,7 @@ METHOD(pb_tnc_state_machine_t, send_batch, bool,
this->state = PB_STATE_DECIDED;
break;
}
- if (this->is_server && type == PB_BATCH_SRETRY)
+ if (!this->is_server && type == PB_BATCH_CRETRY)
{
break;
}
@@ -219,11 +220,16 @@ METHOD(pb_tnc_state_machine_t, send_batch, bool,
}
return FALSE;
case PB_STATE_CLIENT_WORKING:
- if (!this->is_server && type == PB_BATCH_CDATA)
+ if (!this->is_server && (type == PB_BATCH_CDATA ||
+ type == PB_BATCH_CRETRY))
{
this->state = PB_STATE_SERVER_WORKING;
break;
}
+ if (this->is_server && type == PB_BATCH_SRETRY)
+ {
+ break;
+ }
if (type == PB_BATCH_CLOSE)
{
this->state = PB_STATE_END;
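Review bot: The send side of PB_STATE_CLIENT_WORKING now lets a client send PB_BATCH_CRETRY (moving to PB_STATE_SERVER_WORKING) and a server send PB_BATCH_SRETRY (staying put), but the matching PB_STATE_CLIENT_WORKING case of receive_batch() is not in this diff, while the SERVER_WORKING cases were changed symmetrically in both functions. If the receive side still lacks the mirrored rule — server receiving CRETRY moves to SERVER_WORKING, client receiving SRETRY stays — a peer's retry batch would be rejected as a state violation from that state; worth confirming the receive side already has it. The state transitions for retry batches are now spread over five hunks with no explanatory text; a short comment at the top of the switch such as `/* a retry batch (CRETRY/SRETRY) restarts the handshake from the peer's side, so it is accepted wherever that peer's data batch would be */` would record the intent. send_batch() continues beyond the hunk.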
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
index d53fd8eb7..9e2081d46 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -81,12 +81,17 @@ struct private_tnccs_20_t {
bool request_handshake_retry;
/**
+ * SendMessage() by IMC/IMV only allowed if flag is set
+ */
+ bool send_msg;
+
+ /**
* Set of IMV recommendations (TNC Server only)
*/
recommendations_t *recs;
};
-METHOD(tnccs_t, send_msg, void,
+METHOD(tnccs_t, send_msg, TNC_Result,
private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
TNC_BufferReference msg,
TNC_UInt32 msg_len,
@@ -97,6 +102,14 @@ METHOD(tnccs_t, send_msg, void,
pb_tnc_msg_t *pb_tnc_msg;
pb_tnc_batch_type_t batch_type;
+ if (!this->send_msg)
+ {
+ DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()",
+ this->is_server ? "IMV" : "IMC",
+ this->is_server ? imv_id : imc_id);
+ return TNC_RESULT_ILLEGAL_OPERATION;
+ }
+
msg_sub_type = msg_type & TNC_SUBTYPE_ANY;
msg_vendor_id = (msg_type >> 8) & TNC_VENDORID_ANY;
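Review bot: The new guard reads `this->send_msg` before the mutex that send_msg() releases at its end is taken, and the flag is set and cleared without that lock in handle_message() and in the process()/build() hunks further down. If an IMC/IMV can invoke SendMessage() from a thread other than the one running the receive_message()/begin_handshake()/batch_ending() callback, the check races with the reset to FALSE and a late call can still be accepted or rejected non-deterministically. If the callbacks are strictly synchronous, as the TNC interface intends, that assumption deserves a comment on the field, e.g. `/* only touched by the thread driving this connection; SendMessage() is expected from within the IMC/IMV callbacks */`. The mutex acquisition and the remainder of send_msg() are outside the hunk.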
@@ -119,6 +132,7 @@ METHOD(tnccs_t, send_msg, void,
pb_tnc_msg->destroy(pb_tnc_msg);
}
this->mutex->unlock(this->mutex);
+ return TNC_RESULT_SUCCESS;
}
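Review bot: With send_msg() now returning TNC_Result (first hunk of this file), every exit path must yield a value, but only the guard's `return TNC_RESULT_ILLEGAL_OPERATION;` and this final `return TNC_RESULT_SUCCESS;` are visible; any bare `return;` in the part of the body between the two hunks (for instance on a rejected message type or size) would now hand an indeterminate result back to the IMC/IMV. Worth checking that stretch and building with -Wreturn-type treated as an error. The enclosing function starts before this hunk.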
/**
@@ -145,6 +159,7 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
DBG2(DBG_TNC, "handling PB-PA message type 0x%08x", msg_type);
+ this->send_msg = TRUE;
if (this->is_server)
{
charon->imvs->receive_message(charon->imvs,
@@ -155,6 +170,7 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
charon->imcs->receive_message(charon->imcs,
this->connection_id, msg_body.ptr, msg_body.len,msg_type);
}
+ this->send_msg = FALSE;
break;
}
case PB_MSG_ASSESSMENT_RESULT:
@@ -289,14 +305,21 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
*/
static void build_retry_batch(private_tnccs_20_t *this)
{
+ pb_tnc_batch_type_t batch_retry_type;
+
+ batch_retry_type = this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY;
if (this->batch)
{
+ if (this->batch->get_type(this->batch) == batch_retry_type)
+ {
+ /* retry batch has already been created */
+ return;
+ }
DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
pb_tnc_batch_type_names, this->batch->get_type(this->batch));
this->batch->destroy(this->batch);
}
- this->batch = pb_tnc_batch_create(this->is_server,
- this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY);
+ this->batch = pb_tnc_batch_create(this->is_server, batch_retry_type);
}
METHOD(tls_t, process, status_t,
@@ -319,6 +342,8 @@ METHOD(tls_t, process, status_t,
}
charon->imvs->notify_connection_change(charon->imvs,
this->connection_id, TNC_CONNECTION_STATE_CREATE);
+ charon->imvs->notify_connection_change(charon->imvs,
+ this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
}
data = chunk_create(buf, buflen);
@@ -349,7 +374,9 @@ METHOD(tls_t, process, status_t,
/* Restart the measurements */
charon->imcs->notify_connection_change(charon->imcs,
this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+ this->send_msg = TRUE;
charon->imcs->begin_handshake(charon->imcs, this->connection_id);
+ this->send_msg = FALSE;
}
enumerator = batch->create_msg_enumerator(batch);
@@ -376,6 +403,7 @@ METHOD(tls_t, process, status_t,
}
}
+ this->send_msg = TRUE;
if (this->is_server)
{
charon->imvs->batch_ending(charon->imvs, this->connection_id);
@@ -384,6 +412,7 @@ METHOD(tls_t, process, status_t,
{
charon->imcs->batch_ending(charon->imcs, this->connection_id);
}
+ this->send_msg = FALSE;
}
switch (status)
@@ -463,6 +492,7 @@ METHOD(tls_t, build, status_t,
private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen)
{
status_t status;
+ pb_tnc_state_t state;
/* Initialize the connection */
if (!this->is_server && !this->connection_id)
@@ -491,11 +521,14 @@ METHOD(tls_t, build, status_t,
this->connection_id, TNC_CONNECTION_STATE_CREATE);
charon->imcs->notify_connection_change(charon->imcs,
this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+ this->send_msg = TRUE;
charon->imcs->begin_handshake(charon->imcs, this->connection_id);
+ this->send_msg = FALSE;
}
- if (this->is_server && this->fatal_error &&
- this->state_machine->get_state(this->state_machine) == PB_STATE_END)
+ state = this->state_machine->get_state(this->state_machine);
+
+ if (this->is_server && this->fatal_error && state == PB_STATE_END)
{
DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
return FAILED;
@@ -506,7 +539,10 @@ METHOD(tls_t, build, status_t,
if (this->request_handshake_retry)
{
- build_retry_batch(this);
+ if (state != PB_STATE_INIT)
+ {
+ build_retry_batch(this);
+ }
/* Reset the flag for the next handshake retry request */
this->request_handshake_retry = FALSE;
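Review bot: `if (state != PB_STATE_INIT)` silently drops a pending handshake-retry request while the flag is still reset on the next line, and nothing in the hunk says why that is correct. Presumably in PB_STATE_INIT the first batch of the handshake is about to be built anyway, so a retry batch would be redundant; if so, a one-line comment such as `/* in PB_STATE_INIT the initial batch is built below, no retry batch needed */` would keep a future reader from treating this as a lost request. build() continues outside the hunk.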
@@ -514,9 +550,6 @@ METHOD(tls_t, build, status_t,
if (!this->batch)
{
- pb_tnc_state_t state;
-
- state = this->state_machine->get_state(this->state_machine);
if (this->is_server)
{
if (state == PB_STATE_SERVER_WORKING)
@@ -606,11 +639,7 @@ METHOD(tls_t, is_complete, bool,
if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
{
- DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'",
- TNC_IMV_Action_Recommendation_names, rec,
- TNC_IMV_Evaluation_Result_names, eval);
-
- return charon->imvs->enforce_recommendation(charon->imvs, rec);
+ return charon->imvs->enforce_recommendation(charon->imvs, rec, eval);
}
else
{
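Review bot: The DBG2 line that reported the final recommendation and evaluation is removed here (and in the tnccs_11 counterpart earlier in this diff) while enforce_recommendation() gains the `eval` argument. If the new enforce_recommendation(charon->imvs, rec, eval) does not itself log both values, the final access-control decision for the connection no longer leaves any trace in the daemon log, which is the one place an operator can audit why an endpoint was admitted or isolated; please confirm the logging moved rather than disappeared. is_complete() starts before this hunk.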
@@ -627,17 +656,8 @@ METHOD(tls_t, get_eap_msk, chunk_t,
METHOD(tls_t, destroy, void,
private_tnccs_20_t *this)
{
- if (this->is_server)
- {
- charon->imvs->notify_connection_change(charon->imvs,
- this->connection_id, TNC_CONNECTION_STATE_DELETE);
- }
- else
- {
- charon->imcs->notify_connection_change(charon->imcs,
- this->connection_id, TNC_CONNECTION_STATE_DELETE);
- }
- charon->tnccs->remove_connection(charon->tnccs, this->connection_id);
+ charon->tnccs->remove_connection(charon->tnccs, this->connection_id,
+ this->is_server);
this->state_machine->destroy(this->state_machine);
this->mutex->destroy(this->mutex);
DESTROY_IF(this->batch);
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
index 82c78f74c..e6dc699e6 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
@@ -18,6 +18,12 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ tnccs_20_plugin_t *this)
+{
+ return "tnccs-20";
+}
+
METHOD(plugin_t, destroy, void,
tnccs_20_plugin_t *this)
{
@@ -35,11 +41,13 @@ plugin_t *tnccs_20_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
- charon->tnccs->add_method(charon->tnccs, TNCCS_2_0,
+ charon->tnccs->add_method(charon->tnccs, TNCCS_2_0,
(tnccs_constructor_t)tnccs_20_create);
return &this->plugin;
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
index 722da2830..dda1472db 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -245,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -268,6 +270,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
index dbbf222e0..089a3ed57 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
@@ -18,6 +18,12 @@
#include <daemon.h>
+METHOD(plugin_t, get_name, char*,
+ tnccs_dynamic_plugin_t *this)
+{
+ return "tnccs-dynamic";
+}
+
METHOD(plugin_t, destroy, void,
tnccs_dynamic_plugin_t *this)
{
@@ -35,11 +41,13 @@ plugin_t *tnccs_dynamic_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
- charon->tnccs->add_method(charon->tnccs, TNCCS_DYNAMIC,
+ charon->tnccs->add_method(charon->tnccs, TNCCS_DYNAMIC,
(tnccs_constructor_t)tnccs_dynamic_create);
return &this->plugin;
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index f7162d800..013ceb7da 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/uci/uci_plugin.c b/src/libcharon/plugins/uci/uci_plugin.c
index 4790ef4e7..a6d24c32b 100644
--- a/src/libcharon/plugins/uci/uci_plugin.c
+++ b/src/libcharon/plugins/uci/uci_plugin.c
@@ -58,10 +58,14 @@ struct private_uci_plugin_t {
uci_control_t *control;
};
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_uci_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_uci_plugin_t *this)
+{
+ return "uci";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_uci_plugin_t *this)
{
charon->backends->remove_backend(charon->backends, &this->config->backend);
lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
@@ -77,14 +81,22 @@ static void destroy(private_uci_plugin_t *this)
*/
plugin_t *uci_plugin_create()
{
- private_uci_plugin_t *this = malloc_thing(private_uci_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_uci_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .parser = uci_parser_create(UCI_PACKAGE),
+ .config = uci_config_create(this->parser),
+ .creds = uci_creds_create(this->parser),
+ .control = uci_control_create(),
+ );
- this->parser = uci_parser_create(UCI_PACKAGE);
- this->config = uci_config_create(this->parser);
- this->creds = uci_creds_create(this->parser);
- this->control = uci_control_create();
charon->backends->add_backend(charon->backends, &this->config->backend);
lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
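Review bot: Inside INIT() the initializers `.config = uci_config_create(this->parser)` and `.creds = uci_creds_create(this->parser)` read `this->parser` while the struct is still being built; if INIT() assigns the object from a single compound literal, `this->parser` at that point holds whatever the freshly allocated memory contained rather than the `.parser` value listed one line above, so config and creds receive an indeterminate parser pointer. The old code assigned the fields in sequence and did not have this problem. Keep only `.parser = uci_parser_create(UCI_PACKAGE)` in INIT() and set the dependents afterwards: `this->config = uci_config_create(this->parser);` `this->creds = uci_creds_create(this->parser);` `this->control = uci_control_create();`. uci_plugin_create() continues past the hunk.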
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 5fa749e56..2fee3da82 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -247,6 +247,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -270,6 +272,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.c b/src/libcharon/plugins/unit_tester/unit_tester.c
index 5f6f94e03..ad7dba7a5 100644
--- a/src/libcharon/plugins/unit_tester/unit_tester.c
+++ b/src/libcharon/plugins/unit_tester/unit_tester.c
@@ -92,10 +92,14 @@ static void run_tests(private_unit_tester_t *this)
success, run, failed, skipped);
}
-/**
- * Implementation of 2007_t.destroy
- */
-static void destroy(private_unit_tester_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_unit_tester_t *this)
+{
+ return "unit-tester";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_unit_tester_t *this)
{
free(this);
}
@@ -105,9 +109,17 @@ static void destroy(private_unit_tester_t *this)
*/
plugin_t *unit_tester_plugin_create()
{
- private_unit_tester_t *this = malloc_thing(private_unit_tester_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_unit_tester_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ );
run_tests(this);
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 5dd2dc843..49cffe218 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
index 9d0591e62..2ce2d3257 100644
--- a/src/libcharon/plugins/updown/updown_plugin.c
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -36,10 +36,14 @@ struct private_updown_plugin_t {
updown_listener_t *listener;
};
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_updown_plugin_t *this)
+METHOD(plugin_t, get_name, char*,
+ private_updown_plugin_t *this)
+{
+ return "updown";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_updown_plugin_t *this)
{
charon->bus->remove_listener(charon->bus, &this->listener->listener);
this->listener->destroy(this->listener);
@@ -51,11 +55,19 @@ static void destroy(private_updown_plugin_t *this)
*/
plugin_t *updown_plugin_create()
{
- private_updown_plugin_t *this = malloc_thing(private_updown_plugin_t);
+ private_updown_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .listener = updown_listener_create(),
+ );
- this->listener = updown_listener_create();
charon->bus->add_listener(charon->bus, &this->listener->listener);
return &this->public.plugin;
diff --git a/src/libcharon/plugins/whitelist/Makefile.am b/src/libcharon/plugins/whitelist/Makefile.am
new file mode 100644
index 000000000..064a759dd
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-whitelist.la
+else
+plugin_LTLIBRARIES = libstrongswan-whitelist.la
+endif
+
+libstrongswan_whitelist_la_SOURCES = whitelist_plugin.h whitelist_plugin.c \
+ whitelist_listener.h whitelist_listener.c whitelist_msg.h \
+ whitelist_control.h whitelist_control.c
+
+libstrongswan_whitelist_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = whitelist
+whitelist_SOURCES = whitelist.c
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
new file mode 100644
index 000000000..37ae5f9c3
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -0,0 +1,668 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = whitelist$(EXEEXT)
+subdir = src/libcharon/plugins/whitelist
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_whitelist_la_LIBADD =
+am_libstrongswan_whitelist_la_OBJECTS = whitelist_plugin.lo \
+ whitelist_listener.lo whitelist_control.lo
+libstrongswan_whitelist_la_OBJECTS = \
+ $(am_libstrongswan_whitelist_la_OBJECTS)
+libstrongswan_whitelist_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_whitelist_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_whitelist_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_whitelist_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_whitelist_OBJECTS = whitelist.$(OBJEXT)
+whitelist_OBJECTS = $(am_whitelist_OBJECTS)
+whitelist_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_whitelist_la_SOURCES) $(whitelist_SOURCES)
+DIST_SOURCES = $(libstrongswan_whitelist_la_SOURCES) \
+ $(whitelist_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-whitelist.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-whitelist.la
+libstrongswan_whitelist_la_SOURCES = whitelist_plugin.h whitelist_plugin.c \
+ whitelist_listener.h whitelist_listener.c whitelist_msg.h \
+ whitelist_control.h whitelist_control.c
+
+libstrongswan_whitelist_la_LDFLAGS = -module -avoid-version
+whitelist_SOURCES = whitelist.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/whitelist/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/whitelist/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES)
+ $(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES)
+ @rm -f whitelist$(EXEEXT)
+ $(LINK) $(whitelist_OBJECTS) $(whitelist_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whitelist.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whitelist_control.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whitelist_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whitelist_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-ipsecPROGRAMS install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/whitelist/whitelist.c b/src/libcharon/plugins/whitelist/whitelist.c
new file mode 100644
index 000000000..5f511f2c5
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "whitelist_msg.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <errno.h>
+
+/**
+ * Connect to the daemon, return FD
+ */
+static int make_connection()
+{
+ struct sockaddr_un addr;
+ int fd;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, WHITELIST_SOCKET);
+
+ fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (fd < 0)
+ {
+ fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+ return -1;
+ }
+ if (connect(fd, (struct sockaddr *)&addr,
+ offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+ {
+ fprintf(stderr, "connecting to %s failed: %s\n",
+ WHITELIST_SOCKET, strerror(errno));
+ close(fd);
+ return -1;
+ }
+ return fd;
+}
+
+/**
+ * Send a single message
+ */
+static int send_msg(int type, char *id)
+{
+ whitelist_msg_t msg = {
+ .type = type,
+ };
+ int fd;
+
+ fd = make_connection();
+ if (fd == -1)
+ {
+ return 2;
+ }
+ snprintf(msg.id, sizeof(msg.id), "%s", id);
+ if (send(fd, &msg, sizeof(msg), 0) != sizeof(msg))
+ {
+ fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
+ close(fd);
+ return 2;
+ }
+ if (type == WHITELIST_LIST)
+ {
+ while (recv(fd, &msg, sizeof(msg), 0) == sizeof(msg))
+ {
+ if (msg.type != WHITELIST_LIST)
+ {
+ break;
+ }
+ printf("%s\n", msg.id);
+ }
+ }
+ close(fd);
+ return 0;
+}
+
+/**
+ * Send a batch of messages, reading identities from a file
+ */
+static int send_batch(int type, char *file)
+{
+ whitelist_msg_t msg = {
+ .type = type,
+ };
+ FILE *f = stdin;
+ int fd, len;
+
+ fd = make_connection();
+ if (fd == -1)
+ {
+ return 2;
+ }
+ if (file)
+ {
+ f = fopen(file, "r");
+ if (f == NULL)
+ {
+ fprintf(stderr, "opening %s failed: %s\n", file, strerror(errno));
+ close(fd);
+ return 3;
+ }
+ }
+ while (fgets(msg.id, sizeof(msg.id), f))
+ {
+ len = strlen(msg.id);
+ if (len == 0)
+ {
+ continue;
+ }
+ if (msg.id[len-1] == '\n')
+ {
+ msg.id[len-1] = '\0';
+ }
+ if (send(fd, &msg, sizeof(msg), 0) != sizeof(msg))
+ {
+ fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
+ if (f != stdin)
+ {
+ fclose(f);
+ }
+ close(fd);
+ return 2;
+ }
+ }
+ if (f != stdin)
+ {
+ fclose(f);
+ }
+ close(fd);
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ if (argc == 3 && strcmp(argv[1], "add") == 0)
+ {
+ return send_msg(WHITELIST_ADD, argv[2]);
+ }
+ if (argc == 3 && strcmp(argv[1], "remove") == 0)
+ {
+ return send_msg(WHITELIST_REMOVE, argv[2]);
+ }
+ if ((argc == 2 || argc == 3) && strcmp(argv[1], "add-from") == 0)
+ {
+ return send_batch(WHITELIST_ADD, argc == 3 ? argv[2] : NULL);
+ }
+ if ((argc == 2 || argc == 3) && strcmp(argv[1], "remove-from") == 0)
+ {
+ return send_batch(WHITELIST_REMOVE, argc == 3 ? argv[2] : NULL);
+ }
+ if ((argc == 2 || argc == 3) && strcmp(argv[1], "flush") == 0)
+ {
+ return send_msg(WHITELIST_FLUSH, argc == 3 ? argv[2] : "%any");
+ }
+ if ((argc == 2 || argc == 3) && strcmp(argv[1], "list") == 0)
+ {
+ return send_msg(WHITELIST_LIST, argc == 3 ? argv[2] : "%any");
+ }
+ if (argc == 2 && strcmp(argv[1], "enable") == 0)
+ {
+ return send_msg(WHITELIST_ENABLE, "");
+ }
+ if (argc == 2 && strcmp(argv[1], "disable") == 0)
+ {
+ return send_msg(WHITELIST_DISABLE, "");
+ }
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s add <identity>\n", argv[0]);
+ fprintf(stderr, " %s remove <identity>\n", argv[0]);
+ fprintf(stderr, " %s add-from <file>\n", argv[0]);
+ fprintf(stderr, " %s remove-from <file>\n", argv[0]);
+ fprintf(stderr, " %s flush [<pattern>]\n", argv[0]);
+ fprintf(stderr, " %s list [<pattern>]\n", argv[0]);
+ fprintf(stderr, " %s enable\n", argv[0]);
+ fprintf(stderr, " %s disable\n", argv[0]);
+ return 1;
+}
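Review bot: The file calls `strcpy`, `strlen`, `strerror` and `strcmp` (make_connection, send_msg, main) but the include list at the top of the hunk has no `<string.h>`, and whitelist_msg.h brings in no headers either, so the build currently relies on a transitive include; add `#include <string.h>` next to `<stdio.h>`. In send_batch, `fgets` into the 128-byte `msg.id` splits any line longer than 127 characters into several reads, so one over-long identity is silently sent as multiple partial entries; after the newline check it would be worth detecting a missing newline on a full buffer (e.g. `if (len == sizeof(msg.id) - 1 && msg.id[len-1] != '\n')`) and reporting the line as truncated instead of sending it. The `len == 0` test after fgets can only be true for an empty string, which fgets never returns on success, so the `continue` is effectively dead and could be dropped or turned into a skip of blank lines (`len == 1 && msg.id[0] == '\n'`).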
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
new file mode 100644
index 000000000..4a1fc5d87
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "whitelist_control.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+#include "whitelist_msg.h"
+
+typedef struct private_whitelist_control_t private_whitelist_control_t;
+
+/**
+ * Private data of an whitelist_control_t object.
+ */
+struct private_whitelist_control_t {
+
+ /**
+ * Public whitelist_control_t interface.
+ */
+ whitelist_control_t public;
+
+ /**
+ * Whitelist
+ */
+ whitelist_listener_t *listener;
+
+ /**
+ * Whitelist unix socket file descriptor
+ */
+ int socket;
+
+ /**
+ * Callback job dispatching commands
+ */
+ callback_job_t *job;
+};
+
+/**
+ * Open whitelist unix socket
+ */
+static bool open_socket(private_whitelist_control_t *this)
+{
+ struct sockaddr_un addr;
+ mode_t old;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, WHITELIST_SOCKET);
+
+ this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "creating whitelist socket failed");
+ return FALSE;
+ }
+ unlink(addr.sun_path);
+ old = umask(~(S_IRWXU | S_IRWXG));
+ if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+ {
+ DBG1(DBG_CFG, "binding whitelist socket failed: %s", strerror(errno));
+ close(this->socket);
+ return FALSE;
+ }
+ umask(old);
+ if (chown(addr.sun_path, charon->uid, charon->gid) != 0)
+ {
+ DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
+ strerror(errno));
+ }
+ if (listen(this->socket, 10) < 0)
+ {
+ DBG1(DBG_CFG, "listening on whitelist socket failed: %s", strerror(errno));
+ close(this->socket);
+ unlink(addr.sun_path);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Dispatch a received message
+ */
+static void dispatch(private_whitelist_control_t *this,
+ int fd, whitelist_msg_t *msg)
+{
+ identification_t *id, *current;
+ enumerator_t *enumerator;
+
+ msg->id[sizeof(msg->id)-1] = 0;
+ id = identification_create_from_string(msg->id);
+ switch (msg->type)
+ {
+ case WHITELIST_ADD:
+ this->listener->add(this->listener, id);
+ break;
+ case WHITELIST_REMOVE:
+ this->listener->remove(this->listener, id);
+ break;
+ case WHITELIST_LIST:
+ enumerator = this->listener->create_enumerator(this->listener);
+ while (enumerator->enumerate(enumerator, &current))
+ {
+ if (current->matches(current, id))
+ {
+ snprintf(msg->id, sizeof(msg->id), "%Y", current);
+ if (send(fd, msg, sizeof(*msg), 0) != sizeof(*msg))
+ {
+ DBG1(DBG_CFG, "listing whitelist failed");
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ msg->type = WHITELIST_END;
+ memset(msg->id, 0, sizeof(msg->id));
+ send(fd, msg, sizeof(*msg), 0);
+ break;
+ case WHITELIST_FLUSH:
+ this->listener->flush(this->listener, id);
+ break;
+ case WHITELIST_ENABLE:
+ this->listener->set_active(this->listener, TRUE);
+ break;
+ case WHITELIST_DISABLE:
+ this->listener->set_active(this->listener, FALSE);
+ break;
+ default:
+ DBG1(DBG_CFG, "received unknown whitelist command");
+ break;
+ }
+ id->destroy(id);
+}
+
+/**
+ * Accept whitelist control connections, dispatch
+ */
+static job_requeue_t receive(private_whitelist_control_t *this)
+{
+ struct sockaddr_un addr;
+ int fd, len = sizeof(addr);
+ whitelist_msg_t msg;
+ bool oldstate;
+
+ oldstate = thread_cancelability(TRUE);
+ fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+ thread_cancelability(oldstate);
+
+ if (fd != -1)
+ {
+ while (TRUE)
+ {
+ oldstate = thread_cancelability(TRUE);
+ len = recv(fd, &msg, sizeof(msg), 0);
+ thread_cancelability(oldstate);
+
+ if (len == sizeof(msg))
+ {
+ dispatch(this, fd, &msg);
+ }
+ else
+ {
+ if (len != 0)
+ {
+ DBG1(DBG_CFG, "receiving whitelist msg failed: %s",
+ strerror(errno));
+ }
+ break;
+ }
+ }
+ close(fd);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "accepting whitelist connection failed: %s",
+ strerror(errno));
+ }
+ return JOB_REQUEUE_FAIR;
+}
+
+METHOD(whitelist_control_t, destroy, void,
+ private_whitelist_control_t *this)
+{
+ this->job->cancel(this->job);
+ close(this->socket);
+ free(this);
+}
+
+/**
+ * See header
+ */
+whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener)
+{
+ private_whitelist_control_t *this;
+
+ INIT(this,
+ .public = {
+ .destroy = _destroy,
+ },
+ .listener = listener,
+ );
+
+ if (!open_socket(this))
+ {
+ free(this);
+ return NULL;
+ }
+
+ this->job = callback_job_create((callback_job_cb_t)receive,
+ this, NULL, NULL);
+ lib->processor->queue_job(lib->processor, (job_t*)this->job);
+
+ return &this->public;
+}
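Review bot: In open_socket the process umask is not restored when bind() fails: `umask(old)` runs only on the success path after the check, so a failed bind leaves charon running with `~(S_IRWXU | S_IRWXG)` for the rest of its life. Capturing the result first, `ret = bind(this->socket, (struct sockaddr*)&addr, sizeof(addr));` / `umask(old);` / `if (ret < 0)`, keeps the cleanup unconditional. In receive, `len` is declared `int` but passed to accept() as the `socklen_t *` address length and then reused to hold recv()'s `ssize_t` result; a separate `socklen_t addrlen` would avoid the pointer-type mismatch and the signed/size confusion. Note also that a single callback job handles one accepted connection at a time in a blocking recv loop, so a client that keeps its connection open without sending stalls every other control client until it disconnects; whether that is acceptable for a socket restricted to charon's uid/gid is a judgement call, but it deserves a comment on receive().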
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.h b/src/libcharon/plugins/whitelist/whitelist_control.h
new file mode 100644
index 000000000..dc813414d
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist_control.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup whitelist_control whitelist_control
+ * @{ @ingroup whitelist
+ */
+
+#ifndef WHITELIST_CONTROL_H_
+#define WHITELIST_CONTROL_H_
+
+#include "whitelist_listener.h"
+
+typedef struct whitelist_control_t whitelist_control_t;
+
+/**
+ * Whitelist UNIX control socket.
+ */
+struct whitelist_control_t {
+
+ /**
+ * Destroy a whitelist_control_t.
+ */
+ void (*destroy)(whitelist_control_t *this);
+};
+
+/**
+ * Create a whitelist_control instance.
+ */
+whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener);
+
+#endif /** WHITELIST_CONTROL_H_ @}*/
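Review bot: The doc comment on whitelist_control_create does not mention that it can fail; the implementation returns NULL when the control socket cannot be created, bound or listened on, and the plugin relies on that. A `@return control instance, NULL if the control socket could not be opened` line on the header would make the contract visible to callers. It would also help to state here where the socket lives (`WHITELIST_SOCKET` from whitelist_msg.h) and that access is governed by the socket file's uid/gid.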
diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.c b/src/libcharon/plugins/whitelist/whitelist_listener.c
new file mode 100644
index 000000000..5634e3ef8
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist_listener.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "whitelist_listener.h"
+
+#include <daemon.h>
+#include <utils/hashtable.h>
+#include <threading/rwlock.h>
+
+typedef struct private_whitelist_listener_t private_whitelist_listener_t;
+
+/**
+ * Private data of an whitelist_listener_t object.
+ */
+struct private_whitelist_listener_t {
+
+ /**
+ * Public whitelist_listener_t interface.
+ */
+ whitelist_listener_t public;
+
+ /**
+ * Lock for hashtable
+ */
+ rwlock_t *lock;
+
+ /**
+ * Hashtable with whitelisted identities
+ */
+ hashtable_t *ids;
+
+ /**
+ * Whitelist checking enabled
+ */
+ bool enabled;
+};
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(identification_t *key)
+{
+ return chunk_hash(key->get_encoding(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(identification_t *a, identification_t *b)
+{
+ return a->equals(a, b);
+}
+
+METHOD(listener_t, authorize, bool,
+ private_whitelist_listener_t *this, ike_sa_t *ike_sa,
+ bool final, bool *success)
+{
+ /* check each authentication round */
+ if (this->enabled && !final)
+ {
+ bool whitelisted = FALSE;
+ identification_t *id;
+ auth_cfg_t *auth;
+
+ auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+ /* for authenticated with EAP, check EAP identity */
+ id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+ if (!id)
+ {
+ id = auth->get(auth, AUTH_RULE_IDENTITY);
+ }
+ if (id)
+ {
+ this->lock->read_lock(this->lock);
+ whitelisted = this->ids->get(this->ids, id) != NULL;
+ this->lock->unlock(this->lock);
+ }
+ if (whitelisted)
+ {
+ DBG2(DBG_CFG, "peer identity '%Y' whitelisted", id);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "peer identity '%Y' not whitelisted", id);
+ *success = FALSE;
+ }
+ }
+ return TRUE;
+}
+
+METHOD(whitelist_listener_t, add, void,
+ private_whitelist_listener_t *this, identification_t *id)
+{
+ id = id->clone(id);
+ this->lock->write_lock(this->lock);
+ id = this->ids->put(this->ids, id, id);
+ this->lock->unlock(this->lock);
+ DESTROY_IF(id);
+}
+
+METHOD(whitelist_listener_t, remove_, void,
+ private_whitelist_listener_t *this, identification_t *id)
+{
+ this->lock->write_lock(this->lock);
+ id = this->ids->remove(this->ids, id);
+ this->lock->unlock(this->lock);
+ DESTROY_IF(id);
+}
+
+/**
+ * Enumerator filter, from hashtable (key, value) to single identity
+ */
+static bool whitelist_filter(rwlock_t *lock, identification_t **key,
+ identification_t **id, identification_t **value)
+{
+ *id = *value;
+ return TRUE;
+}
+
+METHOD(whitelist_listener_t, create_enumerator, enumerator_t*,
+ private_whitelist_listener_t *this)
+{
+ this->lock->read_lock(this->lock);
+ return enumerator_create_filter(this->ids->create_enumerator(this->ids),
+ (void*)whitelist_filter, this->lock,
+ (void*)this->lock->unlock);
+}
+
+METHOD(whitelist_listener_t, flush, void,
+ private_whitelist_listener_t *this, identification_t *id)
+{
+ enumerator_t *enumerator;
+ identification_t *key, *value;
+
+ this->lock->write_lock(this->lock);
+ enumerator = this->ids->create_enumerator(this->ids);
+ while (enumerator->enumerate(enumerator, &key, &value))
+ {
+ if (value->matches(value, id))
+ {
+ this->ids->remove_at(this->ids, enumerator);
+ value->destroy(value);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(whitelist_listener_t, set_active, void,
+ private_whitelist_listener_t *this, bool enable)
+{
+ DBG1(DBG_CFG, "whitelist functionality %s%sabled",
+ (this->enabled == enable) ? "was already " : "", enable ? "en" : "dis");
+ this->enabled = enable;
+}
+
+METHOD(whitelist_listener_t, destroy, void,
+ private_whitelist_listener_t *this)
+{
+ identification_t *key, *value;
+ enumerator_t *enumerator;
+
+ enumerator = this->ids->create_enumerator(this->ids);
+ while (enumerator->enumerate(enumerator, &key, &value))
+ {
+ value->destroy(value);
+ }
+ enumerator->destroy(enumerator);
+ this->ids->destroy(this->ids);
+ this->lock->destroy(this->lock);
+ free(this);
+}
+
+/**
+ * See header
+ */
+whitelist_listener_t *whitelist_listener_create()
+{
+ private_whitelist_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .authorize = _authorize,
+ },
+ .add = _add,
+ .remove = _remove_,
+ .create_enumerator = _create_enumerator,
+ .flush = _flush,
+ .set_active = _set_active,
+ .destroy = _destroy,
+ },
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .ids = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 32),
+ .enabled = lib->settings->get_bool(lib->settings,
+ "charon.plugins.whitelist.enable", FALSE),
+ );
+
+ return &this->public;
+}
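Review bot: In authorize, when neither an EAP identity nor a regular identity is configured the `id` pointer stays NULL, `whitelisted` stays FALSE and the DBG1 call formats a NULL pointer with `%Y` before rejecting the peer; rejecting is the right fail-closed outcome, but confirm the `%Y` printf hook tolerates NULL or log a distinct message for the no-identity case, e.g. `DBG1(DBG_CFG, "peer has no identity to check against whitelist")`. In add, the clone is stored as both key and value and the old value returned by put() is destroyed; if the hashtable keeps the previously stored key object on replacement, the table would then hold a freed key pointer, so this depends on put() replacing the key as well and is worth confirming against hashtable_t's semantics. Note also that the lookup in authorize uses `get` (exact equality via the hash/equals callbacks), so wildcard entries are not honoured for matching even though flush and list use `matches`; a comment stating that entries must equal the peer identity exactly would prevent surprises.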
diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.h b/src/libcharon/plugins/whitelist/whitelist_listener.h
new file mode 100644
index 000000000..ac9475245
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist_listener.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup whitelist_listener whitelist_listener
+ * @{ @ingroup whitelist
+ */
+
+#ifndef WHITELIST_LISTENER_H_
+#define WHITELIST_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct whitelist_listener_t whitelist_listener_t;
+
+/**
+ * Listener checking connecting peer against a whitelist.
+ */
+struct whitelist_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Add a peer identity to the whitelist.
+ *
+ * @param id identity to whitelist
+ */
+ void (*add)(whitelist_listener_t *this, identification_t *id);
+
+ /**
+ * Remove a peer identity from the whitelist.
+ *
+ * @param id identity to remove from whitelist
+ */
+ void (*remove)(whitelist_listener_t *this, identification_t *id);
+
+ /**
+ * Create an enumerator over whitelisted peer identities.
+ *
+ * The enumerator read-locks the whitelist, do not call add/remove while
+ * it is alive.
+ *
+ * @return enumerator over identification_t*
+ */
+ enumerator_t* (*create_enumerator)(whitelist_listener_t *this);
+
+ /**
+ * Flush identities from whitelist matching id.
+ *
+ * @param id id to match
+ */
+ void (*flush)(whitelist_listener_t *this, identification_t *id);
+
+ /**
+ * Enable/Disable whitelist checking.
+ *
+ * @param enable TRUE to enable, FALSE to disable
+ */
+ void (*set_active)(whitelist_listener_t *this, bool enable);
+
+ /**
+ * Destroy a whitelist_listener_t.
+ */
+ void (*destroy)(whitelist_listener_t *this);
+};
+
+/**
+ * Create a whitelist_listener instance.
+ */
+whitelist_listener_t *whitelist_listener_create();
+
+#endif /** WHITELIST_LISTENER_H_ @}*/
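Review bot: The `add` documentation does not state ownership of `id`; the implementation clones it, so the caller keeps its own reference and must still destroy it. `@param id identity to whitelist (cloned, caller keeps ownership)` would pin that down. The locking note on create_enumerator should also name `flush`, which takes the write lock as well, so calling it while an enumerator is alive deadlocks just like add/remove. It would be worth noting on set_active that the flag is read in the authorize callback without locking, if that is intended.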
diff --git a/src/libcharon/plugins/whitelist/whitelist_msg.h b/src/libcharon/plugins/whitelist/whitelist_msg.h
new file mode 100644
index 000000000..65b922996
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist_msg.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup whitelist_msg whitelist_msg
+ * @{ @ingroup whitelist
+ */
+
+#ifndef WHITELIST_MSG_H_
+#define WHITELIST_MSG_H_
+
+#define WHITELIST_SOCKET IPSEC_PIDDIR "/charon.wlst"
+
+typedef struct whitelist_msg_t whitelist_msg_t;
+
+/**
+ * Message type.
+ */
+enum {
+ /* add whitelist entry */
+ WHITELIST_ADD = 1,
+ /* remove whitelist entry */
+ WHITELIST_REMOVE = 2,
+ /* list identities matching id, gets responded with LIST messages */
+ WHITELIST_LIST = 3,
+ /* indicates end of list in a series of LIST messages */
+ WHITELIST_END = 4,
+ /* flush identities matching id */
+ WHITELIST_FLUSH = 5,
+ /* enable whitelist checking */
+ WHITELIST_ENABLE = 6,
+ /* disable whitelist checking */
+ WHITELIST_DISABLE = 7,
+};
+
+/**
+ * Message to exchange over whitelist
+ */
+struct whitelist_msg_t {
+ /** message type */
+ int type;
+ /** null terminated identity */
+ char id[128];
+};
+
+#endif /** WHITELIST_MSG_H_ @}*/
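Review bot: The `id` field comment says "null terminated identity", but the struct is received raw from a socket and the wire contents are not guaranteed to be terminated; the daemon already forces a terminator on receipt, and the header should say that receivers must do so rather than trust the sender, e.g. `/** identity, NUL terminated by the sender; receivers must terminate it again before use */`. Identities longer than 127 characters are truncated by every sender in this plugin, which is worth stating next to the size. Since the struct is exchanged as a plain host-layout `int` plus `char[128]`, a note that the protocol is only meant for local clients built with the same ABI would help anyone tempted to talk to the socket from another language. `WHITELIST_SOCKET` also depends on `IPSEC_PIDDIR` without including anything that defines it, so a comment that the build must provide it is warranted.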
diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
new file mode 100644
index 000000000..fca9d293f
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "whitelist_plugin.h"
+
+#include "whitelist_listener.h"
+#include "whitelist_control.h"
+
+#include <daemon.h>
+
+typedef struct private_whitelist_plugin_t private_whitelist_plugin_t;
+
+/**
+ * private data of whitelist plugin
+ */
+struct private_whitelist_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ whitelist_plugin_t public;
+
+ /**
+ * Listener checking whitelist entries during authorization
+ */
+ whitelist_listener_t *listener;
+
+ /**
+ * Whitelist control socket
+ */
+ whitelist_control_t *control;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_whitelist_plugin_t *this)
+{
+ return "whitelist";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_whitelist_plugin_t *this)
+{
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ this->listener->destroy(this->listener);
+ DESTROY_IF(this->control);
+ free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *whitelist_plugin_create()
+{
+ private_whitelist_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .listener = whitelist_listener_create(),
+ );
+ this->control = whitelist_control_create(this->listener);
+
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+ return &this->public.plugin;
+}
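Review bot: whitelist_plugin_create keeps loading when whitelist_control_create returns NULL (the DESTROY_IF in destroy shows this is anticipated), which means a whitelist enabled through `charon.plugins.whitelist.enable` but without a working control socket has an empty list and rejects every peer with only a DBG1 log to explain why. That is fail-closed, which is the safer direction, but it should either be documented on the constructor or made a load failure by destroying the listener and returning NULL when `this->control` is NULL so the misconfiguration is visible at startup. The listener is registered on the bus only after the control socket is created, so there is no window where commands arrive for an unregistered listener; a one-line comment on that ordering would help future edits keep it.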
diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.h b/src/libcharon/plugins/whitelist/whitelist_plugin.h
new file mode 100644
index 000000000..243313376
--- /dev/null
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup whitelist whitelist
+ * @ingroup cplugins
+ *
+ * @defgroup whitelist_plugin whitelist_plugin
+ * @{ @ingroup whitelist
+ */
+
+#ifndef WHITELIST_PLUGIN_H_
+#define WHITELIST_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct whitelist_plugin_t whitelist_plugin_t;
+
+/**
+ * Peer identity whitelisting plugin.
+ */
+struct whitelist_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** WHITELIST_PLUGIN_H_ @}*/
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index da3ecf06f..468c9ef94 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -76,8 +76,8 @@ METHOD(job_t, execute, void,
}
else
{
- /* destroy only if not ESTABLISHED */
- if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
+ /* destroy IKE_SA did not complete connecting phase */
+ if (ike_sa->get_state(ike_sa) != IKE_CONNECTING)
{
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
}
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h
index 9961039ff..0eab2b5ff 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.h
+++ b/src/libcharon/sa/authenticators/eap/eap_method.h
@@ -113,14 +113,29 @@ struct eap_method_t {
* Not all EAP methods establish a shared secret. For implementations of
* the EAP-Identity method, get_msk() returns the received identity.
*
- * @param msk chunk receiving internal stored MSK
+ * @param msk chunk receiving internal stored MSK
* @return
- * - SUCCESS, or
- * - FAILED, if MSK not established (yet)
+ * - SUCCESS, or
+ * - FAILED, if MSK not established (yet)
*/
status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
/**
+ * Get the current EAP identifier.
+ *
+ * @return current EAP identifier
+ */
+ u_int8_t (*get_identifier) (eap_method_t *this);
+
+ /**
+ * Set the EAP identifier to a deterministic value, overwriting
+ * the randomly initialized default value.
+ *
+ * @param identifier current EAP identifier
+ */
+ void (*set_identifier) (eap_method_t *this, u_int8_t identifier);
+
+ /**
* Destroys a eap_method_t object.
*/
void (*destroy) (eap_method_t *this);
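Review bot: The set_identifier() documentation describes its parameter as `@param identifier current EAP identifier`, which is the wording of get_identifier()'s return value and does not say what the argument means to the setter. Suggest `@param identifier EAP identifier to use instead of the random default`, and a sentence in the description on when a caller is expected to override the random value, since the identifier is what matches EAP responses to requests and overriding it is only safe while no exchange is outstanding. The enclosing eap_method_t struct starts and ends outside the hunk.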
diff --git a/src/libcharon/sa/authenticators/eap/sim_card.h b/src/libcharon/sa/authenticators/eap/sim_card.h
new file mode 100644
index 000000000..5f5dc580b
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/sim_card.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_card sim_card
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_CARD_H_
+#define SIM_CARD_H_
+
+typedef struct sim_card_t sim_card_t;
+
+/**
+ * Interface for a (U)SIM card (used as EAP client).
+ *
+ * The SIM card completes triplets/quintuplets requested in a challenge
+ * received from the server.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
+ */
+struct sim_card_t {
+
+ /**
+ * Calculate SRES/KC from a RAND for SIM authentication.
+ *
+ * @param id permanent identity to get a triplet for
+ * @param rand RAND input buffer, fixed size 16 bytes
+ * @param sres SRES output buffer, fixed size 4 byte
+ * @param kc KC output buffer, fixed size 8 bytes
+ * @return TRUE if SRES/KC calculated, FALSE on error/wrong identity
+ */
+ bool (*get_triplet)(sim_card_t *this, identification_t *id,
+ char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+ char kc[SIM_KC_LEN]);
+
+ /**
+ * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
+ *
+ * If the received sequence number (in autn) is out of sync, INVALID_STATE
+ * is returned.
+ * The RES value is the only one with variable length. Pass a buffer
+ * of at least AKA_RES_MAX, the actual number of bytes is written to the
+ * res_len value. While the standard would allow any bit length between
+ * 32 and 128 bits, we support only full bytes for now.
+ *
+ * @param id permanent identity to request quintuplet for
+ * @param rand random value rand
+ * @param autn authentication token autn
+ * @param ck buffer receiving encryption key ck
+ * @param ik buffer receiving integrity key ik
+ * @param res buffer receiving authentication result res
+ * @param res_len nubmer of bytes written to res buffer
+ * @return SUCCESS, FAILED, or INVALID_STATE if out of sync
+ */
+ status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
+ char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+ char res[AKA_RES_MAX], int *res_len);
+
+ /**
+ * Calculate AUTS from RAND for AKA resynchronization.
+ *
+ * @param id permanent identity to request quintuplet for
+ * @param rand random value rand
+ * @param auts resynchronization parameter auts
+ * @return TRUE if parameter generated successfully
+ */
+ bool (*resync)(sim_card_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+ /**
+ * Set the pseudonym to use for next authentication.
+ *
+ * @param id permanent identity of the peer
+ * @param pseudonym pseudonym identity received from the server
+ */
+ void (*set_pseudonym)(sim_card_t *this, identification_t *id,
+ identification_t *pseudonym);
+
+ /**
+ * Get the pseudonym previously stored via set_pseudonym().
+ *
+ * @param id permanent identity of the peer
+ * @return associated pseudonym identity, NULL if none stored
+ */
+ identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
+
+ /**
+ * Store parameters to use for the next fast reauthentication.
+ *
+ * @param id permanent identity of the peer
+ * @param next next fast reauthentication identity to use
+ * @param mk master key MK to store for reauthentication
+ * @param counter counter value to store, host order
+ */
+ void (*set_reauth)(sim_card_t *this, identification_t *id,
+ identification_t *next, char mk[HASH_SIZE_SHA1],
+ u_int16_t counter);
+
+ /**
+ * Retrieve parameters for fast reauthentication stored via set_reauth().
+ *
+ * @param id permanent identity of the peer
+ * @param mk buffer receiving master key MK
+ * @param counter pointer receiving counter value, in host order
+ * @return fast reauthentication identity, NULL if not found
+ */
+ identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
+ char mk[HASH_SIZE_SHA1], u_int16_t *counter);
+};
+
+#endif /** SIM_CARD_H_ @}*/
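Review bot: The new header uses identification_t, status_t, bool, u_int16_t, HASH_SIZE_SHA1 and the SIM_*/AKA_* length macros but contains no `#include` at all, so it compiles only when the includer has already pulled in the header that defines those macros (sim_manager.h still does) — the same applies to sim_hooks.h, which relies on simaka_message_t and chunk_t without including anything. Either add the needed includes here or document the include-order dependency above the guard, e.g. `/* relies on the SIM_*/AKA_* lengths and types from sim_manager.h; include via that header only */`. Two copy-paste leftovers were moved along with the text: `nubmer` in the res_len description, and resync()'s `@param id permanent identity to request quintuplet for`, which should read `permanent identity to resynchronize for`.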
diff --git a/src/libcharon/sa/authenticators/eap/sim_hooks.h b/src/libcharon/sa/authenticators/eap/sim_hooks.h
new file mode 100644
index 000000000..0a675e4ab
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/sim_hooks.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_hooks sim_hooks
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_HOOKS_H_
+#define SIM_HOOKS_H_
+
+typedef struct sim_hooks_t sim_hooks_t;
+
+/**
+ * Additional hooks invoked during EAP-SIM/AKA message processing.
+ */
+struct sim_hooks_t {
+
+ /**
+ * SIM/AKA message parsing.
+ *
+ * As a SIM/AKA optionally contains encrypted attributes, the hook
+ * might get invoked twice, once before and once after decryption.
+ *
+ * @param message SIM/AKA message
+ * @param inbound TRUE for incoming messages, FALSE for outgoing
+ * @param decrypted TRUE if AT_ENCR_DATA has been decrypted
+ */
+ void (*message)(sim_hooks_t *this, simaka_message_t *message,
+ bool inbound, bool decrypted);
+
+ /**
+ * SIM/AKA encryption/authentication key hooks.
+ *
+ * @param k_encr derived SIM/AKA encryption key k_encr
+ * @param k_auth derived SIM/AKA authentication key k_auth
+ */
+ void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
+};
+
+#endif /** SIM_HOOKS_H_ @}*/
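Review bot: The keys() hook hands the derived k_encr/k_auth chunks to every registered hook but its documentation does not state the lifetime or ownership of that key material — whether a hook may keep a reference or must copy, and whether it is expected to clear any copy it takes. Since these are the live encryption and authentication keys of the EAP session, the contract should be explicit, e.g. `@param k_encr derived SIM/AKA encryption key k_encr, valid only during the call` if that is the intended rule (hedged: the implementation is not visible here). The same lifetime note applies to the message hook's decrypted message parameter.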
diff --git a/src/libcharon/sa/authenticators/eap/sim_manager.c b/src/libcharon/sa/authenticators/eap/sim_manager.c
index 157865083..9ccaf5298 100644
--- a/src/libcharon/sa/authenticators/eap/sim_manager.c
+++ b/src/libcharon/sa/authenticators/eap/sim_manager.c
@@ -17,6 +17,7 @@
#include <daemon.h>
#include <utils/linked_list.h>
+#include <threading/rwlock.h>
typedef struct private_sim_manager_t private_sim_manager_t;
@@ -44,65 +45,67 @@ struct private_sim_manager_t {
* list of added hooks
*/
linked_list_t *hooks;
+
+ /**
+ * lock for lists above
+ */
+ rwlock_t *lock;
};
-/**
- * Implementation of sim_manager_t.add_card
- */
-static void add_card(private_sim_manager_t *this, sim_card_t *card)
+METHOD(sim_manager_t, add_card, void,
+ private_sim_manager_t *this, sim_card_t *card)
{
+ this->lock->write_lock(this->lock);
this->cards->insert_last(this->cards, card);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.remove_card
- */
-static void remove_card(private_sim_manager_t *this, sim_card_t *card)
+METHOD(sim_manager_t, remove_card, void,
+ private_sim_manager_t *this, sim_card_t *card)
{
+ this->lock->write_lock(this->lock);
this->cards->remove(this->cards, card, NULL);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.card_get_triplet
- */
-static bool card_get_triplet(private_sim_manager_t *this, identification_t *id,
- char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
- char kc[SIM_KC_LEN])
+METHOD(sim_manager_t, card_get_triplet, bool,
+ private_sim_manager_t *this, identification_t *id,
+ char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
{
enumerator_t *enumerator;
sim_card_t *card;
int tried = 0;
+ this->lock->read_lock(this->lock);
enumerator = this->cards->create_enumerator(this->cards);
while (enumerator->enumerate(enumerator, &card))
{
if (card->get_triplet(card, id, rand, sres, kc))
{
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return TRUE;
}
tried++;
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
DBG1(DBG_IKE, "tried %d SIM cards, but none has triplets for '%Y'",
tried, id);
return FALSE;
}
-/**
- * Implementation of sim_manager_t.card_get_quintuplet
- */
-static status_t card_get_quintuplet(private_sim_manager_t *this,
- identification_t *id, char rand[AKA_RAND_LEN],
- char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
- char ik[AKA_IK_LEN], char res[AKA_RES_MAX],
- int *res_len)
+METHOD(sim_manager_t, card_get_quintuplet, status_t,
+ private_sim_manager_t *this, identification_t *id, char rand[AKA_RAND_LEN],
+ char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+ char res[AKA_RES_MAX], int *res_len)
{
enumerator_t *enumerator;
sim_card_t *card;
status_t status = NOT_FOUND;
int tried = 0;
+ this->lock->read_lock(this->lock);
enumerator = this->cards->create_enumerator(this->cards);
while (enumerator->enumerate(enumerator, &card))
{
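Review bot: The read lock added in card_get_triplet() is held while calling out to card->get_triplet(), so a card implementation that re-enters the manager through add_card()/remove_card() (which take the write lock) would deadlock, and the same holds for every enumerating method in the following hunks of this file, including message_hook() and key_hook() which call out to registered hooks. If re-entrant registration from a callback is not supported, say so where the lock is declared, e.g. `/* lock for lists above; held in read mode while card/provider/hook callbacks run, so callbacks must not add or remove entries */`. Holding the lock during callbacks does serialize removal against in-flight enumeration, which is presumably the intent, so only the documentation is missing. card_get_quintuplet()'s body continues past the end of this hunk.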
@@ -112,6 +115,7 @@ static status_t card_get_quintuplet(private_sim_manager_t *this,
case SUCCESS:
case INVALID_STATE:
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return status;
case NOT_SUPPORTED:
case FAILED:
@@ -121,62 +125,62 @@ static status_t card_get_quintuplet(private_sim_manager_t *this,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
DBG1(DBG_IKE, "tried %d SIM cards, but none has quintuplets for '%Y'",
tried, id);
return status;
}
-/**
- * Implementation of sim_manager_t.card_resync
- */
-static bool card_resync(private_sim_manager_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+METHOD(sim_manager_t, card_resync, bool,
+ private_sim_manager_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
{
enumerator_t *enumerator;
sim_card_t *card;
+ this->lock->read_lock(this->lock);
enumerator = this->cards->create_enumerator(this->cards);
while (enumerator->enumerate(enumerator, &card))
{
if (card->resync(card, id, rand, auts))
{
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return TRUE;
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return FALSE;
}
-/**
- * Implementation of sim_manager_t.card_set_pseudonym
- */
-static void card_set_pseudonym(private_sim_manager_t *this,
- identification_t *id, identification_t *pseudonym)
+METHOD(sim_manager_t, card_set_pseudonym, void,
+ private_sim_manager_t *this, identification_t *id,
+ identification_t *pseudonym)
{
enumerator_t *enumerator;
sim_card_t *card;
DBG1(DBG_IKE, "storing pseudonym '%Y' for '%Y'", pseudonym, id);
+ this->lock->read_lock(this->lock);
enumerator = this->cards->create_enumerator(this->cards);
while (enumerator->enumerate(enumerator, &card))
{
card->set_pseudonym(card, id, pseudonym);
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.card_get_pseudonym
- */
-static identification_t* card_get_pseudonym(private_sim_manager_t *this,
- identification_t *id)
+METHOD(sim_manager_t, card_get_pseudonym, identification_t*,
+ private_sim_manager_t *this, identification_t *id)
{
enumerator_t *enumerator;
sim_card_t *card;
identification_t *pseudonym = NULL;
+ this->lock->read_lock(this->lock);
enumerator = this->cards->create_enumerator(this->cards);
while (enumerator->enumerate(enumerator, &card))
{
@@ -189,15 +193,13 @@ static identification_t* card_get_pseudonym(private_sim_manager_t *this,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return pseudonym;
}
-/**
- * Implementation of sim_manager_t.card_set_reauth
- */
-static void card_set_reauth(private_sim_manager_t *this, identification_t *id,
- identification_t *next, char mk[HASH_SIZE_SHA1],
- u_int16_t counter)
+METHOD(sim_manager_t, card_set_reauth, void,
+ private_sim_manager_t *this, identification_t *id, identification_t *next,
+ char mk[HASH_SIZE_SHA1], u_int16_t counter)
{
enumerator_t *enumerator;
sim_card_t *card;
@@ -205,25 +207,25 @@ static void card_set_reauth(private_sim_manager_t *this, identification_t *id,
DBG1(DBG_IKE, "storing next reauthentication identity '%Y' for '%Y'",
next, id);
+ this->lock->read_lock(this->lock);
enumerator = this->cards->create_enumerator(this->cards);
while (enumerator->enumerate(enumerator, &card))
{
card->set_reauth(card, id, next, mk, counter);
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.card_get_reauth
- */
-static identification_t* card_get_reauth(private_sim_manager_t *this,
- identification_t *id, char mk[HASH_SIZE_SHA1],
- u_int16_t *counter)
+METHOD(sim_manager_t, card_get_reauth, identification_t*,
+ private_sim_manager_t *this, identification_t *id, char mk[HASH_SIZE_SHA1],
+ u_int16_t *counter)
{
enumerator_t *enumerator;
sim_card_t *card;
identification_t *reauth = NULL;
+ this->lock->read_lock(this->lock);
enumerator = this->cards->create_enumerator(this->cards);
while (enumerator->enumerate(enumerator, &card))
{
@@ -236,66 +238,63 @@ static identification_t* card_get_reauth(private_sim_manager_t *this,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return reauth;
}
-/**
- * Implementation of sim_manager_t.add_provider
- */
-static void add_provider(private_sim_manager_t *this, sim_provider_t *provider)
+METHOD(sim_manager_t, add_provider, void,
+ private_sim_manager_t *this, sim_provider_t *provider)
{
+ this->lock->write_lock(this->lock);
this->providers->insert_last(this->providers, provider);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.remove_provider
- */
-static void remove_provider(private_sim_manager_t *this,
- sim_provider_t *provider)
+METHOD(sim_manager_t, remove_provider, void,
+ private_sim_manager_t *this, sim_provider_t *provider)
{
+ this->lock->write_lock(this->lock);
this->providers->remove(this->providers, provider, NULL);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.provider_get_triplet
- */
-static bool provider_get_triplet(private_sim_manager_t *this,
- identification_t *id, char rand[SIM_RAND_LEN],
- char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
+METHOD(sim_manager_t, provider_get_triplet, bool,
+ private_sim_manager_t *this, identification_t *id, char rand[SIM_RAND_LEN],
+ char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
{
enumerator_t *enumerator;
sim_provider_t *provider;
int tried = 0;
+ this->lock->read_lock(this->lock);
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &provider))
{
if (provider->get_triplet(provider, id, rand, sres, kc))
{
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return TRUE;
}
tried++;
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
tried, id);
return FALSE;
}
-/**
- * Implementation of sim_manager_t.provider_get_quintuplet
- */
-static bool provider_get_quintuplet(private_sim_manager_t *this,
- identification_t *id, char rand[AKA_RAND_LEN],
- char xres[AKA_RES_MAX], int *xres_len,
- char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
- char autn[AKA_AUTN_LEN])
+METHOD(sim_manager_t, provider_get_quintuplet, bool,
+ private_sim_manager_t *this, identification_t *id, char rand[AKA_RAND_LEN],
+ char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN],
+ char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN])
{
enumerator_t *enumerator;
sim_provider_t *provider;
int tried = 0;
+ this->lock->read_lock(this->lock);
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &provider))
{
@@ -303,47 +302,48 @@ static bool provider_get_quintuplet(private_sim_manager_t *this,
ck, ik, autn))
{
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return TRUE;
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
DBG1(DBG_IKE, "tried %d SIM providers, but none had a quintuplet for '%Y'",
tried, id);
return FALSE;
}
-/**
- * Implementation of sim_manager_t.provider_resync
- */
-static bool provider_resync(private_sim_manager_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
+METHOD(sim_manager_t, provider_resync, bool,
+ private_sim_manager_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
{
enumerator_t *enumerator;
sim_provider_t *provider;
+ this->lock->read_lock(this->lock);
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &provider))
{
if (provider->resync(provider, id, rand, auts))
{
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return TRUE;
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return FALSE;
}
-/**
- * Implementation of sim_manager_t.provider_is_pseudonym
- */
-static identification_t* provider_is_pseudonym(private_sim_manager_t *this,
- identification_t *id)
+METHOD(sim_manager_t, provider_is_pseudonym, identification_t*,
+ private_sim_manager_t *this, identification_t *id)
{
enumerator_t *enumerator;
sim_provider_t *provider;
identification_t *permanent = NULL;
+ this->lock->read_lock(this->lock);
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &provider))
{
@@ -356,19 +356,18 @@ static identification_t* provider_is_pseudonym(private_sim_manager_t *this,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return permanent;
}
-/**
- * Implementation of sim_manager_t.provider_gen_pseudonym
- */
-static identification_t* provider_gen_pseudonym(private_sim_manager_t *this,
- identification_t *id)
+METHOD(sim_manager_t, provider_gen_pseudonym, identification_t*,
+ private_sim_manager_t *this, identification_t *id)
{
enumerator_t *enumerator;
sim_provider_t *provider;
identification_t *pseudonym = NULL;
+ this->lock->read_lock(this->lock);
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &provider))
{
@@ -380,20 +379,19 @@ static identification_t* provider_gen_pseudonym(private_sim_manager_t *this,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return pseudonym;
}
-/**
- * Implementation of sim_manager_t.provider_is_reauth
- */
-static identification_t* provider_is_reauth(private_sim_manager_t *this,
- identification_t *id, char mk[HASH_SIZE_SHA1],
- u_int16_t *counter)
+METHOD(sim_manager_t, provider_is_reauth, identification_t*,
+ private_sim_manager_t *this, identification_t *id, char mk[HASH_SIZE_SHA1],
+ u_int16_t *counter)
{
enumerator_t *enumerator;
sim_provider_t *provider;
identification_t *permanent = NULL;
+ this->lock->read_lock(this->lock);
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &provider))
{
@@ -406,19 +404,18 @@ static identification_t* provider_is_reauth(private_sim_manager_t *this,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return permanent;
}
-/**
- * Implementation of sim_manager_t.provider_gen_reauth
- */
-static identification_t* provider_gen_reauth(private_sim_manager_t *this,
- identification_t *id, char mk[HASH_SIZE_SHA1])
+METHOD(sim_manager_t, provider_gen_reauth, identification_t*,
+ private_sim_manager_t *this, identification_t *id, char mk[HASH_SIZE_SHA1])
{
enumerator_t *enumerator;
sim_provider_t *provider;
identification_t *reauth = NULL;
+ this->lock->read_lock(this->lock);
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &provider))
{
@@ -430,67 +427,66 @@ static identification_t* provider_gen_reauth(private_sim_manager_t *this,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return reauth;
}
-/**
- * Implementation of sim_manager_t.add_hooks
- */
-static void add_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
+METHOD(sim_manager_t, add_hooks, void,
+ private_sim_manager_t *this, sim_hooks_t *hooks)
{
+ this->lock->write_lock(this->lock);
this->hooks->insert_last(this->hooks, hooks);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.remove_hooks
- */
-static void remove_hooks(private_sim_manager_t *this, sim_hooks_t *hooks)
+METHOD(sim_manager_t, remove_hooks, void,
+ private_sim_manager_t *this, sim_hooks_t *hooks)
{
+ this->lock->write_lock(this->lock);
this->hooks->remove(this->hooks, hooks, NULL);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.message_hook
- */
-static void message_hook(private_sim_manager_t *this,
- simaka_message_t *message, bool inbound, bool decrypted)
+METHOD(sim_manager_t, message_hook, void,
+ private_sim_manager_t *this, simaka_message_t *message,
+ bool inbound, bool decrypted)
{
enumerator_t *enumerator;
sim_hooks_t *hooks;
+ this->lock->read_lock(this->lock);
enumerator = this->hooks->create_enumerator(this->hooks);
while (enumerator->enumerate(enumerator, &hooks))
{
hooks->message(hooks, message, inbound, decrypted);
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.key_hook
- */
-static void key_hook(private_sim_manager_t *this,
- chunk_t k_encr, chunk_t k_auth)
+METHOD(sim_manager_t, key_hook, void,
+ private_sim_manager_t *this, chunk_t k_encr, chunk_t k_auth)
{
enumerator_t *enumerator;
sim_hooks_t *hooks;
+ this->lock->read_lock(this->lock);
enumerator = this->hooks->create_enumerator(this->hooks);
while (enumerator->enumerate(enumerator, &hooks))
{
hooks->keys(hooks, k_encr, k_auth);
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
-/**
- * Implementation of sim_manager_t.destroy.
- */
-static void destroy(private_sim_manager_t *this)
+METHOD(sim_manager_t, destroy, void,
+ private_sim_manager_t *this)
{
this->cards->destroy(this->cards);
this->providers->destroy(this->providers);
this->hooks->destroy(this->hooks);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -499,35 +495,39 @@ static void destroy(private_sim_manager_t *this)
*/
sim_manager_t *sim_manager_create()
{
- private_sim_manager_t *this = malloc_thing(private_sim_manager_t);
-
- this->public.add_card = (void(*)(sim_manager_t*, sim_card_t *card))add_card;
- this->public.remove_card = (void(*)(sim_manager_t*, sim_card_t *card))remove_card;
- this->public.card_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))card_get_triplet;
- this->public.card_get_quintuplet = (status_t(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len))card_get_quintuplet;
- this->public.card_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))card_resync;
- this->public.card_set_pseudonym = (void(*)(sim_manager_t*, identification_t *id, identification_t *pseudonym))card_set_pseudonym;
- this->public.card_get_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))card_get_pseudonym;
- this->public.card_set_reauth = (void(*)(sim_manager_t*, identification_t *id, identification_t *next, char mk[HASH_SIZE_SHA1], u_int16_t counter))card_set_reauth;
- this->public.card_get_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))card_get_reauth;
- this->public.add_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))add_provider;
- this->public.remove_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))remove_provider;
- this->public.provider_get_triplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]))provider_get_triplet;
- this->public.provider_get_quintuplet = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]))provider_get_quintuplet;
- this->public.provider_resync = (bool(*)(sim_manager_t*, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]))provider_resync;
- this->public.provider_is_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_is_pseudonym;
- this->public.provider_gen_pseudonym = (identification_t*(*)(sim_manager_t*, identification_t *id))provider_gen_pseudonym;
- this->public.provider_is_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1], u_int16_t *counter))provider_is_reauth;
- this->public.provider_gen_reauth = (identification_t*(*)(sim_manager_t*, identification_t *id, char mk[HASH_SIZE_SHA1]))provider_gen_reauth;
- this->public.add_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))add_hooks;
- this->public.remove_hooks = (void(*)(sim_manager_t*, sim_hooks_t *hooks))remove_hooks;
- this->public.message_hook = (void(*)(sim_manager_t*, simaka_message_t *message, bool inbound, bool decrypted))message_hook;
- this->public.key_hook = (void(*)(sim_manager_t*, chunk_t k_encr, chunk_t k_auth))key_hook;
- this->public.destroy = (void(*)(sim_manager_t*))destroy;
-
- this->cards = linked_list_create();
- this->providers = linked_list_create();
- this->hooks = linked_list_create();
+ private_sim_manager_t *this;
+
+ INIT(this,
+ .public = {
+ .add_card = _add_card,
+ .remove_card = _remove_card,
+ .card_get_triplet = _card_get_triplet,
+ .card_get_quintuplet = _card_get_quintuplet,
+ .card_resync = _card_resync,
+ .card_set_pseudonym = _card_set_pseudonym,
+ .card_get_pseudonym = _card_get_pseudonym,
+ .card_set_reauth = _card_set_reauth,
+ .card_get_reauth = _card_get_reauth,
+ .add_provider = _add_provider,
+ .remove_provider = _remove_provider,
+ .provider_get_triplet = _provider_get_triplet,
+ .provider_get_quintuplet = _provider_get_quintuplet,
+ .provider_resync = _provider_resync,
+ .provider_is_pseudonym = _provider_is_pseudonym,
+ .provider_gen_pseudonym = _provider_gen_pseudonym,
+ .provider_is_reauth = _provider_is_reauth,
+ .provider_gen_reauth = _provider_gen_reauth,
+ .add_hooks = _add_hooks,
+ .remove_hooks = _remove_hooks,
+ .message_hook = _message_hook,
+ .key_hook = _key_hook,
+ .destroy = _destroy,
+ },
+ .cards = linked_list_create(),
+ .providers = linked_list_create(),
+ .hooks = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ );
return &this->public;
}
diff --git a/src/libcharon/sa/authenticators/eap/sim_manager.h b/src/libcharon/sa/authenticators/eap/sim_manager.h
index 9aa661ac8..db4a65011 100644
--- a/src/libcharon/sa/authenticators/eap/sim_manager.h
+++ b/src/libcharon/sa/authenticators/eap/sim_manager.h
@@ -27,9 +27,6 @@
#include <sa/authenticators/eap/eap_method.h>
typedef struct sim_manager_t sim_manager_t;
-typedef struct sim_card_t sim_card_t;
-typedef struct sim_provider_t sim_provider_t;
-typedef struct sim_hooks_t sim_hooks_t;
/** implemented in libsimaka, but we need it for the message hook */
typedef struct simaka_message_t simaka_message_t;
@@ -45,229 +42,9 @@ typedef struct simaka_message_t simaka_message_t;
#define AKA_AUTN_LEN 16
#define AKA_AUTS_LEN 14
-/**
- * Interface for a (U)SIM card (used as EAP client).
- *
- * The SIM card completes triplets/quintuplets requested in a challenge
- * received from the server.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
- */
-struct sim_card_t {
-
- /**
- * Calculate SRES/KC from a RAND for SIM authentication.
- *
- * @param id permanent identity to get a triplet for
- * @param rand RAND input buffer, fixed size 16 bytes
- * @param sres SRES output buffer, fixed size 4 byte
- * @param kc KC output buffer, fixed size 8 bytes
- * @return TRUE if SRES/KC calculated, FALSE on error/wrong identity
- */
- bool (*get_triplet)(sim_card_t *this, identification_t *id,
- char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
- char kc[SIM_KC_LEN]);
-
- /**
- * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
- *
- * If the received sequence number (in autn) is out of sync, INVALID_STATE
- * is returned.
- * The RES value is the only one with variable length. Pass a buffer
- * of at least AKA_RES_MAX, the actual number of bytes is written to the
- * res_len value. While the standard would allow any bit length between
- * 32 and 128 bits, we support only full bytes for now.
- *
- * @param id permanent identity to request quintuplet for
- * @param rand random value rand
- * @param autn authentication token autn
- * @param ck buffer receiving encryption key ck
- * @param ik buffer receiving integrity key ik
- * @param res buffer receiving authentication result res
- * @param res_len nubmer of bytes written to res buffer
- * @return SUCCESS, FAILED, or INVALID_STATE if out of sync
- */
- status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
- char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
- char res[AKA_RES_MAX], int *res_len);
-
- /**
- * Calculate AUTS from RAND for AKA resynchronization.
- *
- * @param id permanent identity to request quintuplet for
- * @param rand random value rand
- * @param auts resynchronization parameter auts
- * @return TRUE if parameter generated successfully
- */
- bool (*resync)(sim_card_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
- /**
- * Set the pseudonym to use for next authentication.
- *
- * @param id permanent identity of the peer
- * @param pseudonym pseudonym identity received from the server
- */
- void (*set_pseudonym)(sim_card_t *this, identification_t *id,
- identification_t *pseudonym);
-
- /**
- * Get the pseudonym previously stored via set_pseudonym().
- *
- * @param id permanent identity of the peer
- * @return associated pseudonym identity, NULL if none stored
- */
- identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
-
- /**
- * Store parameters to use for the next fast reauthentication.
- *
- * @param id permanent identity of the peer
- * @param next next fast reauthentication identity to use
- * @param mk master key MK to store for reauthentication
- * @param counter counter value to store, host order
- */
- void (*set_reauth)(sim_card_t *this, identification_t *id,
- identification_t *next, char mk[HASH_SIZE_SHA1],
- u_int16_t counter);
-
- /**
- * Retrieve parameters for fast reauthentication stored via set_reauth().
- *
- * @param id permanent identity of the peer
- * @param mk buffer receiving master key MK
- * @param counter pointer receiving counter value, in host order
- * @return fast reauthentication identity, NULL if not found
- */
- identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
- char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-};
-
-/**
- * Interface for a triplet/quintuplet provider (used as EAP server).
- *
- * A SIM provider hands out triplets for SIM authentication and quintuplets
- * for AKA authentication. Multiple SIM provider instances can serve as
- * authentication backend to authenticate clients using SIM/AKA.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false().
- */
-struct sim_provider_t {
-
- /**
- * Create a challenge for SIM authentication.
- *
- * @param id permanent identity of peer to gen triplet for
- * @param rand RAND output buffer, fixed size 16 bytes
- * @param sres SRES output buffer, fixed size 4 byte
- * @param kc KC output buffer, fixed size 8 bytes
- * @return TRUE if triplet received, FALSE otherwise
- */
- bool (*get_triplet)(sim_provider_t *this, identification_t *id,
- char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
- char kc[SIM_KC_LEN]);
-
- /**
- * Create a challenge for AKA authentication.
- *
- * The XRES value is the only one with variable length. Pass a buffer
- * of at least AKA_RES_MAX, the actual number of bytes is written to the
- * xres_len value. While the standard would allow any bit length between
- * 32 and 128 bits, we support only full bytes for now.
- *
- * @param id permanent identity of peer to create challenge for
- * @param rand buffer receiving random value rand
- * @param xres buffer receiving expected authentication result xres
- * @param xres_len nubmer of bytes written to xres buffer
- * @param ck buffer receiving encryption key ck
- * @param ik buffer receiving integrity key ik
- * @param autn authentication token autn
- * @return TRUE if quintuplet generated successfully
- */
- bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
- char rand[AKA_RAND_LEN],
- char xres[AKA_RES_MAX], int *xres_len,
- char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
- char autn[AKA_AUTN_LEN]);
-
- /**
- * Process AKA resynchroniusation request of a peer.
- *
- * @param id permanent identity of peer requesting resynchronisation
- * @param rand random value rand
- * @param auts synchronization parameter auts
- * @return TRUE if resynchronized successfully
- */
- bool (*resync)(sim_provider_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
- /**
- * Check if peer uses a pseudonym, get permanent identity.
- *
- * @param id pseudonym identity candidate
- * @return permanent identity, NULL if id not a pseudonym
- */
- identification_t* (*is_pseudonym)(sim_provider_t *this,
- identification_t *id);
-
- /**
- * Generate a pseudonym identitiy for a given peer identity.
- *
- * @param id permanent identity to generate a pseudonym for
- * @return generated pseudonym, NULL to not use a pseudonym identity
- */
- identification_t* (*gen_pseudonym)(sim_provider_t *this,
- identification_t *id);
-
- /**
- * Check if peer uses reauthentication, retrieve reauth parameters.
- *
- * @param id reauthentication identity (candidate)
- * @param mk buffer receiving master key MK
- * @param counter pointer receiving current counter value, host order
- * @return permanent identity, NULL if id not a reauth identity
- */
- identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
- char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-
- /**
- * Generate a fast reauthentication identity, associated to a master key.
- *
- * @param id permanent peer identity
- * @param mk master key to store along with generated identity
- * @return fast reauthentication identity, NULL to not use reauth
- */
- identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
- char mk[HASH_SIZE_SHA1]);
-};
-
-/**
- * Additional hooks invoked during EAP-SIM/AKA message processing.
- */
-struct sim_hooks_t {
-
- /**
- * SIM/AKA message parsing.
- *
- * As a SIM/AKA optionally contains encrypted attributes, the hook
- * might get invoked twice, once before and once after decryption.
- *
- * @param message SIM/AKA message
- * @param inbound TRUE for incoming messages, FALSE for outgoing
- * @param decrypted TRUE if AT_ENCR_DATA has been decrypted
- */
- void (*message)(sim_hooks_t *this, simaka_message_t *message,
- bool inbound, bool decrypted);
-
- /**
- * SIM/AKA encryption/authentication key hooks.
- *
- * @param k_encr derived SIM/AKA encryption key k_encr
- * @param k_auth derived SIM/AKA authentication key k_auth
- */
- void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
-};
+#include <sa/authenticators/eap/sim_card.h>
+#include <sa/authenticators/eap/sim_provider.h>
+#include <sa/authenticators/eap/sim_hooks.h>
/**
* The SIM manager handles multiple (U)SIM cards/providers and hooks.
diff --git a/src/libcharon/sa/authenticators/eap/sim_provider.h b/src/libcharon/sa/authenticators/eap/sim_provider.h
new file mode 100644
index 000000000..191e094db
--- /dev/null
+++ b/src/libcharon/sa/authenticators/eap/sim_provider.h
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_provider sim_provider
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_PROVIDER_H_
+#define SIM_PROVIDER_H_
+
+typedef struct sim_provider_t sim_provider_t;
+
+/**
+ * Interface for a triplet/quintuplet provider (used as EAP server).
+ *
+ * A SIM provider hands out triplets for SIM authentication and quintuplets
+ * for AKA authentication. Multiple SIM provider instances can serve as
+ * authentication backend to authenticate clients using SIM/AKA.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false().
+ */
+struct sim_provider_t {
+
+ /**
+ * Create a challenge for SIM authentication.
+ *
+ * @param id permanent identity of peer to gen triplet for
+ * @param rand RAND output buffer, fixed size 16 bytes
+ * @param sres SRES output buffer, fixed size 4 byte
+ * @param kc KC output buffer, fixed size 8 bytes
+ * @return TRUE if triplet received, FALSE otherwise
+ */
+ bool (*get_triplet)(sim_provider_t *this, identification_t *id,
+ char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+ char kc[SIM_KC_LEN]);
+
+ /**
+ * Create a challenge for AKA authentication.
+ *
+ * The XRES value is the only one with variable length. Pass a buffer
+ * of at least AKA_RES_MAX, the actual number of bytes is written to the
+ * xres_len value. While the standard would allow any bit length between
+ * 32 and 128 bits, we support only full bytes for now.
+ *
+ * @param id permanent identity of peer to create challenge for
+ * @param rand buffer receiving random value rand
+ * @param xres buffer receiving expected authentication result xres
+ * @param xres_len nubmer of bytes written to xres buffer
+ * @param ck buffer receiving encryption key ck
+ * @param ik buffer receiving integrity key ik
+ * @param autn authentication token autn
+ * @return TRUE if quintuplet generated successfully
+ */
+ bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN],
+ char xres[AKA_RES_MAX], int *xres_len,
+ char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+ char autn[AKA_AUTN_LEN]);
+
+ /**
+ * Process AKA resynchroniusation request of a peer.
+ *
+ * @param id permanent identity of peer requesting resynchronisation
+ * @param rand random value rand
+ * @param auts synchronization parameter auts
+ * @return TRUE if resynchronized successfully
+ */
+ bool (*resync)(sim_provider_t *this, identification_t *id,
+ char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+ /**
+ * Check if peer uses a pseudonym, get permanent identity.
+ *
+ * @param id pseudonym identity candidate
+ * @return permanent identity, NULL if id not a pseudonym
+ */
+ identification_t* (*is_pseudonym)(sim_provider_t *this,
+ identification_t *id);
+
+ /**
+ * Generate a pseudonym identitiy for a given peer identity.
+ *
+ * @param id permanent identity to generate a pseudonym for
+ * @return generated pseudonym, NULL to not use a pseudonym identity
+ */
+ identification_t* (*gen_pseudonym)(sim_provider_t *this,
+ identification_t *id);
+
+ /**
+ * Check if peer uses reauthentication, retrieve reauth parameters.
+ *
+ * @param id reauthentication identity (candidate)
+ * @param mk buffer receiving master key MK
+ * @param counter pointer receiving current counter value, host order
+ * @return permanent identity, NULL if id not a reauth identity
+ */
+ identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
+ char mk[HASH_SIZE_SHA1], u_int16_t *counter);
+
+ /**
+ * Generate a fast reauthentication identity, associated to a master key.
+ *
+ * @param id permanent peer identity
+ * @param mk master key to store along with generated identity
+ * @return fast reauthentication identity, NULL to not use reauth
+ */
+ identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
+ char mk[HASH_SIZE_SHA1]);
+};
+
+#endif /** SIM_CARD_H_ @}*/
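Review bot: The closing guard comment at the last line names `SIM_CARD_H_` while the guard opened at the top of this file is `SIM_PROVIDER_H_`; it should read `#endif /** SIM_PROVIDER_H_ @}*/`. The new header also uses `bool`, `identification_t`, `u_int16_t`, `HASH_SIZE_SHA1` and the `SIM_*_LEN`/`AKA_*_LEN` macros without including anything, so it only compiles when pulled in after those definitions, which is what sim_manager.h does by including it below its length macros; that ordering dependency deserves a comment in this header (e.g. `/* included by sim_manager.h after the SIM/AKA length macros; not self-contained */`) or the macros should move into a shared header. The carried-over typos "nubmer", "resynchroniusation" and "identitiy" in the doc comments could be fixed while the text is being moved.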
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index dea02755d..d442acb00 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -183,16 +183,18 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
if (this->method)
{
action = "initiating";
+ type = this->method->get_type(this->method, &vendor);
if (this->method->initiate(this->method, &out) == NEED_MORE)
{
if (vendor)
{
- DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method",
- type, vendor);
+ DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method (id 0x%02X)",
+ type, vendor, out->get_identifier(out));
}
else
{
- DBG1(DBG_IKE, "initiating %N method", eap_type_names, type);
+ DBG1(DBG_IKE, "initiating %N method (id 0x%02X)", eap_type_names,
+ type, out->get_identifier(out));
}
return out;
}
@@ -371,13 +373,13 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
{
if (vendor)
{
- DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
- type, vendor);
+ DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d ",
+ "(id 0x%02X)", type, vendor, in->get_identifier(in));
}
else
{
- DBG1(DBG_IKE, "server requested %N authentication",
- eap_type_names, type);
+ DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)",
+ eap_type_names, type, in->get_identifier(in));
}
this->method = load_method(this, type, vendor, EAP_PEER);
if (!this->method)
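Review bot: The vendor-specific DBG1 in this hunk is broken: a comma separates the two string literals, so `"(id 0x%02X)"` becomes the first vararg and the format string only contains `%d-%d`, which then consumes the string pointer and `type`, while `vendor` and the identifier are never printed (and a pointer formatted via `%d` is undefined behaviour). Removing the comma lets the literals concatenate as intended: `DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d " "(id 0x%02X)", type, vendor, in->get_identifier(in));`. The non-vendor branch below and the two messages in the earlier hunk of this file are formed correctly; client_process_eap continues outside the hunk.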
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 495929965..dc42ba787 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -563,6 +563,7 @@ METHOD(child_sa_t, install, status_t,
linked_list_t *other_ts)
{
u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
+ u_int16_t esn = NO_EXT_SEQ_NUMBERS;
traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
time_t now;
lifetime_cfg_t *lifetime;
@@ -608,6 +609,8 @@ METHOD(child_sa_t, install, status_t,
&enc_alg, &size);
this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
&int_alg, &size);
+ this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
+ &esn, NULL);
lifetime = this->config->get_lifetime(this->config);
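Review bot: The new `get_algorithm()` call for EXTENDED_SEQUENCE_NUMBERS passes `NULL` as the key-size out-parameter, while the two calls directly above pass `&size`; this is only safe if `proposal_t.get_algorithm` checks the pointer before writing to it. proposal.c is part of this commit so it may well do so, but if it does not, passing `&size` here as well is the safe and consistent form. The return value is not checked in any of the three calls, so `esn` keeps its `NO_EXT_SEQ_NUMBERS` default when the transform is absent, which is the intended fallback and worth stating in a short comment next to the declaration in the first hunk. `install` continues outside this hunk.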
@@ -647,7 +650,7 @@ METHOD(child_sa_t, install, status_t,
src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
inbound ? this->mark_in : this->mark_out, tfc,
lifetime, enc_alg, encr, int_alg, integ, this->mode,
- this->ipcomp, cpi, this->encap, update, src_ts, dst_ts);
+ this->ipcomp, cpi, this->encap, esn, update, src_ts, dst_ts);
free(lifetime);
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 9b6f9d06d..2fc186fe8 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1573,7 +1573,7 @@ METHOD(ike_sa_t, reestablish, status_t,
#endif /* ME */
))
{
- DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
+ DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
return FAILED;
}
@@ -1896,7 +1896,7 @@ METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
return this->task_manager->create_task_enumerator(this->task_manager, queue);
}
-METHOD(ike_sa_t, inherit, status_t,
+METHOD(ike_sa_t, inherit, void,
private_ike_sa_t *this, ike_sa_t *other_public)
{
private_ike_sa_t *other = (private_ike_sa_t*)other_public;
@@ -1977,8 +1977,6 @@ METHOD(ike_sa_t, inherit, status_t,
lib->scheduler->schedule_job(lib->scheduler,
(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
}
- /* we have to initate here, there may be new tasks to handle */
- return this->task_manager->initiate(this->task_manager);
}
METHOD(ike_sa_t, destroy, void,
@@ -1989,6 +1987,7 @@ METHOD(ike_sa_t, destroy, void,
charon->bus->set_sa(charon->bus, &this->public);
set_state(this, IKE_DESTROYING);
+ this->task_manager->destroy(this->task_manager);
/* remove attributes first, as we pass the IKE_SA to the handler */
while (this->attributes->remove_last(this->attributes,
@@ -2006,7 +2005,6 @@ METHOD(ike_sa_t, destroy, void,
/* unset SA after here to avoid usage by the listeners */
charon->bus->set_sa(charon->bus, NULL);
- this->task_manager->destroy(this->task_manager);
this->keymat->destroy(this->keymat);
if (this->my_virtual_ip)
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 988100bcc..69a74d8b7 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -912,9 +912,8 @@ struct ike_sa_t {
* As this call may initiate inherited tasks, a status is returned.
*
* @param other other task to inherit from
- * @return DESTROY_ME if initiation of inherited task failed
*/
- status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
+ void (*inherit) (ike_sa_t *this, ike_sa_t *other);
/**
* Reset the IKE_SA, useable when initiating fails
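Review bot: The first sentence of the `inherit` doc comment is now stale: it still says "As this call may initiate inherited tasks, a status is returned", but the commit changes the return type to `void` and the ike_sa.c hunk removes the `task_manager->initiate()` call from `inherit`. Replace it with something like `* Inherited tasks are not initiated here; the caller is responsible for driving the task manager afterwards.` so readers do not look for a status that no longer exists.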
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index 9467d1586..f07d2e384 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -161,12 +161,12 @@ static void flush(private_task_manager_t *this)
{
this->queued_tasks->destroy_offset(this->queued_tasks,
offsetof(task_t, destroy));
+ this->queued_tasks = linked_list_create();
this->passive_tasks->destroy_offset(this->passive_tasks,
offsetof(task_t, destroy));
+ this->passive_tasks = linked_list_create();
this->active_tasks->destroy_offset(this->active_tasks,
offsetof(task_t, destroy));
- this->queued_tasks = linked_list_create();
- this->passive_tasks = linked_list_create();
this->active_tasks = linked_list_create();
}
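Review bot: The reordering in `flush()` recreates each list immediately after the matching `destroy_offset()` instead of after all three; nothing in the hunk says why, so a later tidy-up could easily fold the three `linked_list_create()` calls back together. If the motivation is that a task's destroy() may touch one of the other lists while they are being torn down (which is what the new ordering suggests), a one-line comment such as `/* recreate each list before destroying the next, a task's destroy() may access them */` would make the ordering deliberate.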
@@ -545,7 +545,7 @@ static status_t process_response(private_task_manager_t *this,
/**
* handle exchange collisions
*/
-static void handle_collisions(private_task_manager_t *this, task_t *task)
+static bool handle_collisions(private_task_manager_t *this, task_t *task)
{
iterator_t *iterator;
task_t *active;
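Review bot: `handle_collisions()` now returns a `bool`, but the doc comment above the signature still only says "handle exchange collisions" and does not state what the return value means or that ownership of `task` is no longer taken here. The later hunks show the contract: TRUE when the task has been handed to an active task's collide() and FALSE when the caller still owns it and must destroy it, so document it as `@return TRUE if task was handed over to an active task, FALSE if the caller still owns it`. The function body continues outside this hunk.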
@@ -584,12 +584,11 @@ static void handle_collisions(private_task_manager_t *this, task_t *task)
continue;
}
iterator->destroy(iterator);
- return;
+ return TRUE;
}
iterator->destroy(iterator);
}
- /* destroy task if not registered in any active task */
- task->destroy(task);
+ return FALSE;
}
/**
@@ -623,9 +622,17 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
case SUCCESS:
/* task completed, remove it */
iterator->remove(iterator);
- handle_collisions(this, task);
+ if (!handle_collisions(this, task))
+ {
+ task->destroy(task);
+ }
+ break;
case NEED_MORE:
/* processed, but task needs another exchange */
+ if (handle_collisions(this, task))
+ {
+ iterator->remove(iterator);
+ }
break;
case FAILED:
default:
diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c
index 45e97e4cd..e6834a93c 100644
--- a/src/libcharon/sa/tasks/child_delete.c
+++ b/src/libcharon/sa/tasks/child_delete.c
@@ -163,6 +163,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
protocol, spi);
continue;
}
+ /* fall through */
case CHILD_INSTALLED:
if (!this->initiator)
{ /* reestablish installed children if required */
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index e74ca4eef..b39a5fc67 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -382,7 +382,7 @@ static void collide(private_child_rekey_t *this, task_t *other)
if (other->get_type(other) == CHILD_REKEY)
{
private_child_rekey_t *rekey = (private_child_rekey_t*)other;
- if (rekey == NULL || rekey->child_sa != this->child_sa)
+ if (rekey->child_sa != this->child_sa)
{
/* not the same child => no collision */
other->destroy(other);
@@ -399,7 +399,7 @@ static void collide(private_child_rekey_t *this, task_t *other)
other->destroy(other);
return;
}
- if (del == NULL || del->get_child(del) != this->child_sa)
+ if (del->get_child(del) != this->child_sa)
{
/* not the same child => no collision */
other->destroy(other);
@@ -412,6 +412,8 @@ static void collide(private_child_rekey_t *this, task_t *other)
other->destroy(other);
return;
}
+ DBG1(DBG_IKE, "detected %N collision with %N", task_type_names, CHILD_REKEY,
+ task_type_names, other->get_type(other));
DESTROY_IF(this->collision);
this->collision = other;
}
diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c
index c92b5bca5..a61663c48 100644
--- a/src/libcharon/sa/tasks/ike_config.c
+++ b/src/libcharon/sa/tasks/ike_config.c
@@ -317,7 +317,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
id = this->ike_sa->get_other_eap_id(this->ike_sa);
config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (config && this->virtual_ip)
+ if (this->virtual_ip)
{
DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
if (config->get_pool(config))
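Review bot: Dropping the `config &&` guard leaves `config->get_pool(config)` on the last line of this hunk dereferencing `config` without a check, so this is only safe if `get_peer_cfg()` can never return NULL once `build_r` runs. That is plausible for a responder that has completed authentication, but the hunk does not show it; either keep the guard or add a comment stating the invariant, e.g. `/* peer_cfg is set once the responder reaches the config task */`. `build_r` continues outside this hunk.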
diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c
index 44c55036e..c055dabc1 100644
--- a/src/libcharon/sa/tasks/ike_rekey.c
+++ b/src/libcharon/sa/tasks/ike_rekey.c
@@ -68,9 +68,45 @@ struct private_ike_rekey_t {
};
/**
- * Implementation of task_t.build for initiator, after rekeying
+ * Establish the new replacement IKE_SA
*/
-static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
+static void establish_new(private_ike_rekey_t *this)
+{
+ if (this->new_sa)
+ {
+ this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+ DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
+ this->new_sa->get_name(this->new_sa),
+ this->new_sa->get_unique_id(this->new_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
+ this->new_sa->inherit(this->new_sa, this->ike_sa);
+ charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+ this->new_sa = NULL;
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
+}
+
+METHOD(task_t, process_r_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ establish_new(this);
+ return this->ike_delete->task.process(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, build_r_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, build_i_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
{
/* update exchange type to INFORMATIONAL for the delete */
message->set_exchange_type(message, INFORMATIONAL);
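Review bot: The doc comment on `establish_new()` says only "Establish the new replacement IKE_SA" and does not record the ownership transfer the body performs: after inherit() the new SA is checked in to the manager, `this->new_sa` is cleared and the bus SA is reset, and the whole function is a no-op when `new_sa` is NULL. Since it is also invoked on the colliding task (`establish_new(other)` in a later hunk) and from `process_r_delete` before the delete is processed, callers need that contract; a comment along the lines of `/* hands this->new_sa over to the manager (checkin) and clears it; no-op if no new SA exists */` would cover it. The body of `build_i_delete` continues outside this hunk.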
@@ -78,18 +114,14 @@ static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
return this->ike_delete->task.build(&this->ike_delete->task, message);
}
-/**
- * Implementation of task_t.process for initiator, after rekeying
- */
-static status_t process_i_delete(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, process_i_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
{
return this->ike_delete->task.process(&this->ike_delete->task, message);
}
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, build_i, status_t,
+ private_ike_rekey_t *this, message_t *message)
{
peer_cfg_t *peer_cfg;
host_t *other_host;
@@ -112,10 +144,8 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
return NEED_MORE;
}
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, process_r, status_t,
+ private_ike_rekey_t *this, message_t *message)
{
peer_cfg_t *peer_cfg;
iterator_t *iterator;
@@ -156,10 +186,8 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message)
return NEED_MORE;
}
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, build_r, status_t,
+ private_ike_rekey_t *this, message_t *message)
{
if (this->new_sa == NULL)
{
@@ -174,22 +202,17 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
}
this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
- this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
- this->new_sa->get_name(this->new_sa),
- this->new_sa->get_unique_id(this->new_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
-
- return SUCCESS;
+
+ /* rekeying successful, delete the IKE_SA using a subtask */
+ this->ike_delete = ike_delete_create(this->ike_sa, FALSE);
+ this->public.task.build = _build_r_delete;
+ this->public.task.process = _process_r_delete;
+
+ return NEED_MORE;
}
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, process_i, status_t,
+ private_ike_rekey_t *this, message_t *message)
{
if (message->get_notify(message, NO_ADDITIONAL_SAS))
{
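Review bot: The comment added in `build_r`, `/* rekeying successful, delete the IKE_SA using a subtask */`, is copied from the initiator path but describes the wrong side: `ike_delete_create(this->ike_sa, FALSE)` sets up a responder subtask, so this task waits for the initiator's DELETE and only `process_r_delete` then establishes the new SA. A more accurate comment is `/* rekeying successful, wait for the initiator to delete this IKE_SA */`. It is worth stating there as well that until that DELETE arrives `new_sa` stays owned by this task, since the migrate and destroy hunks below now drop it with `DESTROY_IF(this->new_sa)` instead of checking it in.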
@@ -228,15 +251,6 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
break;
}
- this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
- this->new_sa->get_name(this->new_sa),
- this->new_sa->get_unique_id(this->new_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
-
/* check for collisions */
if (this->collision &&
this->collision->get_type(this->collision) == IKE_REKEY)
@@ -275,21 +289,20 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
host = this->ike_sa->get_other_host(this->ike_sa);
this->new_sa->set_other_host(this->new_sa, host->clone(host));
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ this->new_sa->set_state(this->new_sa, IKE_REKEYING);
if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
{
- charon->ike_sa_manager->checkin_and_destroy(
- charon->ike_sa_manager, this->new_sa);
+ this->new_sa->destroy(this->new_sa);
}
else
{
charon->ike_sa_manager->checkin(
charon->ike_sa_manager, this->new_sa);
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
}
- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- /* inherit to other->new_sa in destroy() */
- this->new_sa = other->new_sa;
- other->new_sa = NULL;
+ this->new_sa = NULL;
+ establish_new(other);
return SUCCESS;
}
}
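Review bot: In the collision branch the `charon->bus->set_sa(charon->bus, this->ike_sa)` restore was moved into the `else` branch only, but the `DESTROY_ME` branch now calls `this->new_sa->destroy()` directly, and the ike_sa.c hunk in this commit shows that destroy() sets the bus SA to the destroyed SA and then to NULL. After that branch the thread's bus SA is only restored if `establish_new(other)` finds a new SA to check in, so logging for the rest of this exchange may run without an active SA. Keeping the restore after the if/else, as the removed lines had it, avoids that; the same `DESTROY_IF(this->new_sa)` replacement in the migrate and destroy hunks below also drops the restore that followed `checkin_and_destroy()`.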
@@ -297,32 +310,33 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
charon->bus->set_sa(charon->bus, this->ike_sa);
}
+ establish_new(this);
+
/* rekeying successful, delete the IKE_SA using a subtask */
this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
+ this->public.task.build = _build_i_delete;
+ this->public.task.process = _process_i_delete;
return NEED_MORE;
}
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_rekey_t *this)
+METHOD(task_t, get_type, task_type_t,
+ private_ike_rekey_t *this)
{
return IKE_REKEY;
}
-static void collide(private_ike_rekey_t* this, task_t *other)
+METHOD(ike_rekey_t, collide, void,
+ private_ike_rekey_t* this, task_t *other)
{
+ DBG1(DBG_IKE, "detected %N collision with %N", task_type_names, IKE_REKEY,
+ task_type_names, other->get_type(other));
DESTROY_IF(this->collision);
this->collision = other;
}
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
+METHOD(task_t, migrate, void,
+ private_ike_rekey_t *this, ike_sa_t *ike_sa)
{
if (this->ike_init)
{
@@ -332,13 +346,7 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
{
this->ike_delete->task.destroy(&this->ike_delete->task);
}
- if (this->new_sa)
- {
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
- this->new_sa);
- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
+ DESTROY_IF(this->new_sa);
DESTROY_IF(this->collision);
this->collision = NULL;
@@ -348,28 +356,9 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
this->ike_delete = NULL;
}
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_rekey_t *this)
+METHOD(task_t, destroy, void,
+ private_ike_rekey_t *this)
{
- if (this->new_sa)
- {
- if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED &&
- this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME)
- {
- /* invoke hook if rekeying was successful */
- charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
- }
- else
- {
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
- this->new_sa);
- }
- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
if (this->ike_init)
{
this->ike_init->task.destroy(&this->ike_init->task);
@@ -378,6 +367,7 @@ static void destroy(private_ike_rekey_t *this)
{
this->ike_delete->task.destroy(&this->ike_delete->task);
}
+ DESTROY_IF(this->new_sa);
DESTROY_IF(this->collision);
free(this);
}
@@ -387,29 +377,27 @@ static void destroy(private_ike_rekey_t *this)
*/
ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
{
- private_ike_rekey_t *this = malloc_thing(private_ike_rekey_t);
-
- this->public.collide = (void(*)(ike_rekey_t*,task_t*))collide;
- this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
- this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
- this->public.task.destroy = (void(*)(task_t*))destroy;
+ private_ike_rekey_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .build = _build_r,
+ .process = _process_r,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .collide = _collide,
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ );
if (initiator)
{
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
}
- else
- {
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
- }
-
- this->ike_sa = ike_sa;
- this->new_sa = NULL;
- this->ike_init = NULL;
- this->ike_delete = NULL;
- this->initiator = initiator;
- this->collision = NULL;
return &this->public;
}
diff --git a/src/libcharon/tnc/imc/imc_manager.h b/src/libcharon/tnc/imc/imc_manager.h
index 634afdbe8..ad83cf552 100644
--- a/src/libcharon/tnc/imc/imc_manager.h
+++ b/src/libcharon/tnc/imc/imc_manager.h
@@ -49,6 +49,14 @@ struct imc_manager_t {
imc_t* (*remove)(imc_manager_t *this, TNC_IMCID id);
/**
+ * Check if an IMC with a given ID is registered with the IMC manager
+ *
+ * @param id ID of IMC instance
+ * @return TRUE if registered
+ */
+ bool (*is_registered)(imc_manager_t *this, TNC_IMCID id);
+
+ /**
* Return the preferred language for recommendations
*
* @return preferred language string
diff --git a/src/libcharon/tnc/imv/imv_manager.h b/src/libcharon/tnc/imv/imv_manager.h
index b5c581a75..0dd2d6253 100644
--- a/src/libcharon/tnc/imv/imv_manager.h
+++ b/src/libcharon/tnc/imv/imv_manager.h
@@ -50,6 +50,15 @@ struct imv_manager_t {
imv_t* (*remove)(imv_manager_t *this, TNC_IMVID id);
/**
+ * Check if an IMV with a given ID is registered with the IMV manager
+ *
+ * @param id ID of IMV instance
+ * @return TRUE if registered
+ */
+ bool (*is_registered)(imv_manager_t *this, TNC_IMVID id);
+
+
+ /**
* Get the configured recommendation policy
*
* @return configured recommendation policy
@@ -67,11 +76,13 @@ struct imv_manager_t {
* Enforce the TNC recommendation on the IKE_SA by either inserting an
* allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
*
- * @param void TNC action recommendation
+ * @param rec TNC action recommendation
+ * @param eval TNC evaluation result
* @return TRUE for allow|isolate, FALSE for none
*/
bool (*enforce_recommendation)(imv_manager_t *this,
- TNC_IMV_Action_Recommendation rec);
+ TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval);
/**
* Notify all IMV instances
diff --git a/src/libcharon/tnc/tnccs/tnccs.h b/src/libcharon/tnc/tnccs/tnccs.h
index c5d6f5ef0..32f065f67 100644
--- a/src/libcharon/tnc/tnccs/tnccs.h
+++ b/src/libcharon/tnc/tnccs/tnccs.h
@@ -72,8 +72,9 @@ typedef tnccs_t* (*tnccs_constructor_t)(bool is_server);
* @param msg message to be added
* @param msg_len message length
* @param msg_type message type
+ * @return result code
*/
-typedef void (*tnccs_send_message_t)(tnccs_t* tncss, TNC_IMCID imc_id,
+typedef TNC_Result (*tnccs_send_message_t)(tnccs_t* tncss, TNC_IMCID imc_id,
TNC_IMVID imv_id,
TNC_BufferReference msg,
TNC_UInt32 msg_len,
diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.c b/src/libcharon/tnc/tnccs/tnccs_manager.c
index 7e522b870..609742dc8 100644
--- a/src/libcharon/tnc/tnccs/tnccs_manager.c
+++ b/src/libcharon/tnc/tnccs/tnccs_manager.c
@@ -215,11 +215,28 @@ METHOD(tnccs_manager_t, create_connection, TNC_ConnectionID,
}
METHOD(tnccs_manager_t, remove_connection, void,
- private_tnccs_manager_t *this, TNC_ConnectionID id)
+ private_tnccs_manager_t *this, TNC_ConnectionID id, bool is_server)
{
enumerator_t *enumerator;
tnccs_connection_entry_t *entry;
+ if (is_server)
+ {
+ if (charon->imvs)
+ {
+ charon->imvs->notify_connection_change(charon->imvs, id,
+ TNC_CONNECTION_STATE_DELETE);
+ }
+ }
+ else
+ {
+ if (charon->imcs)
+ {
+ charon->imcs->notify_connection_change(charon->imcs, id,
+ TNC_CONNECTION_STATE_DELETE);
+ }
+ }
+
this->connection_lock->write_lock(this->connection_lock);
enumerator = this->connections->create_enumerator(this->connections);
while (enumerator->enumerate(enumerator, &entry))
@@ -254,8 +271,8 @@ METHOD(tnccs_manager_t, request_handshake_retry, TNC_Result,
}
else
{
- DBG2(DBG_TNC, "%s %u requests handshake retry for connection ID %u "
- "(reason: %u)", is_imc ? "IMC":"IMV", id, reason);
+ DBG2(DBG_TNC, "%s %u requests handshake retry for Connection ID %u "
+ "(reason: %u)", is_imc ? "IMC":"IMV", imcv_id, id, reason);
}
this->connection_lock->read_lock(this->connection_lock);
enumerator = this->connections->create_enumerator(this->connections);
@@ -279,11 +296,23 @@ METHOD(tnccs_manager_t, send_message, TNC_Result,
TNC_BufferReference msg,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
+
{
enumerator_t *enumerator;
tnccs_connection_entry_t *entry;
tnccs_send_message_t send_message = NULL;
tnccs_t *tnccs = NULL;
+ TNC_VendorID msg_vid;
+ TNC_MessageSubtype msg_subtype;
+
+ msg_vid = (msg_type >> 8) & TNC_VENDORID_ANY;
+ msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+ if (msg_vid == TNC_VENDORID_ANY || msg_subtype == TNC_SUBTYPE_ANY)
+ {
+ DBG1(DBG_TNC, "not sending message of invalid type 0x%08x", msg_type);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
this->connection_lock->read_lock(this->connection_lock);
enumerator = this->connections->create_enumerator(this->connections);
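Review bot: A stray blank line sits between the closing parenthesis of the parameter list and the opening brace of send_message; drop it so the definition matches the other METHOD bodies in this file. The wildcard check itself is the right call: a message whose vendor ID or subtype is the ANY value must not go on the wire, and rejecting it with TNC_RESULT_INVALID_PARAMETER before taking the connection lock keeps the lock out of the invalid-request path. The rest of send_message, including the lookup that uses the lock, continues past this hunk.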
@@ -301,9 +330,8 @@ METHOD(tnccs_manager_t, send_message, TNC_Result,
if (tnccs && send_message)
{
- send_message(tnccs, imc_id, imv_id, msg, msg_len, msg_type);
- return TNC_RESULT_SUCCESS;
- }
+ return send_message(tnccs, imc_id, imv_id, msg, msg_len, msg_type);
+ }
return TNC_RESULT_FATAL;
}
diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.h b/src/libcharon/tnc/tnccs/tnccs_manager.h
index c02eac03c..34f60029d 100644
--- a/src/libcharon/tnc/tnccs/tnccs_manager.h
+++ b/src/libcharon/tnc/tnccs/tnccs_manager.h
@@ -82,8 +82,10 @@ struct tnccs_manager_t {
* Remove a TNCCS connection using its connection ID.
*
* @param id ID of the connection to be removed
+ * @param is_server TNC Server if TRUE, TNC Client if FALSE
*/
- void (*remove_connection)(tnccs_manager_t *this, TNC_ConnectionID id);
+ void (*remove_connection)(tnccs_manager_t *this, TNC_ConnectionID id,
+ bool is_server);
/**
* Request a handshake retry
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 46f23f4d6..47678029f 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -238,6 +238,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -261,6 +263,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 88ceab557..d00ae91e0 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -253,6 +253,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -276,6 +278,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c
index 8f1be0a84..a3643801e 100644
--- a/src/libfreeswan/atoaddr.c
+++ b/src/libfreeswan/atoaddr.c
@@ -45,7 +45,7 @@ struct in_addr *addrp;
{
struct addrinfo hints, *res;
struct netent *ne = NULL;
- const char *oops;
+ const char *oops, *msg = NULL;
# define HEXLEN 10 /* strlen("0x11223344") */
# ifndef ATOADDRBUF
# define ATOADDRBUF 100
@@ -84,10 +84,18 @@ struct in_addr *addrp;
/* next, check that it's a vaguely legal name */
for (q = p; *q != '\0'; q++)
+ {
if (!isprint(*q))
- return "unprintable character in name";
+ {
+ msg = "unprintable character in name";
+ goto error;
+ }
+ }
if (strspn(p, namechars) != srclen)
- return "illegal (non-DNS-name) character in name";
+ {
+ msg = "illegal (non-DNS-name) character in name";
+ goto error;
+ }
/* try as host name, failing that as /etc/networks network name */
memset(&hints, 0, sizeof(hints));
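Review bot: `isprint(*q)` hands a plain `char` to a ctype function; where char is signed, any byte above 0x7f becomes a negative argument, which is undefined behaviour for `isprint` (assuming q is a char pointer; its declaration is outside the hunk). Because the name comes from caller-supplied text, cast it: `if (!isprint((unsigned char)*q))`. The goto-based cleanup is otherwise sound in combination with the `error:` label added further down, since both rejection paths now reach the FREE of the copied name instead of leaking it.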
@@ -98,11 +106,8 @@ struct in_addr *addrp;
ne = getnetbyname(p);
if (ne == NULL)
{
- if (p != namebuf)
- {
- FREE(p);
- }
- return "name lookup failed";
+ msg = "name lookup failed";
+ goto error;
}
addrp->s_addr = htonl(ne->n_net);
}
@@ -113,12 +118,13 @@ struct in_addr *addrp;
freeaddrinfo(res);
}
+error:
if (p != namebuf)
{
FREE(p);
}
- return NULL;
+ return msg;
}
/*
diff --git a/src/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c
index 0217538a0..0762d8f2b 100644
--- a/src/libfreeswan/pfkey_v2_debug.c
+++ b/src/libfreeswan/pfkey_v2_debug.c
@@ -54,10 +54,11 @@ static char *pfkey_sadb_ext_strings[]={
"X-source-mask", /* SADB_X_EXT_ADDRESS_SRC_MASK 23 */
"X-dest-mask", /* SADB_X_EXT_ADDRESS_DST_MASK 24 */
"X-set-debug", /* SADB_X_EXT_DEBUG 25 */
- "X-NAT-T-type", /* SADB_X_EXT_NAT_T_TYPE 26 */
- "X-NAT-T-sport", /* SADB_X_EXT_NAT_T_SPORT 27 */
- "X-NAT-T-dport", /* SADB_X_EXT_NAT_T_DPORT 28 */
- "X-NAT-T-OA", /* SADB_X_EXT_NAT_T_OA 29 */
+ "X-protocol", /* SADB_X_EXT_PROTOCOL 26 */
+ "X-NAT-T-type", /* SADB_X_EXT_NAT_T_TYPE 27 */
+ "X-NAT-T-sport", /* SADB_X_EXT_NAT_T_SPORT 28 */
+ "X-NAT-T-dport", /* SADB_X_EXT_NAT_T_DPORT 29 */
+ "X-NAT-T-OA", /* SADB_X_EXT_NAT_T_OA 30 */
};
const char *
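Review bot: This table is positional, so inserting `X-protocol` at index 26 silently shifts every later entry and relies on the numeric comments staying in step with the header's SADB_X_EXT_* values; designated initializers (`[SADB_X_EXT_PROTOCOL] = "X-protocol",` and so on) would bind each string to its constant and make such insertions safe, provided the project's compiler baseline accepts C99 syntax. The same applies to the `x-nat-t-new-mapping` entry added to the type table in the next hunk. The lookup function that indexes this table starts after the hunk, so whether its bounds check picks up the new size is not visible here.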
@@ -72,23 +73,24 @@ pfkey_v2_sadb_ext_string(int ext)
static char *pfkey_sadb_type_strings[]={
- "reserved", /* SADB_RESERVED */
- "getspi", /* SADB_GETSPI */
- "update", /* SADB_UPDATE */
- "add", /* SADB_ADD */
- "delete", /* SADB_DELETE */
- "get", /* SADB_GET */
- "acquire", /* SADB_ACQUIRE */
- "register", /* SADB_REGISTER */
- "expire", /* SADB_EXPIRE */
- "flush", /* SADB_FLUSH */
- "dump", /* SADB_DUMP */
- "x-promisc", /* SADB_X_PROMISC */
- "x-pchange", /* SADB_X_PCHANGE */
- "x-groupsa", /* SADB_X_GRPSA */
- "x-addflow(eroute)", /* SADB_X_ADDFLOW */
- "x-delflow(eroute)", /* SADB_X_DELFLOW */
- "x-debug", /* SADB_X_DEBUG */
+ "reserved", /* SADB_RESERVED */
+ "getspi", /* SADB_GETSPI */
+ "update", /* SADB_UPDATE */
+ "add", /* SADB_ADD */
+ "delete", /* SADB_DELETE */
+ "get", /* SADB_GET */
+ "acquire", /* SADB_ACQUIRE */
+ "register", /* SADB_REGISTER */
+ "expire", /* SADB_EXPIRE */
+ "flush", /* SADB_FLUSH */
+ "dump", /* SADB_DUMP */
+ "x-promisc", /* SADB_X_PROMISC */
+ "x-pchange", /* SADB_X_PCHANGE */
+ "x-groupsa", /* SADB_X_GRPSA */
+ "x-addflow(eroute)", /* SADB_X_ADDFLOW */
+ "x-delflow(eroute)", /* SADB_X_DELFLOW */
+ "x-debug", /* SADB_X_DEBUG */
+ "x-nat-t-new-mapping", /* SADB_X_NAT_T_NEW_MAPPING */
};
const char *
diff --git a/src/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c
index 49d5cdf4a..a143003b3 100644
--- a/src/libfreeswan/pfkey_v2_parse.c
+++ b/src/libfreeswan/pfkey_v2_parse.c
@@ -1247,6 +1247,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
pfkey_msg->sadb_msg_type,
pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
}
+ /* fall through */
case SADB_ACQUIRE:
case SADB_REGISTER:
case SADB_EXPIRE:
diff --git a/src/libfreeswan/satot.c b/src/libfreeswan/satot.c
index e70036482..a3feb1591 100644
--- a/src/libfreeswan/satot.c
+++ b/src/libfreeswan/satot.c
@@ -77,7 +77,7 @@ size_t dstlen;
break; /* NOTE BREAK OUT */
}
if (pre == NULL) { /* unknown protocol */
- strcpy(unk, "unk");
+ strncpy(unk, "unk", sizeof(unk));
(void) ultot((unsigned char)sa->proto, 10, unk+strlen(unk),
sizeof(unk)-strlen(unk));
pre = unk;
@@ -86,9 +86,9 @@ size_t dstlen;
if (strcmp(pre, PASSTHROUGHTYPE) == 0 &&
sa->spi == PASSTHROUGHSPI &&
isunspecaddr(&sa->dst)) {
- strcpy(buf, (addrtypeof(&sa->dst) == AF_INET) ?
+ strncpy(buf, (addrtypeof(&sa->dst) == AF_INET) ?
PASSTHROUGH4NAME :
- PASSTHROUGH6NAME);
+ PASSTHROUGH6NAME, sizeof(buf));
len = strlen(buf);
}
@@ -104,13 +104,13 @@ size_t dstlen;
default: p = NULL; break;
}
if (p != NULL) {
- strcpy(buf, p);
+ strncpy(buf, p, sizeof(buf));
len = strlen(buf);
}
}
if (len == 0) { /* general case needed */
- strcpy(buf, pre);
+ strncpy(buf, pre, sizeof(buf));
len = strlen(buf);
if (showversion) {
*(buf+len) = (addrtypeof(&sa->dst) == AF_INET) ? '.' :
@@ -126,7 +126,7 @@ size_t dstlen;
if (dst != NULL) {
if (len > dstlen)
*(buf+dstlen-1) = '\0';
- strcpy(dst, buf);
+ strncpy(dst, buf, dstlen);
}
return len;
}
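Review bot: With strncpy in place of strcpy the truncation guard on the line above is now off by one: when `len == dstlen` the buffer is left untouched, strncpy copies exactly dstlen bytes and dst ends up without a terminator (the old strcpy overflowed by one byte in that case, so the guard never covered it). In the fixed-name branches visible earlier in the file `len` is set to `strlen(buf)`, i.e. without the NUL, so this is reachable; change the guard to `if (len >= dstlen)` or force `dst[dstlen-1] = '\0';` after the copy. A dstlen of 0 would still index buf[-1] in the guard, which predates this change; if callers can pass that, add `dstlen > 0 &&` as well. satot's body begins outside this hunk.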
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 8b1e7384f..08c73b5e3 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -292,6 +292,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -315,6 +317,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 4fd5a7535..4b5b41f2b 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -81,8 +81,8 @@ METHOD(kernel_interface_t, add_sa, status_t,
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
- u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts)
+ u_int16_t cpi, bool encap, bool esn, bool inbound,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
{
if (!this->ipsec)
{
@@ -90,7 +90,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
}
return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
- ipcomp, cpi, encap, inbound, src_ts, dst_ts);
+ ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
}
METHOD(kernel_interface_t, update_sa, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index ec73fa1f7..471a1d5d3 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -101,6 +101,7 @@ struct kernel_interface_t {
* @param ipcomp IPComp transform to use
* @param cpi CPI for IPComp
* @param encap enable UDP encapsulation for NAT traversal
+ * @param esn TRUE to use Extended Sequence Numbers
* @param inbound TRUE if this is an inbound SA
* @param src_ts traffic selector with BEET source address
* @param dst_ts traffic selector with BEET destination address
@@ -113,7 +114,7 @@ struct kernel_interface_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool inbound,
+ bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
/**
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 3e2d8b9ce..ef36efd11 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -214,6 +214,7 @@ struct kernel_ipsec_t {
* @param ipcomp IPComp transform to use
* @param cpi CPI for IPComp
* @param encap enable UDP encapsulation for NAT traversal
+ * @param esn TRUE to use Extended Sequence Numbers
* @param inbound TRUE if this is an inbound SA
* @param src_ts traffic selector with BEET source address
* @param dst_ts traffic selector with BEET destination address
@@ -226,7 +227,7 @@ struct kernel_ipsec_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool inbound,
+ bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
/**
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 2da06a89c..250ac9539 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c
index 0f66b680a..cb14495af 100644
--- a/src/libhydra/plugins/attr/attr_plugin.c
+++ b/src/libhydra/plugins/attr/attr_plugin.c
@@ -36,6 +36,19 @@ struct private_attr_plugin_t {
attr_provider_t *provider;
};
+METHOD(plugin_t, get_name, char*,
+ private_attr_plugin_t *this)
+{
+ return "attr";
+}
+
+METHOD(plugin_t, reload, bool,
+ private_attr_plugin_t *this)
+{
+ this->provider->reload(this->provider);
+ return TRUE;
+}
+
METHOD(plugin_t, destroy, void,
private_attr_plugin_t *this)
{
@@ -54,6 +67,8 @@ plugin_t *attr_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = _reload,
.destroy = _destroy,
},
},
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index b3c0cc076..44242c259 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -21,6 +21,7 @@
#include <hydra.h>
#include <debug.h>
#include <utils/linked_list.h>
+#include <threading/rwlock.h>
#define SERVER_MAX 2
@@ -41,6 +42,11 @@ struct private_attr_provider_t {
* List of attributes, attribute_entry_t
*/
linked_list_t *attributes;
+
+ /**
+ * Lock for attribute list
+ */
+ rwlock_t *lock;
};
struct attribute_entry_t {
@@ -51,6 +57,15 @@ struct attribute_entry_t {
};
/**
+ * Destroy an entry
+ */
+static void attribute_destroy(attribute_entry_t *this)
+{
+ free(this->value.ptr);
+ free(this);
+}
+
+/**
* convert enumerator value from attribute_entry
*/
static bool attr_enum_filter(void *null, attribute_entry_t **in,
@@ -61,35 +76,26 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in,
return TRUE;
}
-/**
- * Implementation of attribute_provider_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this,
- char *pool, identification_t *id, host_t *vip)
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+ private_attr_provider_t *this, char *pool,
+ identification_t *id, host_t *vip)
{
if (vip)
{
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(
- this->attributes->create_enumerator(this->attributes),
- (void*)attr_enum_filter, NULL, NULL);
+ this->attributes->create_enumerator(this->attributes),
+ (void*)attr_enum_filter, this->lock, (void*)this->lock->unlock);
}
return enumerator_create_empty();
}
-/**
- * Implementation of attr_provider_t.destroy
- */
-static void destroy(private_attr_provider_t *this)
+METHOD(attr_provider_t, destroy, void,
+ private_attr_provider_t *this)
{
- attribute_entry_t *entry;
-
- while (this->attributes->remove_last(this->attributes,
- (void**)&entry) == SUCCESS)
- {
- free(entry->value.ptr);
- free(entry);
- }
- this->attributes->destroy(this->attributes);
+ this->attributes->destroy_function(this->attributes,
+ (void*)attribute_destroy);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -129,6 +135,8 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
entry->type = type;
entry->value = chunk_clone(host->get_address(host));
host->destroy(host);
+ DBG2(DBG_CFG, "loaded legacy entry attribute %N: %#B",
+ configuration_attribute_type_names, entry->type, &entry->value);
this->attributes->insert_last(this->attributes, entry);
}
}
@@ -158,6 +166,13 @@ static void load_entries(private_attr_provider_t *this)
{
enumerator_t *enumerator, *tokens;
char *key, *value, *token;
+ int i;
+
+ for (i = 1; i <= SERVER_MAX; i++)
+ {
+ add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS);
+ add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
+ }
enumerator = lib->settings->create_key_value_enumerator(lib->settings,
"%s.plugins.attr", hydra->daemon);
@@ -231,6 +246,8 @@ static void load_entries(private_attr_provider_t *this)
}
}
host->destroy(host);
+ DBG2(DBG_CFG, "loaded attribute %N: %#B",
+ configuration_attribute_type_names, entry->type, &entry->value);
this->attributes->insert_last(this->attributes, entry);
}
tokens->destroy(tokens);
@@ -238,28 +255,43 @@ static void load_entries(private_attr_provider_t *this)
enumerator->destroy(enumerator);
}
+METHOD(attr_provider_t, reload, void,
+ private_attr_provider_t *this)
+{
+ this->lock->write_lock(this->lock);
+
+ this->attributes->destroy_function(this->attributes, (void*)attribute_destroy);
+ this->attributes = linked_list_create();
+
+ load_entries(this);
+
+ DBG1(DBG_CFG, "loaded %d entr%s for attr plugin configuration",
+ this->attributes->get_count(this->attributes),
+ this->attributes->get_count(this->attributes) == 1 ? "y" : "ies");
+
+ this->lock->unlock(this->lock);
+}
+
/*
* see header file
*/
attr_provider_t *attr_provider_create(database_t *db)
{
private_attr_provider_t *this;
- int i;
-
- this = malloc_thing(private_attr_provider_t);
-
- this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
- this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
- this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *vip))create_attribute_enumerator;
- this->public.destroy = (void(*)(attr_provider_t*))destroy;
-
- this->attributes = linked_list_create();
- for (i = 1; i <= SERVER_MAX; i++)
- {
- add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS);
- add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
- }
+ INIT(this,
+ .public = {
+ .provider = {
+ .acquire_address = (void*)return_null,
+ .release_address = (void*)return_false,
+ .create_attribute_enumerator = _create_attribute_enumerator,
+ },
+ .reload = _reload,
+ .destroy = _destroy,
+ },
+ .attributes = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ );
load_entries(this);
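Review bot: reload() logs the number of loaded entries, but attr_provider_create(), which calls the same load_entries() right after the INIT block, does not, so the initial load and a reload produce different log output for the same work; moving the DBG1 into load_entries() makes both paths consistent. Running the load under the write lock is correct here, because readers keep the read lock for the lifetime of their enumerator and would otherwise observe the list being swapped out from under them. The closing lines of attr_provider_create() lie past the end of this hunk.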
diff --git a/src/libhydra/plugins/attr/attr_provider.h b/src/libhydra/plugins/attr/attr_provider.h
index a41466718..17db30408 100644
--- a/src/libhydra/plugins/attr/attr_provider.h
+++ b/src/libhydra/plugins/attr/attr_provider.h
@@ -36,6 +36,11 @@ struct attr_provider_t {
attribute_provider_t provider;
/**
+ * Reload configuration from strongswan.conf.
+ */
+ void (*reload)(attr_provider_t *this);
+
+ /**
* Destroy a attr_provider instance.
*/
void (*destroy)(attr_provider_t *this);
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 26e7a3038..80d497f59 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -253,6 +253,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -276,6 +278,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index ca9de023e..c04ec9a01 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -40,9 +40,14 @@ struct private_attr_sql_plugin_t {
* configuration attributes
*/
sql_attribute_t *attribute;
-
};
+METHOD(plugin_t, get_name, char*,
+ private_attr_sql_plugin_t *this)
+{
+ return "attr-sql";
+}
+
METHOD(plugin_t, destroy, void,
private_attr_sql_plugin_t *this)
{
@@ -71,6 +76,8 @@ plugin_t *attr_sql_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index b4bdfc629..e81a23ed9 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -379,7 +379,7 @@ static void add(char *name, host_t *start, host_t *end, int timeout)
chunk_increment(cur_addr);
}
commit_transaction();
- printf("done.\n", count);
+ printf("done.\n");
}
static bool add_address(u_int pool_id, char *address_str, int *family)
@@ -407,9 +407,11 @@ static bool add_address(u_int pool_id, char *address_str, int *family)
fprintf(stderr, "invalid address '%s'.\n", address_str);
return FALSE;
}
- if (family && *family && *family != address->get_family(address))
+ if (family && *family != AF_UNSPEC &&
+ *family != address->get_family(address))
{
fprintf(stderr, "invalid address family '%s'.\n", address_str);
+ address->destroy(address);
return FALSE;
}
@@ -421,9 +423,13 @@ static bool add_address(u_int pool_id, char *address_str, int *family)
DB_UINT, user_id, DB_UINT, 0, DB_UINT, 1) != 1)
{
fprintf(stderr, "inserting address '%s' failed.\n", address_str);
+ address->destroy(address);
return FALSE;
}
- *family = address->get_family(address);
+ if (family)
+ {
+ *family = address->get_family(address);
+ }
address->destroy(address);
return TRUE;
@@ -469,6 +475,10 @@ static void add_addresses(char *pool, char *path, int timeout)
}
if (add_address(pool_id, address_str, &family) == FALSE)
{
+ if (file != stdin)
+ {
+ fclose(file);
+ }
exit(EXIT_FAILURE);
}
++count;
@@ -586,7 +596,7 @@ static void resize(char *name, host_t *end)
DB_UINT, id, DB_BLOB, cur_addr, DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
}
commit_transaction();
- printf("done.\n", count);
+ printf("done.\n");
}
@@ -1004,6 +1014,7 @@ static void do_args(int argc, char *argv[])
break;
case '1':
operation = OP_STATUS_ATTR;
+ break;
case 'u':
utc = TRUE;
continue;
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
index 5f7afdfcd..5c7397476 100644
--- a/src/libhydra/plugins/attr_sql/pool_attributes.c
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
@@ -241,7 +241,7 @@ static bool parse_attributes(char *name, char *value, value_type_t *value_type,
/* clean up */
DESTROY_IF(addr);
- /* is the attribute type numeric? */
+ /* is the attribute type numeric? */
*type = strtol(name, &endptr, 10);
if (*endptr != '\0')
@@ -262,7 +262,7 @@ static bool parse_attributes(char *name, char *value, value_type_t *value_type,
}
return TRUE;
}
-
+
/**
* Lookup/insert an attribute pool by name
*/
@@ -541,11 +541,11 @@ void del_attr(char *name, char *pool, char *identity,
}
}
else
- {
+ {
if (value_type == VALUE_ADDR)
{
host_t *server = host_create_from_chunk(AF_UNSPEC, blob, 0);
-
+
fprintf(stderr, "the %s server %H%s was not found.\n", name,
server, id_pool_str);
server->destroy(server);
@@ -630,7 +630,7 @@ void status_attr(bool hexout)
if (type == attr_info[i].type)
{
value_type = attr_info[i].value_type;
- break;
+ break;
}
}
}
@@ -671,8 +671,8 @@ void status_attr(bool hexout)
}
break;
case VALUE_STRING:
- printf("\"%.*s\"\n", value.len, value.ptr);
- break;
+ printf("\"%.*s\"\n", (int)value.len, value.ptr);
+ break;
case VALUE_HEX:
default:
printf(" %#B\n", &value);
@@ -692,13 +692,13 @@ void show_attr(void)
for (i = 0; i < countof(attr_info); i++)
{
char value_name[10];
-
-
+
+
snprintf(value_name, sizeof(value_name), "%N",
value_type_names, attr_info[i].value_type);
-
- printf("%-20s --%-6s (%N",
- attr_info[i].keyword, value_name,
+
+ printf("%-20s --%-6s (%N",
+ attr_info[i].keyword, value_name,
configuration_attribute_type_names, attr_info[i].type);
if (attr_info[i].type_ip6)
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index 7d2464456..5f6512b44 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index cf9a3e1fd..ff4f0ed55 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1671,7 +1671,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
- u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
+ u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
{
unsigned char request[PFKEY_BUFFER_SIZE];
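Review bot: The new `esn` parameter is accepted here but nothing in the hunk acts on it, and the function body continues outside the hunk. If the KLIPS backend cannot install Extended Sequence Numbers, an SA negotiated with ESN must not be installed silently without them, since ESN changes the integrity-check input and the peer's replay-window assumptions; a guard at the top of the body such as `if (esn) { DBG1(DBG_KNL, "ESN not supported by KLIPS"); return FAILED; }` makes the limitation explicit. If esn is handled further down instead, a one-line comment beside the signature noting where would save the next reader the search.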
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
index 3c312ca2b..7fe47f630 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
@@ -32,6 +32,12 @@ struct private_kernel_klips_plugin_t {
kernel_klips_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_kernel_klips_plugin_t *this)
+{
+ return "kernel-klips";
+}
+
METHOD(plugin_t, destroy, void,
private_kernel_klips_plugin_t *this)
{
@@ -50,6 +56,8 @@ plugin_t *kernel_klips_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index c7404fe06..78dfb1b54 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -245,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -268,6 +270,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 4dc80785c..8b2a1aa77 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -61,6 +61,9 @@
#define PRIO_LOW 1024
#define PRIO_HIGH 512
+/** default replay window size, if not set using charon.replay_window */
+#define DEFAULT_REPLAY_WINDOW 32
+
/**
* map the limit for bytes and packets to XFRM_INF per default
*/
@@ -348,6 +351,16 @@ struct private_kernel_netlink_ipsec_t {
* whether to install routes along policies
*/
bool install_routes;
+
+ /**
+ * Size of the replay window, in packets
+ */
+ u_int32_t replay_window;
+
+ /**
+ * Size of the replay window bitmap, in bytes
+ */
+ u_int32_t replay_bmp;
};
/**
@@ -868,7 +881,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
- u_int16_t cpi, bool encap, bool inbound,
+ u_int16_t cpi, bool encap, bool esn, bool inbound,
traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
{
netlink_buf_t request;
@@ -876,6 +889,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
struct nlmsghdr *hdr;
struct xfrm_usersa_info *sa;
u_int16_t icv_size = 64;
+ status_t status = FAILED;
/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
* we are in the recursive call below */
@@ -884,7 +898,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc,
&lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
- mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
+ mode, ipcomp, 0, FALSE, FALSE, inbound, NULL, NULL);
ipcomp = IPCOMP_NONE;
/* use transport mode ESP SA, IPComp uses tunnel mode */
mode = MODE_TRANSPORT;
@@ -930,7 +944,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
break;
}
- sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
sa->reqid = reqid;
sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
@@ -971,17 +984,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
encryption_algorithm_names, enc_alg);
- return FAILED;
+ goto failed;
}
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
encryption_algorithm_names, enc_alg, enc_key.len * 8);
rthdr->rta_type = XFRMA_ALG_AEAD;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
@@ -1002,17 +1015,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
encryption_algorithm_names, enc_alg);
- return FAILED;
+ goto failed;
}
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
encryption_algorithm_names, enc_alg, enc_key.len * 8);
rthdr->rta_type = XFRMA_ALG_CRYPT;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
algo = (struct xfrm_algo*)RTA_DATA(rthdr);
@@ -1031,7 +1044,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
integrity_algorithm_names, int_alg);
- return FAILED;
+ goto failed;
}
DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
integrity_algorithm_names, int_alg, int_key.len * 8);
@@ -1045,10 +1058,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
@@ -1064,10 +1077,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
rthdr->rta_type = XFRMA_ALG_AUTH;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
algo = (struct xfrm_algo*)RTA_DATA(rthdr);
@@ -1086,16 +1099,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
ipcomp_transform_names, ipcomp);
- return FAILED;
+ goto failed;
}
DBG2(DBG_KNL, " using compression algorithm %N",
ipcomp_transform_names, ipcomp);
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
@@ -1112,10 +1125,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
rthdr->rta_type = XFRMA_ENCAP;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
@@ -1142,10 +1155,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
rthdr->rta_type = XFRMA_MARK;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
@@ -1161,10 +1174,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
rthdr->rta_type = XFRMA_TFCPAD;
rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
tfcpad = (u_int32_t*)RTA_DATA(rthdr);
@@ -1172,6 +1185,41 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
rthdr = XFRM_RTA_NEXT(rthdr);
}
+ if (protocol != IPPROTO_COMP)
+ {
+ if (esn || this->replay_window > DEFAULT_REPLAY_WINDOW)
+ {
+ /* for ESN or larger replay windows we need the new
+ * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
+ struct xfrm_replay_state_esn *replay;
+
+ rthdr->rta_type = XFRMA_REPLAY_ESN_VAL;
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
+ (this->replay_window + 7) / 8);
+
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ goto failed;
+ }
+
+ replay = (struct xfrm_replay_state_esn*)RTA_DATA(rthdr);
+ /* bmp_len contains number uf __u32's */
+ replay->bmp_len = this->replay_bmp;
+ replay->replay_window = this->replay_window;
+
+ rthdr = XFRM_RTA_NEXT(rthdr);
+ if (esn)
+ {
+ sa->flags |= XFRM_STATE_ESN;
+ }
+ }
+ else
+ {
+ sa->replay_window = DEFAULT_REPLAY_WINDOW;
+ }
+ }
+
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
if (mark.value)
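Review bot: The `else` branch at the end of the new block writes `DEFAULT_REPLAY_WINDOW` into `sa->replay_window`, so a `charon.replay_window` value below 32 (including 0) is silently replaced by 32 even though the setting was read for exactly this purpose; the old code hard-coded 32, so this is not a regression, but the setting now appears to be honoured when it is not. `sa->replay_window = this->replay_window;` keeps the legacy field in step with the configuration, and the value fits because this branch is only reached for windows of at most 32. The comment `/* bmp_len contains number uf __u32's */` also has a typo (`of`). add_sa begins and ends outside this hunk.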
@@ -1183,17 +1231,25 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
{
DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
}
- return FAILED;
+ goto failed;
}
- return SUCCESS;
+
+ status = SUCCESS;
+
+failed:
+ memwipe(request, sizeof(request));
+ return status;
}
/**
- * Get the replay state (i.e. sequence numbers) of an SA.
+ * Get the ESN replay state (i.e. sequence numbers) of an SA.
+ *
+ * Allocates into one the replay state structure we get from the kernel.
*/
-static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
- u_int32_t spi, u_int8_t protocol, host_t *dst,
- struct xfrm_replay_state *replay)
+static void get_replay_state(private_kernel_netlink_ipsec_t *this,
+ u_int32_t spi, u_int8_t protocol, host_t *dst,
+ struct xfrm_replay_state_esn **replay_esn,
+ struct xfrm_replay_state **replay)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out = NULL;
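Review bot: The new header comment on get_replay_state ("Allocates into one the replay state structure …") does not say which of the two out-parameters gets filled or what the caller is expected to do with them, and since the function now returns void this comment is the only contract. Suggest `Query the replay state of an SA. Allocates either *replay_esn (ESN/bitmap state) or *replay (legacy state) with a copy of what the kernel returned; the caller must initialise both to NULL, check which one was set, and free it.`, which matches how update_sa uses it. The function body continues in the next hunk.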
@@ -1204,7 +1260,8 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
memset(&request, 0, sizeof(request));
- DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
+ DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
+ ntohl(spi));
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST;
@@ -1248,32 +1305,30 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
}
}
- if (out_aevent == NULL)
+ if (out_aevent)
{
- DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
- ntohl(spi));
- free(out);
- return FAILED;
- }
-
- rta = XFRM_RTA(out, struct xfrm_aevent_id);
- rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
- while(RTA_OK(rta, rtasize))
- {
- if (rta->rta_type == XFRMA_REPLAY_VAL &&
- RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
+ rta = XFRM_RTA(out, struct xfrm_aevent_id);
+ rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
+ while (RTA_OK(rta, rtasize))
{
- memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
- free(out);
- return SUCCESS;
+ if (rta->rta_type == XFRMA_REPLAY_VAL &&
+ RTA_PAYLOAD(rta) == sizeof(**replay))
+ {
+ *replay = malloc(RTA_PAYLOAD(rta));
+ memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
+ break;
+ }
+ if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
+ RTA_PAYLOAD(rta) >= sizeof(**replay_esn) + this->replay_bmp)
+ {
+ *replay_esn = malloc(RTA_PAYLOAD(rta));
+ memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
+ break;
+ }
+ rta = RTA_NEXT(rta, rtasize);
}
- rta = RTA_NEXT(rta, rtasize);
}
-
- DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
- ntohl(spi));
free(out);
- return FAILED;
}
METHOD(kernel_ipsec_t, query_sa, status_t,
@@ -1284,6 +1339,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
struct nlmsghdr *out = NULL, *hdr;
struct xfrm_usersa_id *sa_id;
struct xfrm_usersa_info *sa = NULL;
+ status_t status = FAILED;
size_t len;
memset(&request, 0, sizeof(request));
@@ -1315,7 +1371,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
rthdr->rta_type = XFRMA_MARK;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
return FAILED;
@@ -1370,13 +1426,15 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
if (sa == NULL)
{
DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
- free(out);
- return FAILED;
}
- *bytes = sa->curlft.bytes;
-
+ else
+ {
+ *bytes = sa->curlft.bytes;
+ status = SUCCESS;
+ }
+ memwipe(out, len);
free(out);
- return SUCCESS;
+ return status;
}
METHOD(kernel_ipsec_t, del_sa, status_t,
@@ -1422,7 +1480,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
rthdr->rta_type = XFRMA_MARK;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
return FAILED;
@@ -1472,8 +1530,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
struct rtattr *rta;
size_t rtasize;
struct xfrm_encap_tmpl* tmpl = NULL;
- bool got_replay_state = FALSE;
- struct xfrm_replay_state replay;
+ struct xfrm_replay_state *replay = NULL;
+ struct xfrm_replay_state_esn *replay_esn = NULL;
+ status_t status = FAILED;
/* if IPComp is used, we first update the IPComp SA */
if (cpi)
@@ -1529,22 +1588,16 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
if (out_sa == NULL)
{
DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
- free(out);
- return FAILED;
+ goto failed;
}
- /* try to get the replay state */
- if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
- {
- got_replay_state = TRUE;
- }
+ get_replay_state(this, spi, protocol, dst, &replay_esn, &replay);
/* delete the old SA (without affecting the IPComp SA) */
if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
{
DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
- free(out);
- return FAILED;
+ goto failed;
}
DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
@@ -1594,10 +1647,10 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
rta->rta_type = XFRMA_ENCAP;
rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
- hdr->nlmsg_len += rta->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
@@ -1609,30 +1662,56 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
rta = XFRM_RTA_NEXT(rta);
}
- if (got_replay_state)
- { /* copy the replay data if available */
+ if (replay_esn)
+ {
+ rta->rta_type = XFRMA_REPLAY_ESN_VAL;
+ rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
+ this->replay_bmp);
+
+ hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ goto failed;
+ }
+ memcpy(RTA_DATA(rta), replay_esn,
+ sizeof(struct xfrm_replay_state_esn) + this->replay_bmp);
+
+ rta = XFRM_RTA_NEXT(rta);
+ }
+ else if (replay)
+ {
rta->rta_type = XFRMA_REPLAY_VAL;
rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
- hdr->nlmsg_len += rta->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
- return FAILED;
+ goto failed;
}
- memcpy(RTA_DATA(rta), &replay, sizeof(replay));
+ memcpy(RTA_DATA(rta), replay, sizeof(replay));
rta = XFRM_RTA_NEXT(rta);
}
+ else
+ {
+ DBG1(DBG_KNL, "unable to copy replay state from old SAD entry "
+ "with SPI %.8x", ntohl(spi));
+ }
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
- free(out);
- return FAILED;
+ goto failed;
}
+
+ status = SUCCESS;
+failed:
+ free(replay);
+ free(replay_esn);
+ memwipe(out, len);
free(out);
- return SUCCESS;
+ return status;
}
METHOD(kernel_ipsec_t, add_policy, status_t,
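Review bot: `memcpy(RTA_DATA(rta), replay, sizeof(replay));` in the `else if (replay)` branch now copies the size of a pointer, because this commit changed `replay` from a `struct xfrm_replay_state` value to a pointer but kept the old `sizeof` expression. Only the first four or eight bytes of the legacy replay state reach the kernel, while the attribute was sized with `sizeof(struct xfrm_replay_state)` two lines earlier, so the sequence counter and anti-replay bitmap of the re-added SA are not restored as intended. The line should read `memcpy(RTA_DATA(rta), replay, sizeof(*replay));`. update_sa begins outside this hunk.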
@@ -1757,7 +1836,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
}
rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
- hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+ hdr->nlmsg_len += RTA_ALIGN(RTA_LENGTH(sizeof(struct xfrm_user_tmpl)));
if (hdr->nlmsg_len > sizeof(request))
{
return FAILED;
@@ -1793,7 +1872,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
rthdr->rta_type = XFRMA_MARK;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
return FAILED;
@@ -1912,7 +1991,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
rthdr->rta_type = XFRMA_MARK;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
return FAILED;
@@ -2054,7 +2133,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
rthdr->rta_type = XFRMA_MARK;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
- hdr->nlmsg_len += rthdr->rta_len;
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
if (hdr->nlmsg_len > sizeof(request))
{
return FAILED;
@@ -2195,10 +2274,14 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
(hashtable_equals_t)policy_equals, 32),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.install_routes = lib->settings->get_bool(lib->settings,
- "%s.install_routes", TRUE,
- hydra->daemon),
+ "%s.install_routes", TRUE, hydra->daemon),
+ .replay_window = lib->settings->get_int(lib->settings,
+ "%s.replay_window", DEFAULT_REPLAY_WINDOW, hydra->daemon),
);
+ this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
+ (sizeof(u_int32_t) * 8);
+
if (streq(hydra->daemon, "pluto"))
{ /* no routes for pluto, they are installed via updown script */
this->install_routes = FALSE;
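Review bot: `.replay_window` is taken straight from `get_int()` into a `u_int32_t` with no range check, so a negative or oversized `charon.replay_window` wraps instead of being rejected, and the derived `replay_bmp` wraps with it. Because this value sizes the XFRMA_REPLAY_ESN_VAL attribute and the bitmap length the kernel is told to trust, it is worth validating once here: read the setting into an `int`, and if it is negative (or exceeds whatever maximum the kernel accepts for the bitmap — please confirm) log a DBG1 and fall back to `DEFAULT_REPLAY_WINDOW`. The constructor continues outside this hunk.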
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 314c1acc1..8315ed310 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -350,7 +350,7 @@ static void process_link(private_kernel_netlink_net_t *this,
entry->addrs = linked_list_create();
this->ifaces->insert_last(this->ifaces, entry);
}
- memcpy(entry->ifname, name, IFNAMSIZ);
+ strncpy(entry->ifname, name, IFNAMSIZ);
entry->ifname[IFNAMSIZ-1] = '\0';
if (event)
{
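Review bot: Switching from `memcpy` to `strncpy` stops the copy at the first NUL, which avoids reading past a short name, but `strncpy` still reads up to IFNAMSIZ bytes from `name` when no terminator is found; if `name` points directly at the netlink attribute payload (not visible in this hunk), an unterminated attribute shorter than IFNAMSIZ could still be over-read. Bounding the copy by the attribute's payload length as well as IFNAMSIZ, where `name` is derived, would let the length come from the message rather than from the destination size. The `entry->ifname[IFNAMSIZ-1] = '\0';` on the next line already guarantees the destination is terminated. process_link begins outside this hunk.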
@@ -534,6 +534,7 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
switch (rta->rta_type)
{
case RTA_PREFSRC:
+ DESTROY_IF(host);
host = host_create_from_chunk(msg->rtm_family,
chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
break;
@@ -652,7 +653,8 @@ static void address_enumerator_destroy(address_enumerator_t *data)
/**
* filter for addresses
*/
-static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+static bool filter_addresses(address_enumerator_t *data,
+ addr_entry_t** in, host_t** out)
{
if (!data->include_virtual_ips && (*in)->virtual)
{ /* skip virtual interfaces added by us */
@@ -669,16 +671,19 @@ static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host
/**
* enumerator constructor for interfaces
*/
-static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface,
+ address_enumerator_t *data)
{
- return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+ return enumerator_create_filter(
+ iface->addrs->create_enumerator(iface->addrs),
(void*)filter_addresses, data, NULL);
}
/**
* filter for interfaces
*/
-static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
+ iface_entry_t** out)
{
if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
{ /* skip interfaces not up */
@@ -688,11 +693,9 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, if
return TRUE;
}
-/**
- * implementation of kernel_net_t.create_address_enumerator
- */
-static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this,
- bool include_down_ifaces, bool include_virtual_ips)
+METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
+ private_kernel_netlink_net_t *this,
+ bool include_down_ifaces, bool include_virtual_ips)
{
address_enumerator_t *data = malloc_thing(address_enumerator_t);
data->this = this;
@@ -701,15 +704,15 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi
this->mutex->lock(this->mutex);
return enumerator_create_nested(
- enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
- (void*)filter_interfaces, data, NULL),
- (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+ enumerator_create_filter(
+ this->ifaces->create_enumerator(this->ifaces),
+ (void*)filter_interfaces, data, NULL),
+ (void*)create_iface_enumerator, data,
+ (void*)address_enumerator_destroy);
}
-/**
- * implementation of kernel_net_t.get_interface_name
- */
-static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
+METHOD(kernel_net_t, get_interface_name, char*,
+ private_kernel_netlink_net_t *this, host_t* ip)
{
enumerator_t *ifaces, *addrs;
iface_entry_t *iface;
@@ -1036,19 +1039,14 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
return src;
}
-/**
- * Implementation of kernel_net_t.get_source_addr.
- */
-static host_t* get_source_addr(private_kernel_netlink_net_t *this,
- host_t *dest, host_t *src)
+METHOD(kernel_net_t, get_source_addr, host_t*,
+ private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
{
return get_route(this, dest, FALSE, src);
}
-/**
- * Implementation of kernel_net_t.get_nexthop.
- */
-static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest)
+METHOD(kernel_net_t, get_nexthop, host_t*,
+ private_kernel_netlink_net_t *this, host_t *dest)
{
return get_route(this, dest, TRUE, NULL);
}
@@ -1086,11 +1084,8 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
return this->socket->send_ack(this->socket, hdr);
}
-/**
- * Implementation of kernel_net_t.add_ip.
- */
-static status_t add_ip(private_kernel_netlink_net_t *this,
- host_t *virtual_ip, host_t *iface_ip)
+METHOD(kernel_net_t, add_ip, status_t,
+ private_kernel_netlink_net_t *this, host_t *virtual_ip, host_t *iface_ip)
{
iface_entry_t *iface;
addr_entry_t *addr;
@@ -1165,10 +1160,8 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
return FAILED;
}
-/**
- * Implementation of kernel_net_t.del_ip.
- */
-static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
+METHOD(kernel_net_t, del_ip, status_t,
+ private_kernel_netlink_net_t *this, host_t *virtual_ip)
{
iface_entry_t *iface;
addr_entry_t *addr;
@@ -1296,21 +1289,17 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
return this->socket->send_ack(this->socket, hdr);
}
-/**
- * Implementation of kernel_net_t.add_route.
- */
-static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
- u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+METHOD(kernel_net_t, add_route, status_t,
+ private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+ host_t *gateway, host_t *src_ip, char *if_name)
{
return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
dst_net, prefixlen, gateway, src_ip, if_name);
}
-/**
- * Implementation of kernel_net_t.del_route.
- */
-static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
- u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+METHOD(kernel_net_t, del_route, status_t,
+ private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+ host_t *gateway, host_t *src_ip, char *if_name)
{
return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
gateway, src_ip, if_name);
@@ -1441,10 +1430,8 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
return this->socket->send_ack(this->socket, hdr);
}
-/**
- * Implementation of kernel_netlink_net_t.destroy.
- */
-static void destroy(private_kernel_netlink_net_t *this)
+METHOD(kernel_net_t, destroy, void,
+ private_kernel_netlink_net_t *this)
{
if (this->routing_table)
{
@@ -1474,37 +1461,41 @@ static void destroy(private_kernel_netlink_net_t *this)
*/
kernel_netlink_net_t *kernel_netlink_net_create()
{
- private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
+ private_kernel_netlink_net_t *this;
struct sockaddr_nl addr;
enumerator_t *enumerator;
char *exclude;
- /* public functions */
- this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
- this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
- this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
- this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
- this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
- this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
- this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
- this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
- this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-
- /* private members */
- this->ifaces = linked_list_create();
- this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
- this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_interface = _get_interface_name,
+ .create_address_enumerator = _create_address_enumerator,
+ .get_source_addr = _get_source_addr,
+ .get_nexthop = _get_nexthop,
+ .add_ip = _add_ip,
+ .del_ip = _del_ip,
+ .add_route = _add_route,
+ .del_route = _del_route,
+ .destroy = _destroy,
+ },
+ },
+ .socket = netlink_socket_create(NETLINK_ROUTE),
+ .rt_exclude = linked_list_create(),
+ .ifaces = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+ .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+ .routing_table = lib->settings->get_int(lib->settings,
+ "%s.routing_table", ROUTING_TABLE, hydra->daemon),
+ .routing_table_prio = lib->settings->get_int(lib->settings,
+ "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon),
+ .process_route = lib->settings->get_bool(lib->settings,
+ "%s.process_route", TRUE, hydra->daemon),
+ .install_virtual_ip = lib->settings->get_bool(lib->settings,
+ "%s.install_virtual_ip", TRUE, hydra->daemon),
+ );
timerclear(&this->last_roam);
- this->routing_table = lib->settings->get_int(lib->settings,
- "%s.routing_table", ROUTING_TABLE, hydra->daemon);
- this->routing_table_prio = lib->settings->get_int(lib->settings,
- "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon);
- this->process_route = lib->settings->get_bool(lib->settings,
- "%s.process_route", TRUE, hydra->daemon);
- this->install_virtual_ip = lib->settings->get_bool(lib->settings,
- "%s.install_virtual_ip", TRUE, hydra->daemon);
-
- this->rt_exclude = linked_list_create();
+
exclude = lib->settings->get_str(lib->settings,
"%s.ignore_routing_tables", NULL, hydra->daemon);
if (exclude)
@@ -1526,9 +1517,6 @@ kernel_netlink_net_t *kernel_netlink_net_create()
enumerator->destroy(enumerator);
}
- this->socket = netlink_socket_create(NETLINK_ROUTE);
- this->job = NULL;
-
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 9fc1a03f5..779466472 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -33,6 +33,12 @@ struct private_kernel_netlink_plugin_t {
kernel_netlink_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_kernel_netlink_plugin_t *this)
+{
+ return "kernel-netlink";
+}
+
METHOD(plugin_t, destroy, void,
private_kernel_netlink_plugin_t *this)
{
@@ -53,6 +59,8 @@ plugin_t *kernel_netlink_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 40363f319..251483017 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 681811528..b252b7092 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1209,7 +1209,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
- u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
+ u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
{
unsigned char request[PFKEY_BUFFER_SIZE];
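Review bot: The PF_KEY add_sa gains the `esn` parameter, but as far as this hunk shows nothing in the function acts on it, so an SA negotiated with extended sequence numbers would be installed without ESN and the peer's traffic would fail authentication on this side. If the body (outside the hunk) does not handle it, the case should be reported rather than silently dropped, e.g. `if (esn) { DBG1(DBG_KNL, "ESN not supported by PF_KEY"); return FAILED; }` (constructed example) near the top of the function, so the failure is visible in the log instead of showing up as a mismatching SA.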
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 9e7a7904d..842511181 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -32,6 +32,12 @@ struct private_kernel_pfkey_plugin_t {
kernel_pfkey_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_kernel_pfkey_plugin_t *this)
+{
+ return "kernel-pfkey";
+}
+
METHOD(plugin_t, destroy, void,
private_kernel_pfkey_plugin_t *this)
{
@@ -50,6 +56,8 @@ plugin_t *kernel_pfkey_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 4db374b75..b7e12561d 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 59fc915fd..fca46bfd2 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -412,7 +412,8 @@ static void address_enumerator_destroy(address_enumerator_t *data)
/**
* filter for addresses
*/
-static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+static bool filter_addresses(address_enumerator_t *data,
+ addr_entry_t** in, host_t** out)
{
host_t *ip;
if (!data->include_virtual_ips && (*in)->virtual)
@@ -435,7 +436,8 @@ static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host
/**
* enumerator constructor for interfaces
*/
-static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface,
+ address_enumerator_t *data)
{
return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
(void*)filter_addresses, data, NULL);
@@ -444,7 +446,8 @@ static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enume
/**
* filter for interfaces
*/
-static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
+ iface_entry_t** out)
{
if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
{ /* skip interfaces not up */
@@ -454,11 +457,9 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, if
return TRUE;
}
-/**
- * implementation of kernel_net_t.create_address_enumerator
- */
-static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
- bool include_down_ifaces, bool include_virtual_ips)
+METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
+ private_kernel_pfroute_net_t *this,
+ bool include_down_ifaces, bool include_virtual_ips)
{
address_enumerator_t *data = malloc_thing(address_enumerator_t);
data->this = this;
@@ -467,15 +468,15 @@ static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *thi
this->mutex->lock(this->mutex);
return enumerator_create_nested(
- enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
- (void*)filter_interfaces, data, NULL),
- (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+ enumerator_create_filter(
+ this->ifaces->create_enumerator(this->ifaces),
+ (void*)filter_interfaces, data, NULL),
+ (void*)create_iface_enumerator, data,
+ (void*)address_enumerator_destroy);
}
-/**
- * implementation of kernel_net_t.get_interface_name
- */
-static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+METHOD(kernel_net_t, get_interface_name, char*,
+ private_kernel_pfroute_net_t *this, host_t* ip)
{
enumerator_t *ifaces, *addrs;
iface_entry_t *iface;
@@ -517,54 +518,40 @@ static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
return name;
}
-/**
- * Implementation of kernel_net_t.get_source_addr.
- */
-static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
- host_t *dest, host_t *src)
+METHOD(kernel_net_t, get_source_addr, host_t*,
+ private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
{
return NULL;
}
-/**
- * Implementation of kernel_net_t.get_nexthop.
- */
-static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+METHOD(kernel_net_t, get_nexthop, host_t*,
+ private_kernel_pfroute_net_t *this, host_t *dest)
{
return NULL;
}
-/**
- * Implementation of kernel_net_t.add_ip.
- */
-static status_t add_ip(private_kernel_pfroute_net_t *this,
- host_t *virtual_ip, host_t *iface_ip)
+METHOD(kernel_net_t, add_ip, status_t,
+ private_kernel_pfroute_net_t *this, host_t *virtual_ip, host_t *iface_ip)
{
return FAILED;
}
-/**
- * Implementation of kernel_net_t.del_ip.
- */
-static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+METHOD(kernel_net_t, del_ip, status_t,
+ private_kernel_pfroute_net_t *this, host_t *virtual_ip)
{
return FAILED;
}
-/**
- * Implementation of kernel_net_t.add_route.
- */
-static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
- u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+METHOD(kernel_net_t, add_route, status_t,
+ private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+ host_t *gateway, host_t *src_ip, char *if_name)
{
return FAILED;
}
-/**
- * Implementation of kernel_net_t.del_route.
- */
-static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
- u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+METHOD(kernel_net_t, del_route, status_t,
+ private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
+ host_t *gateway, host_t *src_ip, char *if_name)
{
return FAILED;
}
@@ -658,10 +645,8 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
return SUCCESS;
}
-/**
- * Implementation of kernel_netlink_net_t.destroy.
- */
-static void destroy(private_kernel_pfroute_net_t *this)
+METHOD(kernel_net_t, destroy, void,
+ private_kernel_pfroute_net_t *this)
{
if (this->job)
{
@@ -686,28 +671,26 @@ static void destroy(private_kernel_pfroute_net_t *this)
*/
kernel_pfroute_net_t *kernel_pfroute_net_create()
{
- private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
-
- /* public functions */
- this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
- this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
- this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
- this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
- this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
- this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
- this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
- this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-
- this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-
- /* private members */
- this->ifaces = linked_list_create();
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
-
- this->seq = 0;
- this->socket_events = 0;
- this->job = NULL;
+ private_kernel_pfroute_net_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_interface = _get_interface_name,
+ .create_address_enumerator = _create_address_enumerator,
+ .get_source_addr = _get_source_addr,
+ .get_nexthop = _get_nexthop,
+ .add_ip = _add_ip,
+ .del_ip = _del_ip,
+ .add_route = _add_route,
+ .del_route = _del_route,
+ .destroy = _destroy,
+ },
+ },
+ .ifaces = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
/* create a PF_ROUTE socket to communicate with the kernel */
this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
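Review bot: The explicit `this->seq = 0`, `this->socket_events = 0` and `this->job = NULL` assignments were dropped, so the `if (this->job)` test in destroy now relies on INIT zero-initializing every member the initializer does not name. That presumably holds if INIT expands to a designated initializer over freshly allocated storage, but the dependency is invisible at this call site; a comment after the INIT call, `/* seq, socket_events and job are zero-initialized by INIT */`, would record it. The rest of kernel_pfroute_net_create continues outside the hunk.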
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
index a4cb53edd..680caa5d0 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -32,6 +32,12 @@ struct private_kernel_pfroute_plugin_t {
kernel_pfroute_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_kernel_pfroute_plugin_t *this)
+{
+ return "kernel-pfroute";
+}
+
METHOD(plugin_t, destroy, void,
private_kernel_pfroute_plugin_t *this)
{
@@ -50,6 +56,8 @@ plugin_t *kernel_pfroute_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
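Review bot: `.reload = (void*)return_false` routes a function pointer through `void*`, which is not strictly conforming C and, more practically, disables the compiler's check that return_false's signature matches the reload callback's; the same line is added in resolve_plugin.c. A typed stub keeps that check and matches how get_name and destroy are wired in this file: `METHOD(plugin_t, reload, bool, private_kernel_pfroute_plugin_t *this) { return FALSE; }` assigned as `.reload = _reload`.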
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index e6c5fb712..d3cda309a 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index cdc639038..feb2fd05a 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -116,7 +116,7 @@ static void release(private_resolve_handler_t *this, identification_t *server,
configuration_attribute_type_t type, chunk_t data)
{
FILE *in, *out;
- char line[1024], matcher[512], *pos;
+ char line[1024], matcher[512];
host_t *addr;
int family;
@@ -148,7 +148,7 @@ static void release(private_resolve_handler_t *this, identification_t *server,
addr, server);
/* copy all, but matching line */
- while ((pos = fgets(line, sizeof(line), in)))
+ while (fgets(line, sizeof(line), in))
{
if (strneq(line, matcher, strlen(matcher)))
{
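Review bot: `fgets(line, sizeof(line), in)` returns a line longer than 1023 characters in several pieces, and only the first piece is compared against `matcher` on the next line, so the tail of an over-long matching entry would be copied to `out` while its head is skipped. That is unlikely for a resolv.conf entry, but the assumption is worth stating in the existing comment, e.g. `/* copy all, but matching line (entries are assumed to fit in line[]) */`. release() starts outside the hunk.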
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c
index ad18c7060..d23d36127 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.c
+++ b/src/libhydra/plugins/resolve/resolve_plugin.c
@@ -36,6 +36,12 @@ struct private_resolve_plugin_t {
resolve_handler_t *handler;
};
+METHOD(plugin_t, get_name, char*,
+ private_resolve_plugin_t *this)
+{
+ return "resolve";
+}
+
METHOD(plugin_t, destroy, void,
private_resolve_plugin_t *this)
{
@@ -54,6 +60,8 @@ plugin_t *resolve_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index ef7a6ee38..30af27406 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -213,6 +213,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -236,6 +238,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 431543151..259f0a375 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -32,8 +32,7 @@ credentials/keys/private_key.c credentials/keys/private_key.h \
credentials/keys/public_key.c credentials/keys/public_key.h \
credentials/keys/shared_key.c credentials/keys/shared_key.h \
credentials/certificates/certificate.c credentials/certificates/certificate.h \
-credentials/certificates/x509.h credentials/certificates/x509.c \
-credentials/certificates/ac.h \
+credentials/certificates/x509.h credentials/certificates/ac.h \
credentials/certificates/crl.h credentials/certificates/crl.c \
credentials/certificates/pkcs10.h \
credentials/certificates/ocsp_request.h \
@@ -49,7 +48,7 @@ credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
-fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+fetcher/fetcher.h fetcher/fetcher.c fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
eap/eap.h eap/eap.c \
plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
processing/jobs/job.h \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 6a29d8eea..b6c70daea 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -46,7 +46,7 @@ credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
-fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+fetcher/fetcher.h fetcher/fetcher.c fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
eap/eap.h eap/eap.c \
plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
processing/jobs/job.h \
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 76b4f70c6..c9ae8992e 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -216,7 +216,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
credentials/auth_cfg.h credentials/credential_set.h \
credentials/cert_validator.h database/database.h \
database/database_factory.h database/database_factory.c \
- fetcher/fetcher.h fetcher/fetcher_manager.h \
+ fetcher/fetcher.h fetcher/fetcher.c fetcher/fetcher_manager.h \
fetcher/fetcher_manager.c eap/eap.h eap/eap.c \
plugins/plugin_loader.c plugins/plugin_loader.h \
plugins/plugin.h processing/jobs/job.h \
@@ -247,7 +247,7 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
crl.lo ocsp_response.lo ietf_attributes.lo \
credential_manager.lo auth_cfg_wrapper.lo \
ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
- callback_cred.lo auth_cfg.lo database_factory.lo \
+ callback_cred.lo auth_cfg.lo database_factory.lo fetcher.lo \
fetcher_manager.lo eap.lo plugin_loader.lo callback_job.lo \
processor.lo scheduler.lo traffic_selector.lo thread.lo \
thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \
@@ -460,6 +460,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -483,6 +485,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -537,7 +540,7 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
credentials/auth_cfg.h credentials/credential_set.h \
credentials/cert_validator.h database/database.h \
database/database_factory.h database/database_factory.c \
- fetcher/fetcher.h fetcher/fetcher_manager.h \
+ fetcher/fetcher.h fetcher/fetcher.c fetcher/fetcher_manager.h \
fetcher/fetcher_manager.c eap/eap.h eap/eap.c \
plugins/plugin_loader.c plugins/plugin_loader.h \
plugins/plugin.h processing/jobs/job.h \
@@ -724,6 +727,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
@@ -1021,6 +1025,13 @@ database_factory.lo: database/database_factory.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+fetcher.lo: fetcher/fetcher.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF $(DEPDIR)/fetcher.Tpo -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/fetcher.Tpo $(DEPDIR)/fetcher.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fetcher/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
+
fetcher_manager.lo: fetcher/fetcher_manager.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index f80c2b93b..4466b37a4 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -129,10 +129,10 @@ chunk_t asn1_build_known_oid(int n)
chunk_t asn1_oid_from_string(char *str)
{
enumerator_t *enumerator;
- u_char buf[32];
+ u_char buf[64];
char *end;
- int i = 0, pos = 0;
- u_int val, first = 0;
+ int i = 0, pos = 0, shift;
+ u_int val, shifted_val, first = 0;
enumerator = enumerator_create_token(str, ".", "");
while (enumerator->enumerate(enumerator, &str))
@@ -152,16 +152,17 @@ chunk_t asn1_oid_from_string(char *str)
buf[pos++] = first * 40 + val;
break;
default:
- if (val < 128)
+ shift = 28; /* sufficient to handle 32 bit node numbers */
+ while (shift)
{
- buf[pos++] = val;
+ shifted_val = val >> shift;
+ shift -= 7;
+ if (shifted_val) /* do not encode leading zeroes */
+ {
+ buf[pos++] = 0x80 | (shifted_val & 0x7F);
+ }
}
- else
- {
- buf[pos++] = 128 | (val >> 7);
- buf[pos++] = (val % 256) & 0x7F;
- }
- break;
+ buf[pos++] = val & 0x7F;
}
}
enumerator->destroy(enumerator);
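Review bot: `buf[pos++]` is still written without comparing `pos` against `sizeof(buf)`: each arc can now emit up to five bytes (up to four from the shift loop plus the final `val & 0x7F`), so an input string with more than a dozen large arcs overruns the 64-byte stack buffer; enlarging it from 32 only moved the limit rather than enforcing one. A guard before an arc is encoded, `if (pos + 5 > sizeof(buf)) { enumerator->destroy(enumerator); return chunk_empty; }`, rejects such input instead. The loop head and the function's tail are outside the hunk, so the exact placement of the guard relative to the `first`-arc cases should be checked there.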
@@ -183,38 +184,32 @@ char *asn1_oid_to_string(chunk_t oid)
return NULL;
}
val = oid.ptr[0] / 40;
- len = snprintf(buf, sizeof(buf), "%d.%d", val, oid.ptr[0] - val * 40);
+ len = snprintf(buf, sizeof(buf), "%u.%u", val, oid.ptr[0] - val * 40);
oid = chunk_skip(oid, 1);
if (len < 0 || len >= sizeof(buf))
{
return NULL;
}
pos += len;
+ val = 0;
while (oid.len)
{
+ val = (val << 7) + (u_int)(oid.ptr[0] & 0x7f);
+
if (oid.ptr[0] < 128)
{
- len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", oid.ptr[0]);
- oid = chunk_skip(oid, 1);
- }
- else
- {
- if (oid.len == 1)
+ len = snprintf(pos, sizeof(buf) + buf - pos, ".%u", val);
+ if (len < 0 || len >= sizeof(buf) + buf - pos)
{
return NULL;
}
- val = ((u_int)(oid.ptr[0] & 0x7F) << 7) + oid.ptr[1];
- len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", val);
- oid = chunk_skip(oid, 2);
- }
- if (len < 0 || len >= sizeof(buf) + buf - pos)
- {
- return NULL;
+ pos += len;
+ val = 0;
}
- pos += len;
+ oid = chunk_skip(oid, 1);
}
- return strdup(buf);
+ return (val == 0) ? strdup(buf) : NULL;
}
/*
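Review bot: `val = (val << 7) + (u_int)(oid.ptr[0] & 0x7f)` accumulates a sub-identifier with no bound on the number of continuation bytes, so an over-long encoding (more than five 7-bit groups) silently wraps `val` and prints a wrong but plausible arc rather than failing. Since this function is now reached from asn1_debug_simple_object for any unknown OID in parsed data, a check before the shift, `if (val >> 25) { return NULL; }`, rejects values that no longer fit in 32 bits. The final `(val == 0) ? strdup(buf) : NULL` also misses a truncated encoding whose dangling continuation bytes are all `0x80`, since those leave `val` at zero; tracking whether the last byte processed had its continuation bit set would close that gap.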
@@ -468,12 +463,22 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
{
case ASN1_OID:
oid = asn1_known_oid(object);
- if (oid != OID_UNKNOWN)
+ if (oid == OID_UNKNOWN)
+ {
+ char *oid_str = asn1_oid_to_string(object);
+
+ if (!oid_str)
+ {
+ break;
+ }
+ DBG2(DBG_LIB, " %s", oid_str);
+ free(oid_str);
+ }
+ else
{
DBG2(DBG_LIB, " '%s'", oid_names[oid].name);
- return;
}
- break;
+ return;
case ASN1_UTF8STRING:
case ASN1_IA5STRING:
case ASN1_PRINTABLESTRING:
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 57a00a39e..6af088fd2 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -74,7 +74,7 @@ const oid_t oid_names[] = {
{ 0x36, 62, 0, 2, "inhibitAnyPolicy" }, /* 61 */
{ 0x37, 63, 0, 2, "targetInformation" }, /* 62 */
{ 0x38, 0, 0, 2, "noRevAvail" }, /* 63 */
- {0x2A, 161, 1, 0, "" }, /* 64 */
+ {0x2A, 163, 1, 0, "" }, /* 64 */
{ 0x83, 77, 1, 1, "" }, /* 65 */
{ 0x08, 0, 1, 2, "jp" }, /* 66 */
{ 0x8C, 0, 1, 3, "" }, /* 67 */
@@ -89,7 +89,7 @@ const oid_t oid_names[] = {
{ 0x04, 0, 0, 10, "camellia256-cbc" }, /* 76 */
{ 0x86, 0, 1, 1, "" }, /* 77 */
{ 0x48, 0, 1, 2, "us" }, /* 78 */
- { 0x86, 120, 1, 3, "" }, /* 79 */
+ { 0x86, 122, 1, 3, "" }, /* 79 */
{ 0xF6, 85, 1, 4, "" }, /* 80 */
{ 0x7D, 0, 1, 5, "NortelNetworks" }, /* 81 */
{ 0x07, 0, 1, 6, "Entrust" }, /* 82 */
@@ -97,276 +97,285 @@ const oid_t oid_names[] = {
{ 0x00, 0, 0, 8, "entrustVersInfo" }, /* 84 */
{ 0xF7, 0, 1, 4, "" }, /* 85 */
{ 0x0D, 0, 1, 5, "RSADSI" }, /* 86 */
- { 0x01, 115, 1, 6, "PKCS" }, /* 87 */
- { 0x01, 97, 1, 7, "PKCS-1" }, /* 88 */
+ { 0x01, 117, 1, 6, "PKCS" }, /* 87 */
+ { 0x01, 99, 1, 7, "PKCS-1" }, /* 88 */
{ 0x01, 90, 0, 8, "rsaEncryption" }, /* 89 */
{ 0x02, 91, 0, 8, "md2WithRSAEncryption" }, /* 90 */
{ 0x04, 92, 0, 8, "md5WithRSAEncryption" }, /* 91 */
{ 0x05, 93, 0, 8, "sha-1WithRSAEncryption" }, /* 92 */
- { 0x0B, 94, 0, 8, "sha256WithRSAEncryption" }, /* 93 */
- { 0x0C, 95, 0, 8, "sha384WithRSAEncryption" }, /* 94 */
- { 0x0D, 96, 0, 8, "sha512WithRSAEncryption" }, /* 95 */
- { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 96 */
- { 0x07, 104, 1, 7, "PKCS-7" }, /* 97 */
- { 0x01, 99, 0, 8, "data" }, /* 98 */
- { 0x02, 100, 0, 8, "signedData" }, /* 99 */
- { 0x03, 101, 0, 8, "envelopedData" }, /* 100 */
- { 0x04, 102, 0, 8, "signedAndEnvelopedData" }, /* 101 */
- { 0x05, 103, 0, 8, "digestedData" }, /* 102 */
- { 0x06, 0, 0, 8, "encryptedData" }, /* 103 */
- { 0x09, 0, 1, 7, "PKCS-9" }, /* 104 */
- { 0x01, 106, 0, 8, "E" }, /* 105 */
- { 0x02, 107, 0, 8, "unstructuredName" }, /* 106 */
- { 0x03, 108, 0, 8, "contentType" }, /* 107 */
- { 0x04, 109, 0, 8, "messageDigest" }, /* 108 */
- { 0x05, 110, 0, 8, "signingTime" }, /* 109 */
- { 0x06, 111, 0, 8, "counterSignature" }, /* 110 */
- { 0x07, 112, 0, 8, "challengePassword" }, /* 111 */
- { 0x08, 113, 0, 8, "unstructuredAddress" }, /* 112 */
- { 0x0E, 114, 0, 8, "extensionRequest" }, /* 113 */
- { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 114 */
- { 0x02, 118, 1, 6, "digestAlgorithm" }, /* 115 */
- { 0x02, 117, 0, 7, "md2" }, /* 116 */
- { 0x05, 0, 0, 7, "md5" }, /* 117 */
- { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 118 */
- { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 119 */
- { 0xCE, 0, 1, 3, "" }, /* 120 */
- { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 121 */
- { 0x02, 124, 1, 5, "id-publicKeyType" }, /* 122 */
- { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 123 */
- { 0x03, 154, 1, 5, "ellipticCurve" }, /* 124 */
- { 0x00, 146, 1, 6, "c-TwoCurve" }, /* 125 */
- { 0x01, 127, 0, 7, "c2pnb163v1" }, /* 126 */
- { 0x02, 128, 0, 7, "c2pnb163v2" }, /* 127 */
- { 0x03, 129, 0, 7, "c2pnb163v3" }, /* 128 */
- { 0x04, 130, 0, 7, "c2pnb176w1" }, /* 129 */
- { 0x05, 131, 0, 7, "c2tnb191v1" }, /* 130 */
- { 0x06, 132, 0, 7, "c2tnb191v2" }, /* 131 */
- { 0x07, 133, 0, 7, "c2tnb191v3" }, /* 132 */
- { 0x08, 134, 0, 7, "c2onb191v4" }, /* 133 */
- { 0x09, 135, 0, 7, "c2onb191v5" }, /* 134 */
- { 0x0A, 136, 0, 7, "c2pnb208w1" }, /* 135 */
- { 0x0B, 137, 0, 7, "c2tnb239v1" }, /* 136 */
- { 0x0C, 138, 0, 7, "c2tnb239v2" }, /* 137 */
- { 0x0D, 139, 0, 7, "c2tnb239v3" }, /* 138 */
- { 0x0E, 140, 0, 7, "c2onb239v4" }, /* 139 */
- { 0x0F, 141, 0, 7, "c2onb239v5" }, /* 140 */
- { 0x10, 142, 0, 7, "c2pnb272w1" }, /* 141 */
- { 0x11, 143, 0, 7, "c2pnb304w1" }, /* 142 */
- { 0x12, 144, 0, 7, "c2tnb359v1" }, /* 143 */
- { 0x13, 145, 0, 7, "c2pnb368w1" }, /* 144 */
- { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 145 */
- { 0x01, 0, 1, 6, "primeCurve" }, /* 146 */
- { 0x01, 148, 0, 7, "prime192v1" }, /* 147 */
- { 0x02, 149, 0, 7, "prime192v2" }, /* 148 */
- { 0x03, 150, 0, 7, "prime192v3" }, /* 149 */
- { 0x04, 151, 0, 7, "prime239v1" }, /* 150 */
- { 0x05, 152, 0, 7, "prime239v2" }, /* 151 */
- { 0x06, 153, 0, 7, "prime239v3" }, /* 152 */
- { 0x07, 0, 0, 7, "prime256v1" }, /* 153 */
- { 0x04, 0, 1, 5, "id-ecSigType" }, /* 154 */
- { 0x01, 156, 0, 6, "ecdsa-with-SHA1" }, /* 155 */
- { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 156 */
- { 0x01, 158, 0, 7, "ecdsa-with-SHA224" }, /* 157 */
- { 0x02, 159, 0, 7, "ecdsa-with-SHA256" }, /* 158 */
- { 0x03, 160, 0, 7, "ecdsa-with-SHA384" }, /* 159 */
- { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 160 */
- {0x2B, 312, 1, 0, "" }, /* 161 */
- { 0x06, 226, 1, 1, "dod" }, /* 162 */
- { 0x01, 0, 1, 2, "internet" }, /* 163 */
- { 0x04, 186, 1, 3, "private" }, /* 164 */
- { 0x01, 0, 1, 4, "enterprise" }, /* 165 */
- { 0x82, 179, 1, 5, "" }, /* 166 */
- { 0x37, 176, 1, 6, "Microsoft" }, /* 167 */
- { 0x0A, 172, 1, 7, "" }, /* 168 */
- { 0x03, 0, 1, 8, "" }, /* 169 */
- { 0x03, 171, 0, 9, "msSGC" }, /* 170 */
- { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 171 */
- { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 172 */
- { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 173 */
- { 0x02, 175, 0, 9, "msSmartcardLogon" }, /* 174 */
- { 0x03, 0, 0, 9, "msUPN" }, /* 175 */
- { 0xA0, 0, 1, 6, "" }, /* 176 */
- { 0x2A, 0, 1, 7, "ITA" }, /* 177 */
- { 0x01, 0, 0, 8, "strongSwan" }, /* 178 */
- { 0x89, 0, 1, 5, "" }, /* 179 */
- { 0x31, 0, 1, 6, "" }, /* 180 */
- { 0x01, 0, 1, 7, "" }, /* 181 */
- { 0x01, 0, 1, 8, "" }, /* 182 */
- { 0x02, 0, 1, 9, "" }, /* 183 */
- { 0x02, 0, 1, 10, "" }, /* 184 */
- { 0x4B, 0, 0, 11, "TCGID" }, /* 185 */
- { 0x05, 0, 1, 3, "security" }, /* 186 */
- { 0x05, 0, 1, 4, "mechanisms" }, /* 187 */
- { 0x07, 0, 1, 5, "id-pkix" }, /* 188 */
- { 0x01, 193, 1, 6, "id-pe" }, /* 189 */
- { 0x01, 191, 0, 7, "authorityInfoAccess" }, /* 190 */
- { 0x03, 192, 0, 7, "qcStatements" }, /* 191 */
- { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 192 */
- { 0x02, 196, 1, 6, "id-qt" }, /* 193 */
- { 0x01, 195, 0, 7, "cps" }, /* 194 */
- { 0x02, 0, 0, 7, "unotice" }, /* 195 */
- { 0x03, 206, 1, 6, "id-kp" }, /* 196 */
- { 0x01, 198, 0, 7, "serverAuth" }, /* 197 */
- { 0x02, 199, 0, 7, "clientAuth" }, /* 198 */
- { 0x03, 200, 0, 7, "codeSigning" }, /* 199 */
- { 0x04, 201, 0, 7, "emailProtection" }, /* 200 */
- { 0x05, 202, 0, 7, "ipsecEndSystem" }, /* 201 */
- { 0x06, 203, 0, 7, "ipsecTunnel" }, /* 202 */
- { 0x07, 204, 0, 7, "ipsecUser" }, /* 203 */
- { 0x08, 205, 0, 7, "timeStamping" }, /* 204 */
- { 0x09, 0, 0, 7, "ocspSigning" }, /* 205 */
- { 0x08, 208, 1, 6, "id-otherNames" }, /* 206 */
- { 0x05, 0, 0, 7, "xmppAddr" }, /* 207 */
- { 0x0A, 213, 1, 6, "id-aca" }, /* 208 */
- { 0x01, 210, 0, 7, "authenticationInfo" }, /* 209 */
- { 0x02, 211, 0, 7, "accessIdentity" }, /* 210 */
- { 0x03, 212, 0, 7, "chargingIdentity" }, /* 211 */
- { 0x04, 0, 0, 7, "group" }, /* 212 */
- { 0x0B, 214, 0, 6, "subjectInfoAccess" }, /* 213 */
- { 0x30, 0, 1, 6, "id-ad" }, /* 214 */
- { 0x01, 223, 1, 7, "ocsp" }, /* 215 */
- { 0x01, 217, 0, 8, "basic" }, /* 216 */
- { 0x02, 218, 0, 8, "nonce" }, /* 217 */
- { 0x03, 219, 0, 8, "crl" }, /* 218 */
- { 0x04, 220, 0, 8, "response" }, /* 219 */
- { 0x05, 221, 0, 8, "noCheck" }, /* 220 */
- { 0x06, 222, 0, 8, "archiveCutoff" }, /* 221 */
- { 0x07, 0, 0, 8, "serviceLocator" }, /* 222 */
- { 0x02, 224, 0, 7, "caIssuers" }, /* 223 */
- { 0x03, 225, 0, 7, "timeStamping" }, /* 224 */
- { 0x05, 0, 0, 7, "caRepository" }, /* 225 */
- { 0x0E, 232, 1, 1, "oiw" }, /* 226 */
- { 0x03, 0, 1, 2, "secsig" }, /* 227 */
- { 0x02, 0, 1, 3, "algorithms" }, /* 228 */
- { 0x07, 230, 0, 4, "des-cbc" }, /* 229 */
- { 0x1A, 231, 0, 4, "sha-1" }, /* 230 */
- { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 231 */
- { 0x24, 278, 1, 1, "TeleTrusT" }, /* 232 */
- { 0x03, 0, 1, 2, "algorithm" }, /* 233 */
- { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 234 */
- { 0x01, 239, 1, 4, "rsaSignature" }, /* 235 */
- { 0x02, 237, 0, 5, "rsaSigWithripemd160" }, /* 236 */
- { 0x03, 238, 0, 5, "rsaSigWithripemd128" }, /* 237 */
- { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 238 */
- { 0x02, 0, 1, 4, "ecSign" }, /* 239 */
- { 0x01, 241, 0, 5, "ecSignWithsha1" }, /* 240 */
- { 0x02, 242, 0, 5, "ecSignWithripemd160" }, /* 241 */
- { 0x03, 243, 0, 5, "ecSignWithmd2" }, /* 242 */
- { 0x04, 244, 0, 5, "ecSignWithmd5" }, /* 243 */
- { 0x05, 261, 1, 5, "ttt-ecg" }, /* 244 */
- { 0x01, 249, 1, 6, "fieldType" }, /* 245 */
- { 0x01, 0, 1, 7, "characteristictwoField" }, /* 246 */
- { 0x01, 0, 1, 8, "basisType" }, /* 247 */
- { 0x01, 0, 0, 9, "ipBasis" }, /* 248 */
- { 0x02, 251, 1, 6, "keyType" }, /* 249 */
- { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 250 */
- { 0x03, 252, 0, 6, "curve" }, /* 251 */
- { 0x04, 259, 1, 6, "signatures" }, /* 252 */
- { 0x01, 254, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 253 */
- { 0x02, 255, 0, 7, "ecgdsa-with-SHA1" }, /* 254 */
- { 0x03, 256, 0, 7, "ecgdsa-with-SHA224" }, /* 255 */
- { 0x04, 257, 0, 7, "ecgdsa-with-SHA256" }, /* 256 */
- { 0x05, 258, 0, 7, "ecgdsa-with-SHA384" }, /* 257 */
- { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 258 */
- { 0x05, 0, 1, 6, "module" }, /* 259 */
- { 0x01, 0, 0, 7, "1" }, /* 260 */
- { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 261 */
- { 0x01, 0, 1, 6, "ellipticCurve" }, /* 262 */
- { 0x01, 0, 1, 7, "versionOne" }, /* 263 */
- { 0x01, 265, 0, 8, "brainpoolP160r1" }, /* 264 */
- { 0x02, 266, 0, 8, "brainpoolP160t1" }, /* 265 */
- { 0x03, 267, 0, 8, "brainpoolP192r1" }, /* 266 */
- { 0x04, 268, 0, 8, "brainpoolP192t1" }, /* 267 */
- { 0x05, 269, 0, 8, "brainpoolP224r1" }, /* 268 */
- { 0x06, 270, 0, 8, "brainpoolP224t1" }, /* 269 */
- { 0x07, 271, 0, 8, "brainpoolP256r1" }, /* 270 */
- { 0x08, 272, 0, 8, "brainpoolP256t1" }, /* 271 */
- { 0x09, 273, 0, 8, "brainpoolP320r1" }, /* 272 */
- { 0x0A, 274, 0, 8, "brainpoolP320t1" }, /* 273 */
- { 0x0B, 275, 0, 8, "brainpoolP384r1" }, /* 274 */
- { 0x0C, 276, 0, 8, "brainpoolP384t1" }, /* 275 */
- { 0x0D, 277, 0, 8, "brainpoolP512r1" }, /* 276 */
- { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 277 */
- { 0x81, 0, 1, 1, "" }, /* 278 */
- { 0x04, 0, 1, 2, "Certicom" }, /* 279 */
- { 0x00, 0, 1, 3, "curve" }, /* 280 */
- { 0x01, 282, 0, 4, "sect163k1" }, /* 281 */
- { 0x02, 283, 0, 4, "sect163r1" }, /* 282 */
- { 0x03, 284, 0, 4, "sect239k1" }, /* 283 */
- { 0x04, 285, 0, 4, "sect113r1" }, /* 284 */
- { 0x05, 286, 0, 4, "sect113r2" }, /* 285 */
- { 0x06, 287, 0, 4, "secp112r1" }, /* 286 */
- { 0x07, 288, 0, 4, "secp112r2" }, /* 287 */
- { 0x08, 289, 0, 4, "secp160r1" }, /* 288 */
- { 0x09, 290, 0, 4, "secp160k1" }, /* 289 */
- { 0x0A, 291, 0, 4, "secp256k1" }, /* 290 */
- { 0x0F, 292, 0, 4, "sect163r2" }, /* 291 */
- { 0x10, 293, 0, 4, "sect283k1" }, /* 292 */
- { 0x11, 294, 0, 4, "sect283r1" }, /* 293 */
- { 0x16, 295, 0, 4, "sect131r1" }, /* 294 */
- { 0x17, 296, 0, 4, "sect131r2" }, /* 295 */
- { 0x18, 297, 0, 4, "sect193r1" }, /* 296 */
- { 0x19, 298, 0, 4, "sect193r2" }, /* 297 */
- { 0x1A, 299, 0, 4, "sect233k1" }, /* 298 */
- { 0x1B, 300, 0, 4, "sect233r1" }, /* 299 */
- { 0x1C, 301, 0, 4, "secp128r1" }, /* 300 */
- { 0x1D, 302, 0, 4, "secp128r2" }, /* 301 */
- { 0x1E, 303, 0, 4, "secp160r2" }, /* 302 */
- { 0x1F, 304, 0, 4, "secp192k1" }, /* 303 */
- { 0x20, 305, 0, 4, "secp224k1" }, /* 304 */
- { 0x21, 306, 0, 4, "secp224r1" }, /* 305 */
- { 0x22, 307, 0, 4, "secp384r1" }, /* 306 */
- { 0x23, 308, 0, 4, "secp521r1" }, /* 307 */
- { 0x24, 309, 0, 4, "sect409k1" }, /* 308 */
- { 0x25, 310, 0, 4, "sect409r1" }, /* 309 */
- { 0x26, 311, 0, 4, "sect571k1" }, /* 310 */
- { 0x27, 0, 0, 4, "sect571r1" }, /* 311 */
- {0x60, 0, 1, 0, "" }, /* 312 */
- { 0x86, 0, 1, 1, "" }, /* 313 */
- { 0x48, 0, 1, 2, "" }, /* 314 */
- { 0x01, 0, 1, 3, "organization" }, /* 315 */
- { 0x65, 334, 1, 4, "gov" }, /* 316 */
- { 0x03, 0, 1, 5, "csor" }, /* 317 */
- { 0x04, 0, 1, 6, "nistalgorithm" }, /* 318 */
- { 0x01, 329, 1, 7, "aes" }, /* 319 */
- { 0x02, 321, 0, 8, "id-aes128-CBC" }, /* 320 */
- { 0x06, 322, 0, 8, "id-aes128-GCM" }, /* 321 */
- { 0x07, 323, 0, 8, "id-aes128-CCM" }, /* 322 */
- { 0x16, 324, 0, 8, "id-aes192-CBC" }, /* 323 */
- { 0x1A, 325, 0, 8, "id-aes192-GCM" }, /* 324 */
- { 0x1B, 326, 0, 8, "id-aes192-CCM" }, /* 325 */
- { 0x2A, 327, 0, 8, "id-aes256-CBC" }, /* 326 */
- { 0x2E, 328, 0, 8, "id-aes256-GCM" }, /* 327 */
- { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 328 */
- { 0x02, 0, 1, 7, "hashalgs" }, /* 329 */
- { 0x01, 331, 0, 8, "id-SHA-256" }, /* 330 */
- { 0x02, 332, 0, 8, "id-SHA-384" }, /* 331 */
- { 0x03, 333, 0, 8, "id-SHA-512" }, /* 332 */
- { 0x04, 0, 0, 8, "id-SHA-224" }, /* 333 */
- { 0x86, 0, 1, 4, "" }, /* 334 */
- { 0xf8, 0, 1, 5, "" }, /* 335 */
- { 0x42, 348, 1, 6, "netscape" }, /* 336 */
- { 0x01, 343, 1, 7, "" }, /* 337 */
- { 0x01, 339, 0, 8, "nsCertType" }, /* 338 */
- { 0x03, 340, 0, 8, "nsRevocationUrl" }, /* 339 */
- { 0x04, 341, 0, 8, "nsCaRevocationUrl" }, /* 340 */
- { 0x08, 342, 0, 8, "nsCaPolicyUrl" }, /* 341 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 342 */
- { 0x03, 346, 1, 7, "directory" }, /* 343 */
- { 0x01, 0, 1, 8, "" }, /* 344 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 345 */
- { 0x04, 0, 1, 7, "policy" }, /* 346 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 347 */
- { 0x45, 0, 1, 6, "verisign" }, /* 348 */
- { 0x01, 0, 1, 7, "pki" }, /* 349 */
- { 0x09, 0, 1, 8, "attributes" }, /* 350 */
- { 0x02, 352, 0, 9, "messageType" }, /* 351 */
- { 0x03, 353, 0, 9, "pkiStatus" }, /* 352 */
- { 0x04, 354, 0, 9, "failInfo" }, /* 353 */
- { 0x05, 355, 0, 9, "senderNonce" }, /* 354 */
- { 0x06, 356, 0, 9, "recipientNonce" }, /* 355 */
- { 0x07, 357, 0, 9, "transID" }, /* 356 */
- { 0x08, 358, 0, 9, "extensionReq" }, /* 357 */
- { 0x08, 0, 0, 9, "extensionReq" } /* 358 */
+ { 0x07, 94, 0, 8, "id-RSAES-OAEP" }, /* 93 */
+ { 0x09, 95, 0, 8, "id-pSpecified" }, /* 94 */
+ { 0x0B, 96, 0, 8, "sha256WithRSAEncryption" }, /* 95 */
+ { 0x0C, 97, 0, 8, "sha384WithRSAEncryption" }, /* 96 */
+ { 0x0D, 98, 0, 8, "sha512WithRSAEncryption" }, /* 97 */
+ { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 98 */
+ { 0x07, 106, 1, 7, "PKCS-7" }, /* 99 */
+ { 0x01, 101, 0, 8, "data" }, /* 100 */
+ { 0x02, 102, 0, 8, "signedData" }, /* 101 */
+ { 0x03, 103, 0, 8, "envelopedData" }, /* 102 */
+ { 0x04, 104, 0, 8, "signedAndEnvelopedData" }, /* 103 */
+ { 0x05, 105, 0, 8, "digestedData" }, /* 104 */
+ { 0x06, 0, 0, 8, "encryptedData" }, /* 105 */
+ { 0x09, 0, 1, 7, "PKCS-9" }, /* 106 */
+ { 0x01, 108, 0, 8, "E" }, /* 107 */
+ { 0x02, 109, 0, 8, "unstructuredName" }, /* 108 */
+ { 0x03, 110, 0, 8, "contentType" }, /* 109 */
+ { 0x04, 111, 0, 8, "messageDigest" }, /* 110 */
+ { 0x05, 112, 0, 8, "signingTime" }, /* 111 */
+ { 0x06, 113, 0, 8, "counterSignature" }, /* 112 */
+ { 0x07, 114, 0, 8, "challengePassword" }, /* 113 */
+ { 0x08, 115, 0, 8, "unstructuredAddress" }, /* 114 */
+ { 0x0E, 116, 0, 8, "extensionRequest" }, /* 115 */
+ { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 116 */
+ { 0x02, 120, 1, 6, "digestAlgorithm" }, /* 117 */
+ { 0x02, 119, 0, 7, "md2" }, /* 118 */
+ { 0x05, 0, 0, 7, "md5" }, /* 119 */
+ { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 120 */
+ { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 121 */
+ { 0xCE, 0, 1, 3, "" }, /* 122 */
+ { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 123 */
+ { 0x02, 126, 1, 5, "id-publicKeyType" }, /* 124 */
+ { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 125 */
+ { 0x03, 156, 1, 5, "ellipticCurve" }, /* 126 */
+ { 0x00, 148, 1, 6, "c-TwoCurve" }, /* 127 */
+ { 0x01, 129, 0, 7, "c2pnb163v1" }, /* 128 */
+ { 0x02, 130, 0, 7, "c2pnb163v2" }, /* 129 */
+ { 0x03, 131, 0, 7, "c2pnb163v3" }, /* 130 */
+ { 0x04, 132, 0, 7, "c2pnb176w1" }, /* 131 */
+ { 0x05, 133, 0, 7, "c2tnb191v1" }, /* 132 */
+ { 0x06, 134, 0, 7, "c2tnb191v2" }, /* 133 */
+ { 0x07, 135, 0, 7, "c2tnb191v3" }, /* 134 */
+ { 0x08, 136, 0, 7, "c2onb191v4" }, /* 135 */
+ { 0x09, 137, 0, 7, "c2onb191v5" }, /* 136 */
+ { 0x0A, 138, 0, 7, "c2pnb208w1" }, /* 137 */
+ { 0x0B, 139, 0, 7, "c2tnb239v1" }, /* 138 */
+ { 0x0C, 140, 0, 7, "c2tnb239v2" }, /* 139 */
+ { 0x0D, 141, 0, 7, "c2tnb239v3" }, /* 140 */
+ { 0x0E, 142, 0, 7, "c2onb239v4" }, /* 141 */
+ { 0x0F, 143, 0, 7, "c2onb239v5" }, /* 142 */
+ { 0x10, 144, 0, 7, "c2pnb272w1" }, /* 143 */
+ { 0x11, 145, 0, 7, "c2pnb304w1" }, /* 144 */
+ { 0x12, 146, 0, 7, "c2tnb359v1" }, /* 145 */
+ { 0x13, 147, 0, 7, "c2pnb368w1" }, /* 146 */
+ { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 147 */
+ { 0x01, 0, 1, 6, "primeCurve" }, /* 148 */
+ { 0x01, 150, 0, 7, "prime192v1" }, /* 149 */
+ { 0x02, 151, 0, 7, "prime192v2" }, /* 150 */
+ { 0x03, 152, 0, 7, "prime192v3" }, /* 151 */
+ { 0x04, 153, 0, 7, "prime239v1" }, /* 152 */
+ { 0x05, 154, 0, 7, "prime239v2" }, /* 153 */
+ { 0x06, 155, 0, 7, "prime239v3" }, /* 154 */
+ { 0x07, 0, 0, 7, "prime256v1" }, /* 155 */
+ { 0x04, 0, 1, 5, "id-ecSigType" }, /* 156 */
+ { 0x01, 158, 0, 6, "ecdsa-with-SHA1" }, /* 157 */
+ { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 158 */
+ { 0x01, 160, 0, 7, "ecdsa-with-SHA224" }, /* 159 */
+ { 0x02, 161, 0, 7, "ecdsa-with-SHA256" }, /* 160 */
+ { 0x03, 162, 0, 7, "ecdsa-with-SHA384" }, /* 161 */
+ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 162 */
+ {0x2B, 314, 1, 0, "" }, /* 163 */
+ { 0x06, 228, 1, 1, "dod" }, /* 164 */
+ { 0x01, 0, 1, 2, "internet" }, /* 165 */
+ { 0x04, 188, 1, 3, "private" }, /* 166 */
+ { 0x01, 0, 1, 4, "enterprise" }, /* 167 */
+ { 0x82, 181, 1, 5, "" }, /* 168 */
+ { 0x37, 178, 1, 6, "Microsoft" }, /* 169 */
+ { 0x0A, 174, 1, 7, "" }, /* 170 */
+ { 0x03, 0, 1, 8, "" }, /* 171 */
+ { 0x03, 173, 0, 9, "msSGC" }, /* 172 */
+ { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 173 */
+ { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 174 */
+ { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 175 */
+ { 0x02, 177, 0, 9, "msSmartcardLogon" }, /* 176 */
+ { 0x03, 0, 0, 9, "msUPN" }, /* 177 */
+ { 0xA0, 0, 1, 6, "" }, /* 178 */
+ { 0x2A, 0, 1, 7, "ITA" }, /* 179 */
+ { 0x01, 0, 0, 8, "strongSwan" }, /* 180 */
+ { 0x89, 0, 1, 5, "" }, /* 181 */
+ { 0x31, 0, 1, 6, "" }, /* 182 */
+ { 0x01, 0, 1, 7, "" }, /* 183 */
+ { 0x01, 0, 1, 8, "" }, /* 184 */
+ { 0x02, 0, 1, 9, "" }, /* 185 */
+ { 0x02, 0, 1, 10, "" }, /* 186 */
+ { 0x4B, 0, 0, 11, "TCGID" }, /* 187 */
+ { 0x05, 0, 1, 3, "security" }, /* 188 */
+ { 0x05, 0, 1, 4, "mechanisms" }, /* 189 */
+ { 0x07, 0, 1, 5, "id-pkix" }, /* 190 */
+ { 0x01, 195, 1, 6, "id-pe" }, /* 191 */
+ { 0x01, 193, 0, 7, "authorityInfoAccess" }, /* 192 */
+ { 0x03, 194, 0, 7, "qcStatements" }, /* 193 */
+ { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 194 */
+ { 0x02, 198, 1, 6, "id-qt" }, /* 195 */
+ { 0x01, 197, 0, 7, "cps" }, /* 196 */
+ { 0x02, 0, 0, 7, "unotice" }, /* 197 */
+ { 0x03, 208, 1, 6, "id-kp" }, /* 198 */
+ { 0x01, 200, 0, 7, "serverAuth" }, /* 199 */
+ { 0x02, 201, 0, 7, "clientAuth" }, /* 200 */
+ { 0x03, 202, 0, 7, "codeSigning" }, /* 201 */
+ { 0x04, 203, 0, 7, "emailProtection" }, /* 202 */
+ { 0x05, 204, 0, 7, "ipsecEndSystem" }, /* 203 */
+ { 0x06, 205, 0, 7, "ipsecTunnel" }, /* 204 */
+ { 0x07, 206, 0, 7, "ipsecUser" }, /* 205 */
+ { 0x08, 207, 0, 7, "timeStamping" }, /* 206 */
+ { 0x09, 0, 0, 7, "ocspSigning" }, /* 207 */
+ { 0x08, 210, 1, 6, "id-otherNames" }, /* 208 */
+ { 0x05, 0, 0, 7, "xmppAddr" }, /* 209 */
+ { 0x0A, 215, 1, 6, "id-aca" }, /* 210 */
+ { 0x01, 212, 0, 7, "authenticationInfo" }, /* 211 */
+ { 0x02, 213, 0, 7, "accessIdentity" }, /* 212 */
+ { 0x03, 214, 0, 7, "chargingIdentity" }, /* 213 */
+ { 0x04, 0, 0, 7, "group" }, /* 214 */
+ { 0x0B, 216, 0, 6, "subjectInfoAccess" }, /* 215 */
+ { 0x30, 0, 1, 6, "id-ad" }, /* 216 */
+ { 0x01, 225, 1, 7, "ocsp" }, /* 217 */
+ { 0x01, 219, 0, 8, "basic" }, /* 218 */
+ { 0x02, 220, 0, 8, "nonce" }, /* 219 */
+ { 0x03, 221, 0, 8, "crl" }, /* 220 */
+ { 0x04, 222, 0, 8, "response" }, /* 221 */
+ { 0x05, 223, 0, 8, "noCheck" }, /* 222 */
+ { 0x06, 224, 0, 8, "archiveCutoff" }, /* 223 */
+ { 0x07, 0, 0, 8, "serviceLocator" }, /* 224 */
+ { 0x02, 226, 0, 7, "caIssuers" }, /* 225 */
+ { 0x03, 227, 0, 7, "timeStamping" }, /* 226 */
+ { 0x05, 0, 0, 7, "caRepository" }, /* 227 */
+ { 0x0E, 234, 1, 1, "oiw" }, /* 228 */
+ { 0x03, 0, 1, 2, "secsig" }, /* 229 */
+ { 0x02, 0, 1, 3, "algorithms" }, /* 230 */
+ { 0x07, 232, 0, 4, "des-cbc" }, /* 231 */
+ { 0x1A, 233, 0, 4, "sha-1" }, /* 232 */
+ { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 233 */
+ { 0x24, 280, 1, 1, "TeleTrusT" }, /* 234 */
+ { 0x03, 0, 1, 2, "algorithm" }, /* 235 */
+ { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 236 */
+ { 0x01, 241, 1, 4, "rsaSignature" }, /* 237 */
+ { 0x02, 239, 0, 5, "rsaSigWithripemd160" }, /* 238 */
+ { 0x03, 240, 0, 5, "rsaSigWithripemd128" }, /* 239 */
+ { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 240 */
+ { 0x02, 0, 1, 4, "ecSign" }, /* 241 */
+ { 0x01, 243, 0, 5, "ecSignWithsha1" }, /* 242 */
+ { 0x02, 244, 0, 5, "ecSignWithripemd160" }, /* 243 */
+ { 0x03, 245, 0, 5, "ecSignWithmd2" }, /* 244 */
+ { 0x04, 246, 0, 5, "ecSignWithmd5" }, /* 245 */
+ { 0x05, 263, 1, 5, "ttt-ecg" }, /* 246 */
+ { 0x01, 251, 1, 6, "fieldType" }, /* 247 */
+ { 0x01, 0, 1, 7, "characteristictwoField" }, /* 248 */
+ { 0x01, 0, 1, 8, "basisType" }, /* 249 */
+ { 0x01, 0, 0, 9, "ipBasis" }, /* 250 */
+ { 0x02, 253, 1, 6, "keyType" }, /* 251 */
+ { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 252 */
+ { 0x03, 254, 0, 6, "curve" }, /* 253 */
+ { 0x04, 261, 1, 6, "signatures" }, /* 254 */
+ { 0x01, 256, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 255 */
+ { 0x02, 257, 0, 7, "ecgdsa-with-SHA1" }, /* 256 */
+ { 0x03, 258, 0, 7, "ecgdsa-with-SHA224" }, /* 257 */
+ { 0x04, 259, 0, 7, "ecgdsa-with-SHA256" }, /* 258 */
+ { 0x05, 260, 0, 7, "ecgdsa-with-SHA384" }, /* 259 */
+ { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 260 */
+ { 0x05, 0, 1, 6, "module" }, /* 261 */
+ { 0x01, 0, 0, 7, "1" }, /* 262 */
+ { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 263 */
+ { 0x01, 0, 1, 6, "ellipticCurve" }, /* 264 */
+ { 0x01, 0, 1, 7, "versionOne" }, /* 265 */
+ { 0x01, 267, 0, 8, "brainpoolP160r1" }, /* 266 */
+ { 0x02, 268, 0, 8, "brainpoolP160t1" }, /* 267 */
+ { 0x03, 269, 0, 8, "brainpoolP192r1" }, /* 268 */
+ { 0x04, 270, 0, 8, "brainpoolP192t1" }, /* 269 */
+ { 0x05, 271, 0, 8, "brainpoolP224r1" }, /* 270 */
+ { 0x06, 272, 0, 8, "brainpoolP224t1" }, /* 271 */
+ { 0x07, 273, 0, 8, "brainpoolP256r1" }, /* 272 */
+ { 0x08, 274, 0, 8, "brainpoolP256t1" }, /* 273 */
+ { 0x09, 275, 0, 8, "brainpoolP320r1" }, /* 274 */
+ { 0x0A, 276, 0, 8, "brainpoolP320t1" }, /* 275 */
+ { 0x0B, 277, 0, 8, "brainpoolP384r1" }, /* 276 */
+ { 0x0C, 278, 0, 8, "brainpoolP384t1" }, /* 277 */
+ { 0x0D, 279, 0, 8, "brainpoolP512r1" }, /* 278 */
+ { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 279 */
+ { 0x81, 0, 1, 1, "" }, /* 280 */
+ { 0x04, 0, 1, 2, "Certicom" }, /* 281 */
+ { 0x00, 0, 1, 3, "curve" }, /* 282 */
+ { 0x01, 284, 0, 4, "sect163k1" }, /* 283 */
+ { 0x02, 285, 0, 4, "sect163r1" }, /* 284 */
+ { 0x03, 286, 0, 4, "sect239k1" }, /* 285 */
+ { 0x04, 287, 0, 4, "sect113r1" }, /* 286 */
+ { 0x05, 288, 0, 4, "sect113r2" }, /* 287 */
+ { 0x06, 289, 0, 4, "secp112r1" }, /* 288 */
+ { 0x07, 290, 0, 4, "secp112r2" }, /* 289 */
+ { 0x08, 291, 0, 4, "secp160r1" }, /* 290 */
+ { 0x09, 292, 0, 4, "secp160k1" }, /* 291 */
+ { 0x0A, 293, 0, 4, "secp256k1" }, /* 292 */
+ { 0x0F, 294, 0, 4, "sect163r2" }, /* 293 */
+ { 0x10, 295, 0, 4, "sect283k1" }, /* 294 */
+ { 0x11, 296, 0, 4, "sect283r1" }, /* 295 */
+ { 0x16, 297, 0, 4, "sect131r1" }, /* 296 */
+ { 0x17, 298, 0, 4, "sect131r2" }, /* 297 */
+ { 0x18, 299, 0, 4, "sect193r1" }, /* 298 */
+ { 0x19, 300, 0, 4, "sect193r2" }, /* 299 */
+ { 0x1A, 301, 0, 4, "sect233k1" }, /* 300 */
+ { 0x1B, 302, 0, 4, "sect233r1" }, /* 301 */
+ { 0x1C, 303, 0, 4, "secp128r1" }, /* 302 */
+ { 0x1D, 304, 0, 4, "secp128r2" }, /* 303 */
+ { 0x1E, 305, 0, 4, "secp160r2" }, /* 304 */
+ { 0x1F, 306, 0, 4, "secp192k1" }, /* 305 */
+ { 0x20, 307, 0, 4, "secp224k1" }, /* 306 */
+ { 0x21, 308, 0, 4, "secp224r1" }, /* 307 */
+ { 0x22, 309, 0, 4, "secp384r1" }, /* 308 */
+ { 0x23, 310, 0, 4, "secp521r1" }, /* 309 */
+ { 0x24, 311, 0, 4, "sect409k1" }, /* 310 */
+ { 0x25, 312, 0, 4, "sect409r1" }, /* 311 */
+ { 0x26, 313, 0, 4, "sect571k1" }, /* 312 */
+ { 0x27, 0, 0, 4, "sect571r1" }, /* 313 */
+ {0x60, 360, 1, 0, "" }, /* 314 */
+ { 0x86, 0, 1, 1, "" }, /* 315 */
+ { 0x48, 0, 1, 2, "" }, /* 316 */
+ { 0x01, 0, 1, 3, "organization" }, /* 317 */
+ { 0x65, 336, 1, 4, "gov" }, /* 318 */
+ { 0x03, 0, 1, 5, "csor" }, /* 319 */
+ { 0x04, 0, 1, 6, "nistalgorithm" }, /* 320 */
+ { 0x01, 331, 1, 7, "aes" }, /* 321 */
+ { 0x02, 323, 0, 8, "id-aes128-CBC" }, /* 322 */
+ { 0x06, 324, 0, 8, "id-aes128-GCM" }, /* 323 */
+ { 0x07, 325, 0, 8, "id-aes128-CCM" }, /* 324 */
+ { 0x16, 326, 0, 8, "id-aes192-CBC" }, /* 325 */
+ { 0x1A, 327, 0, 8, "id-aes192-GCM" }, /* 326 */
+ { 0x1B, 328, 0, 8, "id-aes192-CCM" }, /* 327 */
+ { 0x2A, 329, 0, 8, "id-aes256-CBC" }, /* 328 */
+ { 0x2E, 330, 0, 8, "id-aes256-GCM" }, /* 329 */
+ { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 330 */
+ { 0x02, 0, 1, 7, "hashalgs" }, /* 331 */
+ { 0x01, 333, 0, 8, "id-SHA-256" }, /* 332 */
+ { 0x02, 334, 0, 8, "id-SHA-384" }, /* 333 */
+ { 0x03, 335, 0, 8, "id-SHA-512" }, /* 334 */
+ { 0x04, 0, 0, 8, "id-SHA-224" }, /* 335 */
+ { 0x86, 0, 1, 4, "" }, /* 336 */
+ { 0xf8, 0, 1, 5, "" }, /* 337 */
+ { 0x42, 350, 1, 6, "netscape" }, /* 338 */
+ { 0x01, 345, 1, 7, "" }, /* 339 */
+ { 0x01, 341, 0, 8, "nsCertType" }, /* 340 */
+ { 0x03, 342, 0, 8, "nsRevocationUrl" }, /* 341 */
+ { 0x04, 343, 0, 8, "nsCaRevocationUrl" }, /* 342 */
+ { 0x08, 344, 0, 8, "nsCaPolicyUrl" }, /* 343 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 344 */
+ { 0x03, 348, 1, 7, "directory" }, /* 345 */
+ { 0x01, 0, 1, 8, "" }, /* 346 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 347 */
+ { 0x04, 0, 1, 7, "policy" }, /* 348 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 349 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 350 */
+ { 0x01, 0, 1, 7, "pki" }, /* 351 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 352 */
+ { 0x02, 354, 0, 9, "messageType" }, /* 353 */
+ { 0x03, 355, 0, 9, "pkiStatus" }, /* 354 */
+ { 0x04, 356, 0, 9, "failInfo" }, /* 355 */
+ { 0x05, 357, 0, 9, "senderNonce" }, /* 356 */
+ { 0x06, 358, 0, 9, "recipientNonce" }, /* 357 */
+ { 0x07, 359, 0, 9, "transID" }, /* 358 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 359 */
+ {0x67, 0, 1, 0, "" }, /* 360 */
+ { 0x81, 0, 1, 1, "" }, /* 361 */
+ { 0x05, 0, 1, 2, "" }, /* 362 */
+ { 0x02, 0, 1, 3, "tcg-attribute" }, /* 363 */
+ { 0x01, 365, 0, 4, "tcg-at-tpmManufacturer" }, /* 364 */
+ { 0x02, 366, 0, 4, "tcg-at-tpmModel" }, /* 365 */
+ { 0x03, 367, 0, 4, "tcg-at-tpmVersion" }, /* 366 */
+ { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 367 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index b6ee9a10d..61db061f7 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -66,149 +66,155 @@ extern const oid_t oid_names[];
#define OID_MD2_WITH_RSA 90
#define OID_MD5_WITH_RSA 91
#define OID_SHA1_WITH_RSA 92
-#define OID_SHA256_WITH_RSA 93
-#define OID_SHA384_WITH_RSA 94
-#define OID_SHA512_WITH_RSA 95
-#define OID_SHA224_WITH_RSA 96
-#define OID_PKCS7_DATA 98
-#define OID_PKCS7_SIGNED_DATA 99
-#define OID_PKCS7_ENVELOPED_DATA 100
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 101
-#define OID_PKCS7_DIGESTED_DATA 102
-#define OID_PKCS7_ENCRYPTED_DATA 103
-#define OID_EMAIL_ADDRESS 105
-#define OID_UNSTRUCTURED_NAME 106
-#define OID_PKCS9_CONTENT_TYPE 107
-#define OID_PKCS9_MESSAGE_DIGEST 108
-#define OID_PKCS9_SIGNING_TIME 109
-#define OID_CHALLENGE_PASSWORD 111
-#define OID_EXTENSION_REQUEST 113
-#define OID_MD2 116
-#define OID_MD5 117
-#define OID_3DES_EDE_CBC 119
-#define OID_EC_PUBLICKEY 123
-#define OID_C2PNB163V1 126
-#define OID_C2PNB163V2 127
-#define OID_C2PNB163V3 128
-#define OID_C2PNB176W1 129
-#define OID_C2PNB191V1 130
-#define OID_C2PNB191V2 131
-#define OID_C2PNB191V3 132
-#define OID_C2PNB191V4 133
-#define OID_C2PNB191V5 134
-#define OID_C2PNB208W1 135
-#define OID_C2PNB239V1 136
-#define OID_C2PNB239V2 137
-#define OID_C2PNB239V3 138
-#define OID_C2PNB239V4 139
-#define OID_C2PNB239V5 140
-#define OID_C2PNB272W1 141
-#define OID_C2PNB304W1 142
-#define OID_C2PNB359V1 143
-#define OID_C2PNB368W1 144
-#define OID_C2PNB431R1 145
-#define OID_PRIME192V1 147
-#define OID_PRIME192V2 148
-#define OID_PRIME192V3 149
-#define OID_PRIME239V1 150
-#define OID_PRIME239V2 151
-#define OID_PRIME239V3 152
-#define OID_PRIME256V1 153
-#define OID_ECDSA_WITH_SHA1 155
-#define OID_ECDSA_WITH_SHA224 157
-#define OID_ECDSA_WITH_SHA256 158
-#define OID_ECDSA_WITH_SHA384 159
-#define OID_ECDSA_WITH_SHA512 160
-#define OID_USER_PRINCIPAL_NAME 175
-#define OID_STRONGSWAN 178
-#define OID_TCGID 185
-#define OID_AUTHORITY_INFO_ACCESS 190
-#define OID_IP_ADDR_BLOCKS 192
-#define OID_POLICY_QUALIFIER_CPS 194
-#define OID_POLICY_QUALIFIER_UNOTICE 195
-#define OID_SERVER_AUTH 197
-#define OID_CLIENT_AUTH 198
-#define OID_OCSP_SIGNING 205
-#define OID_XMPP_ADDR 207
-#define OID_AUTHENTICATION_INFO 209
-#define OID_ACCESS_IDENTITY 210
-#define OID_CHARGING_IDENTITY 211
-#define OID_GROUP 212
-#define OID_OCSP 215
-#define OID_BASIC 216
-#define OID_NONCE 217
-#define OID_CRL 218
-#define OID_RESPONSE 219
-#define OID_NO_CHECK 220
-#define OID_ARCHIVE_CUTOFF 221
-#define OID_SERVICE_LOCATOR 222
-#define OID_CA_ISSUERS 223
-#define OID_DES_CBC 229
-#define OID_SHA1 230
-#define OID_SHA1_WITH_RSA_OIW 231
-#define OID_ECGDSA_PUBKEY 250
-#define OID_ECGDSA_SIG_WITH_RIPEMD160 253
-#define OID_ECGDSA_SIG_WITH_SHA1 254
-#define OID_ECGDSA_SIG_WITH_SHA224 255
-#define OID_ECGDSA_SIG_WITH_SHA256 256
-#define OID_ECGDSA_SIG_WITH_SHA384 257
-#define OID_ECGDSA_SIG_WITH_SHA512 258
-#define OID_SECT163K1 281
-#define OID_SECT163R1 282
-#define OID_SECT239K1 283
-#define OID_SECT113R1 284
-#define OID_SECT113R2 285
-#define OID_SECT112R1 286
-#define OID_SECT112R2 287
-#define OID_SECT160R1 288
-#define OID_SECT160K1 289
-#define OID_SECT256K1 290
-#define OID_SECT163R2 291
-#define OID_SECT283K1 292
-#define OID_SECT283R1 293
-#define OID_SECT131R1 294
-#define OID_SECT131R2 295
-#define OID_SECT193R1 296
-#define OID_SECT193R2 297
-#define OID_SECT233K1 298
-#define OID_SECT233R1 299
-#define OID_SECT128R1 300
-#define OID_SECT128R2 301
-#define OID_SECT160R2 302
-#define OID_SECT192K1 303
-#define OID_SECT224K1 304
-#define OID_SECT224R1 305
-#define OID_SECT384R1 306
-#define OID_SECT521R1 307
-#define OID_SECT409K1 308
-#define OID_SECT409R1 309
-#define OID_SECT571K1 310
-#define OID_SECT571R1 311
-#define OID_AES128_CBC 320
-#define OID_AES128_GCM 321
-#define OID_AES128_CCM 322
-#define OID_AES192_CBC 323
-#define OID_AES192_GCM 324
-#define OID_AES192_CCM 325
-#define OID_AES256_CBC 326
-#define OID_AES256_GCM 327
-#define OID_AES256_CCM 328
-#define OID_SHA256 330
-#define OID_SHA384 331
-#define OID_SHA512 332
-#define OID_SHA224 333
-#define OID_NS_REVOCATION_URL 339
-#define OID_NS_CA_REVOCATION_URL 340
-#define OID_NS_CA_POLICY_URL 341
-#define OID_NS_COMMENT 342
-#define OID_EMPLOYEE_NUMBER 345
-#define OID_PKI_MESSAGE_TYPE 351
-#define OID_PKI_STATUS 352
-#define OID_PKI_FAIL_INFO 353
-#define OID_PKI_SENDER_NONCE 354
-#define OID_PKI_RECIPIENT_NONCE 355
-#define OID_PKI_TRANS_ID 356
+#define OID_RSAES_OAEP 93
+#define OID_SHA256_WITH_RSA 95
+#define OID_SHA384_WITH_RSA 96
+#define OID_SHA512_WITH_RSA 97
+#define OID_SHA224_WITH_RSA 98
+#define OID_PKCS7_DATA 100
+#define OID_PKCS7_SIGNED_DATA 101
+#define OID_PKCS7_ENVELOPED_DATA 102
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 103
+#define OID_PKCS7_DIGESTED_DATA 104
+#define OID_PKCS7_ENCRYPTED_DATA 105
+#define OID_EMAIL_ADDRESS 107
+#define OID_UNSTRUCTURED_NAME 108
+#define OID_PKCS9_CONTENT_TYPE 109
+#define OID_PKCS9_MESSAGE_DIGEST 110
+#define OID_PKCS9_SIGNING_TIME 111
+#define OID_CHALLENGE_PASSWORD 113
+#define OID_UNSTRUCTURED_ADDRESS 114
+#define OID_EXTENSION_REQUEST 115
+#define OID_MD2 118
+#define OID_MD5 119
+#define OID_3DES_EDE_CBC 121
+#define OID_EC_PUBLICKEY 125
+#define OID_C2PNB163V1 128
+#define OID_C2PNB163V2 129
+#define OID_C2PNB163V3 130
+#define OID_C2PNB176W1 131
+#define OID_C2PNB191V1 132
+#define OID_C2PNB191V2 133
+#define OID_C2PNB191V3 134
+#define OID_C2PNB191V4 135
+#define OID_C2PNB191V5 136
+#define OID_C2PNB208W1 137
+#define OID_C2PNB239V1 138
+#define OID_C2PNB239V2 139
+#define OID_C2PNB239V3 140
+#define OID_C2PNB239V4 141
+#define OID_C2PNB239V5 142
+#define OID_C2PNB272W1 143
+#define OID_C2PNB304W1 144
+#define OID_C2PNB359V1 145
+#define OID_C2PNB368W1 146
+#define OID_C2PNB431R1 147
+#define OID_PRIME192V1 149
+#define OID_PRIME192V2 150
+#define OID_PRIME192V3 151
+#define OID_PRIME239V1 152
+#define OID_PRIME239V2 153
+#define OID_PRIME239V3 154
+#define OID_PRIME256V1 155
+#define OID_ECDSA_WITH_SHA1 157
+#define OID_ECDSA_WITH_SHA224 159
+#define OID_ECDSA_WITH_SHA256 160
+#define OID_ECDSA_WITH_SHA384 161
+#define OID_ECDSA_WITH_SHA512 162
+#define OID_USER_PRINCIPAL_NAME 177
+#define OID_STRONGSWAN 180
+#define OID_TCGID 187
+#define OID_AUTHORITY_INFO_ACCESS 192
+#define OID_IP_ADDR_BLOCKS 194
+#define OID_POLICY_QUALIFIER_CPS 196
+#define OID_POLICY_QUALIFIER_UNOTICE 197
+#define OID_SERVER_AUTH 199
+#define OID_CLIENT_AUTH 200
+#define OID_OCSP_SIGNING 207
+#define OID_XMPP_ADDR 209
+#define OID_AUTHENTICATION_INFO 211
+#define OID_ACCESS_IDENTITY 212
+#define OID_CHARGING_IDENTITY 213
+#define OID_GROUP 214
+#define OID_OCSP 217
+#define OID_BASIC 218
+#define OID_NONCE 219
+#define OID_CRL 220
+#define OID_RESPONSE 221
+#define OID_NO_CHECK 222
+#define OID_ARCHIVE_CUTOFF 223
+#define OID_SERVICE_LOCATOR 224
+#define OID_CA_ISSUERS 225
+#define OID_DES_CBC 231
+#define OID_SHA1 232
+#define OID_SHA1_WITH_RSA_OIW 233
+#define OID_ECGDSA_PUBKEY 252
+#define OID_ECGDSA_SIG_WITH_RIPEMD160 255
+#define OID_ECGDSA_SIG_WITH_SHA1 256
+#define OID_ECGDSA_SIG_WITH_SHA224 257
+#define OID_ECGDSA_SIG_WITH_SHA256 258
+#define OID_ECGDSA_SIG_WITH_SHA384 259
+#define OID_ECGDSA_SIG_WITH_SHA512 260
+#define OID_SECT163K1 283
+#define OID_SECT163R1 284
+#define OID_SECT239K1 285
+#define OID_SECT113R1 286
+#define OID_SECT113R2 287
+#define OID_SECT112R1 288
+#define OID_SECT112R2 289
+#define OID_SECT160R1 290
+#define OID_SECT160K1 291
+#define OID_SECT256K1 292
+#define OID_SECT163R2 293
+#define OID_SECT283K1 294
+#define OID_SECT283R1 295
+#define OID_SECT131R1 296
+#define OID_SECT131R2 297
+#define OID_SECT193R1 298
+#define OID_SECT193R2 299
+#define OID_SECT233K1 300
+#define OID_SECT233R1 301
+#define OID_SECT128R1 302
+#define OID_SECT128R2 303
+#define OID_SECT160R2 304
+#define OID_SECT192K1 305
+#define OID_SECT224K1 306
+#define OID_SECT224R1 307
+#define OID_SECT384R1 308
+#define OID_SECT521R1 309
+#define OID_SECT409K1 310
+#define OID_SECT409R1 311
+#define OID_SECT571K1 312
+#define OID_SECT571R1 313
+#define OID_AES128_CBC 322
+#define OID_AES128_GCM 323
+#define OID_AES128_CCM 324
+#define OID_AES192_CBC 325
+#define OID_AES192_GCM 326
+#define OID_AES192_CCM 327
+#define OID_AES256_CBC 328
+#define OID_AES256_GCM 329
+#define OID_AES256_CCM 330
+#define OID_SHA256 332
+#define OID_SHA384 333
+#define OID_SHA512 334
+#define OID_SHA224 335
+#define OID_NS_REVOCATION_URL 341
+#define OID_NS_CA_REVOCATION_URL 342
+#define OID_NS_CA_POLICY_URL 343
+#define OID_NS_COMMENT 344
+#define OID_EMPLOYEE_NUMBER 347
+#define OID_PKI_MESSAGE_TYPE 353
+#define OID_PKI_STATUS 354
+#define OID_PKI_FAIL_INFO 355
+#define OID_PKI_SENDER_NONCE 356
+#define OID_PKI_RECIPIENT_NONCE 357
+#define OID_PKI_TRANS_ID 358
+#define OID_TPM_MANUFACTURER 364
+#define OID_TPM_MODEL 365
+#define OID_TPM_VERSION 366
+#define OID_TPM_ID_LABEL 367
-#define OID_MAX 359
+#define OID_MAX 368
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index e2931c7dd..f16287cb2 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -91,6 +91,8 @@
0x02 "md2WithRSAEncryption" OID_MD2_WITH_RSA
0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA
0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA
+ 0x07 "id-RSAES-OAEP" OID_RSAES_OAEP
+ 0x09 "id-pSpecified"
0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA
0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA
0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA
@@ -110,7 +112,7 @@
0x05 "signingTime" OID_PKCS9_SIGNING_TIME
0x06 "counterSignature"
0x07 "challengePassword" OID_CHALLENGE_PASSWORD
- 0x08 "unstructuredAddress"
+ 0x08 "unstructuredAddress" OID_UNSTRUCTURED_ADDRESS
0x0E "extensionRequest" OID_EXTENSION_REQUEST
0x0F "S/MIME Capabilities"
0x02 "digestAlgorithm"
@@ -356,4 +358,11 @@
0x06 "recipientNonce" OID_PKI_RECIPIENT_NONCE
0x07 "transID" OID_PKI_TRANS_ID
0x08 "extensionReq"
-
+0x67 ""
+ 0x81 ""
+ 0x05 ""
+ 0x02 "tcg-attribute"
+ 0x01 "tcg-at-tpmManufacturer" OID_TPM_MANUFACTURER
+ 0x02 "tcg-at-tpmModel" OID_TPM_MODEL
+ 0x03 "tcg-at-tpmVersion" OID_TPM_VERSION
+ 0x0F "tcg-at-tpmIdLabel" OID_TPM_ID_LABEL
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index f94bdfbf2..63644ac78 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -175,7 +175,7 @@ static inline void chunk_clear(chunk_t *chunk)
{
if (chunk->ptr)
{
- memset(chunk->ptr, 0, chunk->len);
+ memwipe(chunk->ptr, chunk->len);
chunk_free(chunk);
}
}
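Review bot: The switch from memset to memwipe on L22928 deserves a why-comment, since the doc comment of chunk_clear (outside the hunk) still reads as a plain zero-then-free and the next maintainer may "simplify" it back. A memset of a buffer that is freed on the very next line is a dead store the compiler is allowed to drop, so key material can survive in freed memory; memwipe exists to resist that elimination. Suggested comment on the new line: `/* memwipe, not memset: a memset right before free() may be optimized away */`. This presumes memwipe is declared before this inline function in chunk.h's include order — worth confirming.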
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index edd76205b..ac3266f4c 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -180,8 +180,13 @@ static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type,
chunk = malloc_thing(chunk_t);
*chunk = *encoding;
this->lock->write_lock(this->lock);
- this->cache[type]->put(this->cache[type], cache, chunk);
+ chunk = this->cache[type]->put(this->cache[type], cache, chunk);
this->lock->unlock(this->lock);
+ if (chunk)
+ {
+ free(chunk->ptr);
+ free(chunk);
+ }
}
return success;
}
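Review bot: Freeing the displaced cache entry on L22943-L22947 may free a buffer another caller still holds, because the entry stored on L22938 (`*chunk = *encoding`) shares its `ptr` with the encoding returned to this caller; if two threads build the same uncached encoding concurrently, the second put() evicts and frees the first thread's buffer while that thread may still be reading it. Before this change the displaced entry merely leaked, so the fix appears to turn a leak into a possible use-after-free under that race. A safer shape is to look the key up again under the write lock and, when an entry already exists, keep the cached chunk and discard the freshly built one rather than evicting it. The body of encode() starts outside the hunk, so the initial cache lookup and how `cache` is validated are not visible here.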
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index de5b85bae..fecc9910e 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -189,11 +189,11 @@ static char* get_string(private_ietf_attributes_t *this)
if (oid == OID_UNKNOWN)
{
- written = snprintf(pos, len, "0x#B", &attr->value);
+ written = snprintf(pos, len, "0x%#B", &attr->value);
}
else
{
- written = snprintf(pos, len, "%s", oid_names[oid]);
+ written = snprintf(pos, len, "%s", oid_names[oid].name);
}
break;
}
@@ -331,7 +331,7 @@ static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t *
/* look for at least one common attribute */
while (TRUE)
{
- bool cmp = attr_a->compare(attr_a, attr_b);
+ int cmp = attr_a->compare(attr_a, attr_b);
if (cmp == 0)
{
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 276f4329a..4635dccea 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -247,7 +247,7 @@ METHOD(crypto_tester_t, test_crypter, bool,
{
DBG1(DBG_LIB,"disable %N[%s]: no key size supported",
encryption_algorithm_names, alg, plugin_name);
- return FALSE;
+ return FALSE;
}
else
{
@@ -263,7 +263,7 @@ METHOD(crypto_tester_t, test_crypter, bool,
{
*speed = bench_crypter(this, alg, create);
DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points",
- encryption_algorithm_names, alg, tested, plugin_name, *speed);
+ encryption_algorithm_names, alg, plugin_name, tested, *speed);
}
else
{
@@ -417,7 +417,7 @@ METHOD(crypto_tester_t, test_aead, bool,
{
DBG1(DBG_LIB,"disable %N[%s]: no key size supported",
encryption_algorithm_names, alg, plugin_name);
- return FALSE;
+ return FALSE;
}
else
{
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index 019c87c39..9ac665929 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -72,7 +72,7 @@ struct aead_test_vector_t {
struct signer_test_vector_t {
/** signer algorithm this test vector tests */
- pseudo_random_function_t alg;
+ integrity_algorithm_t alg;
/** key to use, with a length the algorithm expects */
u_char *key;
/** size of the input data */
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 10ab9fc23..d65955a2e 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -59,12 +59,12 @@ struct proposal_token {
u_int16_t keysize;
};
-#define TOTAL_KEYWORDS 117
+#define TOTAL_KEYWORDS 119
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 209
-/* maximum key range = 201, duplicates = 0 */
+#define MAX_HASH_VALUE 213
+/* maximum key range = 205, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -80,32 +80,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 16, 9,
- 4, 41, 66, 19, 8, 4, 5, 3, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 122, 210, 3, 22, 21,
- 3, 111, 103, 48, 7, 4, 210, 210, 3, 210,
- 57, 3, 210, 210, 78, 6, 3, 28, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
- 210, 210, 210, 210, 210, 210, 210
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 14, 9,
+ 4, 34, 66, 19, 8, 4, 5, 3, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 131, 214, 3, 22, 21,
+ 3, 1, 101, 48, 3, 4, 214, 214, 3, 214,
+ 57, 4, 214, 214, 94, 6, 3, 32, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
+ 214, 214, 214, 214, 214, 214, 214
};
register int hval = len;
@@ -143,14 +143,19 @@ hash (str, len)
static const struct proposal_token wordlist[] =
{
{"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
+ {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{"null", ENCRYPTION_ALGORITHM, ENCR_NULL, 0},
{"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
+ {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
{"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
+ {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192},
+ {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192},
{"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128},
{"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
{"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
+ {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
{"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192},
{"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
{"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
@@ -209,81 +214,79 @@ static const struct proposal_token wordlist[] =
{"aes128gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128},
{"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
{"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
- {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
- {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
{"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0},
+ {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
{"aes256gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
{"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
{"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
- {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
- {"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
{"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0},
+ {"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
+ {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
{"aes256gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
{"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
- {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
- {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
{"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0},
- {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
+ {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
+ {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
+ {"noesn", EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0},
{"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
{"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
- {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0},
{"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
{"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
- {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
- {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
- {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192},
{"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0},
- {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
+ {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
+ {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
{"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0},
{"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
{"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0},
- {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
{"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0},
- {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
- {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
- {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
{"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192},
- {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
+ {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
{"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
+ {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
+ {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
{"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0},
+ {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
{"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
{"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
+ {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0},
+ {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
+ {"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256},
{"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
{"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
- {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
- {"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256},
{"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
+ {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
{"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0},
{"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0},
- {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
{"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0},
- {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0}
+ {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0},
+ {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}
};
static const short lookup[] =
{
-1, -1, -1, -1, -1, -1, -1, -1, -1, 0,
- 1, -1, -1, -1, -1, -1, 2, -1, -1, -1,
- -1, 3, 4, -1, -1, -1, -1, -1, 5, 6,
- 7, 8, -1, -1, -1, 9, 10, 11, 12, 13,
- 14, 15, 16, 17, 18, 19, 20, 21, 22, -1,
- -1, -1, -1, 23, 24, 25, 26, 27, 28, 29,
- 30, -1, 31, -1, 32, 33, 34, 35, 36, 37,
- 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
- 48, -1, 49, -1, 50, -1, 51, -1, 52, -1,
- 53, -1, 54, 55, 56, 57, 58, 59, 60, 61,
- 62, 63, 64, 65, 66, 67, 68, 69, -1, 70,
- -1, 71, -1, 72, 73, 74, 75, 76, -1, 77,
- 78, 79, 80, 81, -1, 82, 83, 84, 85, -1,
- -1, 86, 87, 88, 89, 90, 91, 92, -1, -1,
- 93, 94, 95, 96, 97, 98, 99, 100, 101, 102,
- 103, 104, -1, -1, -1, -1, -1, -1, 105, 106,
- 107, 108, -1, -1, -1, -1, 109, -1, 110, -1,
- -1, -1, -1, -1, 111, -1, -1, -1, -1, 112,
- 113, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ 1, 2, -1, -1, -1, -1, 3, 4, -1, -1,
+ -1, 5, 6, -1, -1, 7, -1, 8, 9, 10,
+ 11, 12, -1, 13, -1, 14, 15, 16, 17, 18,
+ 19, 20, 21, 22, 23, 24, 25, 26, 27, 28,
+ -1, -1, -1, -1, 29, 30, 31, 32, 33, 34,
+ 35, -1, 36, -1, 37, 38, 39, 40, 41, 42,
+ 43, 44, 45, 46, 47, 48, 49, 50, 51, 52,
+ 53, -1, 54, -1, 55, -1, 56, -1, 57, -1,
+ 58, -1, 59, 60, 61, 62, 63, 64, 65, 66,
+ 67, 68, 69, 70, 71, 72, -1, 73, -1, 74,
+ -1, 75, -1, 76, 77, 78, 79, 80, -1, 81,
+ 82, 83, 84, 85, -1, 86, 87, -1, 88, -1,
+ -1, 89, 90, -1, 91, -1, -1, 92, -1, 93,
+ 94, 95, 96, -1, 97, -1, 98, 99, 100, 101,
+ 102, 103, -1, -1, -1, 104, -1, -1, 105, 106,
+ -1, 107, -1, -1, -1, 108, 109, -1, -1, 110,
+ 111, -1, -1, -1, 112, 113, -1, 114, 115, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, 114, 115, -1, -1, -1, 116
+ -1, -1, -1, -1, -1, 116, -1, -1, -1, 117,
+ -1, -1, -1, 118
};
#ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
index 208c6715b..4ef664d8f 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
@@ -146,3 +146,5 @@ ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0
modp1024s160, DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0
modp2048s224, DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0
modp2048s256, DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0
+noesn, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0
+esn, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0
diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c
index cec90a616..1e108f1de 100644
--- a/src/libstrongswan/crypto/transform.c
+++ b/src/libstrongswan/crypto/transform.c
@@ -28,3 +28,8 @@ ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS,
"EXTENDED_SEQUENCE_NUMBERS");
ENUM_END(transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
+
+ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
+ "NO_EXT_SEQ",
+ "EXT_SEQ",
+);
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index 1a2660199..1393c674c 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -45,4 +45,17 @@ enum transform_type_t {
*/
extern enum_name_t *transform_type_names;
+/**
+ * Extended sequence numbers, as in IKEv2 RFC 3.3.2.
+ */
+enum extended_sequence_numbers_t {
+ NO_EXT_SEQ_NUMBERS = 0,
+ EXT_SEQ_NUMBERS = 1
+};
+
+/**
+ * enum strings for extended_sequence_numbers_t.
+ */
+extern enum_name_t *extended_sequence_numbers_names;
+
#endif /** TRANSFORM_H_ @}*/
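Review bot: The new doc comment `Extended sequence numbers, as in IKEv2 RFC 3.3.2` leaves out which RFC is meant; `Extended sequence numbers, as in IKEv2 (RFC 5996) section 3.3.2` points the reader at the Transform Substructure. It would also help to say that the two values are the IKEv2 transform IDs of the ESN transform type, since that is why NO_EXT_SEQ_NUMBERS must stay 0 and EXT_SEQ_NUMBERS 1 when anyone later extends the enum.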
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
index 71734017a..11b475d8f 100644
--- a/src/libstrongswan/eap/eap.c
+++ b/src/libstrongswan/eap/eap.c
@@ -44,11 +44,15 @@ ENUM_NEXT(eap_type_names, EAP_TTLS, EAP_TTLS, EAP_SIM,
"EAP_TTLS");
ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_TTLS,
"EAP_AKA");
-ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+ENUM_NEXT(eap_type_names, EAP_PEAP, EAP_MSCHAPV2, EAP_AKA,
+ "EAP_PEAP",
"EAP_MSCHAPV2");
-ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2,
+ENUM_NEXT(eap_type_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
+ "EAP_MSTLV");
+ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
"EAP_TNC");
-ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC,
+ENUM_NEXT(eap_type_names, EAP_DYNAMIC, EAP_EXPERIMENTAL, EAP_TNC,
+ "EAP_DYNAMIC",
"EAP_RADIUS",
"EAP_EXPANDED",
"EAP_EXPERIMENTAL");
@@ -69,11 +73,15 @@ ENUM_NEXT(eap_type_short_names, EAP_TTLS, EAP_TTLS, EAP_SIM,
"TTLS");
ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_TTLS,
"AKA");
-ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+ENUM_NEXT(eap_type_short_names, EAP_PEAP, EAP_MSCHAPV2, EAP_AKA,
+ "PEAP",
"MSCHAPV2");
-ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2,
+ENUM_NEXT(eap_type_short_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
+ "MSTLV");
+ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
"TNC");
-ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC,
+ENUM_NEXT(eap_type_short_names, EAP_DYNAMIC, EAP_EXPERIMENTAL, EAP_TNC,
+ "DYN",
"RAD",
"EXP",
"XP");
@@ -115,6 +123,7 @@ eap_type_t eap_type_from_string(char *name)
{"ttls", EAP_TTLS},
{"sim", EAP_SIM},
{"aka", EAP_AKA},
+ {"peap", EAP_PEAP},
{"mschapv2", EAP_MSCHAPV2},
{"tnc", EAP_TNC},
{"radius", EAP_RADIUS},
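Review bot: eap_type_from_string() gains `peap` but not the other two types this commit adds to eap_type_t; if EAP_DYNAMIC is meant to be selectable from configuration, as its description in eap.h suggests, the table also needs `{"dynamic", EAP_DYNAMIC},`. If the omission is deliberate (MSTLV and DYNAMIC not being user-configurable), a one-line comment above the table saying so would stop the next reader from "fixing" it. The table is a local of eap_type_from_string(), whose body continues outside the hunk.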
diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h
index e98a3a211..945e4bc59 100644
--- a/src/libstrongswan/eap/eap.h
+++ b/src/libstrongswan/eap/eap.h
@@ -60,8 +60,12 @@ enum eap_type_t {
EAP_SIM = 18,
EAP_TTLS = 21,
EAP_AKA = 23,
+ EAP_PEAP = 25,
EAP_MSCHAPV2 = 26,
+ EAP_MSTLV = 33,
EAP_TNC = 38,
+ /** select EAP method dynamically based on i.e. EAP-Identity */
+ EAP_DYNAMIC = 252,
/** not a method, but an implementation providing different methods */
EAP_RADIUS = 253,
EAP_EXPANDED = 254,
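Review bot: The comment on EAP_DYNAMIC says `based on i.e. EAP-Identity`; `e.g.` is meant, and `/** select EAP method dynamically, e.g. based on the EAP-Identity */` reads better. EAP_PEAP and EAP_MSTLV are added without any comment; MSTLV in particular is not a widely known abbreviation, so a short note on what the method is would help readers of this enum.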
@@ -79,6 +83,17 @@ extern enum_name_t *eap_type_names;
extern enum_name_t *eap_type_short_names;
/**
+ * EAP packet format
+ */
+typedef struct __attribute__((packed)) {
+ u_int8_t code;
+ u_int8_t identifier;
+ u_int16_t length;
+ u_int8_t type;
+ u_int8_t data;
+} eap_packet_t;
+
+/**
* Lookup the EAP method type from a string.
*
* @param name EAP method name (such as "md5", "aka")
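Review bot: eap_packet_t mirrors the EAP wire layout but carries no guidance on how its fields are to be read: `length` is a 16-bit field in network byte order on the wire, so it has to go through ntohs() before use, and `data` is a single byte standing in for the variable-length type-specific payload rather than a one-byte field. Any code that casts a received buffer to this struct must first check that the buffer holds at least the header bytes and that ntohs(length) does not exceed the received size before touching `data`. Suggest a comment on the struct along the lines of `/* length is in network byte order and covers the whole packet; data is the first byte of the variable payload - check both against the received buffer before use */`.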
diff --git a/src/libstrongswan/fetcher/fetcher.c b/src/libstrongswan/fetcher/fetcher.c
new file mode 100644
index 000000000..ca5a72165
--- /dev/null
+++ b/src/libstrongswan/fetcher/fetcher.c
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "fetcher.h"
+
+/**
+ * See header.
+ */
+bool fetcher_default_callback(void *userdata, chunk_t chunk)
+{
+ chunk_t *accu = userdata;
+
+ accu->ptr = realloc(accu->ptr, accu->len + chunk.len);
+ if (accu->ptr)
+ {
+ memcpy(&accu->ptr[accu->len], chunk.ptr, chunk.len);
+ accu->len += chunk.len;
+ return TRUE;
+ }
+ return FALSE;
+}
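Review bot: `accu->ptr = realloc(accu->ptr, ...)` overwrites the caller's pointer with NULL when realloc fails, so the data accumulated so far leaks and the caller can no longer free it; assign to a temporary and only commit to `accu->ptr` on success. A zero-length total (an empty first chunk) also turns this into realloc(NULL, 0), whose result is implementation-defined and may be NULL, which would abort the transfer spuriously, so an empty chunk is better treated as a no-op. Since this accumulates whatever the remote side sends with no upper bound, callers fetching from URLs they do not control may want to pass their own callback with a size cap.
```c
bool fetcher_default_callback(void *userdata, chunk_t chunk)
{
	chunk_t *accu = userdata;
	void *ptr;

	if (chunk.len == 0)
	{	/* nothing to append; also avoids realloc(NULL, 0) */
		return TRUE;
	}
	ptr = realloc(accu->ptr, accu->len + chunk.len);
	if (!ptr)
	{	/* keep what was accumulated so far; the caller still owns accu->ptr */
		return FALSE;
	}
	accu->ptr = ptr;
	memcpy(&accu->ptr[accu->len], chunk.ptr, chunk.len);
	accu->len += chunk.len;
	return TRUE;
}
```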
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index f312206bb..5b734da3d 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -1,6 +1,7 @@
/*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2011 Martin Willi
* Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -25,6 +26,23 @@ typedef struct fetcher_t fetcher_t;
typedef enum fetcher_option_t fetcher_option_t;
#include <stdarg.h>
+#include <chunk.h>
+
+/**
+ * Constructor function which creates fetcher instances.
+ *
+ * @return fetcher instance
+ */
+typedef fetcher_t* (*fetcher_constructor_t)();
+
+/**
+ * Callback function used with FETCH_CALLBACK.
+ *
+ * @param userdata userdata passed to fetcher_t.fetch()
+ * @param chunk chunk with next chunk of data
+ * @return TRUE to continue with transfer, FALSE to abort
+ */
+typedef bool (*fetcher_callback_t)(void *userdata, chunk_t chunk);
#include <library.h>
@@ -64,19 +82,20 @@ enum fetcher_option_t {
FETCH_TIMEOUT,
/**
+ * Callback to invoke with each chunk of data.
+ * Additional argument fetch_callback_t.
+ * If this option is not given, the fetcher_default_callback is used,
+ * which accumulates the data into an allocated chunk.
+ */
+ FETCH_CALLBACK,
+
+ /**
* end of fetching options
*/
FETCH_END,
};
/**
- * Constructor function which creates fetcher instances.
- *
- * @return fetcher instance
- */
-typedef fetcher_t* (*fetcher_constructor_t)();
-
-/**
* Fetcher interface, an implementation fetches data from an URL.
*/
struct fetcher_t {
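Review bot: The FETCH_CALLBACK documentation names the argument type `fetch_callback_t`, but the typedef declared earlier in this header is `fetcher_callback_t`; the line should read `* Additional argument fetcher_callback_t.` so that a grep for the type finds it. It is also worth stating here that each fetcher implementation has to fall back to fetcher_default_callback() itself when the option is absent, since the manager's fetch() in the fetcher_manager.c hunks passes userdata straight through without substituting a callback, as far as those hunks show.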
@@ -87,15 +106,18 @@ struct fetcher_t {
* The fetcher returns NOT_SUPPORTED to indicate that it is uncappable
* to handle such URLs. Other return values indicate a failure, and
* fetching of that URL gets cancelled.
+ * If no FETCH_CALLBACK function is set as option, userdata must be
+ * a chunk_t*. This chunk gets allocated, accumulated data using the
+ * fetcher_default_callback() function.
*
* @param uri URI to fetch from
- * @param result chunk which receives allocated data
+ * @param userdata userdata to pass to callback function.
* @return
* - SUCCESS if fetch was successful
* - NOT_SUPPORTED if fetcher does not support such URLs
* - FAILED, NOT_FOUND, PARSE_ERROR on failure
*/
- status_t (*fetch)(fetcher_t *this, char *uri, chunk_t *result);
+ status_t (*fetch)(fetcher_t *this, char *uri, void *userdata);
/**
* Set a fetcher option, as defined in fetcher_option_t.
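Review bot: The new userdata paragraph does not say who owns the accumulated chunk or what state it is in after a failed fetch; with fetcher_default_callback() appending chunk by chunk, a transfer that fails part-way presumably leaves partially accumulated data allocated in the caller's chunk_t. Suggest adding `* The caller must free the chunk afterwards, also on failure, as it may hold partially accumulated data.` The sentence `This chunk gets allocated, accumulated data using the` is also garbled; `This chunk gets allocated and data accumulated into it using the` reads cleanly. The same paragraph is duplicated verbatim in the fetcher_manager.h hunk for fetcher_manager_t.fetch() and should get the same fixes.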
@@ -114,4 +136,13 @@ struct fetcher_t {
void (*destroy)(fetcher_t *this);
};
+/**
+ * Default fetcher callback function, accumulates data to a chunk.
+ *
+ * @param userdata chunk for allocated data, empty on first invocation
+ * @param chunk current chunk of data
+ * @return FALSE if chunk too large to allocate
+ */
+bool fetcher_default_callback(void *userdata, chunk_t chunk);
+
#endif /** FETCHER_H_ @}*/
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index b007c8b08..9b363c7eb 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -58,11 +58,8 @@ static void entry_destroy(entry_t *entry)
free(entry);
}
-/**
- * Implementation of fetcher_manager_t.fetch.
- */
-static status_t fetch(private_fetcher_manager_t *this,
- char *url, chunk_t *response, ...)
+METHOD(fetcher_manager_t, fetch, status_t,
+ private_fetcher_manager_t *this, char *url, void *userdata, ...)
{
enumerator_t *enumerator;
status_t status = NOT_SUPPORTED;
@@ -89,25 +86,31 @@ static status_t fetch(private_fetcher_manager_t *this,
{
continue;
}
- va_start(args, response);
+ va_start(args, userdata);
while (good)
{
opt = va_arg(args, int);
switch (opt)
{
case FETCH_REQUEST_DATA:
- good = fetcher->set_option(fetcher, opt, va_arg(args, chunk_t));
+ good = fetcher->set_option(fetcher, opt,
+ va_arg(args, chunk_t));
continue;
case FETCH_REQUEST_TYPE:
case FETCH_REQUEST_HEADER:
- good = fetcher->set_option(fetcher, opt, va_arg(args, char*));
+ good = fetcher->set_option(fetcher, opt,
+ va_arg(args, char*));
continue;
case FETCH_HTTP_VERSION_1_0:
good = fetcher->set_option(fetcher, opt);
continue;
case FETCH_TIMEOUT:
- good = fetcher->set_option(fetcher, opt, va_arg(args, u_int));
+ good = fetcher->set_option(fetcher, opt,
+ va_arg(args, u_int));
continue;
+ case FETCH_CALLBACK:
+ good = fetcher->set_option(fetcher, opt,
+ va_arg(args, fetcher_callback_t));
case FETCH_END:
break;
}
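Review bot: The new `case FETCH_CALLBACK:` has no `continue;`, so it falls through into `case FETCH_END: break;` and the option loop ends right after the callback option; any option placed after FETCH_CALLBACK in the argument list (a FETCH_TIMEOUT, for instance) is silently ignored, and the argument list is left unconsumed. Add `continue;` directly after the `va_arg(args, fetcher_callback_t));` line, as every other option case does. The enclosing fetch() body starts and continues outside this hunk.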
@@ -120,7 +123,7 @@ static status_t fetch(private_fetcher_manager_t *this,
continue;
}
- status = fetcher->fetch(fetcher, url, response);
+ status = fetcher->fetch(fetcher, url, userdata);
fetcher->destroy(fetcher);
/* try another fetcher only if this one does not support that URL */
if (status == NOT_SUPPORTED)
@@ -139,27 +142,22 @@ static status_t fetch(private_fetcher_manager_t *this,
return status;
}
-/**
- * Implementation of fetcher_manager_t.add_fetcher.
- */
-static void add_fetcher(private_fetcher_manager_t *this,
- fetcher_constructor_t create, char *url)
+METHOD(fetcher_manager_t, add_fetcher, void,
+ private_fetcher_manager_t *this, fetcher_constructor_t create, char *url)
{
- entry_t *entry = malloc_thing(entry_t);
-
- entry->url = strdup(url);
- entry->create = create;
+ entry_t *entry;
+ INIT(entry,
+ .url = strdup(url),
+ .create = create,
+ );
this->lock->write_lock(this->lock);
this->fetchers->insert_last(this->fetchers, entry);
this->lock->unlock(this->lock);
}
-/**
- * Implementation of fetcher_manager_t.remove_fetcher.
- */
-static void remove_fetcher(private_fetcher_manager_t *this,
- fetcher_constructor_t create)
+METHOD(fetcher_manager_t, remove_fetcher, void,
+ private_fetcher_manager_t *this, fetcher_constructor_t create)
{
enumerator_t *enumerator;
entry_t *entry;
@@ -178,10 +176,8 @@ static void remove_fetcher(private_fetcher_manager_t *this,
this->lock->unlock(this->lock);
}
-/**
- * Implementation of fetcher_manager_t.destroy
- */
-static void destroy(private_fetcher_manager_t *this)
+METHOD(fetcher_manager_t, destroy, void,
+ private_fetcher_manager_t *this)
{
this->fetchers->destroy_function(this->fetchers, (void*)entry_destroy);
this->lock->destroy(this->lock);
@@ -193,15 +189,18 @@ static void destroy(private_fetcher_manager_t *this)
*/
fetcher_manager_t *fetcher_manager_create()
{
- private_fetcher_manager_t *this = malloc_thing(private_fetcher_manager_t);
-
- this->public.fetch = (status_t(*)(fetcher_manager_t*, char *url, chunk_t *response, ...))fetch;
- this->public.add_fetcher = (void(*)(fetcher_manager_t*, fetcher_constructor_t,char*))add_fetcher;
- this->public.remove_fetcher = (void(*)(fetcher_manager_t*, fetcher_constructor_t))remove_fetcher;
- this->public.destroy = (void(*)(fetcher_manager_t*))destroy;
-
- this->fetchers = linked_list_create();
- this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ private_fetcher_manager_t *this;
+
+ INIT(this,
+ .public = {
+ .fetch = _fetch,
+ .add_fetcher = _add_fetcher,
+ .remove_fetcher = _remove_fetcher,
+ .destroy = _destroy,
+ },
+ .fetchers = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ );
return &this->public;
}
diff --git a/src/libstrongswan/fetcher/fetcher_manager.h b/src/libstrongswan/fetcher/fetcher_manager.h
index a7ac6611e..15250d531 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.h
+++ b/src/libstrongswan/fetcher/fetcher_manager.h
@@ -31,17 +31,20 @@ typedef struct fetcher_manager_t fetcher_manager_t;
struct fetcher_manager_t {
/**
- * Fetch data from URI into chunk.
+ * Fetch data from URI.
*
* The variable argument list contains fetcher_option_t's, followed
* by a option specific data argument.
+ * If no FETCH_CALLBACK function is given as option, userdata must be
+ * a chunk_t*. This chunk gets allocated, accumulated data using the
+ * fetcher_default_callback() function.
*
* @param uri URI to fetch from
- * @param result chunk which receives allocated data
+ * @param userdata userdata to pass to callback function.
* @param options FETCH_END terminated fetcher_option_t arguments
* @return status indicating result of fetch
*/
- status_t (*fetch)(fetcher_manager_t *this, char *url, chunk_t *response, ...);
+ status_t (*fetch)(fetcher_manager_t *this, char *url, void *userdata, ...);
/**
* Register a fetcher implementation.
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9835cd5b9..c93f84ca7 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index f13e33492..2a1fed944 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -1518,6 +1518,7 @@ METHOD(crypter_t, set_key, void,
METHOD(crypter_t, destroy, void,
private_aes_crypter_t *this)
{
+ memwipe(this, sizeof(*this));
free(this);
}
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 1c060b6c8..d17355d1d 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -18,8 +18,6 @@
#include <library.h>
#include "aes_crypter.h"
-static const char *plugin_name = "aes";
-
typedef struct private_aes_plugin_t private_aes_plugin_t;
/**
@@ -33,6 +31,12 @@ struct private_aes_plugin_t {
aes_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_aes_plugin_t *this)
+{
+ return "aes";
+}
+
METHOD(plugin_t, destroy, void,
private_aes_plugin_t *this)
{
@@ -51,12 +55,14 @@ plugin_t *aes_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, get_name(this),
(crypter_constructor_t)aes_crypter_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index aa8df979e..00b54b026 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
index 3416ad8d2..7b3c062aa 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
@@ -63,6 +63,7 @@ static struct {
size_t iv_size;
} algs[] = {
{ENCR_DES, "cbc(des)", 8, 8, 8, 8, },
+ {ENCR_DES_ECB, "ecb(des)", 8, 8, 8, 0, },
{ENCR_3DES, "cbc(des3_ede)", 8, 24, 24, 8, },
{ENCR_AES_CBC, "cbc(aes)", 16, 16, 16, 16, },
{ENCR_AES_CBC, "cbc(aes)", 16, 24, 24, 16, },
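Review bot: The new `ENCR_DES_ECB` row registers single DES in ECB mode as an ordinary crypter without recording what it is for; its `iv_size` of 0 is consistent with ECB having no IV, but nothing on the row tells a maintainer that this is a legacy primitive rather than something to offer for traffic protection. Whether it can be reached from a proposal string depends on the keyword table, which this commit does not extend for it. A short comment on the row, e.g. `/* ECB mode, no IV; legacy primitive, not for bulk traffic */`, would capture the intent, which the hunk itself does not show.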
@@ -91,7 +92,7 @@ static struct {
/**
* See header.
*/
-void af_alg_crypter_probe()
+void af_alg_crypter_probe(char *plugin)
{
encryption_algorithm_t prev = -1;
af_alg_ops_t *ops;
@@ -105,7 +106,7 @@ void af_alg_crypter_probe()
if (ops)
{
ops->destroy(ops);
- lib->crypto->add_crypter(lib->crypto, algs[i].id, af_alg_plugin_name,
+ lib->crypto->add_crypter(lib->crypto, algs[i].id, plugin,
(crypter_constructor_t)af_alg_crypter_create);
}
}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.h b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h
index 711d2fc35..ed7799cc8 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_crypter.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h
@@ -48,7 +48,9 @@ af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo,
/**
* Probe algorithms and register af_alg_crypter_create().
+ *
+ * @param plugin plugin name to register algorithms for
*/
-void af_alg_crypter_probe();
+void af_alg_crypter_probe(char *plugin);
#endif /** AF_ALG_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
index 7c6297d44..11074c4bd 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
@@ -59,7 +59,7 @@ static struct {
/**
* See header.
*/
-void af_alg_hasher_probe()
+void af_alg_hasher_probe(char *plugin)
{
af_alg_ops_t *ops;
int i;
@@ -70,7 +70,7 @@ void af_alg_hasher_probe()
if (ops)
{
ops->destroy(ops);
- lib->crypto->add_hasher(lib->crypto, algs[i].id, af_alg_plugin_name,
+ lib->crypto->add_hasher(lib->crypto, algs[i].id, plugin,
(hasher_constructor_t)af_alg_hasher_create);
}
}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.h b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
index e0833e23a..f44ba2938 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
@@ -46,7 +46,9 @@ af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo);
/**
* Probe algorithms and register af_alg_hasher_create().
+ *
+ * @param plugin plugin name to register algorithms for
*/
-void af_alg_hasher_probe();
+void af_alg_hasher_probe(char *plugin);
#endif /** af_alg_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
index 7bf1d90db..82a227d97 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_ops.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
@@ -21,8 +21,6 @@
#include <debug.h>
-const char *af_alg_plugin_name = "af-alg";
-
typedef struct private_af_alg_ops_t private_af_alg_ops_t;
/**
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.h b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
index b7d642c00..ad164029f 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_ops.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
@@ -33,8 +33,6 @@
#define SOL_ALG 279
#endif /* SOL_ALG */
-extern const char *af_alg_plugin_name;
-
typedef struct af_alg_ops_t af_alg_ops_t;
/**
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.c b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
index 54e39f1a0..280ea4e98 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
@@ -35,6 +35,12 @@ struct private_af_alg_plugin_t {
af_alg_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_af_alg_plugin_t *this)
+{
+ return "af-alg";
+}
+
METHOD(plugin_t, destroy, void,
private_af_alg_plugin_t *this)
{
@@ -60,15 +66,17 @@ plugin_t *af_alg_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- af_alg_hasher_probe();
- af_alg_signer_probe();
- af_alg_prf_probe();
- af_alg_crypter_probe();
+ af_alg_hasher_probe(get_name(this));
+ af_alg_signer_probe(get_name(this));
+ af_alg_prf_probe(get_name(this));
+ af_alg_crypter_probe(get_name(this));
return &this->public.plugin;
}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
index 575906bae..1c1174abb 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_prf.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
@@ -70,7 +70,7 @@ static struct {
/**
* See header.
*/
-void af_alg_prf_probe()
+void af_alg_prf_probe(char *plugin)
{
af_alg_ops_t *ops;
int i;
@@ -81,7 +81,7 @@ void af_alg_prf_probe()
if (ops)
{
ops->destroy(ops);
- lib->crypto->add_prf(lib->crypto, algs[i].id, af_alg_plugin_name,
+ lib->crypto->add_prf(lib->crypto, algs[i].id, plugin,
(prf_constructor_t)af_alg_prf_create);
}
}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.h b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
index a3dea5649..d3275e7be 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_prf.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
@@ -46,7 +46,9 @@ af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo);
/**
* Probe algorithms and register af_alg_prf_create().
+ *
+ * @param plugin plugin name to register algorithms for
*/
-void af_alg_prf_probe();
+void af_alg_prf_probe(char *plugin);
#endif /** AF_ALG_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
index 3d6f907bf..34534a06b 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -71,7 +71,7 @@ static struct {
/**
* See header.
*/
-void af_alg_signer_probe()
+void af_alg_signer_probe(char *plugin)
{
af_alg_ops_t *ops;
int i;
@@ -82,7 +82,7 @@ void af_alg_signer_probe()
if (ops)
{
ops->destroy(ops);
- lib->crypto->add_signer(lib->crypto, algs[i].id, af_alg_plugin_name,
+ lib->crypto->add_signer(lib->crypto, algs[i].id, plugin,
(signer_constructor_t)af_alg_signer_create);
}
}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.h b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
index b1d90707f..21487a118 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
@@ -46,7 +46,9 @@ af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo);
/**
* Probe algorithms and register af_alg_signer_create().
+ *
+ * @param plugin plugin name to register algorithms for
*/
-void af_alg_signer_probe();
+void af_alg_signer_probe(char *plugin);
#endif /** AF_ALG_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 1a3533f03..ce333660d 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index bd3c1ac75..79c13b7c1 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -31,6 +31,12 @@ struct private_agent_plugin_t {
agent_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_agent_plugin_t *this)
+{
+ return "agent";
+}
+
METHOD(plugin_t, destroy, void,
private_agent_plugin_t *this)
{
@@ -49,6 +55,8 @@ plugin_t *agent_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 251722f60..be8ba72ee 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index 784c07eaf..fc3649b36 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -160,6 +160,7 @@ METHOD(crypter_t, set_key, void,
METHOD(crypter_t, destroy, void,
private_blowfish_crypter_t *this)
{
+ memwipe(this, sizeof(*this));
free(this);
}
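Review bot: The `memwipe(this, sizeof(*this))` added before `free` has no comment saying why the whole object is wiped, which matters because a later maintainer could move the key material out of the struct and silently defeat the wipe. Presumably the expanded key schedule lives inline in `private_blowfish_crypter_t` (the struct is not in this hunk); a why-comment such as `/* key schedule is stored inline, wipe it before releasing the object */` would pin that assumption. The identical addition in the des_crypter.c hunk below would benefit from the same comment.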
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 5232eca28..9dc8dfe7f 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -19,8 +19,6 @@
#include <library.h>
#include "blowfish_crypter.h"
-static const char *plugin_name = "blowfish";
-
typedef struct private_blowfish_plugin_t private_blowfish_plugin_t;
/**
@@ -34,6 +32,12 @@ struct private_blowfish_plugin_t {
blowfish_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_blowfish_plugin_t *this)
+{
+ return "blowfish";
+}
+
METHOD(plugin_t, destroy, void,
private_blowfish_plugin_t *this)
{
@@ -52,12 +56,14 @@ plugin_t *blowfish_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, get_name(this),
(crypter_constructor_t)blowfish_crypter_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 371e5b2f4..b2bc4a51f 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c
index a4c89b548..2865c2ae4 100644
--- a/src/libstrongswan/plugins/ccm/ccm_plugin.c
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c
@@ -19,8 +19,6 @@
#include "ccm_aead.h"
-static const char *plugin_name = "ccm";
-
typedef struct private_ccm_plugin_t private_ccm_plugin_t;
/**
@@ -34,6 +32,12 @@ struct private_ccm_plugin_t {
ccm_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_ccm_plugin_t *this)
+{
+ return "ccm";
+}
+
METHOD(plugin_t, destroy, void,
private_ccm_plugin_t *this)
{
@@ -52,29 +56,35 @@ plugin_t *ccm_plugin_create()
crypter_t *crypter;
INIT(this,
- .public.plugin.destroy = _destroy,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
);
crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0);
if (crypter)
{
crypter->destroy(crypter);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, get_name(this),
(aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, get_name(this),
(aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, get_name(this),
(aead_constructor_t)ccm_aead_create);
}
crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 0);
if (crypter)
{
crypter->destroy(crypter);
- lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, get_name(this),
(aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, get_name(this),
(aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, get_name(this),
(aead_constructor_t)ccm_aead_create);
}
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 382bfef98..8be502a9c 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.c b/src/libstrongswan/plugins/constraints/constraints_plugin.c
index 1c3f0c835..502c83559 100644
--- a/src/libstrongswan/plugins/constraints/constraints_plugin.c
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.c
@@ -36,6 +36,12 @@ struct private_constraints_plugin_t {
constraints_validator_t *validator;
};
+METHOD(plugin_t, get_name, char*,
+ private_constraints_plugin_t *this)
+{
+ return "constraints";
+}
+
METHOD(plugin_t, destroy, void,
private_constraints_plugin_t *this)
{
@@ -54,6 +60,8 @@ plugin_t *constraints_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 2f6be07e2..0db640829 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c
index 9f1bf957f..6850cacf0 100644
--- a/src/libstrongswan/plugins/ctr/ctr_plugin.c
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c
@@ -19,8 +19,6 @@
#include "ctr_ipsec_crypter.h"
-static const char *plugin_name = "ctr";
-
typedef struct private_ctr_plugin_t private_ctr_plugin_t;
/**
@@ -34,6 +32,12 @@ struct private_ctr_plugin_t {
ctr_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_ctr_plugin_t *this)
+{
+ return "ctr";
+}
+
METHOD(plugin_t, destroy, void,
private_ctr_plugin_t *this)
{
@@ -54,6 +58,8 @@ plugin_t *ctr_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
@@ -63,14 +69,14 @@ plugin_t *ctr_plugin_create()
if (crypter)
{
crypter->destroy(crypter);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, get_name(this),
(crypter_constructor_t)ctr_ipsec_crypter_create);
}
crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16);
if (crypter)
{
crypter->destroy(crypter);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, get_name(this),
(crypter_constructor_t)ctr_ipsec_crypter_create);
}
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index e61c73041..cdfb2b801 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 82e24e810..7f8c0aec2 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -43,31 +43,49 @@ struct private_curl_fetcher_t {
* Optional HTTP headers
*/
struct curl_slist *headers;
+
+ /**
+ * Callback function
+ */
+ fetcher_callback_t cb;
};
/**
- * writes data into a dynamically resizeable chunk_t
+ * Data to pass to curl callback
+ */
+typedef struct {
+ fetcher_callback_t cb;
+ void *user;
+} cb_data_t;
+
+/**
+ * Curl callback function, invokes fetcher_callback_t function
*/
-static size_t append(void *ptr, size_t size, size_t nmemb, chunk_t *data)
+static size_t curl_cb(void *ptr, size_t size, size_t nmemb, cb_data_t *data)
{
size_t realsize = size * nmemb;
- data->ptr = (u_char*)realloc(data->ptr, data->len + realsize);
- if (data->ptr)
+ if (data->cb(data->user, chunk_create(ptr, realsize)))
{
- memcpy(&data->ptr[data->len], ptr, realsize);
- data->len += realsize;
+ return realsize;
}
- return realsize;
+ return 0;
}
METHOD(fetcher_t, fetch, status_t,
- private_curl_fetcher_t *this, char *uri, chunk_t *result)
+ private_curl_fetcher_t *this, char *uri, void *userdata)
{
char error[CURL_ERROR_SIZE];
status_t status;
+ cb_data_t data = {
+ .cb = this->cb,
+ .user = userdata,
+ };
- *result = chunk_empty;
+ if (this->cb == fetcher_default_callback)
+ {
+ *(chunk_t*)userdata = chunk_empty;
+ }
if (curl_easy_setopt(this->curl, CURLOPT_URL, uri) != CURLE_OK)
{ /* URL type not supported by curl */
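Review bot: `curl_cb` returns 0 when the fetcher callback rejects the data, which libcurl treats as a write error that aborts the transfer (any return value other than `realsize` does), but nothing in the hunk states that contract; a comment on the `return 0;` line would: `/* returning less than realsize makes libcurl abort the transfer */`. In `fetch`, the comparison `this->cb == fetcher_default_callback` silently assumes `userdata` is a `chunk_t*` whenever the default callback is installed, and the cast on the next line depends on that; `/* default callback appends into the chunk_t the caller passed as userdata */` would document the coupling. `fetch`'s body continues past the end of the hunk.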
@@ -77,8 +95,8 @@ METHOD(fetcher_t, fetch, status_t,
curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, DEFAULT_TIMEOUT);
- curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, (void*)append);
- curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, (void*)result);
+ curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, (void*)curl_cb);
+ curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, &data);
if (this->headers)
{
curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
@@ -146,6 +164,11 @@ METHOD(fetcher_t, set_option, bool,
va_arg(args, u_int));
break;
}
+ case FETCH_CALLBACK:
+ {
+ this->cb = va_arg(args, fetcher_callback_t);
+ break;
+ }
default:
supported = FALSE;
break;
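Review bot: The `FETCH_CALLBACK` case stores whatever pointer the caller passes without checking it, so a NULL argument is later dereferenced in `curl_cb` as `data->cb(...)` during the transfer. Restoring the default keeps the fetcher usable instead: `fetcher_callback_t cb = va_arg(args, fetcher_callback_t);` followed by `this->cb = cb ? cb : fetcher_default_callback;`. `set_option` starts before and ends after this hunk.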
@@ -178,6 +201,7 @@ curl_fetcher_t *curl_fetcher_create()
},
},
.curl = curl_easy_init(),
+ .cb = fetcher_default_callback,
);
if (!this->curl)
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index 387da03aa..d0e532055 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -34,6 +34,12 @@ struct private_curl_plugin_t {
curl_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_curl_plugin_t *this)
+{
+ return "curl";
+}
+
METHOD(plugin_t, destroy, void,
private_curl_plugin_t *this)
{
@@ -54,6 +60,8 @@ plugin_t *curl_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index e45988ca9..d24ac40f8 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index 7d9fbe852..695e7e4c4 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -1552,6 +1552,7 @@ METHOD(crypter_t, set_key3, void,
METHOD(crypter_t, destroy, void,
private_des_crypter_t *this)
{
+ memwipe(this, sizeof(*this));
free(this);
}
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index d420d789e..78b73347d 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -18,8 +18,6 @@
#include <library.h>
#include "des_crypter.h"
-static const char *plugin_name = "des";
-
typedef struct private_des_plugin_t private_des_plugin_t;
/**
@@ -33,6 +31,12 @@ struct private_des_plugin_t {
des_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_des_plugin_t *this)
+{
+ return "des";
+}
+
METHOD(plugin_t, destroy, void,
private_des_plugin_t *this)
{
@@ -51,16 +55,18 @@ plugin_t *des_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, get_name(this),
(crypter_constructor_t)des_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, get_name(this),
(crypter_constructor_t)des_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, get_name(this),
(crypter_constructor_t)des_crypter_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index d1dce4679..62c52498c 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index d11b149df..4e08746f8 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -31,6 +31,12 @@ struct private_dnskey_plugin_t {
dnskey_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_dnskey_plugin_t *this)
+{
+ return "dnskey";
+}
+
METHOD(plugin_t, destroy, void,
private_dnskey_plugin_t *this)
{
@@ -49,6 +55,8 @@ plugin_t *dnskey_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index ab1ed6d00..e88a102b8 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
index 3cce6ad91..7038da146 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
@@ -18,8 +18,6 @@
#include <library.h>
#include "fips_prf.h"
-static const char *plugin_name = "fips-prf";
-
typedef struct private_fips_prf_plugin_t private_fips_prf_plugin_t;
/**
@@ -33,6 +31,12 @@ struct private_fips_prf_plugin_t {
fips_prf_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_fips_prf_plugin_t *this)
+{
+ return "fips-prf";
+}
+
METHOD(plugin_t, destroy, void,
private_fips_prf_plugin_t *this)
{
@@ -52,6 +56,8 @@ plugin_t *fips_prf_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
@@ -61,7 +67,7 @@ plugin_t *fips_prf_plugin_create()
if (prf)
{
prf->destroy(prf);
- lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, get_name(this),
(prf_constructor_t)fips_prf_create);
}
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 9e0b49776..202849eb6 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c
index a438fb073..4b46f0ee4 100644
--- a/src/libstrongswan/plugins/gcm/gcm_plugin.c
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c
@@ -19,8 +19,6 @@
#include "gcm_aead.h"
-static const char *plugin_name = "gcm";
-
typedef struct private_gcm_plugin_t private_gcm_plugin_t;
/**
@@ -34,6 +32,12 @@ struct private_gcm_plugin_t {
gcm_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_gcm_plugin_t *this)
+{
+ return "gcm";
+}
+
METHOD(plugin_t, destroy, void,
private_gcm_plugin_t *this)
{
@@ -52,18 +56,24 @@ plugin_t *gcm_plugin_create()
crypter_t *crypter;
INIT(this,
- .public.plugin.destroy = _destroy,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
);
crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0);
if (crypter)
{
crypter->destroy(crypter);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, get_name(this),
(aead_constructor_t)gcm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, get_name(this),
(aead_constructor_t)gcm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, plugin_name,
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, get_name(this),
(aead_constructor_t)gcm_aead_create);
}
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 1bcada7dc..bedb918b9 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index a53fed448..e26277b0b 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -29,8 +29,6 @@
#include <errno.h>
#include <gcrypt.h>
-static const char *plugin_name = "gcrypt";
-
typedef struct private_gcrypt_plugin_t private_gcrypt_plugin_t;
/**
@@ -95,6 +93,12 @@ static struct gcry_thread_cbs thread_functions = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
+METHOD(plugin_t, get_name, char*,
+ private_gcrypt_plugin_t *this)
+{
+ return "gcrypt";
+}
+
METHOD(plugin_t, destroy, void,
private_gcrypt_plugin_t *this)
{
@@ -144,85 +148,87 @@ plugin_t *gcrypt_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
/* hashers */
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD4, get_name(this),
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, get_name(this),
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224, get_name(this),
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, get_name(this),
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, get_name(this),
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, get_name(this),
(hasher_constructor_t)gcrypt_hasher_create);
/* crypters */
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAST, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
#ifdef HAVE_GCRY_CIPHER_CAMELLIA
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
#endif /* HAVE_GCRY_CIPHER_CAMELLIA */
- lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, get_name(this),
(crypter_constructor_t)gcrypt_crypter_create);
/* random numbers */
- lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_WEAK, get_name(this),
(rng_constructor_t)gcrypt_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_STRONG, get_name(this),
(rng_constructor_t)gcrypt_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_TRUE, get_name(this),
(rng_constructor_t)gcrypt_rng_create);
/* diffie hellman groups, using modp */
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_768_BIT, get_name(this),
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, get_name(this),
(dh_constructor_t)gcrypt_dh_create_custom);
/* RSA */
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index f73bfb406..18592ab4a 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index e9bfbcc28..55ccd4a4f 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -20,8 +20,6 @@
#include "gmp_rsa_private_key.h"
#include "gmp_rsa_public_key.h"
-static const char *plugin_name = "gmp";
-
typedef struct private_gmp_plugin_t private_gmp_plugin_t;
/**
@@ -35,6 +33,12 @@ struct private_gmp_plugin_t {
gmp_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_gmp_plugin_t *this)
+{
+ return "gmp";
+}
+
METHOD(plugin_t, destroy, void,
private_gmp_plugin_t *this)
{
@@ -61,35 +65,37 @@ plugin_t *gmp_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_768_BIT, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, get_name(this),
(dh_constructor_t)gmp_diffie_hellman_create_custom);
lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 72cc23b72..b9e2cd817 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index c7b2739df..397a1ea11 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -147,8 +147,8 @@ METHOD(hmac_t, destroy, void,
private_hmac_t *this)
{
this->h->destroy(this->h);
- free(this->opaded_key.ptr);
- free(this->ipaded_key.ptr);
+ chunk_clear(&this->opaded_key);
+ chunk_clear(&this->ipaded_key);
free(this);
}
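Review bot: The wipe on destroy covers only the key held at teardown; if set_key (outside this hunk) releases the previous opaded_key/ipaded_key with a plain free() or chunk_free() before storing the new ones, the old padded key survives in freed heap memory and the same chunk_clear() belongs there. destroy's body is fully visible here, set_key is not, so this is a point to verify rather than a confirmed gap. A one-line comment above the two calls, `/* padded keys are key material: wipe, don't just free */`, would record why free() is no longer acceptable here.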
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index 76d6157ae..47d6d3cde 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -19,8 +19,6 @@
#include "hmac_signer.h"
#include "hmac_prf.h"
-static const char *plugin_name = "hmac";
-
typedef struct private_hmac_plugin_t private_hmac_plugin_t;
/**
@@ -34,6 +32,12 @@ struct private_hmac_plugin_t {
hmac_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_hmac_plugin_t *this)
+{
+ return "hmac";
+}
+
METHOD(plugin_t, destroy, void,
private_hmac_plugin_t *this)
{
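Review bot: get_name hands a string literal out as a non-const `char*`, whereas the removed `static const char *plugin_name` was const-qualified, so a caller that writes through the returned pointer now compiles and faults at run time instead of being rejected. The return type is dictated by plugin_t.get_name in plugin.h, whose hunk is cut off at the end of this chunk; if that declaration can be `const char*`, it should be. Otherwise a comment on the method, `/* returns a string literal; callers must not modify it */`, documents the constraint.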
@@ -55,6 +59,8 @@ plugin_t *hmac_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
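Review bot: `.reload = (void*)return_false,` fills a function-pointer slot by casting a function through void*, which silences every type check between return_false's signature and plugin_t.reload and is not portable C (object and function pointers need not be convertible). A typed stub per plugin keeps the compiler involved: `METHOD(plugin_t, reload, bool, private_hmac_plugin_t *this) { return FALSE; }` wired as `.reload = _reload,`. The same cast appears in the ldap, md4, md5, mysql, openssl, padlock, pem, pgp, pkcs1 and pkcs11 plugin hunks below; if plugin_t.reload takes only the plugin pointer, one shared stub in plugin.h (its hunk is cut off at the end of this chunk) would avoid repeating it.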
@@ -64,24 +70,24 @@ plugin_t *hmac_plugin_create()
if (hasher)
{
hasher->destroy(hasher);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, get_name(this),
(prf_constructor_t)hmac_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, get_name(this),
(signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, get_name(this),
(signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, get_name(this),
(signer_constructor_t)hmac_signer_create);
}
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA256);
if (hasher)
{
hasher->destroy(hasher);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, get_name(this),
(prf_constructor_t)hmac_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, get_name(this),
(signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, get_name(this),
(signer_constructor_t)hmac_signer_create);
}
@@ -89,31 +95,31 @@ plugin_t *hmac_plugin_create()
if (hasher)
{
hasher->destroy(hasher);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, get_name(this),
(prf_constructor_t)hmac_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, get_name(this),
(signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, get_name(this),
(signer_constructor_t)hmac_signer_create);
}
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA384);
if (hasher)
{
hasher->destroy(hasher);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, get_name(this),
(prf_constructor_t)hmac_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, get_name(this),
(signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, get_name(this),
(signer_constructor_t)hmac_signer_create);
}
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
if (hasher)
{
hasher->destroy(hasher);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, get_name(this),
(prf_constructor_t)hmac_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, get_name(this),
(signer_constructor_t)hmac_signer_create);
}
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 7235784e2..b496ace28 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index e6c592217..fc6114b0a 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -101,7 +101,7 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
METHOD(fetcher_t, fetch, status_t,
- private_ldap_fetcher_t *this, char *url, chunk_t *result)
+ private_ldap_fetcher_t *this, char *url, void *userdata)
{
LDAP *ldap;
LDAPURLDesc *lurl;
@@ -110,6 +110,7 @@ METHOD(fetcher_t, fetch, status_t,
int ldap_version = LDAP_VERSION3;
struct timeval timeout;
status_t status = FAILED;
+ chunk_t *result = userdata;
if (!strneq(url, "ldap", 4))
{
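Review bot: `chunk_t *result = userdata;` trusts that every caller passes a chunk_t* through the now-opaque userdata parameter, and result is presumably dereferenced later in fetch (the body continues outside the hunk), so a NULL userdata would crash inside the plugin rather than fail cleanly. A guard right after the cast, `if (!result) { return FAILED; }`, keeps the failure local and consistent with the existing `status = FAILED` default. The contract that userdata is the output chunk also deserves a comment on the cast, since the signature no longer says so: `/* userdata is the caller's output chunk_t*, see fetcher_t */`.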
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c
index 3682ddd1f..08d9748ce 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.c
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c
@@ -31,6 +31,12 @@ struct private_ldap_plugin_t {
ldap_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_ldap_plugin_t *this)
+{
+ return "ldap";
+}
+
METHOD(plugin_t, destroy, void,
private_ldap_plugin_t *this)
{
@@ -49,6 +55,8 @@ plugin_t *ldap_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index ea1a7a69a..82781054b 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c
index cea1a61f3..371bba280 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.c
+++ b/src/libstrongswan/plugins/md4/md4_plugin.c
@@ -18,8 +18,6 @@
#include <library.h>
#include "md4_hasher.h"
-static const char *plugin_name = "md4";
-
typedef struct private_md4_plugin_t private_md4_plugin_t;
/**
@@ -33,6 +31,12 @@ struct private_md4_plugin_t {
md4_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_md4_plugin_t *this)
+{
+ return "md4";
+}
+
METHOD(plugin_t, destroy, void,
private_md4_plugin_t *this)
{
@@ -51,12 +55,14 @@ plugin_t *md4_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD4, get_name(this),
(hasher_constructor_t)md4_hasher_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 05f101564..0e3c37e7e 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
index d11173817..c72284193 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.c
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -18,8 +18,6 @@
#include <library.h>
#include "md5_hasher.h"
-static const char *plugin_name = "md5";
-
typedef struct private_md5_plugin_t private_md5_plugin_t;
/**
@@ -33,6 +31,12 @@ struct private_md5_plugin_t {
md5_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_md5_plugin_t *this)
+{
+ return "md5";
+}
+
METHOD(plugin_t, destroy, void,
private_md5_plugin_t *this)
{
@@ -51,12 +55,14 @@ plugin_t *md5_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, get_name(this),
(hasher_constructor_t)md5_hasher_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 4880415b3..32067d5b4 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index 65d8681cb..579df4d50 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -32,6 +32,12 @@ struct private_mysql_plugin_t {
mysql_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_mysql_plugin_t *this)
+{
+ return "mysql";
+}
+
METHOD(plugin_t, destroy, void,
private_mysql_plugin_t *this)
{
@@ -57,6 +63,8 @@ plugin_t *mysql_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index b43be29f1..d1c8fce81 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -247,6 +247,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -270,6 +272,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 2ed07ff0c..cd9a3bd4a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -152,7 +152,7 @@ METHOD(crypter_t, set_key, void,
METHOD(crypter_t, destroy, void,
private_openssl_crypter_t *this)
{
- free(this->key.ptr);
+ chunk_clear(&this->key);
free(this);
}
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 32fc2bccd..78ed2811a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -257,7 +257,7 @@ METHOD(diffie_hellman_t, destroy, void,
{
EC_POINT_clear_free(this->pub_key);
EC_KEY_free(this->key);
- chunk_free(&this->shared_secret);
+ chunk_clear(&this->shared_secret);
free(this);
}
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 0050572ee..96aa38bb6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -41,8 +41,6 @@
#include "openssl_x509.h"
#include "openssl_crl.h"
-static const char *plugin_name = "openssl";
-
typedef struct private_openssl_plugin_t private_openssl_plugin_t;
/**
@@ -195,6 +193,12 @@ static void threading_cleanup()
mutex = NULL;
}
+METHOD(plugin_t, get_name, char*,
+ private_openssl_plugin_t *this)
+{
+ return "openssl";
+}
+
METHOD(plugin_t, destroy, void,
private_openssl_plugin_t *this)
{
@@ -250,6 +254,8 @@ plugin_t *openssl_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
@@ -274,85 +280,85 @@ plugin_t *openssl_plugin_create()
}
/* crypter */
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_RC5, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_RC5, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAST, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_NULL, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_NULL, get_name(this),
(crypter_constructor_t)openssl_crypter_create);
/* hasher */
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD2, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD4, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, get_name(this),
(hasher_constructor_t)openssl_hasher_create);
/* prf */
- lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, get_name(this),
(prf_constructor_t)openssl_sha1_prf_create);
/* (ec) diffie hellman */
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
#ifndef OPENSSL_NO_EC
- lib->crypto->add_dh(lib->crypto, ECP_256_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, ECP_256_BIT, get_name(this),
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_384_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, ECP_384_BIT, get_name(this),
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_521_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, ECP_521_BIT, get_name(this),
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_224_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, ECP_224_BIT, get_name(this),
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_192_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, ECP_192_BIT, get_name(this),
(dh_constructor_t)openssl_ec_diffie_hellman_create);
#endif /* OPENSSL_NO_EC */
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_768_BIT, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
+ lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, get_name(this),
(dh_constructor_t)openssl_diffie_hellman_create);
/* rsa */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 0b607c386..d1afd94cc 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -455,6 +455,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
return NULL;
}
+#ifndef OPENSSL_NO_ENGINE
/**
* Login to engine with a PIN specified for a keyid
*/
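Review bot: Wrapping login() in `#ifndef OPENSSL_NO_ENGINE` (closed by the `#endif` in the next hunk) removes the definition, but its call site is outside both hunks and must be guarded the same way, otherwise builds without engine support fail to compile instead of compiling cleanly; I cannot see that site here. A short comment at the guard would make the dependency explicit, e.g. `/* login() is only used when keys are loaded through an ENGINE */` above the `#ifndef`.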
@@ -496,6 +497,7 @@ static bool login(ENGINE *engine, chunk_t keyid)
}
return success;
}
+#endif /* OPENSSL_NO_ENGINE */
/**
* See header.
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 7c89d0abd..7bc342995 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index 06c20292f..119de86aa 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -105,6 +105,8 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
*dst = chunk_alloc(src.len);
padlock_crypt(key_aligned, &cword, src.ptr, dst->ptr,
src.len / AES_BLOCK_SIZE, iv_aligned);
+
+ memwipe(key_aligned, sizeof(key_aligned));
}
METHOD(crypter_t, decrypt, void,
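Review bot: `memwipe(key_aligned, sizeof(key_aligned))` only wipes the whole key copy if key_aligned is an array; if it is a pointer into an aligned scratch buffer (its declaration is outside the hunk), sizeof yields the pointer width and most of the key stays on the stack. The wipe is also the last statement of crypt, so any early return earlier in the function (not visible here) would skip it. Worth a comment tying the wipe to the copy, `/* key_aligned is a stack copy of the key: wipe before returning */`, and a check that the size argument really is the buffer size.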
@@ -146,7 +148,7 @@ METHOD(crypter_t, set_key, void,
METHOD(crypter_t, destroy, void,
private_padlock_aes_crypter_t *this)
{
- free(this->key.ptr);
+ chunk_clear(&this->key);
free(this);
}
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 695823acf..9d4afd8e8 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -23,8 +23,6 @@
#include <library.h>
#include <debug.h>
-static const char *plugin_name = "padlock";
-
typedef struct private_padlock_plugin_t private_padlock_plugin_t;
typedef enum padlock_feature_t padlock_feature_t;
@@ -103,6 +101,12 @@ static padlock_feature_t get_padlock_features()
return 0;
}
+METHOD(plugin_t, get_name, char*,
+ private_padlock_plugin_t *this)
+{
+ return "padlock";
+}
+
METHOD(plugin_t, destroy, void,
private_padlock_plugin_t *this)
{
@@ -138,6 +142,8 @@ plugin_t *padlock_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
@@ -163,21 +169,21 @@ plugin_t *padlock_plugin_create()
if (this->features & PADLOCK_RNG_ENABLED)
{
- lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_TRUE, get_name(this),
(rng_constructor_t)padlock_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_STRONG, get_name(this),
(rng_constructor_t)padlock_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_WEAK, get_name(this),
(rng_constructor_t)padlock_rng_create);
}
if (this->features & PADLOCK_ACE2_ENABLED)
{
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, get_name(this),
(crypter_constructor_t)padlock_aes_crypter_create);
}
if (this->features & PADLOCK_PHE_ENABLED)
{
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
(hasher_constructor_t)padlock_sha1_hasher_create);
}
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 60740eb35..92c7fa2fe 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index f2415a318..c81605ae5 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -33,6 +33,12 @@ struct private_pem_plugin_t {
pem_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_pem_plugin_t *this)
+{
+ return "pem";
+}
+
METHOD(plugin_t, destroy, void,
private_pem_plugin_t *this)
{
@@ -55,6 +61,8 @@ plugin_t *pem_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index ab14f8ced..6be915f29 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
index eaf0a1088..52e9d96b1 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.c
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -33,6 +33,12 @@ struct private_pgp_plugin_t {
pgp_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_pgp_plugin_t *this)
+{
+ return "pgp";
+}
+
METHOD(plugin_t, destroy, void,
private_pgp_plugin_t *this)
{
@@ -59,6 +65,8 @@ plugin_t *pgp_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 8ed4a08e9..1ae880c3b 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 88c848899..a605fabc7 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -57,7 +57,7 @@ static public_key_t *parse_public_key(chunk_t blob)
int oid = asn1_parse_algorithmIdentifier(object,
parser->get_level(parser)+1, NULL);
- if (oid == OID_RSA_ENCRYPTION)
+ if (oid == OID_RSA_ENCRYPTION || oid == OID_RSAES_OAEP)
{
type = KEY_RSA;
}
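Review bot: Accepting `OID_RSAES_OAEP` as `KEY_RSA` discards the restriction the algorithm identifier expresses: the OAEP parameters (hash, MGF, label) are passed to asn1_parse_algorithmIdentifier as NULL and never checked, and the resulting key is usable for any RSA operation, not only OAEP. That is probably acceptable for interoperability, but it should be stated at the condition: `/* RSAES-OAEP keys are treated as plain RSA; the OAEP parameters are not parsed or enforced */`. parse_public_key continues outside the hunk.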
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index 33732f8a4..e0e24cab2 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -32,6 +32,12 @@ struct private_pkcs1_plugin_t {
pkcs1_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_pkcs1_plugin_t *this)
+{
+ return "pkcs1";
+}
+
METHOD(plugin_t, destroy, void,
private_pkcs1_plugin_t *this)
{
@@ -55,6 +61,8 @@ plugin_t *pkcs1_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 6c03b0497..1a67f88cc 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 9308e9c25..431cd6a2c 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -369,7 +369,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
"libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
if (!entry->path)
{
- DBG1(DBG_CFG, "PKCS11 module '%s' misses library path", module);
+ DBG1(DBG_CFG, "PKCS11 module '%s' lacks library path", module);
free(entry);
continue;
}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 071d2f782..7b537cfa7 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -26,8 +26,6 @@
#include "pkcs11_public_key.h"
#include "pkcs11_hasher.h"
-static const char *plugin_name = "pkcs11";
-
typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
/**
@@ -103,6 +101,12 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
}
}
+METHOD(plugin_t, get_name, char*,
+ private_pkcs11_plugin_t *this)
+{
+ return "pkcs11";
+}
+
METHOD(plugin_t, destroy, void,
private_pkcs11_plugin_t *this)
{
@@ -136,6 +140,8 @@ plugin_t *pkcs11_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
@@ -148,17 +154,17 @@ plugin_t *pkcs11_plugin_create()
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
{
- lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD2, get_name(this),
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, get_name(this),
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, get_name(this),
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, get_name(this),
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, get_name(this),
(hasher_constructor_t)pkcs11_hasher_create);
}
diff --git a/src/libstrongswan/plugins/plugin.h b/src/libstrongswan/plugins/plugin.h
index 6d8a370fb..5c92fd1d8 100644
--- a/src/libstrongswan/plugins/plugin.h
+++ b/src/libstrongswan/plugins/plugin.h
@@ -21,6 +21,8 @@
#ifndef PLUGIN_H_
#define PLUGIN_H_
+#include <utils.h>
+
typedef struct plugin_t plugin_t;
/**
@@ -29,6 +31,20 @@ typedef struct plugin_t plugin_t;
struct plugin_t {
/**
+ * Get the name of the plugin.
+ *
+ * @return plugin name
+ */
+ char* (*get_name)(plugin_t *this);
+
+ /**
+ * Try to reload plugin configuration.
+ *
+ * @return TRUE if reloaded, FALSE if reloading not supporty by plugin
+ */
+ bool (*reload)(plugin_t *this);
+
+ /**
* Destroy a plugin instance.
*/
void (*destroy)(plugin_t *this);
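Review bot: The `reload` doc comment has a typo, `FALSE if reloading not supporty by plugin` should read `FALSE if reloading not supported by plugin`. The `get_name` contract could also state ownership of the returned string, since every implementation in this commit returns a string literal: `@return plugin name, static string owned by the plugin, not to be freed`. Because both new members are inserted ahead of `destroy`, a plugin binary built against the previous header would have its `destroy` pointer land in the `get_name` slot; if out-of-tree plugins are supported, that layout change deserves a mention in the release notes.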
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 473db5ccf..b4d7bf7c7 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -43,11 +43,6 @@ struct private_plugin_loader_t {
* list of loaded plugins
*/
linked_list_t *plugins;
-
- /**
- * names of loaded plugins
- */
- linked_list_t *names;
};
/**
@@ -70,8 +65,6 @@ static status_t create_plugin(private_plugin_loader_t *this, void *handle,
constructor = dlsym(handle, create);
if (constructor == NULL)
{
- DBG2(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
- create);
return NOT_FOUND;
}
if (integrity && lib->integrity)
@@ -153,12 +146,12 @@ static bool plugin_loaded(private_plugin_loader_t *this, char *name)
{
enumerator_t *enumerator;
bool found = FALSE;
- char *current;
+ plugin_t *plugin;
- enumerator = this->names->create_enumerator(this->names);
- while (enumerator->enumerate(enumerator, &current))
+ enumerator = this->plugins->create_enumerator(this->plugins);
+ while (enumerator->enumerate(enumerator, &plugin))
{
- if (streq(name, current))
+ if (streq(plugin->get_name(plugin), name))
{
found = TRUE;
break;
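Review bot: `streq(plugin->get_name(plugin), name)` on the new side dereferences `get_name` unconditionally, and the same holds for `plugin->reload(plugin)` in the `reload_by_name` hunk further down. Every in-tree plugin in this commit sets both members, but `INIT` presumably leaves unset members zeroed, so a plugin that omits `.get_name` or `.reload` would crash the loader on the next load or reload instead of being rejected. A guard such as `if (plugin->get_name && streq(plugin->get_name(plugin), name))` here, and a matching check before the `reload` call, keeps one malformed plugin from taking the daemon down; alternatively `create_plugin`, whose body is outside this hunk, could refuse a constructor that returns a `plugin_t` with either member NULL.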
@@ -168,10 +161,8 @@ static bool plugin_loaded(private_plugin_loader_t *this, char *name)
return found;
}
-/**
- * Implementation of plugin_loader_t.load_plugins.
- */
-static bool load(private_plugin_loader_t *this, char *path, char *list)
+METHOD(plugin_loader_t, load_plugins, bool,
+ private_plugin_loader_t *this, char *path, char *list)
{
enumerator_t *enumerator;
char *token;
@@ -205,7 +196,6 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
if (plugin)
{
this->plugins->insert_last(this->plugins, plugin);
- this->names->insert_last(this->names, token);
}
else
{
@@ -214,20 +204,17 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
critical_failed = TRUE;
DBG1(DBG_LIB, "loading critical plugin '%s' failed", token);
}
- free(token);
}
+ free(token);
}
enumerator->destroy(enumerator);
return !critical_failed;
}
-/**
- * Implementation of plugin_loader_t.unload
- */
-static void unload(private_plugin_loader_t *this)
+METHOD(plugin_loader_t, unload, void,
+ private_plugin_loader_t *this)
{
plugin_t *plugin;
- char *name;
/* unload plugins in reverse order */
while (this->plugins->remove_last(this->plugins,
@@ -235,27 +222,64 @@ static void unload(private_plugin_loader_t *this)
{
plugin->destroy(plugin);
}
- while (this->names->remove_last(this->names, (void**)&name) == SUCCESS)
- {
- free(name);
- }
}
-/**
- * Implementation of plugin_loader_t.create_plugin_enumerator
- */
-static enumerator_t* create_plugin_enumerator(private_plugin_loader_t *this)
+METHOD(plugin_loader_t, create_plugin_enumerator, enumerator_t*,
+ private_plugin_loader_t *this)
{
- return this->names->create_enumerator(this->names);
+ return this->plugins->create_enumerator(this->plugins);
}
/**
- * Implementation of plugin_loader_t.destroy
+ * Reload a plugin by name, NULL for all
*/
-static void destroy(private_plugin_loader_t *this)
+static u_int reload_by_name(private_plugin_loader_t *this, char *name)
+{
+ u_int reloaded = 0;
+ enumerator_t *enumerator;
+ plugin_t *plugin;
+
+ enumerator = create_plugin_enumerator(this);
+ while (enumerator->enumerate(enumerator, &plugin))
+ {
+ if (name == NULL || streq(name, plugin->get_name(plugin)))
+ {
+ if (plugin->reload(plugin))
+ {
+ DBG2(DBG_LIB, "reloaded configuration of '%s' plugin",
+ plugin->get_name(plugin));
+ reloaded++;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ return reloaded;
+}
+
+METHOD(plugin_loader_t, reload, u_int,
+ private_plugin_loader_t *this, char *list)
+{
+ u_int reloaded = 0;
+ enumerator_t *enumerator;
+ char *name;
+
+ if (list == NULL)
+ {
+ return reload_by_name(this, NULL);
+ }
+ enumerator = enumerator_create_token(list, " ", "");
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ reloaded += reload_by_name(this, name);
+ }
+ enumerator->destroy(enumerator);
+ return reloaded;
+}
+
+METHOD(plugin_loader_t, destroy, void,
+ private_plugin_loader_t *this)
{
this->plugins->destroy_offset(this->plugins, offsetof(plugin_t, destroy));
- this->names->destroy_function(this->names, free);
free(this);
}
@@ -264,15 +288,18 @@ static void destroy(private_plugin_loader_t *this)
*/
plugin_loader_t *plugin_loader_create()
{
- private_plugin_loader_t *this = malloc_thing(private_plugin_loader_t);
-
- this->public.load = (bool(*)(plugin_loader_t*, char *path, char *prefix))load;
- this->public.unload = (void(*)(plugin_loader_t*))unload;
- this->public.create_plugin_enumerator = (enumerator_t*(*)(plugin_loader_t*))create_plugin_enumerator;
- this->public.destroy = (void(*)(plugin_loader_t*))destroy;
+ private_plugin_loader_t *this;
- this->plugins = linked_list_create();
- this->names = linked_list_create();
+ INIT(this,
+ .public = {
+ .load = _load_plugins,
+ .reload = _reload,
+ .unload = _unload,
+ .create_plugin_enumerator = _create_plugin_enumerator,
+ .destroy = _destroy,
+ },
+ .plugins = linked_list_create(),
+ );
return &this->public;
}
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index f72c91c60..e03da4543 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -44,14 +44,22 @@ struct plugin_loader_t {
bool (*load)(plugin_loader_t *this, char *path, char *list);
/**
+ * Reload the configuration of one or multiple plugins.
+ *
+ * @param space separated plugin names to reload, NULL for all
+ * @return number of plugins that did support reloading
+ */
+ u_int (*reload)(plugin_loader_t *this, char *list);
+
+ /**
* Unload all loaded plugins.
*/
void (*unload)(plugin_loader_t *this);
/**
- * Create an enumerator over all loaded plugin names.
+ * Create an enumerator over all loaded plugins.
*
- * @return enumerator over char*
+ * @return enumerator over plugin_t*
*/
enumerator_t* (*create_plugin_enumerator)(plugin_loader_t *this);
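Review bot: The `@param` tag for `reload` at the top of the hunk lacks the parameter name, so the description is attached to nothing; it should read `@param list space separated plugin names to reload, NULL for all`. The return description could also say what is counted, e.g. `@return number of plugins whose reload() returned TRUE`, which is how `reload_by_name` increments its counter in plugin_loader.c.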
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 46349f9ba..97fba22fc 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index cc12217a4..ae6607e5a 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -31,6 +31,12 @@ struct private_pubkey_plugin_t {
pubkey_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_pubkey_plugin_t *this)
+{
+ return "pubkey";
+}
+
METHOD(plugin_t, destroy, void,
private_pubkey_plugin_t *this)
{
@@ -49,6 +55,8 @@ plugin_t *pubkey_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 21f8aff11..761d2c96e 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index cc5cb0a3c..00202a5a6 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -18,8 +18,6 @@
#include <library.h>
#include "random_rng.h"
-static const char *plugin_name = "random";
-
typedef struct private_random_plugin_t private_random_plugin_t;
/**
@@ -33,6 +31,12 @@ struct private_random_plugin_t {
random_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_random_plugin_t *this)
+{
+ return "random";
+}
+
METHOD(plugin_t, destroy, void,
private_random_plugin_t *this)
{
@@ -51,14 +55,16 @@ plugin_t *random_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_STRONG, get_name(this),
(rng_constructor_t)random_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
+ lib->crypto->add_rng(lib->crypto, RNG_TRUE, get_name(this),
(rng_constructor_t)random_rng_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 4ed4b9694..e8856b7d7 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -244,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -267,6 +269,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index 02393b907..fa04fb2a2 100644
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -36,6 +36,12 @@ struct private_revocation_plugin_t {
revocation_validator_t *validator;
};
+METHOD(plugin_t, get_name, char*,
+ private_revocation_plugin_t *this)
+{
+ return "revocation";
+}
+
METHOD(plugin_t, destroy, void,
private_revocation_plugin_t *this)
{
@@ -54,6 +60,8 @@ plugin_t *revocation_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 3d96f4339..b4b275648 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
index dda2cbc1a..a9b84e790 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.c
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -19,8 +19,6 @@
#include "sha1_hasher.h"
#include "sha1_prf.h"
-static const char *plugin_name = "sha1";
-
typedef struct private_sha1_plugin_t private_sha1_plugin_t;
/**
@@ -34,6 +32,12 @@ struct private_sha1_plugin_t {
sha1_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_sha1_plugin_t *this)
+{
+ return "sha1";
+}
+
METHOD(plugin_t, destroy, void,
private_sha1_plugin_t *this)
{
@@ -54,14 +58,16 @@ plugin_t *sha1_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
(hasher_constructor_t)sha1_hasher_create);
- lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, get_name(this),
(prf_constructor_t)sha1_prf_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index fcbfa0c44..bdc235555 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -240,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -263,6 +265,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index a5937dbb2..4ec03a268 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -18,8 +18,6 @@
#include <library.h>
#include "sha2_hasher.h"
-static const char *plugin_name = "sha2";
-
typedef struct private_sha2_plugin_t private_sha2_plugin_t;
/**
@@ -33,6 +31,12 @@ struct private_sha2_plugin_t {
sha2_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_sha2_plugin_t *this)
+{
+ return "sha2";
+}
+
METHOD(plugin_t, destroy, void,
private_sha2_plugin_t *this)
{
@@ -51,18 +55,20 @@ plugin_t *sha2_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224, get_name(this),
(hasher_constructor_t)sha2_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, get_name(this),
(hasher_constructor_t)sha2_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, get_name(this),
(hasher_constructor_t)sha2_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, get_name(this),
(hasher_constructor_t)sha2_hasher_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 35d175f95..ec370d38c 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c
index fd97631bd..3e5786b12 100644
--- a/src/libstrongswan/plugins/soup/soup_fetcher.c
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.c
@@ -58,44 +58,77 @@ struct private_soup_fetcher_t {
* HTTP request version
*/
SoupHTTPVersion version;
+
+ /**
+ * Fetcher callback function
+ */
+ fetcher_callback_t cb;
};
+/**
+ * Data to pass to soup callback
+ */
+typedef struct {
+ fetcher_callback_t cb;
+ void *user;
+ SoupSession *session;
+} cb_data_t;
+
+/**
+ * Soup callback invoking our callback
+ */
+static void soup_cb(SoupMessage *message, SoupBuffer *chunk, cb_data_t *data)
+{
+ if (!data->cb(data->user, chunk_create((u_char*)chunk->data, chunk->length)))
+ {
+ soup_session_cancel_message(data->session, message,
+ SOUP_STATUS_CANCELLED);
+ }
+}
+
METHOD(fetcher_t, fetch, status_t,
- private_soup_fetcher_t *this, char *uri, chunk_t *result)
+ private_soup_fetcher_t *this, char *uri, void *userdata)
{
- SoupSession *session;
SoupMessage *message;
status_t status = FAILED;
+ cb_data_t data = {
+ .cb = this->cb,
+ .user = userdata,
+ };
message = soup_message_new(this->method, uri);
if (!message)
{
return NOT_SUPPORTED;
}
+ if (this->cb == fetcher_default_callback)
+ {
+ *(chunk_t*)userdata = chunk_empty;
+ }
if (this->type)
{
soup_message_set_request(message, this->type, SOUP_MEMORY_STATIC,
this->data.ptr, this->data.len);
}
soup_message_set_http_version(message, this->version);
- session = soup_session_sync_new();
- g_object_set(G_OBJECT(session),
+ soup_message_body_set_accumulate(message->response_body, FALSE);
+ g_signal_connect(message, "got-chunk", G_CALLBACK(soup_cb), &data);
+ data.session = soup_session_sync_new();
+ g_object_set(G_OBJECT(data.session),
SOUP_SESSION_TIMEOUT, (guint)this->timeout, NULL);
DBG2(DBG_LIB, "sending http request to '%s'...", uri);
- soup_session_send_message(session, message);
+ soup_session_send_message(data.session, message);
if (SOUP_STATUS_IS_SUCCESSFUL(message->status_code))
{
- *result = chunk_clone(chunk_create((u_char*)message->response_body->data,
- message->response_body->length));
status = SUCCESS;
}
else
{
- DBG1(DBG_LIB, "HTTP request failed, code %d", message->status_code);
+ DBG1(DBG_LIB, "HTTP request failed: %s", message->reason_phrase);
}
g_object_unref(G_OBJECT(message));
- g_object_unref(G_OBJECT(session));
+ g_object_unref(G_OBJECT(data.session));
return status;
}
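Review bot: `soup_cb` calls `data->cb` without checking it, and the `FETCH_CALLBACK` case in the `set_option` hunk below stores whatever pointer the caller passes, so a NULL callback surfaces as a crash inside the `got-chunk` signal handler rather than as a rejected option; resetting to the default in `set_option`, `this->cb = va_arg(args, fetcher_callback_t); if (!this->cb) { this->cb = fetcher_default_callback; }`, keeps the handler total. When the callback itself aborts the transfer via `soup_session_cancel_message`, the request is then logged as `HTTP request failed: %s` with the cancellation reason phrase, which reads like a server-side failure during log triage; checking for `SOUP_STATUS_CANCELLED` in the else branch and logging it as a local abort would make that distinguishable. Note also that `*(chunk_t*)userdata = chunk_empty` runs only after the `soup_message_new` check, so on the NOT_SUPPORTED path the caller's chunk is left untouched — presumably fine if callers read it only on SUCCESS, but worth a comment.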
@@ -121,6 +154,9 @@ METHOD(fetcher_t, set_option, bool,
case FETCH_TIMEOUT:
this->timeout = va_arg(args, u_int);
break;
+ case FETCH_CALLBACK:
+ this->cb = va_arg(args, fetcher_callback_t);
+ break;
default:
supported = FALSE;
break;
@@ -153,6 +189,7 @@ soup_fetcher_t *soup_fetcher_create()
.method = SOUP_METHOD_GET,
.version = SOUP_HTTP_1_1,
.timeout = DEFAULT_TIMEOUT,
+ .cb = fetcher_default_callback,
);
return &this->public;
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
index 970e32472..22c8762e0 100644
--- a/src/libstrongswan/plugins/soup/soup_plugin.c
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -34,6 +34,12 @@ struct private_soup_plugin_t {
soup_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_soup_plugin_t *this)
+{
+ return "soup";
+}
+
METHOD(plugin_t, destroy, void,
private_soup_plugin_t *this)
{
@@ -58,6 +64,8 @@ plugin_t *soup_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index ae015d1a8..e2ec799a9 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -243,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -266,6 +268,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
index e0b8e6ce1..d8c6a560c 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
@@ -31,6 +31,12 @@ struct private_sqlite_plugin_t {
sqlite_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_sqlite_plugin_t *this)
+{
+ return "sqlite";
+}
+
METHOD(plugin_t, destroy, void,
private_sqlite_plugin_t *this)
{
@@ -49,6 +55,8 @@ plugin_t *sqlite_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 9dccb05e3..70cdfd600 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -248,6 +248,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -271,6 +273,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/des.c b/src/libstrongswan/plugins/test_vectors/test_vectors/des.c
index 80b5f1010..b4bf1fe6a 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/des.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/des.c
@@ -25,7 +25,6 @@
crypter_test_vector_t des_ecb1 = {
.alg = ENCR_DES_ECB, .key_size = 8, .len = 8,
.key = "\x00\x01\x02\x03\x04\x05\x06\x07",
- .iv = "\x00\x00\x00\x00\x00\x00\x00\x00",
.plain = "\x41\xAD\x06\x85\x48\x80\x9D\x02",
.cipher = "\x00\x11\x22\x33\x44\x55\x66\x77"
};
@@ -36,7 +35,6 @@ crypter_test_vector_t des_ecb1 = {
crypter_test_vector_t des_ecb2 = {
.alg = ENCR_DES_ECB, .key_size = 8, .len = 8,
.key = "\x2B\xD6\x45\x9F\x82\xC5\xB3\x00",
- .iv = "\x00\x00\x00\x00\x00\x00\x00\x00",
.plain = "\xB1\x0F\x84\x30\x97\xA0\xF9\x32",
.cipher = "\xEA\x02\x47\x14\xAD\x5C\x4D\x84"
};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 176bc438d..4a8743289 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -104,6 +104,12 @@ struct private_test_vectors_plugin_t {
test_vectors_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_test_vectors_plugin_t *this)
+{
+ return "test-vectors";
+}
+
METHOD(plugin_t, destroy, void,
private_test_vectors_plugin_t *this)
{
@@ -121,6 +127,8 @@ plugin_t *test_vectors_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 57deab98e..58cdf2c7c 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -242,6 +242,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -265,6 +267,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 526dbe8c6..8b228a2b6 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -937,15 +937,15 @@ static const asn1Object_t certificatePoliciesObject[] = {
{ 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
{ 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
{ 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "qualifier", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 3 */
+ { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
{ 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
{ 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
{ 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
{ 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
- { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
+ { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
{ 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
{ 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
+ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
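Review bot: The index comments at the tail of `certificatePoliciesObject` are off by one — `end opt/loop` is the entry at index 11 but is annotated `/* 12 */`, and `end loop` at index 12 is annotated `/* 13 */`. Those annotations are what a maintainer reads when adding a `case` to the parser switch that consumes this table, so a stale number is an easy way to mis-wire a handler in certificate-policy parsing; since the commit already touches the `end opt/loop` line, it could carry `/* 11 */` and the following line `/* 12 */`. The `ipAddrBlocksObjects` hunk below is numbered consistently in its visible lines.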
@@ -1117,7 +1117,7 @@ static const asn1Object_t ipAddrBlocksObjects[] = {
{ 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
{ 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
{ 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
- { 2, "end choice/loop", ASN1_EOC, ASN1_END }, /* 12 */
+ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 829f47f81..4cbe3f718 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -453,7 +453,7 @@ static const asn1Object_t basicResponseObjects[] = {
{ 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
ASN1_DEF }, /* 16 */
{ 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
- { 4, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
{ 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
{ 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index d40cc3567..bfeb74b0e 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -36,6 +36,12 @@ struct private_x509_plugin_t {
x509_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_x509_plugin_t *this)
+{
+ return "x509";
+}
+
METHOD(plugin_t, destroy, void,
private_x509_plugin_t *this)
{
@@ -72,6 +78,8 @@ plugin_t *x509_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 06d7a2121..35f868de4 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index be18d92b8..8ddde962c 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -236,13 +236,17 @@ METHOD(xcbc_t, set_key, void,
memset(k1.ptr, 0x01, this->b);
this->k1->encrypt(this->k1, k1, iv, NULL);
this->k1->set_key(this->k1, k1);
+
+ memwipe(k1.ptr, k1.len);
}
METHOD(xcbc_t, destroy, void,
private_xcbc_t *this)
{
this->k1->destroy(this->k1);
+ memwipe(this->k2, this->b);
free(this->k2);
+ memwipe(this->k3, this->b);
free(this->k3);
free(this->e);
free(this->remaining);
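Review bot: `destroy` now wipes `k2` and `k3` before freeing them, but `this->e` and `this->remaining` on the following lines are still released with a plain `free`; they presumably hold the running CBC state and buffered input, both derived from or mixed with keyed material, so they merit the same treatment: `memwipe(this->e, this->b);` and `memwipe(this->remaining, this->b);` before each free, assuming they are `b`-byte buffers like `k2`/`k3` — confirm against their allocation, which is outside this hunk. In `set_key`, wiping `k1` after `set_key` consumed it closes the obvious gap; the `iv` buffer passed to `encrypt` is declared above the hunk, so whether it carries anything sensitive cannot be judged from here.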
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 65e88335c..0fcb093c8 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -19,8 +19,6 @@
#include "xcbc_signer.h"
#include "xcbc_prf.h"
-static const char *plugin_name = "xcbc";
-
typedef struct private_xcbc_plugin_t private_xcbc_plugin_t;
/**
@@ -34,6 +32,12 @@ struct private_xcbc_plugin_t {
xcbc_plugin_t public;
};
+METHOD(plugin_t, get_name, char*,
+ private_xcbc_plugin_t *this)
+{
+ return "xcbc";
+}
+
METHOD(plugin_t, destroy, void,
private_xcbc_plugin_t *this)
{
@@ -55,6 +59,8 @@ plugin_t *xcbc_plugin_create()
INIT(this,
.public = {
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
},
@@ -64,18 +70,18 @@ plugin_t *xcbc_plugin_create()
if (crypter)
{
crypter->destroy(crypter);
- lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, get_name(this),
(prf_constructor_t)xcbc_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, get_name(this),
(signer_constructor_t)xcbc_signer_create);
}
crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16);
if (crypter)
{
crypter->destroy(crypter);
- lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, plugin_name,
+ lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, get_name(this),
(prf_constructor_t)xcbc_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, plugin_name,
+ lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, get_name(this),
(signer_constructor_t)xcbc_signer_create);
}
return &this->public.plugin;
diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
index 556cbd907..0043a9cdb 100644
--- a/src/libstrongswan/processing/jobs/callback_job.c
+++ b/src/libstrongswan/processing/jobs/callback_job.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2007-2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -29,6 +30,7 @@ typedef struct private_callback_job_t private_callback_job_t;
* Private data of an callback_job_t Object.
*/
struct private_callback_job_t {
+
/**
* Public callback_job_t interface.
*/
@@ -111,10 +113,8 @@ static void unregister(private_callback_job_t *this)
}
}
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_callback_job_t *this)
+METHOD(job_t, destroy, void,
+ private_callback_job_t *this)
{
this->mutex->lock(this->mutex);
unregister(this);
@@ -133,10 +133,8 @@ static void destroy(private_callback_job_t *this)
free(this);
}
-/**
- * Implementation of callback_job_t.cancel.
- */
-static void cancel(private_callback_job_t *this)
+METHOD(callback_job_t, cancel, void,
+ private_callback_job_t *this)
{
callback_job_t *child;
sem_t *terminated = NULL;
@@ -177,10 +175,8 @@ static void cancel(private_callback_job_t *this)
}
}
-/**
- * Implementation of job_t.execute.
- */
-static void execute(private_callback_job_t *this)
+METHOD(job_t, execute, void,
+ private_callback_job_t *this)
{
bool cleanup = FALSE, requeue = FALSE;
@@ -226,8 +222,7 @@ static void execute(private_callback_job_t *this)
thread_cancellation_point();
if (requeue)
{
- lib->processor->queue_job(lib->processor,
- &this->public.job_interface);
+ lib->processor->queue_job(lib->processor, &this->public.job);
}
thread_cleanup_pop(cleanup);
}
@@ -239,24 +234,24 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
callback_job_cleanup_t cleanup,
callback_job_t *parent)
{
- private_callback_job_t *this = malloc_thing(private_callback_job_t);
-
- /* interface functions */
- this->public.job_interface.execute = (void (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
- this->public.cancel = (void(*)(callback_job_t*))cancel;
+ private_callback_job_t *this;
- /* private variables */
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- this->callback = cb;
- this->data = data;
- this->cleanup = cleanup;
- this->thread = 0;
- this->children = linked_list_create();
- this->parent = (private_callback_job_t*)parent;
- this->cancelled = FALSE;
- this->destroyable = condvar_create(CONDVAR_TYPE_DEFAULT);
- this->terminated = NULL;
+ INIT(this,
+ .public = {
+ .job = {
+ .execute = _execute,
+ .destroy = _destroy,
+ },
+ .cancel = _cancel,
+ },
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .callback = cb,
+ .data = data,
+ .cleanup = cleanup,
+ .children = linked_list_create(),
+ .parent = (private_callback_job_t*)parent,
+ .destroyable = condvar_create(CONDVAR_TYPE_DEFAULT),
+ );
/* register us at parent */
if (parent)
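Review bot: The explicit thread = 0, cancelled = FALSE and terminated = NULL assignments are gone and those fields are not listed in INIT, so their initial value now depends on INIT zero-filling unlisted members (true if it expands to a designated-initializer compound literal, which the hunk does not show). A one-line comment such as `/* thread, cancelled, terminated: zero-initialized by INIT */` would make that intent explicit; the same applies to processor_create (total_threads, desired_threads, idle_threads) and scheduler_create (event_count) later in this diff. callback_job_create continues past the end of the hunk.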
diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
index 62da1edd1..1eb5664d3 100644
--- a/src/libstrongswan/processing/jobs/callback_job.h
+++ b/src/libstrongswan/processing/jobs/callback_job.h
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2007-2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -30,7 +31,7 @@ typedef struct callback_job_t callback_job_t;
typedef enum job_requeue_t job_requeue_t;
/**
- * Job requeueing policy
+ * Job requeueing policy.
*
* The job requeueing policy defines how a job is handled when the callback
* function returns.
@@ -84,15 +85,19 @@ typedef void (*callback_job_cleanup_t)(void *data);
* of asynchronous methods, without to manage threads.
*/
struct callback_job_t {
+
/**
* The job_t interface.
*/
- job_t job_interface;
+ job_t job;
/**
- * Cancel the job's thread and wait for its termination. This only works
- * reliably for jobs that always use JOB_REQUEUE_FAIR or JOB_REQUEUE_DIRECT,
- * otherwise the job may already be destroyed when cancel is called. */
+ * Cancel the job's thread and wait for its termination.
+ *
+ * This only works reliably for jobs that always use JOB_REQUEUE_FAIR or
+ * JOB_REQUEUE_DIRECT, otherwise the job may already be destroyed when
+ * cancel is called.
+ */
void (*cancel)(callback_job_t *this);
};
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index 723aec908..de556f86b 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -136,50 +137,46 @@ static void process_jobs(private_processor_t *this)
thread_cleanup_pop(FALSE);
this->mutex->lock(this->mutex);
}
+ this->total_threads--;
+ this->thread_terminated->signal(this->thread_terminated);
this->mutex->unlock(this->mutex);
- restart(this);
}
-/**
- * Implementation of processor_t.get_total_threads.
- */
-static u_int get_total_threads(private_processor_t *this)
+METHOD(processor_t, get_total_threads, u_int,
+ private_processor_t *this)
{
u_int count;
+
this->mutex->lock(this->mutex);
count = this->total_threads;
this->mutex->unlock(this->mutex);
return count;
}
-/**
- * Implementation of processor_t.get_idle_threads.
- */
-static u_int get_idle_threads(private_processor_t *this)
+METHOD(processor_t, get_idle_threads, u_int,
+ private_processor_t *this)
{
u_int count;
+
this->mutex->lock(this->mutex);
count = this->idle_threads;
this->mutex->unlock(this->mutex);
return count;
}
-/**
- * implements processor_t.get_job_load
- */
-static u_int get_job_load(private_processor_t *this)
+METHOD(processor_t, get_job_load, u_int,
+ private_processor_t *this)
{
u_int load;
+
this->mutex->lock(this->mutex);
load = this->list->get_count(this->list);
this->mutex->unlock(this->mutex);
return load;
}
-/**
- * implements function processor_t.queue_job
- */
-static void queue_job(private_processor_t *this, job_t *job)
+METHOD(processor_t, queue_job, void,
+ private_processor_t *this, job_t *job)
{
this->mutex->lock(this->mutex);
this->list->insert_last(this->list, job);
@@ -187,10 +184,8 @@ static void queue_job(private_processor_t *this, job_t *job)
this->mutex->unlock(this->mutex);
}
-/**
- * Implementation of processor_t.set_threads.
- */
-static void set_threads(private_processor_t *this, u_int count)
+METHOD(processor_t, set_threads, void,
+ private_processor_t *this, u_int count)
{
this->mutex->lock(this->mutex);
if (count > this->total_threads)
@@ -218,12 +213,11 @@ static void set_threads(private_processor_t *this, u_int count)
this->mutex->unlock(this->mutex);
}
-/**
- * Implementation of processor_t.destroy.
- */
-static void destroy(private_processor_t *this)
+METHOD(processor_t, destroy, void,
+ private_processor_t *this)
{
thread_t *current;
+
set_threads(this, 0);
this->mutex->lock(this->mutex);
while (this->total_threads > 0)
@@ -250,23 +244,23 @@ static void destroy(private_processor_t *this)
*/
processor_t *processor_create()
{
- private_processor_t *this = malloc_thing(private_processor_t);
-
- this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
- this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
- this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
- this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
- this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
- this->public.destroy = (void(*)(processor_t*))destroy;
-
- this->list = linked_list_create();
- this->threads = linked_list_create();
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
- this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
- this->total_threads = 0;
- this->desired_threads = 0;
- this->idle_threads = 0;
+ private_processor_t *this;
+
+ INIT(this,
+ .public = {
+ .get_total_threads = _get_total_threads,
+ .get_idle_threads = _get_idle_threads,
+ .get_job_load = _get_job_load,
+ .queue_job = _queue_job,
+ .set_threads = _set_threads,
+ .destroy = _destroy,
+ },
+ .list = linked_list_create(),
+ .threads = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .job_added = condvar_create(CONDVAR_TYPE_DEFAULT),
+ .thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT),
+ );
return &this->public;
}
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index e23f04598..7d9bcd70f 100644
--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -232,10 +232,8 @@ static job_requeue_t schedule(private_scheduler_t * this)
return JOB_REQUEUE_DIRECT;
}
-/**
- * Implements scheduler_t.get_job_load
- */
-static u_int get_job_load(private_scheduler_t *this)
+METHOD(scheduler_t, get_job_load, u_int,
+ private_scheduler_t *this)
{
int count;
this->mutex->lock(this->mutex);
@@ -244,10 +242,8 @@ static u_int get_job_load(private_scheduler_t *this)
return count;
}
-/**
- * Implements scheduler_t.schedule_job_tv.
- */
-static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
+METHOD(scheduler_t, schedule_job_tv, void,
+ private_scheduler_t *this, job_t *job, timeval_t tv)
{
event_t *event;
u_int position;
@@ -283,10 +279,8 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
this->mutex->unlock(this->mutex);
}
-/**
- * Implements scheduler_t.schedule_job.
- */
-static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
+METHOD(scheduler_t, schedule_job, void,
+ private_scheduler_t *this, job_t *job, u_int32_t s)
{
timeval_t tv;
@@ -296,10 +290,8 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
schedule_job_tv(this, job, tv);
}
-/**
- * Implements scheduler_t.schedule_job_ms.
- */
-static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
+METHOD(scheduler_t, schedule_job_ms, void,
+ private_scheduler_t *this, job_t *job, u_int32_t ms)
{
timeval_t tv, add;
@@ -312,10 +304,8 @@ static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
schedule_job_tv(this, job, tv);
}
-/**
- * Implementation of scheduler_t.destroy.
- */
-static void destroy(private_scheduler_t *this)
+METHOD(scheduler_t, destroy, void,
+ private_scheduler_t *this)
{
event_t *event;
this->job->cancel(this->job);
@@ -334,22 +324,23 @@ static void destroy(private_scheduler_t *this)
*/
scheduler_t * scheduler_create()
{
- private_scheduler_t *this = malloc_thing(private_scheduler_t);
-
- this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
- this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
- this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
- this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
- this->public.destroy = (void(*)(scheduler_t*)) destroy;
+ private_scheduler_t *this;
+
+ INIT(this,
+ .public = {
+ .get_job_load = _get_job_load,
+ .schedule_job = _schedule_job,
+ .schedule_job_ms = _schedule_job_ms,
+ .schedule_job_tv = _schedule_job_tv,
+ .destroy = _destroy,
+ },
+ .heap_size = HEAP_SIZE_DEFAULT,
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+ );
- /* Note: the root of the heap is at index 1 */
- this->event_count = 0;
- this->heap_size = HEAP_SIZE_DEFAULT;
this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-
this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
lib->processor->queue_job(lib->processor, (job_t*)this->job);
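Review bot: The comment explaining why calloc allocates heap_size + 1 entries (`/* Note: the root of the heap is at index 1 */`) was dropped together with the old assignments, but the `+ 1` on the calloc line still needs it; move the comment onto that line rather than deleting it. scheduler_create continues beyond the hunk.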
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index bd279f51d..8a2248b46 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -20,8 +20,14 @@
#include <stdio.h>
#include <errno.h>
#include <limits.h>
-#include <glob.h>
#include <libgen.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#ifdef HAVE_GLOB_H
+#include <glob.h>
+#endif /* HAVE_GLOB_H */
#include "settings.h"
@@ -146,6 +152,17 @@ static void section_destroy(section_t *this)
}
/**
+ * Purge contents of a section
+ */
+static void section_purge(section_t *this)
+{
+ this->kv->destroy_function(this->kv, (void*)kv_destroy);
+ this->kv = linked_list_create();
+ this->sections->destroy_function(this->sections, (void*)section_destroy);
+ this->sections = linked_list_create();
+}
+
+/**
* callback to find a section by name
*/
static bool section_find(section_t *this, char *name)
@@ -914,14 +931,30 @@ static bool parse_file(linked_list_t *contents, char *file, int level,
{
bool success;
char *text, *pos;
+ struct stat st;
FILE *fd;
int len;
DBG2(DBG_LIB, "loading config file '%s'", file);
+ if (stat(file, &st) == -1)
+ {
+ if (errno == ENOENT)
+ {
+ DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
+ return TRUE;
+ }
+ DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
+ return FALSE;
+ }
+ else if (!S_ISREG(st.st_mode))
+ {
+ DBG1(DBG_LIB, "'%s' is not a regular file", file);
+ return FALSE;
+ }
fd = fopen(file, "r");
if (fd == NULL)
{
- DBG1(DBG_LIB, "'%s' does not exist or is not readable", file);
+ DBG1(DBG_LIB, "'%s' is not readable", file);
return FALSE;
}
fseek(fd, 0, SEEK_END);
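Review bot: The stat() at the top and the fopen() below resolve the path twice, so the S_ISREG check is a check-then-use race: the entry can be replaced between the two calls and the regular-file decision no longer applies to what was actually opened. Opening first and then checking with `fstat(fileno(fd), &st)` closes the gap and also yields st_size, which could replace the fseek-based size probe; ENOENT can still be recognised from errno after fopen fails. parse_file continues past the end of the hunk.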
@@ -950,16 +983,15 @@ static bool parse_file(linked_list_t *contents, char *file, int level,
}
/**
- * Load the files matching "pattern", which is resolved with glob(3).
+ * Load the files matching "pattern", which is resolved with glob(3), if
+ * available.
* If the pattern is relative, the directory of "file" is used as base.
*/
static bool parse_files(linked_list_t *contents, char *file, int level,
char *pattern, section_t *section)
{
bool success = TRUE;
- int status;
- glob_t buf;
- char **expanded, pat[PATH_MAX];
+ char pat[PATH_MAX];
if (level > MAX_INCLUSION_LEVEL)
{
@@ -994,28 +1026,39 @@ static bool parse_files(linked_list_t *contents, char *file, int level,
}
free(dir);
}
- status = glob(pat, GLOB_ERR, NULL, &buf);
- if (status == GLOB_NOMATCH)
- {
- DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
- }
- else if (status != 0)
+#ifdef HAVE_GLOB_H
{
- DBG1(DBG_LIB, "expanding file pattern '%s' failed", pat);
- success = FALSE;
- }
- else
- {
- for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
+ int status;
+ glob_t buf;
+
+ status = glob(pat, GLOB_ERR, NULL, &buf);
+ if (status == GLOB_NOMATCH)
+ {
+ DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
+ }
+ else if (status != 0)
{
- success &= parse_file(contents, *expanded, level + 1, section);
- if (!success)
+ DBG1(DBG_LIB, "expanding file pattern '%s' failed", pat);
+ success = FALSE;
+ }
+ else
+ {
+ char **expanded;
+ for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
{
- break;
+ success &= parse_file(contents, *expanded, level + 1, section);
+ if (!success)
+ {
+ break;
+ }
}
}
+ globfree(&buf);
}
- globfree(&buf);
+#else /* HAVE_GLOB_H */
+ /* if glob(3) is not available, try to load pattern directly */
+ success = parse_file(contents, pat, level + 1, section);
+#endif /* HAVE_GLOB_H */
return success;
}
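Review bot: In the `#else` branch the unexpanded pattern is handed to parse_file verbatim, so on a platform without glob(3) an include containing wildcards will usually fail stat() with ENOENT and be ignored at DBG2 level as if the file simply did not exist. A DBG1 line in that branch when pat contains `*`, `?` or `[`, e.g. `DBG1(DBG_LIB, "glob(3) unavailable, pattern '%s' used literally", pat);`, would make a silently skipped include visible to the operator.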
@@ -1070,12 +1113,17 @@ static void section_extend(section_t *base, section_t *extension)
* All files (even included ones) have to be loaded successfully.
*/
static bool load_files_internal(private_settings_t *this, section_t *parent,
- char *pattern)
+ char *pattern, bool merge)
{
char *text;
linked_list_t *contents = linked_list_create();
section_t *section = section_create(NULL);
+ if (pattern == NULL)
+ {
+ pattern = STRONGSWAN_CONF;
+ }
+
if (!parse_files(contents, NULL, 0, pattern, section))
{
contents->destroy_function(contents, (void*)free);
@@ -1084,6 +1132,10 @@ static bool load_files_internal(private_settings_t *this, section_t *parent,
}
this->lock->write_lock(this->lock);
+ if (!merge)
+ {
+ section_purge(parent);
+ }
/* extend parent section */
section_extend(parent, section);
/* move contents of loaded files to main store */
@@ -1099,13 +1151,13 @@ static bool load_files_internal(private_settings_t *this, section_t *parent,
}
METHOD(settings_t, load_files, bool,
- private_settings_t *this, char *pattern)
+ private_settings_t *this, char *pattern, bool merge)
{
- return load_files_internal(this, this->top, pattern);
+ return load_files_internal(this, this->top, pattern, merge);
}
METHOD(settings_t, load_files_section, bool,
- private_settings_t *this, char *pattern, char *key, ...)
+ private_settings_t *this, char *pattern, bool merge, char *key, ...)
{
section_t *section;
va_list args;
@@ -1118,7 +1170,7 @@ METHOD(settings_t, load_files_section, bool,
{
return FALSE;
}
- return load_files_internal(this, section, pattern);
+ return load_files_internal(this, section, pattern, merge);
}
METHOD(settings_t, destroy, void,
@@ -1160,12 +1212,7 @@ settings_t *settings_create(char *file)
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
- if (file == NULL)
- {
- file = STRONGSWAN_CONF;
- }
-
- load_files(this, file);
+ load_files(this, file, FALSE);
return &this->public;
}
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index bc3df3706..9ccd02327 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -261,22 +261,25 @@ struct settings_t {
/**
* Load settings from the files matching the given pattern.
*
- * Existing sections are extended, existing values replaced, by those found
- * in the loaded files.
+ * If merge is TRUE, existing sections are extended, existing values
+ * replaced, by those found in the loaded files. If it is FALSE, existing
+ * sections are purged before reading the new config.
*
* @note If any of the files matching the pattern fails to load, no settings
* are added at all. So, it's all or nothing.
*
* @param pattern file pattern
+ * @param merge TRUE to merge config with existing values
* @return TRUE, if settings were loaded successfully
*/
- bool (*load_files)(settings_t *this, char *pattern);
+ bool (*load_files)(settings_t *this, char *pattern, bool merge);
/**
* Load settings from the files matching the given pattern.
*
- * Existing sections are extended, existing values replaced, by those found
- * in the loaded files.
+ * If merge is TRUE, existing sections are extended, existing values
+ * replaced, by those found in the loaded files. If it is FALSE, existing
+ * sections are purged before reading the new config.
*
* All settings are loaded relative to the given section. The section is
* created, if it does not yet exist.
@@ -285,11 +288,12 @@ struct settings_t {
* are added at all. So, it's all or nothing.
*
* @param pattern file pattern
+ * @param merge TRUE to merge config with existing values
* @param section section name of parent section, printf style
* @param ... argument list for section
* @return TRUE, if settings were loaded successfully
*/
- bool (*load_files_section)(settings_t *this, char *pattern,
+ bool (*load_files_section)(settings_t *this, char *pattern, bool merge,
char *section, ...);
/**
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index 3751bb749..fcc0019d8 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -205,6 +205,7 @@ static void *join(private_thread_t *this)
{
pthread_t thread_id;
void *val;
+
this->mutex->lock(this->mutex);
if (pthread_equal(this->thread_id, pthread_self()))
{
@@ -231,6 +232,7 @@ static void *join(private_thread_t *this)
this->mutex->unlock(this->mutex);
}
pthread_join(thread_id, &val);
+
return val;
}
@@ -240,6 +242,7 @@ static void *join(private_thread_t *this)
static private_thread_t *thread_create_internal()
{
private_thread_t *this = malloc_thing(private_thread_t);
+
this->public.cancel = (void(*)(thread_t*))cancel;
this->public.kill = (void(*)(thread_t*,int))_kill;
this->public.detach = (void(*)(thread_t*))detach;
@@ -281,11 +284,13 @@ static void thread_cleanup(private_thread_t *this)
static void *thread_main(private_thread_t *this)
{
void *res;
+
sem_wait(&this->created);
current_thread->set(current_thread, this);
pthread_cleanup_push((thread_cleanup_t)thread_cleanup, this);
res = this->main(this->arg);
pthread_cleanup_pop(TRUE);
+
return res;
}
@@ -295,6 +300,7 @@ static void *thread_main(private_thread_t *this)
thread_t *thread_create(thread_main_t main, void *arg)
{
private_thread_t *this = thread_create_internal();
+
this->main = main;
this->arg = arg;
if (pthread_create(&this->thread_id, NULL, (void*)thread_main, this) != 0)
@@ -308,6 +314,7 @@ thread_t *thread_create(thread_main_t main, void *arg)
this->id = next_id++;
id_mutex->unlock(id_mutex);
sem_post(&this->created);
+
return &this->public;
}
@@ -325,7 +332,8 @@ thread_t *thread_current()
u_int thread_current_id()
{
private_thread_t *this = (private_thread_t*)thread_current();
- return this->id;
+
+ return this ? this->id : 0;
}
/**
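Review bot: Returning 0 when thread_current() yields NULL is indistinguishable from the main thread, whose id is explicitly set to 0 in threads_init further down in this file's diff, so callers cannot tell "no thread registered yet" from "main thread". If that is intended, say so above the return, e.g. `/* no current thread (before threads_init) reports the main thread id 0 */`; otherwise a distinct sentinel would be clearer.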
@@ -335,6 +343,7 @@ void thread_cleanup_push(thread_cleanup_t cleanup, void *arg)
{
private_thread_t *this = (private_thread_t*)thread_current();
cleanup_handler_t *handler;
+
this->mutex->lock(this->mutex);
handler = malloc_thing(cleanup_handler_t);
handler->cleanup = cleanup;
@@ -350,6 +359,7 @@ void thread_cleanup_pop(bool execute)
{
private_thread_t *this = (private_thread_t*)thread_current();
cleanup_handler_t *handler;
+
this->mutex->lock(this->mutex);
if (this->cleanup_handlers->remove_last(this->cleanup_handlers,
(void**)&handler) != SUCCESS)
@@ -374,14 +384,18 @@ bool thread_cancelability(bool enable)
{
#ifdef HAVE_PTHREAD_CANCEL
int old;
+
pthread_setcancelstate(enable ? PTHREAD_CANCEL_ENABLE
: PTHREAD_CANCEL_DISABLE, &old);
+
return old == PTHREAD_CANCEL_ENABLE;
#else
sigset_t new, old;
+
sigemptyset(&new);
sigaddset(&new, SIG_CANCEL);
pthread_sigmask(enable ? SIG_UNBLOCK : SIG_BLOCK, &new, &old);
+
return sigismember(&old, SIG_CANCEL) == 0;
#endif /* HAVE_PTHREAD_CANCEL */
}
@@ -392,6 +406,7 @@ bool thread_cancelability(bool enable)
void thread_cancellation_point()
{
bool old = thread_cancelability(TRUE);
+
#ifdef HAVE_PTHREAD_CANCEL
pthread_testcancel();
#endif /* HAVE_PTHREAD_CANCEL */
@@ -412,6 +427,7 @@ void thread_exit(void *val)
void threads_init()
{
private_thread_t *main_thread = thread_create_internal();
+
main_thread->id = 0;
main_thread->thread_id = pthread_self();
current_thread = thread_value_create(NULL);
@@ -434,6 +450,7 @@ void threads_init()
void threads_deinit()
{
private_thread_t *main_thread = (private_thread_t*)thread_current();
+
main_thread->mutex->lock(main_thread->mutex);
thread_destroy(main_thread);
current_thread->destroy(current_thread);
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 2ab061a74..6ffb62aaf 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -102,6 +102,14 @@ void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
/**
* Described in header.
*/
+void memwipe_noinline(void *ptr, size_t n)
+{
+ memwipe_inline(ptr, n);
+}
+
+/**
+ * Described in header.
+ */
void *memstr(const void *haystack, const char *needle, size_t n)
{
unsigned const char *pos = haystack;
@@ -287,7 +295,7 @@ bool ref_put(refcount_t *ref)
bool more_refs;
pthread_mutex_lock(&ref_mutex);
- more_refs = --(*ref);
+ more_refs = --(*ref) > 0;
pthread_mutex_unlock(&ref_mutex);
return !more_refs;
}
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index ed61895ee..a334954ae 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -337,6 +337,51 @@ void *clalloc(void *pointer, size_t size);
void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
/**
+ * Safely overwrite n bytes of memory at ptr with zero, non-inlining variant.
+ */
+void memwipe_noinline(void *ptr, size_t n);
+
+/**
+ * Safely overwrite n bytes of memory at ptr with zero, inlining variant.
+ */
+static inline void memwipe_inline(void *ptr, size_t n)
+{
+ volatile char *c = (volatile char*)ptr;
+ int m, i;
+
+ /* byte wise until long aligned */
+ for (i = 0; (uintptr_t)&c % sizeof(long) && i < n; i++)
+ {
+ c[i] = 0;
+ }
+ /* word wize */
+ for (m = n - sizeof(long); i <= m; i += sizeof(long))
+ {
+ *(volatile long*)&c[i] = 0;
+ }
+ /* byte wise of the rest */
+ for (; i < n; i++)
+ {
+ c[i] = 0;
+ }
+}
+
+/**
+ * Safely overwrite n bytes of memory at ptr with zero, auto-inlining variant.
+ */
+static inline void memwipe(void *ptr, size_t n)
+{
+ if (__builtin_constant_p(n))
+ {
+ memwipe_inline(ptr, n);
+ }
+ else
+ {
+ memwipe_noinline(ptr, n);
+ }
+}
+
+/**
* A variant of strstr with the characteristics of memchr, where haystack is not
* a null-terminated string but simply a memory area of length n.
*/
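Review bot: The alignment prologue in memwipe_inline tests `(uintptr_t)&c`, the address of the local pointer variable, not the address of the buffer it points to, so the byte-wise loop never aligns the data and the word-wise loop can store a long at an unaligned address, which faults on strict-alignment targets; the condition should read `(uintptr_t)&c[i] % sizeof(long)`. The counters m and i are int while n is size_t, so `i < n` mixes signedness and `m = n - sizeof(long)` relies on implementation-defined narrowing to become negative when n is smaller than a long — it works on common targets but deserves a comment or an explicit `n >= sizeof(long)` guard around the word-wise loop. `uintptr_t` also needs `<stdint.h>` to be in scope, and the hunk does not show this header's includes.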
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index 41224e8c2..5744439f8 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -80,7 +80,7 @@ static void log_(private_backtrace_t *this, FILE *file, bool detailed)
}
if (info.dli_sname)
{
- fprintf(file, " \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%x) [%p]\n",
+ fprintf(file, " \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%tx) [%p]\n",
info.dli_fname, info.dli_fbase, info.dli_sname,
this->frames[i] - info.dli_saddr, this->frames[i]);
}
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index ffeebd05c..615d85c95 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -625,5 +625,6 @@ host_t *host_create_any(int family)
default:
break;
}
+ free(this);
return NULL;
}
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index fd2716deb..252cfa28e 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -64,32 +64,34 @@ typedef struct {
} x501rdn_t;
static const x501rdn_t x501rdns[] = {
- {"ND", OID_NAME_DISTINGUISHER, ASN1_PRINTABLESTRING},
- {"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING},
- {"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
- {"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING},
- {"S", OID_SURNAME, ASN1_PRINTABLESTRING},
- {"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
- {"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
- {"C", OID_COUNTRY, ASN1_PRINTABLESTRING},
- {"L", OID_LOCALITY, ASN1_PRINTABLESTRING},
- {"ST", OID_STATE_OR_PROVINCE, ASN1_PRINTABLESTRING},
- {"O", OID_ORGANIZATION, ASN1_PRINTABLESTRING},
- {"OU", OID_ORGANIZATION_UNIT, ASN1_PRINTABLESTRING},
- {"T", OID_TITLE, ASN1_PRINTABLESTRING},
- {"D", OID_DESCRIPTION, ASN1_PRINTABLESTRING},
- {"N", OID_NAME, ASN1_PRINTABLESTRING},
- {"G", OID_GIVEN_NAME, ASN1_PRINTABLESTRING},
- {"I", OID_INITIALS, ASN1_PRINTABLESTRING},
- {"ID", OID_UNIQUE_IDENTIFIER, ASN1_PRINTABLESTRING},
- {"EN", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING},
- {"employeeNumber", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING},
- {"E", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
- {"Email", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
- {"emailAddress", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
- {"UN", OID_UNSTRUCTURED_NAME, ASN1_IA5STRING},
- {"unstructuredName",OID_UNSTRUCTURED_NAME, ASN1_IA5STRING},
- {"TCGID", OID_TCGID, ASN1_PRINTABLESTRING}
+ {"ND", OID_NAME_DISTINGUISHER, ASN1_PRINTABLESTRING},
+ {"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING},
+ {"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
+ {"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING},
+ {"S", OID_SURNAME, ASN1_PRINTABLESTRING},
+ {"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
+ {"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
+ {"C", OID_COUNTRY, ASN1_PRINTABLESTRING},
+ {"L", OID_LOCALITY, ASN1_PRINTABLESTRING},
+ {"ST", OID_STATE_OR_PROVINCE, ASN1_PRINTABLESTRING},
+ {"O", OID_ORGANIZATION, ASN1_PRINTABLESTRING},
+ {"OU", OID_ORGANIZATION_UNIT, ASN1_PRINTABLESTRING},
+ {"T", OID_TITLE, ASN1_PRINTABLESTRING},
+ {"D", OID_DESCRIPTION, ASN1_PRINTABLESTRING},
+ {"N", OID_NAME, ASN1_PRINTABLESTRING},
+ {"G", OID_GIVEN_NAME, ASN1_PRINTABLESTRING},
+ {"I", OID_INITIALS, ASN1_PRINTABLESTRING},
+ {"ID", OID_UNIQUE_IDENTIFIER, ASN1_PRINTABLESTRING},
+ {"EN", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING},
+ {"employeeNumber", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING},
+ {"E", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
+ {"Email", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
+ {"emailAddress", OID_EMAIL_ADDRESS, ASN1_IA5STRING},
+ {"UN", OID_UNSTRUCTURED_NAME, ASN1_IA5STRING},
+ {"unstructuredName", OID_UNSTRUCTURED_NAME, ASN1_IA5STRING},
+ {"UA", OID_UNSTRUCTURED_ADDRESS, ASN1_PRINTABLESTRING},
+ {"unstructuredAddress", OID_UNSTRUCTURED_ADDRESS, ASN1_PRINTABLESTRING},
+ {"TCGID", OID_TCGID, ASN1_PRINTABLESTRING}
};
/**
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 52e92951b..39505d3f3 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -165,6 +165,7 @@ char *whitelist[] = {
"__gmtime_r",
"localtime_r",
"tzset",
+ "time_printf_hook",
"inet_ntoa",
"strerror",
"getprotobyname",
@@ -190,6 +191,7 @@ char *whitelist[] = {
"dlopen",
"dlerror",
"dlclose",
+ "dlsym",
/* mysql functions */
"mysql_init_character_set",
"init_client_errs",
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
index 4aa8ea6ca..9b37359dc 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/utils/linked_list.c
@@ -289,6 +289,7 @@ static void insert_before(private_iterator_t * iterator, void *item)
if (iterator->current == NULL)
{
iterator->list->public.insert_first(&(iterator->list->public), item);
+ return;
}
element_t *element = element_create(item);
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 93e8b4a9b..5a1aa81c0 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -216,6 +216,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -239,6 +241,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 20141f235..ea527b122 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -73,7 +73,11 @@ ENUM_NEXT(tls_extension_names,
TLS_EXT_SIGNATURE_ALGORITHMS, TLS_EXT_SIGNATURE_ALGORITHMS,
TLS_EXT_EC_POINT_FORMATS,
"signature algorithms");
-ENUM_END(tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
+ENUM_NEXT(tls_extension_names,
+ TLS_EXT_RENEGOTIATION_INFO, TLS_EXT_RENEGOTIATION_INFO,
+ TLS_EXT_SIGNATURE_ALGORITHMS,
+ "renegotiation info");
+ENUM_END(tls_extension_names, TLS_EXT_RENEGOTIATION_INFO);
/**
* TLS record
@@ -433,6 +437,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
{
case TLS_PURPOSE_EAP_TLS:
case TLS_PURPOSE_EAP_TTLS:
+ case TLS_PURPOSE_EAP_PEAP:
case TLS_PURPOSE_GENERIC:
break;
default:
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index e2c377ad3..54b0621b5 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -96,6 +96,8 @@ enum tls_purpose_t {
TLS_PURPOSE_EAP_TLS,
/** outer authentication and protection in EAP-TTLS */
TLS_PURPOSE_EAP_TTLS,
+ /** outer authentication and protection in EAP-PEAP */
+ TLS_PURPOSE_EAP_PEAP,
/** non-EAP TLS */
TLS_PURPOSE_GENERIC,
/** EAP binding for TNC */
@@ -124,6 +126,12 @@ enum tls_extension_t {
TLS_EXT_EC_POINT_FORMATS = 11,
/** list supported signature algorithms */
TLS_EXT_SIGNATURE_ALGORITHMS = 13,
+ /** cryptographic binding for RFC 5746 renegotiation indication */
+ TLS_EXT_RENEGOTIATION_INFO = 65281,
+};
+
+enum tls_name_type_t {
+ TLS_NAME_TYPE_HOST_NAME = 0,
};
/**
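Review bot: The new `enum tls_name_type_t` carries no doc comment, while every neighbouring enumerator in this header is documented with `/** */`. A header such as `/** Name types of the Server Name Indication extension, RFC 6066 section 3 */` above the enum and `/** DNS host name */` on `TLS_NAME_TYPE_HOST_NAME` would keep the header consistent with the rest of the file.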
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index b4eaf4d79..b000f9d47 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -1659,6 +1659,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
switch (tls->get_purpose(tls))
{
case TLS_PURPOSE_EAP_TLS:
+ case TLS_PURPOSE_EAP_PEAP:
/* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
this->msk_label = "client EAP encryption";
build_cipher_suite_list(this, FALSE);
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 8204a3441..685904fdf 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -1,3 +1,4 @@
+
/*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
@@ -41,6 +42,11 @@ struct private_tls_eap_t {
eap_type_t type;
/**
+ * Current value of EAP identifier
+ */
+ u_int8_t identifier;
+
+ /**
* TLS stack
*/
tls_t *tls;
@@ -51,6 +57,13 @@ struct private_tls_eap_t {
bool is_server;
/**
+ * If FALSE include the total length of an EAP message
+ * in the first fragment of fragmented messages only.
+ * If TRUE also include the length in non-fragmented messages.
+ */
+ bool include_length;
+
+ /**
* First fragment of a multi-fragment record?
*/
bool first_fragment;
@@ -75,14 +88,15 @@ struct private_tls_eap_t {
* Flags of an EAP-TLS/TTLS/TNC message
*/
typedef enum {
- EAP_TLS_LENGTH = (1<<7), /* shared with EAP-TTLS/TNC */
- EAP_TLS_MORE_FRAGS = (1<<6), /* shared with EAP-TTLS/TNC */
- EAP_TLS_START = (1<<5), /* shared with EAP-TTLS/TNC */
- EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC */
+ EAP_TLS_LENGTH = (1<<7), /* shared with EAP-TTLS/TNC/PEAP */
+ EAP_TLS_MORE_FRAGS = (1<<6), /* shared with EAP-TTLS/TNC/PEAP */
+ EAP_TLS_START = (1<<5), /* shared with EAP-TTLS/TNC/PEAP */
+ EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC/PEAP */
} eap_tls_flags_t;
#define EAP_TTLS_SUPPORTED_VERSION 0
#define EAP_TNC_SUPPORTED_VERSION 1
+#define EAP_PEAP_SUPPORTED_VERSION 0
/**
* EAP-TLS/TTLS packet format
@@ -113,18 +127,19 @@ METHOD(tls_eap_t, initiate, status_t,
case EAP_TNC:
pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
break;
+ case EAP_PEAP:
+ pkt.flags |= EAP_PEAP_SUPPORTED_VERSION;
+ break;
default:
break;
}
htoun16(&pkt.length, sizeof(eap_tls_packet_t));
- do
- { /* start with non-zero random identifier */
- pkt.identifier = random();
- }
- while (!pkt.identifier);
+ pkt.identifier = this->identifier;
- DBG2(DBG_IKE, "sending %N start packet", eap_type_names, this->type);
*out = chunk_clone(chunk_from_thing(pkt));
+ DBG2(DBG_TLS, "sending %N start packet (%u bytes)",
+ eap_type_names, this->type, sizeof(eap_tls_packet_t));
+ DBG3(DBG_TLS, "%B", out);
return NEED_MORE;
}
return FAILED;
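Review bot: The added `DBG2` in initiate passes `sizeof(eap_tls_packet_t)`, a `size_t`, for a `%u` conversion, which is the same size_t/int mismatch this commit fixes elsewhere with `%zu` (alg_info.c) and an explicit cast (openac.c). Cast it, `eap_type_names, this->type, (unsigned)sizeof(eap_tls_packet_t));`, or use `%zu` if the DBG printf backend supports it. initiate's body starts outside this hunk.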
@@ -163,8 +178,7 @@ static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
/**
* Build a packet to send
*/
-static status_t build_pkt(private_tls_eap_t *this,
- u_int8_t identifier, chunk_t *out)
+static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
{
char buf[this->frag_size];
eap_tls_packet_t *pkt;
@@ -172,9 +186,13 @@ static status_t build_pkt(private_tls_eap_t *this,
status_t status;
char *kind;
+ if (this->is_server)
+ {
+ this->identifier++;
+ }
pkt = (eap_tls_packet_t*)buf;
pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE;
- pkt->identifier = this->is_server ? identifier + 1 : identifier;
+ pkt->identifier = this->identifier;
pkt->type = this->type;
pkt->flags = 0;
@@ -186,13 +204,15 @@ static status_t build_pkt(private_tls_eap_t *this,
case EAP_TNC:
pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
break;
+ case EAP_PEAP:
+ pkt->flags |= EAP_PEAP_SUPPORTED_VERSION;
+ break;
default:
break;
}
if (this->first_fragment)
{
- pkt->flags |= EAP_TLS_LENGTH;
len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
sizeof(u_int32_t), &len, &reclen);
@@ -210,13 +230,21 @@ static status_t build_pkt(private_tls_eap_t *this,
kind = "further fragment";
if (this->first_fragment)
{
+ pkt->flags |= EAP_TLS_LENGTH;
this->first_fragment = FALSE;
kind = "first fragment";
}
break;
case ALREADY_DONE:
- kind = "packet";
- if (!this->first_fragment)
+ if (this->first_fragment)
+ {
+ if (this->include_length)
+ {
+ pkt->flags |= EAP_TLS_LENGTH;
+ }
+ kind = "packet";
+ }
+ else
{
this->first_fragment = TRUE;
kind = "final fragment";
@@ -225,39 +253,58 @@ static status_t build_pkt(private_tls_eap_t *this,
default:
return status;
}
- DBG2(DBG_TLS, "sending %N %s (%u bytes)",
- eap_type_names, this->type, kind, len);
if (reclen)
{
- htoun32(pkt + 1, reclen);
- len += sizeof(u_int32_t);
- pkt->flags |= EAP_TLS_LENGTH;
+ if (pkt->flags & EAP_TLS_LENGTH)
+ {
+ htoun32(pkt + 1, reclen);
+ len += sizeof(u_int32_t);
+ pkt->flags |= EAP_TLS_LENGTH;
+ }
+ else
+ {
+ /* get rid of the reserved length field */
+ memcpy(buf+sizeof(eap_packet_t),
+ buf+sizeof(eap_packet_t)+sizeof(u_int32_t), len);
+ }
}
len += sizeof(eap_tls_packet_t);
htoun16(&pkt->length, len);
*out = chunk_clone(chunk_create(buf, len));
+ DBG2(DBG_TLS, "sending %N %s (%u bytes)",
+ eap_type_names, this->type, kind, len);
+ DBG3(DBG_TLS, "%B", out);
return NEED_MORE;
}
/**
* Send an ack to request next fragment
*/
-static chunk_t create_ack(private_tls_eap_t *this, u_int8_t identifier)
+static chunk_t create_ack(private_tls_eap_t *this)
{
eap_tls_packet_t pkt = {
.code = this->is_server ? EAP_REQUEST : EAP_RESPONSE,
- .identifier = this->is_server ? identifier + 1 : identifier,
.type = this->type,
};
+
+ if (this->is_server)
+ {
+ this->identifier++;
+ }
+ pkt.identifier = this->identifier;
htoun16(&pkt.length, sizeof(pkt));
+
switch (this->type)
{
case EAP_TTLS:
pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
- break;
+ break;
case EAP_TNC:
pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
break;
+ case EAP_PEAP:
+ pkt.flags |= EAP_PEAP_SUPPORTED_VERSION;
+ break;
default:
break;
}
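Review bot: The new `memcpy` that drops the reserved length field copies between overlapping regions (the source is the destination plus four bytes), which is undefined for memcpy; it should be `memmove`. It also uses `sizeof(eap_packet_t)` as the header offset, whereas the TLS data was placed at `buf + sizeof(eap_tls_packet_t) + sizeof(u_int32_t)` earlier in build_pkt, so the move is only correct while the two structs happen to have the same size; `memmove(buf + sizeof(eap_tls_packet_t), buf + sizeof(eap_tls_packet_t) + sizeof(u_int32_t), len);` uses the offset the data was written at. The `pkt->flags |= EAP_TLS_LENGTH;` inside the `if (pkt->flags & EAP_TLS_LENGTH)` branch is redundant and can go. build_pkt starts outside this hunk and create_ack continues past it.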
@@ -274,23 +321,30 @@ METHOD(tls_eap_t, process, status_t,
if (++this->processed > this->max_msg_count)
{
- DBG1(DBG_IKE, "%N packet count exceeded (%d > %d)",
+ DBG1(DBG_TLS, "%N packet count exceeded (%d > %d)",
eap_type_names, this->type,
this->processed, this->max_msg_count);
return FAILED;
}
pkt = (eap_tls_packet_t*)in.ptr;
- if (in.len < sizeof(eap_tls_packet_t) ||
- untoh16(&pkt->length) != in.len)
+ if (in.len < sizeof(eap_tls_packet_t) || untoh16(&pkt->length) != in.len)
{
- DBG1(DBG_IKE, "invalid %N packet length",
- eap_type_names, this->type);
+ DBG1(DBG_TLS, "invalid %N packet length", eap_type_names, this->type);
return FAILED;
}
+
+ /* update EAP identifier */
+ if (!this->is_server)
+ {
+ this->identifier = pkt->identifier;
+ }
+ DBG3(DBG_TLS, "%N payload %B", eap_type_names, this->type, &in);
+
if (pkt->flags & EAP_TLS_START)
{
- if (this->type == EAP_TTLS || this->type == EAP_TNC)
+ if (this->type == EAP_TTLS || this->type == EAP_TNC ||
+ this->type == EAP_PEAP)
{
DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
pkt->flags & EAP_TTLS_VERSION);
@@ -302,7 +356,7 @@ METHOD(tls_eap_t, process, status_t,
{
DBG2(DBG_TLS, "received %N acknowledgement packet",
eap_type_names, this->type);
- status = build_pkt(this, pkt->identifier, out);
+ status = build_pkt(this, out);
if (status == INVALID_STATE && this->tls->is_complete(this->tls))
{
return SUCCESS;
@@ -320,16 +374,16 @@ METHOD(tls_eap_t, process, status_t,
return status;
}
}
- status = build_pkt(this, pkt->identifier, out);
+ status = build_pkt(this, out);
switch (status)
{
case INVALID_STATE:
- *out = create_ack(this, pkt->identifier);
+ *out = create_ack(this);
return NEED_MORE;
case FAILED:
if (!this->is_server)
{
- *out = create_ack(this, pkt->identifier);
+ *out = create_ack(this);
return NEED_MORE;
}
return FAILED;
@@ -344,6 +398,18 @@ METHOD(tls_eap_t, get_msk, chunk_t,
return this->tls->get_eap_msk(this->tls);
}
+METHOD(tls_eap_t, get_identifier, u_int8_t,
+ private_tls_eap_t *this)
+{
+ return this->identifier;
+}
+
+METHOD(tls_eap_t, set_identifier, void,
+ private_tls_eap_t *this, u_int8_t identifier)
+{
+ this->identifier = identifier;
+}
+
METHOD(tls_eap_t, destroy, void,
private_tls_eap_t *this)
{
@@ -355,7 +421,7 @@ METHOD(tls_eap_t, destroy, void,
* See header
*/
tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
- int max_msg_count)
+ int max_msg_count, bool include_length)
{
private_tls_eap_t *this;
@@ -369,6 +435,8 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
.initiate = _initiate,
.process = _process,
.get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
.destroy = _destroy,
},
.type = type,
@@ -376,8 +444,18 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
.first_fragment = TRUE,
.frag_size = frag_size,
.max_msg_count = max_msg_count,
+ .include_length = include_length,
.tls = tls,
);
+ if (this->is_server)
+ {
+ do
+ { /* start with non-zero random identifier */
+ this->identifier = random();
+ }
+ while (!this->identifier);
+ }
+
return &this->public;
}
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
index ebda2636d..c7da832cb 100644
--- a/src/libtls/tls_eap.h
+++ b/src/libtls/tls_eap.h
@@ -62,6 +62,21 @@ struct tls_eap_t {
chunk_t (*get_msk)(tls_eap_t *this);
/**
+ * Get the current EAP identifier.
+ *
+ * @return identifier
+ */
+ u_int8_t (*get_identifier)(tls_eap_t *this);
+
+ /**
+ * Set the EAP identifier to a deterministic value, overwriting
+ * the randomly initialized default value.
+ *
+ * @param identifier EAP identifier
+ */
+ void (*set_identifier) (tls_eap_t *this, u_int8_t identifier);
+
+ /**
* Destroy a tls_eap_t.
*/
void (*destroy)(tls_eap_t *this);
@@ -74,8 +89,9 @@ struct tls_eap_t {
* @param tls TLS implementation
* @param frag_size maximum size of a TLS fragment we send
* @param max_msg_count maximum number of processed messages
+ * @param include_length if TRUE include length in non-fragmented packets
*/
tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
- int max_msg_count);
+ int max_msg_count, bool include_length);
#endif /** TLS_EAP_H_ @}*/
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index c1fd33eea..621f1729d 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -502,8 +502,6 @@ static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
{
DBG1(DBG_TLS, "server requested a certificate, but client "
"authentication disabled");
- this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
- return NEED_MORE;
}
this->crypto->append_handshake(this->crypto,
TLS_CERTIFICATE_REQUEST, reader->peek(reader));
@@ -541,19 +539,22 @@ static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
authorities->destroy(authorities);
return NEED_MORE;
}
- id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
- cert = lib->credmgr->get_cert(lib->credmgr,
- CERT_X509, KEY_ANY, id, TRUE);
- if (cert)
- {
- DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
- this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
- }
- else
+ if (this->peer)
{
- DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
+ id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
+ cert = lib->credmgr->get_cert(lib->credmgr,
+ CERT_X509, KEY_ANY, id, TRUE);
+ if (cert)
+ {
+ DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
+ this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
+ }
+ else
+ {
+ DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
+ }
+ id->destroy(id);
}
- id->destroy(id);
}
authorities->destroy(authorities);
this->state = STATE_CERTREQ_RECEIVED;
@@ -738,6 +739,20 @@ static status_t send_client_hello(private_tls_peer_t *this,
extensions->write_uint8(extensions, 1);
extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
}
+ if (this->server->get_type(this->server) == ID_FQDN)
+ {
+ tls_writer_t *names;
+
+ DBG2(DBG_TLS, "sending Server Name Indication for '%Y'", this->server);
+
+ names = tls_writer_create(8);
+ names->write_uint8(names, TLS_NAME_TYPE_HOST_NAME);
+ names->write_data16(names, this->server->get_encoding(this->server));
+ names->wrap16(names);
+ extensions->write_uint16(extensions, TLS_EXT_SERVER_NAME);
+ extensions->write_data16(extensions, names->get_buf(names));
+ names->destroy(names);
+ }
writer->write_data16(writer, extensions->get_buf(extensions));
extensions->destroy(extensions);
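Review bot: The Server Name Indication block has no reference comment; `/* Server Name Indication, RFC 6066 section 3: a single host_name entry */` above the `if` would let a reader map the writer calls (name type, 16-bit length, outer 16-bit list length) to the wire format. The block is only correct together with the `wrap16` fix in tls_writer.c from this same commit, which previously moved only two bytes. send_client_hello starts outside this hunk.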
@@ -802,39 +817,42 @@ static status_t send_certificate(private_tls_peer_t *this,
this->private = find_private_key(this);
if (!this->private)
{
- DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer);
- this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
- return NEED_MORE;
+ DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
+ "skipping client authentication", this->peer);
+ this->peer = NULL;
}
/* generate certificate payload */
certs = tls_writer_create(256);
- cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
- if (cert)
- {
- if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
- {
- DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
- cert->get_subject(cert));
- certs->write_data24(certs, data);
- free(data.ptr);
- }
- }
- enumerator = this->peer_auth->create_enumerator(this->peer_auth);
- while (enumerator->enumerate(enumerator, &rule, &cert))
+ if (this->peer)
{
- if (rule == AUTH_RULE_IM_CERT)
+ cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
+ if (cert)
{
if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
{
- DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
+ DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
cert->get_subject(cert));
certs->write_data24(certs, data);
free(data.ptr);
}
}
+ enumerator = this->peer_auth->create_enumerator(this->peer_auth);
+ while (enumerator->enumerate(enumerator, &rule, &cert))
+ {
+ if (rule == AUTH_RULE_IM_CERT)
+ {
+ if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+ {
+ DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
+ cert->get_subject(cert));
+ certs->write_data24(certs, data);
+ free(data.ptr);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
}
- enumerator->destroy(enumerator);
writer->write_data24(writer, certs->get_buf(certs));
certs->destroy(certs);
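Review bot: When `find_private_key` fails, the new code clears `this->peer` and sends an empty certificate list, but `this->private` stays NULL; unless the CertificateVerify sender (outside this hunk) already skips on `!this->private`, it would now reach a NULL key where the old code aborted the handshake with TLS_INTERNAL_ERROR. Worth confirming, and a comment at the fallback such as `/* continue without client authentication; the server decides whether an empty certificate list is acceptable */` would make the changed failure mode explicit. send_certificate starts outside this hunk.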
diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c
index e87c2efea..57c60fdaf 100644
--- a/src/libtls/tls_writer.c
+++ b/src/libtls/tls_writer.c
@@ -143,7 +143,7 @@ METHOD(tls_writer_t, wrap8, void,
{
increase(this);
}
- memmove(this->buf.ptr + 1, this->buf.ptr, 1);
+ memmove(this->buf.ptr + 1, this->buf.ptr, this->used);
this->buf.ptr[0] = this->used;
this->used += 1;
}
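Review bot: `wrap8` now moves the whole buffer but still stores `this->used` into a single byte with no check that it fits, so a payload above 255 bytes is silently prefixed with a truncated length; `wrap16` and `wrap24` in the following hunks have the same gap at 65535 and 2^24-1 bytes. As the methods return void, at least document the precondition, e.g. `/* caller must ensure this->used fits the 8-bit length prefix */`, or add a debug assertion if the library has one.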
@@ -155,7 +155,7 @@ METHOD(tls_writer_t, wrap16, void,
{
increase(this);
}
- memmove(this->buf.ptr + 2, this->buf.ptr, 2);
+ memmove(this->buf.ptr + 2, this->buf.ptr, this->used);
htoun16(this->buf.ptr, this->used);
this->used += 2;
}
@@ -169,7 +169,7 @@ METHOD(tls_writer_t, wrap24, void,
{
increase(this);
}
- memmove(this->buf.ptr + 3, this->buf.ptr, 3);
+ memmove(this->buf.ptr + 3, this->buf.ptr, this->used);
len = htonl(this->used);
memcpy(this->buf.ptr, ((char*)&len) + 1, 3);
@@ -183,7 +183,7 @@ METHOD(tls_writer_t, wrap32, void,
{
increase(this);
}
- memmove(this->buf.ptr + 4, this->buf.ptr, 4);
+ memmove(this->buf.ptr + 4, this->buf.ptr, this->used);
htoun32(this->buf.ptr, this->used);
this->used += 4;
}
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 2e139f839..4b9c0ebae 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -257,6 +257,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -280,6 +282,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 9c9662f7f..99a8cc135 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -247,6 +247,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -270,6 +272,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index ec4657e55..54544b665 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -241,6 +241,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -264,6 +266,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 5de8f5b7c..745988750 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -39,8 +39,8 @@
#include <credentials/sets/mem_cred.h>
#include <utils/optionsfrom.h>
-#define OPENAC_PATH IPSEC_CONFDIR "/openac"
-#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
+#define OPENAC_PATH IPSEC_CONFDIR "/openac"
+#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
#define DEFAULT_VALIDITY 24*3600 /* seconds */
@@ -133,7 +133,7 @@ static void write_serial(chunk_t serial)
DBG1(DBG_LIB, " serial number is %#B", &serial);
hex_serial = chunk_to_hex(serial, NULL, FALSE);
- fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
+ fprintf(fd, "%.*s\n", (int)hex_serial.len, hex_serial.ptr);
fclose(fd);
free(hex_serial.ptr);
}
@@ -300,6 +300,7 @@ int main(int argc, char **argv)
if (*optarg == '/') /* absolute pathname */
{
strncpy(path, optarg, BUF_LEN);
+ path[BUF_LEN-1] = '\0';
}
else /* relative pathname */
{
@@ -326,7 +327,7 @@ int main(int argc, char **argv)
continue;
case 'p': /* --key */
- if (strlen(optarg) > BUF_LEN)
+ if (strlen(optarg) >= BUF_LEN)
{
usage("passphrase too long");
goto end;
@@ -490,7 +491,8 @@ int main(int argc, char **argv)
notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
/* build and parse attribute certificate */
- if (userCert != NULL && signerCert != NULL && signerKey != NULL)
+ if (userCert != NULL && signerCert != NULL && signerKey != NULL &&
+ outfile != NULL)
{
/* read the serial number and increment it by one */
serial = read_serial();
@@ -522,7 +524,7 @@ int main(int argc, char **argv)
}
else
{
- usage("some of the mandatory parameters --usercert --cert --key "
+ usage("some of the mandatory parameters --usercert --cert --key --out "
"are missing");
}
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index c6651fdf5..b29174680 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -218,6 +218,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -241,6 +243,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index d1ca45e1a..087a97b3e 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -85,7 +85,8 @@ static int req()
case 'f':
if (!get_form(arg, &form, CRED_CERTIFICATE))
{
- return command_usage("invalid output format");
+ error = "invalid output format";
+ goto usage;
}
continue;
case EOF:
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 4b1c12e5c..9a21bd99c 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -238,7 +238,8 @@ static int sign_crl()
}
else
{
- return command_usage( "invalid revocation reason");
+ error = "invalid revocation reason";
+ goto usage;
}
continue;
case 'd':
@@ -252,7 +253,8 @@ static int sign_crl()
case 'f':
if (!get_form(arg, &form, CRED_CERTIFICATE))
{
- return command_usage("invalid output format");
+ error = "invalid output format";
+ goto usage;
}
continue;
case EOF:
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 1428854ee..92e66db17 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -325,6 +325,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -348,6 +350,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/pluto/adns.c b/src/pluto/adns.c
index 95e22b96f..5d6979447 100644
--- a/src/pluto/adns.c
+++ b/src/pluto/adns.c
@@ -224,6 +224,7 @@ worker(int qfd, int afd)
a.amagic = ADNS_A_MAGIC;
a.serial = q.serial;
+ a.continuation = NULL;
a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
a.h_errno_val = h_errno;
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index d06e09007..fe27c10b2 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -539,7 +539,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
buflen -= np;
if (esp_info->esp_ealg_keylen)
{
- np = snprintf(ptr, buflen, "_%u", esp_info->esp_ealg_keylen);
+ np = snprintf(ptr, buflen, "_%zu", esp_info->esp_ealg_keylen);
ptr += np;
buflen -= np;
}
@@ -571,7 +571,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
buflen -= np;
if (ike_info->ike_eklen)
{
- np = snprintf(ptr, buflen, "_%u", ike_info->ike_eklen);
+ np = snprintf(ptr, buflen, "_%zu", ike_info->ike_eklen);
ptr += np;
buflen -= np;
}
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 9f277e135..2194362d2 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -673,7 +673,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
}
else if (subnetisnone(&this->client))
{
- strcpy(client, "?");
+ strncpy(client, "?", sizeof(client));
}
else
{
@@ -685,7 +685,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
/* we are mode config client, or a server with a pool */
client_sep = "===";
client[0] = '%';
- strcpy(client+1, this->pool ? this->pool : "modecfg");
+ strncpy(client+1, this->pool ?: "modecfg", sizeof(client)-1);
}
/* host */
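Review bot: The replacement `strncpy(client+1, ..., sizeof(client)-1)` no longer overflows, but a pool name of `sizeof(client)-1` bytes or more leaves `client` without a terminating NUL, and the string is passed on to formatting below; add `client[sizeof(client)-1] = '\0';` after the copy, as the openac.c hunk in this commit does after its strncpy. The `?:` shorthand is a GNU extension, acceptable if the build already assumes GCC. format_end starts outside this hunk.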
@@ -1443,11 +1443,11 @@ static connection_t *instantiate(connection_t *c, const ip_address *him,
connect_to_host_pair(d);
- return d;
if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
{
d->spd.this.host_nexthop = *him;
}
+ return d;
}
connection_t *rw_instantiate(connection_t *c, const ip_address *him,
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 1c9c9a8cc..38db0f2fd 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -163,7 +163,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
{
/* keep any known CRL distribution points */
add_distribution_points(x509crl->distributionPoints,
- oldcrl->distributionPoints);
+ oldcrl->distributionPoints);
/* now delete the old CRL */
free_first_crl();
@@ -199,7 +199,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
chunk_t hex, encoding;
hex = chunk_to_hex(crl->get_authKeyIdentifier(crl), NULL, FALSE);
- snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex);
+ snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex.ptr);
free(hex.ptr);
if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
@@ -425,7 +425,8 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
lock_authcert_list("verify_by_crl");
issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
- trusted = cert_crl->issued_by(cert_crl, issuer_cert->cert);
+ trusted = issuer_cert ? cert_crl->issued_by(cert_crl, issuer_cert->cert)
+ : FALSE;
unlock_authcert_list("verify_by_crl");
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 249e645ed..294601295 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -770,7 +770,7 @@ check_msg_errqueue(const struct iface *ifp, short interest)
/* note dirty trick to suppress ~ at start of format
* if we know what state to blame.
*/
- if ((packet_len == 1) && (buffer[0] = 0xff)
+ if ((packet_len == 1) && (buffer[0] == 0xff)
#ifdef DEBUG
&& ((cur_debugging & DBG_NATT) == 0)
#endif
@@ -966,7 +966,9 @@ malloc_md(void)
* - .note = NOTHING_WRONG
* - .encrypted = FALSE
*/
- static const struct msg_digest blank_md;
+ static const struct msg_digest blank_md = {
+ .next = NULL,
+ };
if (md == NULL)
{
@@ -1142,13 +1144,14 @@ read_packet(struct msg_digest *md)
, ifp->rname
, ip_str(&md->sender), (unsigned)md->sender_port));
}
-
+ free(buffer);
return FALSE;
}
else if (from_ugh != NULL)
{
plog("recvfrom on %s returned malformed source sockaddr: %s"
, ifp->rname, from_ugh);
+ free(buffer);
return FALSE;
}
cur_from = &md->sender;
@@ -1162,6 +1165,7 @@ read_packet(struct msg_digest *md)
{
plog("recvfrom %s:%u too small packet (%d)"
, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
+ free(buffer);
return FALSE;
}
memcpy(&non_esp, buffer, sizeof(u_int32_t));
@@ -1169,6 +1173,7 @@ read_packet(struct msg_digest *md)
{
plog("recvfrom %s:%u has no Non-ESP marker"
, ip_str(cur_from), (unsigned) cur_from_port);
+ free(buffer);
return FALSE;
}
packet_len -= sizeof(u_int32_t);
@@ -1661,7 +1666,7 @@ process_packet(struct msg_digest **mdp)
* Look up the appropriate microcode based on state and
* possibly Oakley Auth type.
*/
- passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
+ passert(STATE_IKE_FLOOR <= from_state && from_state < STATE_IKE_ROOF);
smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
if (st != NULL)
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index 1d2d13371..3dfc1386f 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -309,8 +309,9 @@ static char* complete_uri(char *distPoint, const char *ldaphost)
char uri[BUF_LEN];
/* insert the ldaphost into the uri */
- snprintf(uri, BUF_LEN, "%.*s%s%.*s", strlen(distPoint)-len,
- distPoint, ldaphost, len, symbol);
+ snprintf(uri, BUF_LEN, "%.*s%s%.*s",
+ (int)strlen(distPoint) - len, distPoint, ldaphost,
+ len, symbol);
return strdup(uri);
}
}
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index a36b5ce4e..3061630e0 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -149,7 +149,6 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
struct alg_info_ike *ai = c->alg_info_ike;
struct db_context *db_ctx = NULL;
struct ike_info *ike_info;
- struct encrypt_desc *enc_desc;
u_int ealg, halg, modp, eklen = 0;
int i;
@@ -191,7 +190,6 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
enum_show(&oakley_group_names, modp));
continue;
}
- enc_desc = ike_alg_get_crypter(ealg);
if (policy & POLICY_PUBKEY)
{
@@ -312,7 +310,7 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
{
char alg_name[BUF_LEN];
int alg_name_len;
-
+
alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type),
plugin_name);
if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 7ec547b0c..c8a347b45 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -104,6 +104,14 @@
#define RETURN_STF_FAILURE(f) \
{ int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; }
+/* The endpoint(s) for which an SA is getting installed, so keying material
+ * can be properly wiped.
+ */
+enum endpoint {
+ EP_LOCAL = 1,
+ EP_REMOTE = 1 << 1,
+};
+
/* create output HDR as replica of input HDR */
void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
{
@@ -2196,9 +2204,9 @@ static void decode_cert(struct msg_digest *md)
cert_t x509cert = cert_empty;
x509cert.cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, blob,
- BUILD_END);
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, blob,
+ BUILD_END);
if (x509cert.cert)
{
if (verify_x509cert(&x509cert, strict_crl_policy, &valid_until))
@@ -2741,13 +2749,59 @@ static bool has_preloaded_public_key(struct state *st)
return FALSE;
}
+/* Compute keying material for an SA
+ */
+static void compute_keymat_internal(struct state *st, u_int8_t protoid,
+ ipsec_spi_t spi, size_t needed_len,
+ u_char **keymat_out)
+{
+ size_t i = 0, prf_block_size, needed_space;
+ chunk_t protoid_chunk = chunk_from_thing(protoid);
+ chunk_t spi_chunk = chunk_from_thing(spi);
+ pseudo_random_function_t prf_alg = oakley_to_prf(st->st_oakley.hash);
+ prf_t *prf = lib->crypto->create_prf(lib->crypto, prf_alg);
+
+ prf->set_key(prf, st->st_skeyid_d);
+ prf_block_size = prf->get_block_size(prf);
+
+ /* Although only needed_len bytes are desired, we must round up to a
+ * multiple of prf_block_size so that the buffer isn't overrun */
+ needed_space = needed_len + pad_up(needed_len, prf_block_size);
+ replace(*keymat_out, malloc(needed_space));
+
+ for (;;)
+ {
+ char *keymat_i = (*keymat_out) + i;
+ chunk_t keymat = { keymat_i, prf_block_size };
+
+ if (st->st_shared.ptr != NULL)
+ { /* PFS: include the g^xy */
+ prf->get_bytes(prf, st->st_shared, NULL);
+ }
+ prf->get_bytes(prf, protoid_chunk, NULL);
+ prf->get_bytes(prf, spi_chunk, NULL);
+ prf->get_bytes(prf, st->st_ni, NULL);
+ prf->get_bytes(prf, st->st_nr, keymat_i);
+
+ i += prf_block_size;
+ if (i >= needed_space)
+ {
+ break;
+ }
+
+ /* more keying material needed: prepare to go around again */
+ prf->get_bytes(prf, keymat, NULL);
+ }
+ prf->destroy(prf);
+}
+
/*
* Produce the new key material of Quick Mode.
* RFC 2409 "IKE" section 5.5
* specifies how this is to be done.
*/
static void compute_proto_keymat(struct state *st, u_int8_t protoid,
- struct ipsec_proto_info *pi)
+ struct ipsec_proto_info *pi, enum endpoint ep)
{
size_t needed_len = 0; /* bytes of keying material needed */
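Review bot: `compute_keymat_internal` calls `prf->set_key` without checking that `create_prf` returned a PRF, so an unavailable PRF algorithm would dereference NULL rather than fail; the replaced code had the same gap, but this rewrite is the place to close it, e.g. `passert(prf != NULL);` before `set_key`, or an error path if the caller can carry one. The header comment should also state what the function guarantees: `*keymat_out` is replaced with a freshly allocated buffer of `needed_len` rounded up to the PRF block size, derived per RFC 2409 section 5.5 from SKEYID_d, optional g^xy, protocol id, SPI, Ni and Nr. compute_proto_keymat continues past this hunk.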
@@ -2833,82 +2887,57 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
pi->keymat_len = needed_len;
- /* Allocate space for the keying material. Although only needed_len bytes
- * are desired, we must round up to a multiple of hash_size
- * so that our buffer isn't overrun.
- */
+ if (ep & EP_LOCAL)
{
- size_t needed_space; /* space needed for keying material (rounded up) */
- size_t i, prf_block_size;
- chunk_t protoid_chunk = chunk_from_thing(protoid);
- chunk_t spi_our = chunk_from_thing(pi->our_spi);
- chunk_t spi_peer = chunk_from_thing(pi->attrs.spi);
- pseudo_random_function_t prf_alg;
- prf_t *prf_our, *prf_peer;
-
- prf_alg = oakley_to_prf(st->st_oakley.hash);
- prf_our = lib->crypto->create_prf(lib->crypto, prf_alg);
- prf_peer = lib->crypto->create_prf(lib->crypto, prf_alg);
- prf_our->set_key(prf_our, st->st_skeyid_d);
- prf_peer->set_key(prf_peer, st->st_skeyid_d);
- prf_block_size = prf_our->get_block_size(prf_our);
-
- needed_space = needed_len + pad_up(needed_len, prf_block_size);
- replace(pi->our_keymat, malloc(needed_space));
- replace(pi->peer_keymat, malloc(needed_space));
-
- for (i = 0;; )
- {
- char *keymat_i_our = pi->our_keymat + i;
- char *keymat_i_peer = pi->peer_keymat + i;
- chunk_t keymat_our = { keymat_i_our, prf_block_size };
- chunk_t keymat_peer = { keymat_i_peer, prf_block_size };
-
- if (st->st_shared.ptr != NULL)
- {
- /* PFS: include the g^xy */
- prf_our->get_bytes(prf_our, st->st_shared, NULL);
- prf_peer->get_bytes(prf_peer, st->st_shared, NULL);
- }
- prf_our->get_bytes(prf_our, protoid_chunk, NULL);
- prf_peer->get_bytes(prf_peer, protoid_chunk, NULL);
-
- prf_our->get_bytes(prf_our, spi_our, NULL);
- prf_peer->get_bytes(prf_peer, spi_peer, NULL);
-
- prf_our->get_bytes(prf_our, st->st_ni, NULL);
- prf_peer->get_bytes(prf_peer, st->st_ni, NULL);
-
- prf_our->get_bytes(prf_our, st->st_nr, keymat_i_our);
- prf_peer->get_bytes(prf_peer, st->st_nr, keymat_i_peer);
+ compute_keymat_internal(st, protoid, pi->our_spi, needed_len,
+ &pi->our_keymat);
+ DBG(DBG_CRYPT,
+ DBG_dump("KEYMAT computed:\n", pi->our_keymat,
+ pi->keymat_len));
+ }
+ if (ep & EP_REMOTE)
+ {
+ compute_keymat_internal(st, protoid, pi->attrs.spi, needed_len,
+ &pi->peer_keymat);
+ DBG(DBG_CRYPT,
+ DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat,
+ pi->keymat_len));
+ }
+}
- i += prf_block_size;
- if (i >= needed_space)
- {
- break;
- }
+static void compute_keymats(struct state *st, enum endpoint ep)
+{
+ if (st->st_ah.present)
+ {
+ compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, ep);
+ }
+ if (st->st_esp.present)
+ {
+ compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, ep);
+ }
+}
- /* more keying material needed: prepare to go around again */
- prf_our->get_bytes(prf_our, keymat_our, NULL);
- prf_peer->get_bytes(prf_peer, keymat_peer, NULL);
- }
- prf_our->destroy(prf_our);
- prf_peer->destroy(prf_peer);
+static void wipe_proto_keymat(struct ipsec_proto_info *pi, enum endpoint ep)
+{
+ if (ep & EP_LOCAL)
+ {
+ memwipe(pi->our_keymat, pi->keymat_len);
+ }
+ if (ep & EP_REMOTE)
+ {
+ memwipe(pi->peer_keymat, pi->keymat_len);
}
- DBG(DBG_CRYPT,
- DBG_dump("KEYMAT computed:\n", pi->our_keymat, pi->keymat_len);
- DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat, pi->keymat_len));
}
-static void compute_keymats(struct state *st)
+static void wipe_keymats(struct state *st, enum endpoint ep)
{
if (st->st_ah.present)
{
- compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah);
+ wipe_proto_keymat(&st->st_ah, ep);
}
if (st->st_esp.present)
{
- compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp);
+ wipe_proto_keymat(&st->st_esp, ep);
}
}
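Review bot: `wipe_proto_keymat` scrubs only `pi->keymat_len` bytes, but compute_keymat_internal allocates `needed_len + pad_up(needed_len, prf_block_size)` and the final PRF block fills the buffer to that rounded size, so up to one block of SKEYID_d-derived output survives in memory after the wipe. As far as the visible code shows only `keymat_len` bytes are ever consumed (the dumps and the wipe both use it), so the surplus can be scrubbed right after derivation inside compute_keymat_internal, after the loop: `memwipe(*keymat_out + needed_len, needed_space - needed_len);`. Separately, `DBG_dump("KEYMAT computed:\n", ...)` still writes the raw SA keys to the log whenever DBG_CRYPT is set; that is pre-existing, but a one-line comment such as `/* DBG_CRYPT exposes SA keys in the log; never enable in production */` at each dump would make the cost explicit. compute_proto_keymat starts in the previous hunk.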
@@ -3824,7 +3853,7 @@ main_id_and_auth(struct msg_digest *md
case XAUTHInitRSA:
case XAUTHRespRSA:
r = check_signature(KEY_RSA, peer, st, hash,
- &md->chain[ISAKMP_NEXT_SIG]->pbs,
+ &md->chain[ISAKMP_NEXT_SIG]->pbs,
#ifdef USE_KEYRR
kc == NULL ? NULL : kc->ac.keys_from_dns,
#endif /* USE_KEYRR */
@@ -4975,6 +5004,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
/* now that we are sure of our connection, create our new state */
{
+ enum endpoint ep = EP_LOCAL;
struct state *const st = duplicate_state(p1st);
/* first: fill in missing bits of our new state object
@@ -5152,7 +5182,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
, st, &st->st_msgid, TRUE);
/* Derive new keying material */
- compute_keymats(st);
+ compute_keymats(st, ep);
/* Tell the kernel to establish the new inbound SA
* (unless the commit bit is set -- which we don't support).
@@ -5161,8 +5191,10 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
*/
if (!install_inbound_ipsec_sa(st))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
}
+ wipe_keymats(st, ep);
/* encrypt message, except for fixed part of header */
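Review bot: After `wipe_keymats(st, ep);` the `our_keymat` buffer stays allocated and non-NULL but holds zeros, so any later path that re-reads it (for example re-installing the inbound SA after a routing or interface change — not visible here) would silently install an all-zero key rather than fail. If the invariant is that nothing reads the buffer again once the kernel has it, a comment at the call should say so, e.g. `/* inbound SA installed: scrub local KEYMAT, it is never read again */`; if that cannot be guaranteed, wiping should be paired with freeing and NULLing the pointer so a stale reader faults instead of using a zero key. quick_inI1_outR1_tail begins and ends outside this hunk.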
@@ -5206,6 +5238,7 @@ static void dpd_init(struct state *st)
*/
stf_status quick_inR1_outI2(struct msg_digest *md)
{
+ enum endpoint ep = EP_LOCAL | EP_REMOTE;
struct state *const st = md->st;
const connection_t *c = st->st_connection;
@@ -5325,7 +5358,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
}
/* Derive new keying material */
- compute_keymats(st);
+ compute_keymats(st, ep);
/* Tell the kernel to establish the inbound, outbound, and routing part
* of the new SA (unless the commit bit is set -- which we don't support).
@@ -5334,8 +5367,10 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
*/
if (!install_ipsec_sa(st, TRUE))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR;
}
+ wipe_keymats(st, ep);
/* encrypt message, except for fixed part of header */
@@ -5374,12 +5409,16 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
*/
stf_status quick_inI2(struct msg_digest *md)
{
+ enum endpoint ep = EP_REMOTE;
struct state *const st = md->st;
/* HASH(3) in */
CHECK_QUICK_HASH(md, quick_mode_hash3(hash_val, st)
, "HASH(3)", "Quick I2");
+ /* Derive keying material */
+ compute_keymats(st, ep);
+
/* Tell the kernel to establish the outbound and routing part of the new SA
* (the previous state established inbound)
* (unless the commit bit is set -- which we don't support).
@@ -5388,8 +5427,11 @@ stf_status quick_inI2(struct msg_digest *md)
*/
if (!install_ipsec_sa(st, FALSE))
{
+ wipe_keymats(st, ep);
return STF_INTERNAL_ERROR;
}
+ wipe_keymats(st, ep);
+
DBG(DBG_CONTROLMORE,
DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
, st->st_connection->name
@@ -5851,6 +5893,7 @@ dpd_timeout(struct state *st)
/* caching the connection name before deletion */
strncpy(cname, c->name, BUF_LEN);
+ cname[BUF_LEN-1] = '\0';
if (c->kind == CK_INSTANCE)
{
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 104b6c2d4..8bed1fcfc 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1185,7 +1185,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
AUTH_UNDEFINED, chunk_empty, mode,
- st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE,
+ st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, FALSE,
inbound, NULL, NULL) != SUCCESS)
{
goto fail;
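Review bot: The added `FALSE` literal next to the existing one at `st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, FALSE,` leaves a reader unable to tell which positional flag is which without opening the add_sa prototype, which is not in this diff. The existing argument list already annotates the opaque `0 /* cpi */`; doing the same for both booleans (e.g. `FALSE /* encap */` plus a comment naming the new flag) in this and the two following hunks would keep the call sites self-describing. setup_half_ipsec_sa continues outside the hunk.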
@@ -1294,7 +1294,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
host_dst, esp_spi, said_next->proto, c->spd.reqid,
mark, 0, &lt_none, enc_alg, enc_key,
auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- encap, inbound, NULL, NULL) != SUCCESS)
+ encap, FALSE, inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
@@ -1327,7 +1327,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
host_dst, ah_spi, said_next->proto, c->spd.reqid,
mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- FALSE, inbound, NULL, NULL) != SUCCESS)
+ FALSE, FALSE, inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index c82c376f8..eab2a8f06 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -404,7 +404,7 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type)
{
char alg_name[BUF_LEN];
int alg_name_len;
-
+
alg_name_len = sprintf(alg_name, " %s", enum_name(alg_names, alg_type));
if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
{
@@ -633,12 +633,11 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
* malloced pointer (this quirk allows easier spdb.c change)
*/
struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
- lset_t policy )
+ lset_t policy)
{
const struct esp_info *esp_info;
struct esp_info tmp_esp_info;
struct db_context *ctx_new = NULL;
- struct db_prop *prop;
u_int trans_cnt = esp_ealg_num * esp_aalg_num;
if (!(policy & POLICY_ENCRYPT)) /* not possible, I think */
@@ -659,7 +658,6 @@ struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
}
}
- prop = db_prop_get(ctx_new);
return ctx_new;
}
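Review bot: Dropping `prop = db_prop_get(ctx_new);` together with the unused `prop` is only behaviour-neutral if `db_prop_get()` is a pure accessor; its definition is not in this diff, so if it finalises or seals the proposal context before `return ctx_new;` this hunk would change what callers receive. Worth a quick check of db_ops before merging, and if it is pure, a one-line note in the commit message that the call was side-effect free would save the next reader the same question.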
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 86b46c6c1..4b0e08791 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -494,7 +494,6 @@ static err_t process_rsa_secret(private_key_t **key)
if (ugh)
{
ugh = builddiag("RSA data malformed (%s): %s", ugh, tok);
- part++;
goto end;
}
rsa_chunk[part] = chunk_create(buf, sz);
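Review bot: Removing `part++;` from the error path means the cleanup at `end` (outside this hunk) no longer treats the slot that was never assigned at `rsa_chunk[part] = chunk_create(buf, sz);` as live, which looks like a fix for freeing stale or uninitialised chunk data — worth confirming that the cleanup loop bounds on `part` and that `rsa_chunk` is zero-initialised, so the earlier slots are still released. A brief comment on the `goto end`, such as `/* rsa_chunk[part] not assigned: leave part as the count of live chunks */`, would document why the increment is deliberately absent.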
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 6e70898a5..c5f1776ec 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -337,16 +337,16 @@ open_peerlog(connection_t *c)
/* copy IP address, turning : and . into / */
{
- char c, *p, *q;
+ char ch, *p, *q;
p = peername;
q = dname;
do {
- c = *p++;
- if (c == '.' || c == ':')
- c = '/';
- *q++ = c;
- } while (c != '\0');
+ ch = *p++;
+ if (ch == '.' || ch == ':')
+ ch = '/';
+ *q++ = ch;
+ } while (ch != '\0');
}
lf_len = peernamelen * 2
@@ -834,7 +834,8 @@ DBG_dump(const char *label, const void *p, size_t len)
static void show_loaded_plugins()
{
- char buf[BUF_LEN], *plugin;
+ char buf[BUF_LEN];
+ plugin_t *plugin;
int len = 0;
enumerator_t *enumerator;
@@ -842,7 +843,7 @@ static void show_loaded_plugins()
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+ len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
whack_log(RC_COMMENT, "loaded plugins: %s", buf);
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index a2acce23a..8298ea601 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -120,9 +120,10 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
int family;
family = (ca->type == INTERNAL_IP4_ADDRESS) ? AF_INET : AF_INET6;
+ DESTROY_IF(requested_vip);
requested_vip = (ca->value.len) ?
host_create_from_chunk(family, ca->value, 0) :
- host_create_any(family);
+ host_create_any(family);
plog("peer requested virtual IP %H", requested_vip);
break;
}
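Review bot: `DESTROY_IF(requested_vip);` closes the leak when the peer sends more than one INTERNAL_IP4/IP6_ADDRESS attribute, but the earlier request is now discarded silently while `plog("peer requested virtual IP %H", requested_vip);` logs each one, so the log shows several "requested" addresses and only the last is acted on. A short log line before the destroy when `requested_vip` is already set, or a comment `/* a later attribute overrides an earlier request; only the last one is honoured */`, would make the precedence explicit. get_attributes continues outside the hunk.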
@@ -166,7 +167,7 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
requested_vip->destroy(requested_vip);
/* if we have a virtual IP address - send it */
- if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
+ if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
{
vip = c->spd.that.host_srcip;
plog("assigning virtual IP %H to peer", vip);
@@ -179,7 +180,7 @@ static void get_attributes(connection_t *c, linked_list_t *ca_list)
/* set the remote client subnet to virtual IP */
c->spd.that.client.addr = *(ip_address*)vip->get_sockaddr(vip);
- c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128;
+ c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128;
c->spd.that.has_client = TRUE;
}
@@ -264,8 +265,8 @@ static bool set_attributes(connection_t *c, linked_list_t *ca_list)
setportof(0, &c->spd.this.client.addr);
c->spd.this.has_client = TRUE;
- vip_set = TRUE;
- }
+ vip_set = TRUE;
+ }
continue;
case APPLICATION_VERSION:
#ifdef CISCO_QUIRKS
@@ -420,7 +421,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
}
enumerator->destroy(enumerator);
close_output_pbs(&strattr);
-
+
modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
close_message(rbody);
encrypt_message(rbody, st);
@@ -653,7 +654,7 @@ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
ca_list->destroy_function(ca_list, (void*)modecfg_attribute_destroy);
return stat;
}
-
+
/* discard the parsed attributes and look for another payload */
while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) {}
}
@@ -670,7 +671,7 @@ stf_status modecfg_send_request(struct state *st)
{
connection_t *c = st->st_connection;
stf_status stat;
- modecfg_attribute_t *ca;
+ modecfg_attribute_t *ca;
enumerator_t *enumerator;
int family;
chunk_t value;
@@ -685,7 +686,7 @@ stf_status modecfg_send_request(struct state *st)
value);
ca_list->insert_last(ca_list, ca);
- register_attribute_handlers(c);
+ register_attribute_handlers(c);
enumerator = c->requested->create_enumerator(c->requested);
while (enumerator->enumerate(enumerator, &ca))
{
@@ -800,7 +801,7 @@ stf_status modecfg_send_set(struct state *st)
* Used in ModeCfg push mode on the client (initiator)
* called in demux.c from STATE_MODE_CFG_I0
* client <- CFG_SET
- * client -> CFG_ACK
+ * client -> CFG_ACK
* STF_OK transitions to STATE_MODE_CFG_I3
*/
stf_status modecfg_inI0(struct msg_digest *md)
@@ -865,7 +866,7 @@ stf_status modecfg_inI0(struct msg_digest *md)
/**
* Used in ModeCfg push mode on the server (responder)
* called in demux.c from STATE_MODE_CFG_R3
- * server <- CFG_ACK
+ * server <- CFG_ACK
* STF_OK transitions to STATE_MODE_CFG_R4
*/
stf_status modecfg_inR3(struct msg_digest *md)
@@ -1140,7 +1141,7 @@ stf_status xauth_inR1(struct msg_digest *md)
xauth_user_name.ptr)
)
DESTROY_IF(c->xauth_identity);
- c->xauth_identity = identification_create_from_data(xauth_user_name);
+ c->xauth_identity = identification_create_from_data(xauth_user_name);
DBG(DBG_PRIVATE,
DBG_log("peer xauth user password is '%.*s'", xauth_user_password.len,
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index a3694b7b5..f5ee07398 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -192,7 +192,7 @@ static const asn1Object_t basicResponseObjects[] = {
{ 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
ASN1_DEF }, /* 16 */
{ 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
- { 4, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
{ 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
{ 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
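Review bot: Changing the "end loop" level from 4 to 3 alters how the extensions loop in the basicResponse template is terminated, which is a parser-structure fix that no test in this diff exercises; a regression test with a BasicOCSPResponse carrying two or more responseExtensions would pin the corrected nesting. A comment on the entry, e.g. `/* terminates the extensions loop; level must match the loop's opening entry */`, would also stop the next reader from "fixing" it back — the opening entry of that loop is above the hunk, so the exact pairing is inferred here.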
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
index 358805cc4..3ae6ea12b 100644
--- a/src/pluto/plugins/xauth/Makefile.in
+++ b/src/pluto/plugins/xauth/Makefile.in
@@ -239,6 +239,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -262,6 +264,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/pluto/plugins/xauth/xauth_plugin.c b/src/pluto/plugins/xauth/xauth_plugin.c
index 74e16eacd..bfc4820ed 100644
--- a/src/pluto/plugins/xauth/xauth_plugin.c
+++ b/src/pluto/plugins/xauth/xauth_plugin.c
@@ -18,10 +18,15 @@
#include "xauth_plugin.h"
#include "xauth_default_provider.h"
#include "xauth_default_verifier.h"
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(xauth_plugin_t *this)
+
+METHOD(plugin_t, get_name, char*,
+ xauth_plugin_t *this)
+{
+ return "xauth";
+}
+
+METHOD(plugin_t, destroy, void,
+ xauth_plugin_t *this)
{
free(this);
}
@@ -31,9 +36,15 @@ static void destroy(xauth_plugin_t *this)
*/
plugin_t *xauth_plugin_create()
{
- xauth_plugin_t *this = malloc_thing(xauth_plugin_t);
+ xauth_plugin_t *this;
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ );
pluto->xauth->add_provider(pluto->xauth, xauth_default_provider_create());
pluto->xauth->add_verifier(pluto->xauth, xauth_default_verifier_create());
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 627176c1b..309bde649 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -239,7 +239,8 @@ options_t *options;
*/
static void print_plugins()
{
- char buf[BUF_LEN], *plugin;
+ char buf[BUF_LEN];
+ plugin_t *plugin;
int len = 0;
enumerator_t *enumerator;
@@ -247,7 +248,7 @@ static void print_plugins()
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+ len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
DBG1(DBG_DMN, "loaded plugins: %s", buf);
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 2ed07bdfc..48585432b 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -591,7 +591,7 @@ static u_int32_t decode_long_duration(pb_stream *pbs)
if (pbs_left(pbs) > sizeof(val))
{
/* "clamp" too large value to max representable value */
- val -= 1; /* portable way to get to maximum value */
+ val = UINT32_MAX;
DBG(DBG_PARSING, DBG_log(" too large duration clamped to: %lu"
, (unsigned long)val));
}
@@ -881,7 +881,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
lset_t seen_attrs = 0;
lset_t seen_durations = 0;
u_int16_t life_type = 0;
- struct oakley_trans_attrs ta;
+ struct oakley_trans_attrs ta = { .encrypter = NULL };
err_t ugh = NULL; /* set to diagnostic when problem detected */
/* initialize only optional field in ta */
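Review bot: With `struct oakley_trans_attrs ta = { .encrypter = NULL };` the designated initialiser zero-fills every member of `ta`, so the comment that follows, `/* initialize only optional field in ta */`, and whatever explicit assignment it introduces (below the hunk) now describe a redundant step. Either drop that follow-up assignment or reword the comment to `/* ta is fully zeroed by the initialiser above */` so the two do not contradict each other. parse_isakmp_sa_body continues outside the hunk.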
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 3639f944d..e4234bc87 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -166,7 +166,10 @@ static struct state **state_hash(const u_char *icookie, const u_char *rcookie,
*/
struct state *new_state(void)
{
- static const struct state blank_state; /* initialized all to zero & NULL */
+ /* initialized all to zero & NULL */
+ static const struct state blank_state = {
+ .st_serialno = 0,
+ };
static so_serial_t next_so = SOS_FIRST;
struct state *st;
@@ -347,19 +350,20 @@ void delete_state(struct state *st)
DESTROY_IF(st->st_dh);
- free(st->st_tpacket.ptr);
- free(st->st_rpacket.ptr);
- free(st->st_p1isa.ptr);
- free(st->st_gi.ptr);
- free(st->st_gr.ptr);
- free(st->st_shared.ptr);
- free(st->st_ni.ptr);
- free(st->st_nr.ptr);
- free(st->st_skeyid.ptr);
- free(st->st_skeyid_d.ptr);
- free(st->st_skeyid_a.ptr);
- free(st->st_skeyid_e.ptr);
- free(st->st_enc_key.ptr);
+ chunk_clear(&st->st_tpacket);
+ chunk_clear(&st->st_rpacket);
+ chunk_clear(&st->st_p1isa);
+ chunk_clear(&st->st_gi);
+ chunk_clear(&st->st_gr);
+ chunk_clear(&st->st_shared);
+ chunk_clear(&st->st_ni);
+ chunk_clear(&st->st_nr);
+ chunk_clear(&st->st_skeyid);
+ chunk_clear(&st->st_skeyid_d);
+ chunk_clear(&st->st_skeyid_a);
+ chunk_clear(&st->st_skeyid_e);
+ chunk_clear(&st->st_enc_key);
+
free(st->st_ah.our_keymat);
free(st->st_ah.peer_keymat);
free(st->st_esp.our_keymat);
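Review bot: The IKE secrets now go through `chunk_clear()` but the four SA keymat buffers immediately below are still released with plain `free()`, so a state torn down while they are live (they are allocated by compute_keymats and, as far as this diff shows, only scrubbed right after the kernel install in the Quick Mode handlers) leaves key material in freed heap memory. For consistency with the rest of this hunk, wipe before freeing, e.g. `memwipe(st->st_ah.our_keymat, st->st_ah.keymat_len); free(st->st_ah.our_keymat);` for each of the four; the pointer needs a NULL guard (or `memwipe` must tolerate NULL) since `peer_keymat` may never have been derived while `keymat_len` is already set. delete_state continues outside the hunk.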
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 623585f65..9f8ac874e 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -249,6 +249,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -272,6 +274,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 448854acd..d9f6b0925 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -279,14 +279,15 @@ usage(const char *message)
*/
static void print_plugins()
{
- char buf[BUF_LEN], *plugin;
+ char buf[BUF_LEN];
+ plugin_t *plugin;
int len = 0;
enumerator_t *enumerator;
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
{
- len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin);
+ len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin));
}
enumerator->destroy(enumerator);
DBG1(DBG_LIB, " loaded plugins: %s", buf);
@@ -1019,6 +1020,7 @@ int main(int argc, char **argv)
*/
if (filetype_out & CERT)
{
+ bool stored = FALSE;
certificate_t *cert;
enumerator_t *enumerator;
char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
@@ -1128,7 +1130,6 @@ int main(int argc, char **argv)
enumerator = certs->create_enumerator(certs);
while (enumerator->enumerate(enumerator, &cert))
{
- bool stored = FALSE;
x509_t *x509 = (x509_t*)cert;
if (!(x509->get_flags(x509) & X509_CA))
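Review bot: Hoisting `bool stored = FALSE;` out of the enumerator loop changes its semantics from per-certificate to cumulative: once any iteration sets it, later iterations and whatever code after the loop reads it (not in this hunk) see TRUE. That is presumably the intent — detecting that at least one CA certificate was written — but since nothing in the hunk resets it, a comment at the declaration such as `/* set once any CA certificate has been stored; checked after the loop */` would record that, and the post-loop check should be verified to want "any" rather than "last". main continues outside the hunk.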
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index f1c370ad9..72adbf7bc 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -227,6 +227,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -250,6 +252,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/starter/args.c b/src/starter/args.c
index 87307f1aa..4d8003aab 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -542,6 +542,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
}
}
}
+ /* fall through */
default:
return TRUE;
}
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index ef26cdce5..4a2ae0a57 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -153,6 +153,7 @@ get_defaultroute(defaultroute_t *defaultroute)
}
strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ);
+ defaultroute->iface[IFNAMSIZ-1] = '\0';
defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr);
defaultroute->nexthop.u.v4.sin_family = AF_INET;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index f8aa5e6a9..e88939415 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -147,7 +147,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
char *pos = cfg->setup.charondebug;
char *buf_pos = buffer;
- while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
+ while (pos && sscanf(pos, "%3s %d,", type, &level) == 2)
{
snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "--debug-%s", type);
arg[argc++] = buf_pos;
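Review bot: `%3s` fixes the off-by-one where `%4s` could store five bytes (four characters plus the NUL) into `type`, assuming `type` is declared as a four-byte array above the hunk; the width is easy to "correct" back, so a comment tying it to the buffer would help: `/* %3s: leave room for the NUL in type[4] */`. Better still, derive the width from the declaration (a `sizeof(type) - 1` stringified into the format) so the two cannot drift again. starter_start_charon continues outside the hunk.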
diff --git a/src/starter/starter.c b/src/starter/starter.c
index c3ba54f1d..fcef2f7ff 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -714,7 +714,7 @@ int main (int argc, char **argv)
if (conn->startup == STARTUP_START)
{
- if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+ if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
{
if (starter_charon_pid())
{
@@ -731,7 +731,7 @@ int main (int argc, char **argv)
}
else if (conn->startup == STARTUP_ROUTE)
{
- if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+ if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
{
if (starter_charon_pid())
{
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index f251667c7..7272b2530 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -118,7 +118,7 @@ static char* connection_name(starter_conn_t *conn)
if (streq(conn->name, "%auto"))
{
- sprintf(buf, "conn_%ld", conn->id);
+ sprintf(buf, "conn_%lu", conn->id);
return buf;
}
return conn->name;
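Review bot: `sprintf(buf, "conn_%lu", conn->id);` still writes into `buf` with no length bound; if `buf` is a fixed array declared above the hunk, `snprintf(buf, sizeof(buf), "conn_%lu", conn->id);` costs nothing and removes the dependence on the array being at least 26 bytes for a 64-bit `unsigned long`. The format fix itself is correct only if `conn->id` is `unsigned long`; if it is a narrower type the `%lu` is still undefined, so the declaration is worth a glance.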
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index d621f21ca..4e8318e0f 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -218,6 +218,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -241,6 +243,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index a88fa10d7..2c5a03d77 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -285,9 +285,9 @@ static int reread(stroke_keyword_t kw)
static int purge_flags[] = {
PURGE_OCSP,
- PURGE_IKE,
PURGE_CRLS,
PURGE_CERTS,
+ PURGE_IKE,
};
static int purge(stroke_keyword_t kw)
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 3af2b7042..9800d4319 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -105,12 +105,12 @@ enum purge_flag_t {
PURGE_NONE = 0x0000,
/** purge ocsp cache entries */
PURGE_OCSP = 0x0001,
- /** purge IKE_SAs without a CHILD_SA */
- PURGE_IKE = 0x0002,
/** purge CRL cache entries */
- PURGE_CRLS = 0x0004,
+ PURGE_CRLS = 0x0002,
/** purge X509 cache entries */
- PURGE_CERTS = 0x0008,
+ PURGE_CERTS = 0x0004,
+ /** purge IKE_SAs without a CHILD_SA */
+ PURGE_IKE = 0x0008,
};
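Review bot: Renumbering `PURGE_CRLS`, `PURGE_CERTS` and `PURGE_IKE` changes the values carried in stroke messages, so a `stroke` binary from a previous release talking to this daemon (or vice versa) would request a different purge than the operator typed — `purge ike` from an old client now lands on `PURGE_CRLS`, for example. If stroke_msg.h carries a protocol or message-version constant it should be bumped in the same change, and the reorder deserves a NEWS entry; as a smaller measure, a comment `/* wire values: changing these breaks older stroke clients */` above the enum would warn the next editor.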
typedef enum export_flag_t export_flag_t;
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index b51056a38..f62c2bfc0 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -217,6 +217,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -240,6 +242,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/src/whack/whack.c b/src/whack/whack.c
index c5fe3b458..ac2d3ea40 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -1155,6 +1155,7 @@ int main(int argc, char **argv)
case OPT_STATUSALL: /* --statusall */
msg.whack_statusall = TRUE;
+ /* fall through */
case OPT_STATUS: /* --status */
msg.whack_status = TRUE;
diff --git a/testing/Makefile.in b/testing/Makefile.in
index cbb7555f0..67cdc194a 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -196,6 +196,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -219,6 +221,7 @@ soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 27ad200fb..2c5c07278 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -117,13 +117,7 @@ done
KERNEL_VERSION=`basename $KERNEL .tar.bz2`
IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2`
-cat > $INDEX <<@EOF
-<html>
-<head>
- <title>strongSwan UML Tests</title>
-</head>
-<body>
- <h2>strongSwan UML Tests</h2>
+ENVIRONMENT_HEADER=$(cat <<@EOF
<table border="0" cellspacing="2">
<tr valign="top">
<td><b>Host:</b></td>
@@ -148,9 +142,27 @@ cat > $INDEX <<@EOF
<td >&nbsp;</td>
</tr>
@EOF
+)
-cat $INDEX > $TESTRESULTSHTML
-cat >> $TESTRESULTSHTML <<@EOF
+cat > $INDEX <<@EOF
+<html>
+<head>
+ <title>strongSwan UML Tests</title>
+</head>
+<body>
+ <h2>strongSwan UML Tests</h2>
+ $ENVIRONMENT_HEADER
+@EOF
+
+cat > $TESTRESULTSHTML <<@EOF
+<html>
+<head>
+ <title>strongSwan UML Tests - All Tests</title>
+</head>
+<body>
+ <div><a href="index.html">strongSwan UML Tests</a> / All Tests</div>
+ <h2>All Tests</h2>
+ $ENVIRONMENT_HEADER
<tr align="left">
<th>Number</th>
<th>Test</th>
@@ -213,6 +225,7 @@ do
<title>strongSwan $SUBDIR Tests</title>
</head>
<body>
+ <div><a href="../index.html">strongSwan UML Tests</a> / $SUBDIR</div>
<h2>strongSwan $SUBDIR Tests</h2>
<table border="0" cellspacing="2">
<tr valign="top">
@@ -455,8 +468,9 @@ do
<title>Test $testname</title>
</head>
<body>
-<table border="0" width="600">
+<table border="0" cellpadding="0" cellspacing="0" width="600">
<tr><td>
+ <div><a href="../../index.html">strongSwan UML Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div>
<h2>Test $testname</h2>
<h3>Description</h3>
@EOF
@@ -576,9 +590,6 @@ do
cat >> $TESTRESULTDIR/index.html <<@EOF
</td></tr>
- <tr><td align="right">
- <b><a href="../index.html">Back</a></b>
- </td></tr>
</table>
</body>
</html>
@@ -670,7 +681,7 @@ do
cat >> $TESTRESULTSHTML << @EOF
<tr>
<td>$testnumber</td>
- <td><a href="$testname/">$testname</a></td>
+ <td><a href="$testname/index.html">$testname</a></td>
<td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
<td>&nbsp;</td>
</tr>
@@ -678,7 +689,7 @@ do
cat >> $SUBTESTSINDEX << @EOF
<tr>
<td>$testnumber</td>
- <td><a href="$name/">$name</a></td>
+ <td><a href="$name/index.html">$name</a></td>
<td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td>
<td>&nbsp;</td>
</tr>
@@ -705,11 +716,16 @@ done
#
cat >> $TESTRESULTSHTML << @EOF
+ <tr>
+ <td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td><b>Passed:</b></td><td><b><font color="green">$passed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td><b>Failed:</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+ </tr>
</table>
- <p>
- <b>Passed: &nbsp; <font color="green">$passed_cnt</font></b><br>
- <b>Failed: &nbsp; <font color="red">$failed_cnt</font></b><br>
- <p>
</body>
</html>
@EOF
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 023b71750..182feab7d 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -182,6 +182,11 @@ then
echo -n " --enable-eap-ttls" >> $INSTALLSHELL
fi
+if [ "$USE_EAP_PEAP" = "yes" ]
+then
+ echo -n " --enable-eap-peap" >> $INSTALLSHELL
+fi
+
if [ "$USE_EAP_TNC" = "yes" ]
then
echo -n " --enable-eap-tnc" >> $INSTALLSHELL
@@ -307,6 +312,16 @@ then
echo -n " --enable-ha" >> $INSTALLSHELL
fi
+if [ "$USE_AF_ALG" = "yes" ]
+then
+ echo -n " --enable-af-alg" >> $INSTALLSHELL
+fi
+
+if [ "$USE_WHITELIST" = "yes" ]
+then
+ echo -n " --enable-whitelist" >> $INSTALLSHELL
+fi
+
if [ "$USE_CISCO_QUIRKS" = "yes" ]
then
echo -n " --enable-cisco-quirks" >> $INSTALLSHELL
diff --git a/testing/testing.conf b/testing/testing.conf
index b078ab2c0..9b5609424 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing
# Bzipped kernel sources
# (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.36.2.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.38.tar.bz2
# Extract kernel version
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
# Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.36
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.38
# Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/ha-2.6.36.patch.bz2
+UMLPATCH=$UMLTESTDIR/ha-2.6.37.patch.bz2
# Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.5.1.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.5.2.tar.bz2
# strongSwan compile options (use "yes" or "no")
USE_LIBCURL="yes"
@@ -44,6 +44,7 @@ USE_EAP_IDENTITY="yes"
USE_EAP_RADIUS="yes"
USE_EAP_TLS="yes"
USE_EAP_TTLS="yes"
+USE_EAP_PEAP="yes"
USE_EAP_TNC="yes"
USE_TNC_IMC="yes"
USE_TNC_IMV="yes"
@@ -69,6 +70,8 @@ USE_CTR="yes"
USE_CCM="yes"
USE_GCM="yes"
USE_HA="yes"
+USE_AF_ALG="yes"
+USE_WHITELIST="yes"
USE_CISCO_QUIRKS="no"
# Gentoo linux root filesystem
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/description.txt b/testing/tests/af-alg-ikev1/alg-camellia/description.txt
new file mode 100644
index 000000000..a9633ee84
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and
+<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to
+<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..93f82906e
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat
@@ -0,0 +1,11 @@
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
+moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..cf51269a5
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug="control crypt"
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=camellia128-sha256-modp2048!
+ esp=camellia128-sha256!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..04c2358ed
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..5571dc086
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug="control crypt"
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=camellia128-sha256-modp2048!
+ esp=camellia128-sha256!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..04c2358ed
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat
new file mode 100644
index 000000000..6d2eeb5f9
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/test.conf b/testing/tests/af-alg-ikev1/alg-camellia/test.conf
new file mode 100644
index 000000000..6abbb89a9
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/alg-camellia/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/af-alg-ikev1/rw-cert/description.txt b/testing/tests/af-alg-ikev1/rw-cert/description.txt
new file mode 100644
index 000000000..d0c5e9200
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b>
+of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric
+encryption and hash functions whereas roadwarrior <b>dave</b> uses the default
+<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat
new file mode 100644
index 000000000..1a9b9159f
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::IPsec SA established::YES
+carol::ipsec statusall::IPsec SA established::YES
+dave::ipsec statusall::IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..80dae3719
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=3des-sha1-modp1536!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fd687c13a
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ integrity_test = yes
+ crypto_test {
+ on_add = yes
+ }
+}
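Review bot: This af-alg host enables `crypto_test { on_add = yes }` but not `required = yes`, whereas dave's strongswan.conf in the same test sets both; as I read the crypto_test options, an algorithm for which no test vector exists is then accepted untested on carol and moon but rejected on dave, so the two roadwarriors are held to different standards. If that is deliberate (the kernel-backed transforms may lack vectors for some algorithms), a comment such as `# required = yes omitted: not every af-alg transform has a test vector` would make it explicit; otherwise add `required = yes` as on dave. The same applies to moon's strongswan.conf in this test and to the carol and moon strongswan.conf files in af-alg-ikev2/rw-cert.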
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..73167caad
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha256-modp2048!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5cc54b24f
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ integrity_test = yes
+ crypto_test {
+ required = yes
+ on_add = yes
+ }
+}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f365b07da
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fd687c13a
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ integrity_test = yes
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/posttest.dat b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev1/rw-cert/pretest.dat b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/af-alg-ikev1/rw-cert/test.conf b/testing/tests/af-alg-ikev1/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/af-alg-ikev1/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/description.txt b/testing/tests/af-alg-ikev2/alg-camellia/description.txt
new file mode 100644
index 000000000..b3515c333
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
+HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
+the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..d77c4806e
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..37f8a7ecf
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=camellia256-sha512-modp2048!
+ esp=camellia192-sha1!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
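Review bot: The `ike=camellia256-sha512-modp2048!` line disagrees with this test's description.txt, which says the suite is selected "by defining ike=camellia256-sha256-modp2048"; the evaltest expects HMAC_SHA2_512_256/PRF_HMAC_SHA2_512, so the config is the correct side and the description should read `ike=camellia256-sha512-modp2048`. Moon's ipsec.conf in this test carries the identical line, so the description mismatch covers both hosts.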
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..3cd390829
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f8d7e3fe9
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=camellia256-sha512-modp2048!
+ esp=camellia192-sha1!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3cd390829
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/test.conf b/testing/tests/af-alg-ikev2/alg-camellia/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/af-alg-ikev2/rw-cert/description.txt b/testing/tests/af-alg-ikev2/rw-cert/description.txt
new file mode 100644
index 000000000..d0c5e9200
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b>
+of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric
+encryption and hash functions whereas roadwarrior <b>dave</b> uses the default
+<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4a8baa3ae
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=3des-sha1-modp1536!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1c71b885f
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ integrity_test = yes
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..42f03aab3
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha256-modp2048!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..e483eba9d
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ integrity_test = yes
+ crypto_test {
+ required = yes
+ on_add = yes
+ }
+}
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e84f2e6a
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1c71b885f
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ integrity_test = yes
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/af-alg-ikev2/rw-cert/posttest.dat b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev2/rw-cert/pretest.dat b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/af-alg-ikev2/rw-cert/test.conf b/testing/tests/af-alg-ikev2/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/af-alg-ikev2/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
index 7256743ac..3fb52f927 100644
--- a/testing/tests/ha/both-active/evaltest.dat
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -1,13 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-alice::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES
-alice::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES
+alice::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
+alice::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES
+moon::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES
carol::ipsec statusall::home.*ESTABLISHED::YES
dave::ipsec statusall::home.*ESTABLISHED::YES
-alice::cat /var/log/daemon.log::HA segment 1 activated::YES
moon::cat /var/log/daemon.log::HA segment 2 activated::YES
-alice::cat /var/log/daemon.log::installed HA CHILD_SA::YES
-moon::cat /var/log/daemon.log::handling HA CHILD_SA::YES
+alice::cat /var/log/daemon.log::HA segment 1 activated::YES
+moon::cat /var/log/daemon.log::installed HA CHILD_SA::YES
+alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/description.txt b/testing/tests/ikev2/rw-eap-peap-md5/description.txt
new file mode 100644
index 000000000..7f9ade88a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-PEAP).
+<p/>
+With the setting <b>charon.plugins.eap-peap.phase2_piggyback = yes</b> the server <b>moon</b>
+initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request
+right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password
+and succeeds whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
new file mode 100644
index 000000000..0908e1c97
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
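Review bot: The negative expectation `moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO` misspells the domain (`stronswan`), so the pattern can never match and the check passes even if dave's IKE_SA were established; it should read `moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO`. `::NO` patterns are easy to break this way because a typo makes them succeed silently, so it is worth comparing them against the positive carol line above, which spells the domain correctly.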
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2f8b9dfda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..2c06d26a6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3a29329d5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
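Review bot: dave's EAP secret `UgaM65Va` deliberately differs from the `W7R0g3do` that the gateway side stores for him, but nothing in the file says so, and a later reader may "fix" the mismatch and silently turn the expected EAP failure into a success. A comment above the entry such as `# intentionally differs from the secret held by the gateway/AAA side: this client is expected to fail EAP authentication` would protect the test's intent. The same applies to dave's ipsec.secrets in the rw-eap-peap-mschapv2 and rw-eap-peap-radius tests further down.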
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..2c06d26a6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..129486c05
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftauth=eap-peap
+ leftfirewall=yes
+ rightauth=eap-peap
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..68d2cd95a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+ plugins {
+ eap-peap {
+ phase2_method = md5
+ phase2_piggyback = yes
+ }
+ }
+}
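Review bot: `phase2_piggyback = yes` is enabled in moon's eap-peap block here but not in the otherwise parallel rw-eap-peap-mschapv2 moon configuration, and neither file says why. A one-line comment next to the option stating what behaviour the MD5 test relies on it for, or noting that it is set only to exercise the option, would keep the two tests from drifting apart unexplained.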
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt b/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt
new file mode 100644
index 000000000..ef2d24f2f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MSCHAPv2</b> (phase2 of EAP-PEAP).
+<p/>
+Client <b>carol</b> presents the correct MSCHAPv2 password and succeeds whereas client
+<b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
new file mode 100644
index 000000000..8743b9643
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
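Review bot: The negative check on the dave line of this evaltest spells the identity `dave@stronswan.org`, so the pattern can never match and the `NO` expectation passes even if dave's IKE_SA were ESTABLISHED. The line should read `moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO`, as the rw-eap-peap-radius evaltest further down already spells it. The same typo is in the rw-eap-peap-md5 evaltest above, whose hunk begins before this view.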
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2f8b9dfda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..2cbfb2484
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3a29329d5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..2cbfb2484
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..129486c05
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftauth=eap-peap
+ leftfirewall=yes
+ rightauth=eap-peap
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..19d12447f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ multiple_authentication=no
+ plugins {
+ eap-peap {
+ phase2_method = mschapv2
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/description.txt b/testing/tests/ikev2/rw-eap-peap-radius/description.txt
new file mode 100644
index 000000000..89db03a38
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-PEAP</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-PEAP tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
+wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
new file mode 100644
index 000000000..39a24f15e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -0,0 +1,21 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
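Review bot: This evaltest ends with two empty lines, which none of the other evaltest.dat files in this commit have. If the evaluation script does not skip blank lines they become entries with no host, command or expectation; dropping them keeps the file consistent with its siblings.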
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..df50901d5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,18 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ peap {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
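Review bot: The `log` section sets `auth_badpass = yes` and `auth_goodpass = yes`, which makes radiusd record the submitted password in `${logdir}/radius.log`, and nothing marks this as a fixture-only setting. A comment above the section such as `# auth_goodpass/auth_badpass write the submitted password to radius.log; kept for test diagnostics only` would stop the block from being copied into a production raddb unchanged. The `$INCLUDE sql.conf` and `$INCLUDE sql/mysql/counter.conf` lines also pull in SQL module configuration that none of the virtual servers in this test reference; presumably those files exist in the shared alice image, but the includes could be dropped here if nothing uses them.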
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b2eef5785
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..2c06d26a6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3c8ea5c58
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..2c06d26a6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
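Review bot: start() uses `/sbin/iptables` for the three policy lines but bare `iptables` for every rule that follows, while stop() and reload() use the absolute path throughout; using `/sbin/iptables` consistently avoids depending on PATH under the init system. The `[ $a == nat ]` comparisons in stop() rely on the bash-only `==` with an unquoted variable, which works under the bash-based runscript but `[ "$a" = nat ]` is the portable form.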
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
new file mode 100644
index 000000000..cbe1ae229
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -0,0 +1,11 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
new file mode 100644
index 000000000..e6a786a94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol winnetou dave moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
index a02755148..f7d78d1ca 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
@@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..b1c694107
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
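Review bot: `log4j.appender.A2.SyslogHost=localhost` makes log4cxx's SyslogAppender send over the network to the local syslog daemon rather than through the local syslog(3) interface, if I read log4cxx's behaviour correctly; if syslogd on the UML guest is not accepting UDP, or the iptables rules started in pretest.dat drop it, the `--[IMC]` lines vanish silently. Either drop the `SyslogHost` line so the appender uses the local socket, or add `# SyslogHost forces UDP delivery; the test images' syslogd must accept UDP from localhost` above it. The same file is copied verbatim to dave and to moon (with `[IMV]`) in this commit, so whichever fix is chosen should be applied to all copies.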
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
index a5a9a68f3..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
@@ -1,3 +1,4 @@
#IMC configuration file for strongSwan client
-IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..b1c694107
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
index a5a9a68f3..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
@@ -1,3 +1,4 @@
#IMC configuration file for strongSwan client
-IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy
@@ -0,0 +1 @@
+1
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy
new file mode 100644
index 000000000..d8215dd3c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy
@@ -0,0 +1,40 @@
+#FTP - File Transfer Protocol
+TCP 20 = whatever
+TCP 21 = close
+
+#SSH - Secure Shell
+TCP 22 = whatever
+
+#Telnet
+TCP 23 = close
+
+#E-Mail
+#
+#SMTP - Simple Mail Transfer Protocol
+TCP 25 = close
+TCP 587 = close
+#POP3 - Post Office Protocol version 3
+TCP 110 = close
+TCP 995 = close
+
+#DNS - Domain Name System
+UDP 53 = close
+TCP 53 = close
+
+#BOOTP/DHCP - Bootstrap Protocol /
+#Dynamic Host Configuration Protocol
+UDP 67 = close
+#UDP 68 = open
+UDP 68 = whatever
+
+#www - World Wide Web
+#HTTP - Hypertext Transfer Protocol
+TCP 80 = close
+#HTTPS - Hypertext Transfer Protocol Secure
+TCP 443 = close
+
+#examples
+TCP 8080 = close
+TCP 5223 = whatever
+UDP 4444 = close
+UDP 631 = whatever
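Review bot: The policy file has no header describing its grammar or the meaning of the three states it uses — `close`, `whatever`, and (only in the commented-out `#UDP 68 = open` line) `open` — so a reviewer cannot tell whether `whatever` means "not measured" or "either state accepted". A two-line header such as `# <TCP|UDP> <port> = open|close|whatever` / `# close: port must not be listening; whatever: state not enforced` would make the policy reviewable. Note also that SSH (`TCP 22 = whatever`) and FTP-data (`TCP 20 = whatever`) are the only well-known services left unconstrained while every other listed port must be closed; if that is deliberate for the test, say so in a comment next to those lines.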
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..122d798b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
index ac436a344..140caa98f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
@@ -1,3 +1,4 @@
#IMV configuration file for strongSwan server
-IMV "Dummy" /usr/local/lib/libdummyimv.so
+IMV "Dummy" /usr/local/lib/libdummyimv.so
+#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
index ce897d181..9896b1e4a 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
@@ -6,9 +6,9 @@ carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
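Review bot: `LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start` relies on the environment variable surviving the `ipsec` wrapper script and the starter's daemonisation to reach the IMC/IMV library loaded inside charon; if any layer sanitises the environment, logging silently falls back to log4cxx defaults. Nothing in the visible part of evaltest.dat greps for the `--[IMC]` or `--[IMV]` prefix that the properties files define, so such a failure would go unnoticed. Consider adding one assertion such as `moon::cat /var/log/daemon.log::--\[IMV\]::YES`, or a comment stating that the log4cxx output is informational only and not part of the test's pass criteria.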
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
index f1753c208..e3c482441 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
@@ -5,8 +5,10 @@ carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/3
dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'no access'::YES
moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
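Review bot: The negative check on the last line greps the output of `ping PH_IP_ALICE` for a reply from `PH_IP_VENUS`, which can never match whether or not dave's tunnel was blocked, so the assertion is vacuous. It should read `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` to actually prove that dave has no access after the 'no access' policy is enforced. This is a pre-existing context line, but the commit reworks the surrounding assertions and this is the one that verifies the blocking behaviour the test is named for.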
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy
new file mode 100644
index 000000000..573541ac9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy
@@ -0,0 +1 @@
+0
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
index bbc0603b6..c871bb6da 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
@@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy
new file mode 100644
index 000000000..573541ac9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy
@@ -0,0 +1 @@
+0
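Review bot: `rw-eap-tnc-20-tls` gets a `dummyimv.policy` of `0`, the same value as `rw-eap-tnc-20-block` whose evaltest expects 'no access', yet this test's evaltest (updated in the same commit) still expects 'allow' for carol and 'isolate' for dave, matching `rw-eap-tnc-20` and `rw-eap-tnc-11`, which receive `1`. I cannot tell from the diff what the number means to the dummy IMV, so either the value is intended and the IMV policy does not drive the recommendation in this test, or it is a copy of the block test's file. A one-line note in description.txt, or in the policy file if its format allows comments, stating what `0` and `1` select would settle it.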
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
index 737c9b9ef..d334a9b97 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
@@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..b1c694107
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
index 3797993fa..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
@@ -1,4 +1,4 @@
#IMC configuration file for strongSwan client
IMC "Dummy" /usr/local/lib/libdummyimc.so
-IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
+#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..b1c694107
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
index 3797993fa..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
@@ -1,4 +1,4 @@
#IMC configuration file for strongSwan client
IMC "Dummy" /usr/local/lib/libdummyimc.so
-IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
+#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy
@@ -0,0 +1 @@
+1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy
new file mode 100644
index 000000000..d8215dd3c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy
@@ -0,0 +1,40 @@
+#FTP - File Transfer Protocol
+TCP 20 = whatever
+TCP 21 = close
+
+#SSH - Secure Shell
+TCP 22 = whatever
+
+#Telnet
+TCP 23 = close
+
+#E-Mail
+#
+#SMTP - Simple Mail Transfer Protocol
+TCP 25 = close
+TCP 587 = close
+#POP3 - Post Office Protocol version 3
+TCP 110 = close
+TCP 995 = close
+
+#DNS - Domain Name System
+UDP 53 = close
+TCP 53 = close
+
+#BOOTP/DHCP - Bootstrap Protocol /
+#Dynamic Host Configuration Protocol
+UDP 67 = close
+#UDP 68 = open
+UDP 68 = whatever
+
+#www - World Wide Web
+#HTTP - Hypertext Transfer Protocol
+TCP 80 = close
+#HTTPS - Hypertext Transfer Protocol Secure
+TCP 443 = close
+
+#examples
+TCP 8080 = close
+TCP 5223 = whatever
+UDP 4444 = close
+UDP 631 = whatever
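Review bot: This hostscannerimv.policy is a byte-identical copy of the one added under rw-eap-tnc-11 (same blob `d8215dd3c`), and in both tests the HostScanner IMV line in tnc_config is commented out in this same commit, so the file is currently dead configuration. Either leave it out until `#IMV "HostScanner"` is re-enabled, or add a header comment saying it is kept for that purpose, so the two copies do not silently diverge later.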
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..122d798b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
index 67896d543..140caa98f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
@@ -1,4 +1,4 @@
#IMV configuration file for strongSwan server
IMV "Dummy" /usr/local/lib/libdummyimv.so
-IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
+#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
index ce897d181..1c8eebad5 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
@@ -6,9 +6,9 @@ carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
carol::sleep 1
carol::ipsec up home
dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
index 2c7a2dbd7..593ac4505 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
@@ -8,14 +8,16 @@ dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
-moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
-moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
+moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
+moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
index 3797993fa..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
@@ -1,4 +1,4 @@
#IMC configuration file for strongSwan client
IMC "Dummy" /usr/local/lib/libdummyimc.so
-IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
+#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
index 3797993fa..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
@@ -1,4 +1,4 @@
#IMC configuration file for strongSwan client
IMC "Dummy" /usr/local/lib/libdummyimc.so
-IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
+#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy
@@ -0,0 +1 @@
+1
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
index 67896d543..140caa98f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
@@ -1,4 +1,4 @@
#IMV configuration file for strongSwan server
IMV "Dummy" /usr/local/lib/libdummyimv.so
-IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
+#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-whitelist/description.txt b/testing/tests/ikev2/rw-whitelist/description.txt
new file mode 100644
index 000000000..6f52861e2
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/description.txt
@@ -0,0 +1,3 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+<b>moon</b> uses whitelisting to grant access to <b>carol</b> with ID <b>carol@strongswan.org</b>
+whereas since ID <b>dave@strongswan.org</b> is not listed, <b>dave</b> gets rejected.
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
new file mode 100644
index 000000000..733cfd844
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -0,0 +1,19 @@
+moon::cat /var/log/daemon.log::whitelist functionality was already enabled::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon::cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
+dave::ipsec status::home.*INSTALLED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::NO
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0b4cded6c
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
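Review bot: `conn rw` sets `right=%any` with neither `rightid` nor `rightca`, so at the IKE layer any certificate chaining to an installed CA authenticates, and the only identity restriction comes from the whitelist plugin configured in moon's strongswan.conf. That is the point of the test, but it means a copy of this conn on a gateway without the plugin loaded is open to every holder of a CA-issued certificate. A comment above `right=%any` such as `# peer identity is gated by the whitelist plugin (strongswan.conf), not by rightid/rightca` would make that dependency explicit.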
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..938b45518
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown
+ plugins {
+ whitelist {
+ enable = yes
+ }
+ }
+}
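Review bot: With `enable = yes` the plugin is active from daemon start, while the identities are only added afterwards by `ipsec whitelist add` in pretest.dat, so there is a window in which the enabled whitelist is empty; that is safe only if an empty enabled whitelist rejects every peer (fail-closed), which the evaltest line `whitelist functionality was already enabled` hints at but does not prove. Consider recording that in the block: `# enabled at startup: an empty whitelist rejects all peers until entries are added via 'ipsec whitelist add'`. If entries are not persisted across restarts (pretest.dat re-adds them on every run, so presumably not), that is worth stating in the same comment.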
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat
new file mode 100644
index 000000000..1777f439f
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat
new file mode 100644
index 000000000..c4ac77d77
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+moon::ipsec whitelist add alice@strongswan.org
+moon::ipsec whitelist add bob@strongswan.org
+moon::ipsec whitelist add carol@strongswan.org
+moon::ipsec whitelist enable
+moon::ipsec whitelist list
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/rw-whitelist/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"