595 files changed, 32681 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..e47cdedcc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*~
+*.old
+*.orig
+*.rej
diff --git a/.pc/.quilt_patches b/.pc/.quilt_patches
new file mode 100644
index 000000000..6857a8d44
--- /dev/null
+++ b/.pc/.quilt_patches
@@ -0,0 +1 @@
+debian/patches
diff --git a/.pc/.quilt_series b/.pc/.quilt_series
new file mode 100644
index 000000000..c2067066a
--- /dev/null
+++ b/.pc/.quilt_series
@@ -0,0 +1 @@
+series
diff --git a/.pc/.version b/.pc/.version
new file mode 100644
index 000000000..0cfbf0888
--- /dev/null
+++ b/.pc/.version
@@ -0,0 +1 @@
+2
diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt.old b/.pc/applied-patches
index e69de29bb..e69de29bb 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/index.txt.old
+++ b/.pc/applied-patches
diff --git a/Android.mk b/Android.mk
index 4c90f6340..8bf74c7a5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -53,7 +53,11 @@ strongswan_CFLAGS := \
 -DUSE_VSTR \
 -DROUTING_TABLE=0 \
 -DROUTING_TABLE_PRIO=220 \
+<<<<<<< HEAD
+ -DVERSION=\"4.5.0\" \
+=======
 -DVERSION=\"4.5.1\" \
+>>>>>>> upstream/4.5.1
 -DPLUGINS='"$(strongswan_PLUGINS)"' \
 -DIPSEC_DIR=\"/system/bin\" \
 -DIPSEC_PIDDIR=\"/data/misc/vpn\" \
diff --git a/Makefile.in b/Makefile.in
index eba785b0c..514a36ad7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -229,7 +229,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@ 
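Review bot: The new `*.old` pattern in `.gitignore` also matches the tracked test fixture `testing/hosts/winnetou/etc/openssl/duck/index.txt.old`, and that very path disappears from the tree in this same diff (it is shown as a rename to `.pc/applied-patches`, which is only git's 100% similarity match between two empty blobs, not a real move). If the OpenSSL CA index backup under the `duck` test CA is meant to stay, the pattern should be narrowed or the fixture re-added with a negation such as `!testing/hosts/winnetou/etc/openssl/duck/index.txt.old`; if the deletion is intended, it deserves a mention in the commit message. Separately, quilt's `.pc/` state directory (`.pc/applied-patches`, `.quilt_patches`, `.quilt_series`, `.version`) is mutable build state rather than source and is normally listed in `.gitignore` as `.pc/` next to the `*.orig` and `*.rej` entries added here, so it cannot silently change which patches are considered applied.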
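Review bot: Unresolved merge-conflict markers are committed into Android.mk inside the backslash-continued `strongswan_CFLAGS := \` assignment (the `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> upstream/4.5.1` lines around `-DVERSION`), so the file cannot be used as it stands: the `<<<<<<< HEAD` line carries no trailing backslash and therefore ends the assignment early, and make will most likely reject the following `-DVERSION=...` line with a missing-separator error. The resolution appears to be the upstream side, leaving a single `-DVERSION=\"4.5.1\" \` line, which also agrees with `PACKAGE_VERSION='4.5.1'` on the upstream side of the configure hunks in this diff. The same markers are committed into Makefile.in, NEWS and configure throughout this diff, so `./configure` will fail to parse as well and no build or package produced from this tree should be trusted until every file is resolved; running `git diff --check` (or `grep -rn '^<<<<<<< ' .`) before committing catches this. The `strongswan_CFLAGS` assignment starts at the hunk header and continues past the end of the hunk.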
@@ -268,8 +274,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -1,3 +1,5 @@ +<<<<<<< HEAD +======= strongswan-4.5.1 ---------------- @@ -72,6 +74,7 @@ strongswan-4.5.1 - The revocation and x509 libstrongswan plugins and the pki tool gained basic support for delta CRLs. +>>>>>>> upstream/4.5.1 strongswan-4.5.0 ---------------- @@ -1,6 +1,10 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. +<<<<<<< HEAD +# Generated by GNU Autoconf 2.67 for strongSwan 4.5.0. +======= # Generated by GNU Autoconf 2.67 for strongSwan 4.5.1. +>>>>>>> upstream/4.5.1 # # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -698,8 +702,13 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' +<<<<<<< HEAD +PACKAGE_VERSION='4.5.0' +PACKAGE_STRING='strongSwan 4.5.0' +======= PACKAGE_VERSION='4.5.1' PACKAGE_STRING='strongSwan 4.5.1' +>>>>>>> upstream/4.5.1 PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -753,18 +762,26 @@ USE_VSTR_FALSE USE_VSTR_TRUE USE_LIBCAP_FALSE USE_LIBCAP_TRUE +<<<<<<< HEAD +USE_FILE_CONFIG_FALSE +USE_FILE_CONFIG_TRUE +======= USE_IPSEC_SCRIPT_FALSE USE_IPSEC_SCRIPT_TRUE USE_FILE_CONFIG_FALSE USE_FILE_CONFIG_TRUE USE_LIBCHARON_FALSE USE_LIBCHARON_TRUE +>>>>>>> upstream/4.5.1 USE_LIBHYDRA_FALSE USE_LIBHYDRA_TRUE USE_LIBSTRONGSWAN_FALSE USE_LIBSTRONGSWAN_TRUE +<<<<<<< HEAD +======= USE_CONFTEST_FALSE USE_CONFTEST_TRUE +>>>>>>> upstream/4.5.1 USE_SCRIPTS_FALSE USE_SCRIPTS_TRUE USE_TOOLS_FALSE 
@@ -827,8 +844,11 @@ USE_SOCKET_RAW_FALSE USE_SOCKET_RAW_TRUE USE_SOCKET_DEFAULT_FALSE USE_SOCKET_DEFAULT_TRUE +<<<<<<< HEAD +======= USE_TNCCS_DYNAMIC_FALSE USE_TNCCS_DYNAMIC_TRUE +>>>>>>> upstream/4.5.1 USE_TNCCS_20_FALSE USE_TNCCS_20_TRUE USE_TNCCS_11_FALSE @@ -897,8 +917,11 @@ USE_MEDSRV_FALSE USE_MEDSRV_TRUE USE_STROKE_FALSE USE_STROKE_TRUE +<<<<<<< HEAD +======= USE_AF_ALG_FALSE USE_AF_ALG_TRUE +>>>>>>> upstream/4.5.1 USE_GCM_FALSE USE_GCM_TRUE USE_CCM_FALSE @@ -933,8 +956,11 @@ USE_PKCS1_FALSE USE_PKCS1_TRUE USE_PUBKEY_FALSE USE_PUBKEY_TRUE +<<<<<<< HEAD +======= USE_CONSTRAINTS_FALSE USE_CONSTRAINTS_TRUE +>>>>>>> upstream/4.5.1 USE_REVOCATION_FALSE USE_REVOCATION_TRUE USE_X509_FALSE @@ -961,8 +987,11 @@ USE_AES_FALSE USE_AES_TRUE USE_LDAP_FALSE USE_LDAP_TRUE +<<<<<<< HEAD +======= USE_SOUP_FALSE USE_SOUP_TRUE +>>>>>>> upstream/4.5.1 USE_CURL_FALSE USE_CURL_TRUE USE_TEST_VECTORS_FALSE @@ -994,14 +1023,22 @@ gtk_LIBS gtk_CFLAGS xml_LIBS xml_CFLAGS +<<<<<<< HEAD +======= soup_LIBS soup_CFLAGS +>>>>>>> upstream/4.5.1 PTHREADLIB RTLIB SOCKLIB BTLIB DLLIB ALLOCA +<<<<<<< HEAD +ipsecgid +ipsecuid +======= +>>>>>>> upstream/4.5.1 GPERF PERL YFLAGS @@ -1152,7 +1189,10 @@ with_xauth_module with_user with_group enable_curl +<<<<<<< HEAD +======= enable_soup +>>>>>>> upstream/4.5.1 enable_ldap enable_aes enable_des @@ -1166,7 +1206,10 @@ enable_gmp enable_random enable_x509 enable_revocation +<<<<<<< HEAD +======= enable_constraints +>>>>>>> upstream/4.5.1 enable_pubkey enable_pkcs1 enable_pgp @@ -1174,7 +1217,10 @@ enable_dnskey enable_pem enable_hmac enable_xcbc +<<<<<<< HEAD +======= enable_af_alg +>>>>>>> upstream/4.5.1 enable_test_vectors enable_mysql enable_sqlite @@ -1208,7 +1254,10 @@ enable_tnc_imc enable_tnc_imv enable_tnccs_11 enable_tnccs_20 +<<<<<<< HEAD +======= enable_tnccs_dynamic +>>>>>>> upstream/4.5.1 enable_kernel_netlink enable_kernel_pfkey enable_kernel_pfroute 
@@ -1232,7 +1281,10 @@ enable_threads enable_charon enable_tools enable_scripts +<<<<<<< HEAD +======= enable_conftest +>>>>>>> upstream/4.5.1 enable_updown enable_attr enable_attr_sql @@ -1278,8 +1330,11 @@ CPPFLAGS CPP YACC YFLAGS +<<<<<<< HEAD +======= soup_CFLAGS soup_LIBS +>>>>>>> upstream/4.5.1 xml_CFLAGS xml_LIBS gtk_CFLAGS @@ -1830,7 +1885,11 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF +<<<<<<< HEAD +\`configure' configures strongSwan 4.5.0 to adapt to many kinds of systems. +======= \`configure' configures strongSwan 4.5.1 to adapt to many kinds of systems. +>>>>>>> upstream/4.5.1 Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1900,7 +1959,11 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in +<<<<<<< HEAD + short | recursive ) echo "Configuration of strongSwan 4.5.0:";; +======= short | recursive ) echo "Configuration of strongSwan 4.5.1:";; +>>>>>>> upstream/4.5.1 esac cat <<\_ACEOF @@ -1910,8 +1973,11 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-curl enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl. +<<<<<<< HEAD +======= --enable-soup enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup. +>>>>>>> upstream/4.5.1 --enable-ldap enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP. --disable-aes disable AES software implementation plugin. 
@@ -1928,7 +1994,10 @@ Optional Features: --disable-random disable RNG implementation on top of /dev/(u)random. --disable-x509 disable X509 certificate implementation plugin. --disable-revocation disable X509 CRL/OCSP revocation check plugin. +<<<<<<< HEAD +======= --disable-constraints disable advanced X509 constraint checking plugin. +>>>>>>> upstream/4.5.1 --disable-pubkey disable RAW public key support plugin. --disable-pkcs1 disable PKCS1 key decoding plugin. --disable-pgp disable PGP key decoding plugin. @@ -1936,7 +2005,10 @@ Optional Features: --disable-pem disable PEM decoding plugin. --disable-hmac disable HMAC crypto implementation plugin. --disable-xcbc disable xcbc crypto implementation plugin. +<<<<<<< HEAD +======= --enable-af-alg enable AF_ALG crypto interface to Linux Crypto API. +>>>>>>> upstream/4.5.1 --enable-test-vectors enable plugin providing crypto test vectors. --enable-mysql enable MySQL database support. Requires libmysqlclient_r. @@ -1980,7 +2052,10 @@ Optional Features: --enable-tnc-imv enable TNC IMV module. --enable-tnccs-11 enable TNCCS 1.1 protocol module. --enable-tnccs-20 enable TNCCS 2.0 protocol module. +<<<<<<< HEAD +======= --enable-tnccs-dynamic enable dynamic TNCCS protocol discovery module. +>>>>>>> upstream/4.5.1 --disable-kernel-netlink disable the netlink kernel interface. --enable-kernel-pfkey enable the PF_KEY kernel interface. @@ -2016,7 +2091,10 @@ Optional Features: pki). --disable-scripts disable additional utilities (found in directory scripts). +<<<<<<< HEAD +======= --enable-conftest enforce Suite B conformance test framework. +>>>>>>> upstream/4.5.1 --disable-updown disable updown firewall script plugin. --disable-attr disable strongswan.conf based configuration attribute plugin. 
@@ -2119,8 +2197,11 @@ Some influential environment variables: YFLAGS The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of `-d' given by some make applications. +<<<<<<< HEAD +======= soup_CFLAGS C compiler flags for soup, overriding pkg-config soup_LIBS linker flags for soup, overriding pkg-config +>>>>>>> upstream/4.5.1 xml_CFLAGS C compiler flags for xml, overriding pkg-config xml_LIBS linker flags for xml, overriding pkg-config gtk_CFLAGS C compiler flags for gtk, overriding pkg-config @@ -2197,7 +2278,11 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF +<<<<<<< HEAD +strongSwan configure 4.5.0 +======= strongSwan configure 4.5.1 +>>>>>>> upstream/4.5.1 generated by GNU Autoconf 2.67 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2673,7 +2758,11 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. +<<<<<<< HEAD +It was created by strongSwan $as_me 4.5.0, which was +======= It was created by strongSwan $as_me 4.5.1, which was +>>>>>>> upstream/4.5.1 generated by GNU Autoconf 2.67. Invocation command line was $ $0 $@ @@ -3488,7 +3577,11 @@ fi # Define the identity of the package. PACKAGE='strongswan' +<<<<<<< HEAD + VERSION='4.5.0' +======= VERSION='4.5.1' +>>>>>>> upstream/4.5.1 cat >>confdefs.h <<_ACEOF @@ -3976,6 +4069,8 @@ else fi +<<<<<<< HEAD +======= # Check whether --enable-soup was given. if test "${enable_soup+set}" = set; then : enableval=$enable_soup; soup_given=true @@ -3991,6 +4086,7 @@ else fi +>>>>>>> upstream/4.5.1 # Check whether --enable-ldap was given. if test "${enable_ldap+set}" = set; then : enableval=$enable_ldap; ldap_given=true 
@@ -4186,6 +4282,8 @@ else fi +<<<<<<< HEAD +======= # Check whether --enable-constraints was given. if test "${enable_constraints+set}" = set; then : enableval=$enable_constraints; constraints_given=true @@ -4201,6 +4299,7 @@ else fi +>>>>>>> upstream/4.5.1 # Check whether --enable-pubkey was given. if test "${enable_pubkey+set}" = set; then : enableval=$enable_pubkey; pubkey_given=true @@ -4306,6 +4405,8 @@ else fi +<<<<<<< HEAD +======= # Check whether --enable-af-alg was given. if test "${enable_af_alg+set}" = set; then : enableval=$enable_af_alg; af_alg_given=true @@ -4321,6 +4422,7 @@ else fi +>>>>>>> upstream/4.5.1 # Check whether --enable-test-vectors was given. if test "${enable_test_vectors+set}" = set; then : enableval=$enable_test_vectors; test_vectors_given=true @@ -4816,6 +4918,8 @@ else fi +<<<<<<< HEAD +======= # Check whether --enable-tnccs-dynamic was given. if test "${enable_tnccs_dynamic+set}" = set; then : enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true @@ -4831,6 +4935,7 @@ else fi +>>>>>>> upstream/4.5.1 # Check whether --enable-kernel-netlink was given. if test "${enable_kernel_netlink+set}" = set; then : enableval=$enable_kernel_netlink; kernel_netlink_given=true @@ -5176,6 +5281,8 @@ else fi +<<<<<<< HEAD +======= # Check whether --enable-conftest was given. if test "${enable_conftest+set}" = set; then : enableval=$enable_conftest; conftest_given=true @@ -5191,6 +5298,7 @@ else fi +>>>>>>> upstream/4.5.1 # Check whether --enable-updown was given. if test "${enable_updown+set}" = set; then : enableval=$enable_updown; updown_given=true 
@@ -7873,6 +7981,15 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext +<<<<<<< HEAD + (eval echo "\"\$as_me:7772: $ac_compile\"" >&5) + (eval "$ac_compile" 2>conftest.err) + cat conftest.err >&5 + (eval echo "\"\$as_me:7775: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) + cat conftest.err >&5 + (eval echo "\"\$as_me:7778: output\"" >&5) +======= (eval echo "\"\$as_me:7876: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 @@ -7880,6 +7997,7 @@ else (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 (eval echo "\"\$as_me:7882: output\"" >&5) +>>>>>>> upstream/4.5.1 cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -9084,7 +9202,11 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. +<<<<<<< HEAD + echo '#line 8983 "configure"' > conftest.$ac_ext +======= echo '#line 9087 "configure"' > conftest.$ac_ext +>>>>>>> upstream/4.5.1 if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -10346,11 +10468,19 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` +<<<<<<< HEAD + (eval echo "\"\$as_me:10245: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 + echo "$as_me:10249: \$? = $ac_status" >&5 +======= (eval echo "\"\$as_me:10349: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 echo "$as_me:10353: \$? = $ac_status" >&5 +>>>>>>> upstream/4.5.1 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -10685,11 +10815,19 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` +<<<<<<< HEAD + (eval echo "\"\$as_me:10584: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 + echo "$as_me:10588: \$? = $ac_status" >&5 +======= (eval echo "\"\$as_me:10688: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 echo "$as_me:10692: \$? = $ac_status" >&5 +>>>>>>> upstream/4.5.1 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -10790,11 +10928,19 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` +<<<<<<< HEAD + (eval echo "\"\$as_me:10689: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 + echo "$as_me:10693: \$? = $ac_status" >&5 +======= (eval echo "\"\$as_me:10793: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 echo "$as_me:10797: \$? = $ac_status" >&5 +>>>>>>> upstream/4.5.1 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -10845,11 +10991,19 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` +<<<<<<< HEAD + (eval echo "\"\$as_me:10744: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 + echo "$as_me:10748: \$? = $ac_status" >&5 +======= (eval echo "\"\$as_me:10848: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 echo "$as_me:10852: \$? = $ac_status" >&5 +>>>>>>> upstream/4.5.1 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13229,7 +13383,11 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF +<<<<<<< HEAD +#line 13128 "configure" +======= #line 13232 "configure" +>>>>>>> upstream/4.5.1 #include "confdefs.h" #if HAVE_DLFCN_H @@ -13325,7 +13483,11 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF +<<<<<<< HEAD +#line 13224 "configure" +======= #line 13328 "configure" +>>>>>>> upstream/4.5.1 #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -13959,6 +14121,30 @@ else $as_echo "not found" >&6; } fi +<<<<<<< HEAD +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid of user \"$ipsecuser\"" >&5 +$as_echo_n "checking for uid of user \"$ipsecuser\"... " >&6; } +ipsecuid=`id -u $ipsecuser 2>/dev/null` +if test -n "$ipsecuid"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecuid" >&5 +$as_echo "$ipsecuid" >&6; } + +else + as_fn_error $? "not found" "$LINENO" 5 +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gid of group \"$ipsecgroup\"" >&5 +$as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; } +ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` +if test -n "$ipsecgid"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecgid" >&5 +$as_echo "$ipsecgid" >&6; } + +else + as_fn_error $? "not found" "$LINENO" 5 +fi + +======= +>>>>>>> upstream/4.5.1 if test x$eap_aka_3gpp2 = xtrue; then gmp=true; @@ -13984,7 +14170,11 @@ if test x$fips_prf = xtrue; then fi fi +<<<<<<< HEAD +if test x$smp = xtrue; then +======= if test x$smp = xtrue -o x$tnccs_11 = xtrue; then +>>>>>>> upstream/4.5.1 xml=true fi @@ -15330,6 +15520,8 @@ fi fi +<<<<<<< HEAD +======= if test x$soup = xtrue; then pkg_failed=no @@ -15424,6 +15616,7 @@ fi fi +>>>>>>> upstream/4.5.1 if test x$xml = xtrue; then pkg_failed=no @@ -16108,6 +16301,20 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +<<<<<<< HEAD +if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then + ac_fn_c_check_header_mongrel "$LINENO" "libtnc.h" "ac_cv_header_libtnc_h" "$ac_includes_default" +if test "x$ac_cv_header_libtnc_h" = x""yes; then : + +else + as_fn_error $? "libtnc header libtnc.h not found!" "$LINENO" 5 +fi + + +fi + +======= +>>>>>>> upstream/4.5.1 if test x$uci = xtrue; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5 $as_echo_n "checking for main in -luci... " >&6; } 
@@ -16710,6 +16917,8 @@ if test x$curl = xtrue; then libcharon_plugins=${libcharon_plugins}" curl" pluto_plugins=${pluto_plugins}" curl" scepclient_plugins=${scepclient_plugins}" curl" +<<<<<<< HEAD +======= scripts_plugins=${scripts_plugins}" curl" fi @@ -16719,6 +16928,7 @@ if test x$soup = xtrue; then libcharon_plugins=${libcharon_plugins}" soup" pluto_plugins=${pluto_plugins}" soup" scripts_plugins=${scripts_plugins}" soup" +>>>>>>> upstream/4.5.1 fi @@ -16727,7 +16937,10 @@ if test x$ldap = xtrue; then libcharon_plugins=${libcharon_plugins}" ldap" pluto_plugins=${pluto_plugins}" ldap" scepclient_plugins=${scepclient_plugins}" ldap" +<<<<<<< HEAD +======= scripts_plugins=${scripts_plugins}" ldap" +>>>>>>> upstream/4.5.1 fi @@ -16857,12 +17070,15 @@ if test x$revocation = xtrue; then fi +<<<<<<< HEAD +======= if test x$constraints = xtrue; then s_plugins=${s_plugins}" constraints" libcharon_plugins=${libcharon_plugins}" constraints" fi +>>>>>>> upstream/4.5.1 if test x$pubkey = xtrue; then s_plugins=${s_plugins}" pubkey" libcharon_plugins=${libcharon_plugins}" pubkey" @@ -17007,6 +17223,8 @@ if test x$gcm = xtrue; then fi +<<<<<<< HEAD +======= if test x$af_alg = xtrue; then s_plugins=${s_plugins}" af-alg" libcharon_plugins=${libcharon_plugins}" af-alg" @@ -17019,6 +17237,7 @@ if test x$af_alg = xtrue; then fi +>>>>>>> upstream/4.5.1 if test x$xauth = xtrue; then p_plugins=${p_plugins}" xauth" pluto_plugins=${pluto_plugins}" xauth" @@ -17039,12 +17258,15 @@ if test x$attr_sql = xtrue; then fi +<<<<<<< HEAD +======= if test x$load_tester = xtrue; then c_plugins=${c_plugins}" load-tester" libcharon_plugins=${libcharon_plugins}" load-tester" fi +>>>>>>> upstream/4.5.1 if test x$kernel_pfkey = xtrue; then h_plugins=${h_plugins}" kernel-pfkey" libcharon_plugins=${libcharon_plugins}" kernel-pfkey" 
@@ -17080,6 +17302,15 @@ if test x$resolve = xtrue; then fi +<<<<<<< HEAD +if test x$load_tester = xtrue; then + c_plugins=${c_plugins}" load-tester" + libcharon_plugins=${libcharon_plugins}" load-tester" + + fi + +======= +>>>>>>> upstream/4.5.1 if test x$socket_default = xtrue; then c_plugins=${c_plugins}" socket-default" libcharon_plugins=${libcharon_plugins}" socket-default" @@ -17218,9 +17449,21 @@ if test x$eap_tnc = xtrue; then fi +<<<<<<< HEAD +if test x$tnc_imc = xtrue; then + c_plugins=${c_plugins}" tnc-imc" + libcharon_plugins=${libcharon_plugins}" tnc-imc" + + fi + +if test x$tnc_imv = xtrue; then + c_plugins=${c_plugins}" tnc-imv" + libcharon_plugins=${libcharon_plugins}" tnc-imv" +======= if test x$tnccs_20 = xtrue; then c_plugins=${c_plugins}" tnccs-20" libcharon_plugins=${libcharon_plugins}" tnccs-20" +>>>>>>> upstream/4.5.1 fi @@ -17230,6 +17473,11 @@ if test x$tnccs_11 = xtrue; then fi +<<<<<<< HEAD +if test x$tnccs_20 = xtrue; then + c_plugins=${c_plugins}" tnccs-20" + libcharon_plugins=${libcharon_plugins}" tnccs-20" +======= if test x$tnccs_dynamic = xtrue; then c_plugins=${c_plugins}" tnccs-dynamic" libcharon_plugins=${libcharon_plugins}" tnccs-dynamic" @@ -17245,6 +17493,7 @@ if test x$tnc_imc = xtrue; then if test x$tnc_imv = xtrue; then c_plugins=${c_plugins}" tnc-imv" libcharon_plugins=${libcharon_plugins}" tnc-imv" +>>>>>>> upstream/4.5.1 fi @@ -17347,6 +17596,8 @@ else USE_CURL_FALSE= fi +<<<<<<< HEAD +======= if test x$soup = xtrue; then USE_SOUP_TRUE= USE_SOUP_FALSE='#' @@ -17355,6 +17606,7 @@ else USE_SOUP_FALSE= fi +>>>>>>> upstream/4.5.1 if test x$ldap = xtrue; then USE_LDAP_TRUE= USE_LDAP_FALSE='#' @@ -17459,6 +17711,8 @@ else USE_REVOCATION_FALSE= fi +<<<<<<< HEAD +======= if test x$constraints = xtrue; then USE_CONSTRAINTS_TRUE= USE_CONSTRAINTS_FALSE='#' @@ -17467,6 +17721,7 @@ else USE_CONSTRAINTS_FALSE= fi +>>>>>>> upstream/4.5.1 if test x$pubkey = xtrue; then USE_PUBKEY_TRUE= USE_PUBKEY_FALSE='#' 
@@ -17603,6 +17858,8 @@ else USE_GCM_FALSE= fi +<<<<<<< HEAD +======= if test x$af_alg = xtrue; then USE_AF_ALG_TRUE= USE_AF_ALG_FALSE='#' @@ -17611,6 +17868,7 @@ else USE_AF_ALG_FALSE= fi +>>>>>>> upstream/4.5.1 if test x$stroke = xtrue; then USE_STROKE_TRUE= @@ -17884,6 +18142,8 @@ else USE_TNCCS_20_FALSE= fi +<<<<<<< HEAD +======= if test x$tnccs_dynamic = xtrue; then USE_TNCCS_DYNAMIC_TRUE= USE_TNCCS_DYNAMIC_FALSE='#' @@ -17892,6 +18152,7 @@ else USE_TNCCS_DYNAMIC_FALSE= fi +>>>>>>> upstream/4.5.1 if test x$socket_default = xtrue; then USE_SOCKET_DEFAULT_TRUE= USE_SOCKET_DEFAULT_FALSE='#' @@ -18143,6 +18404,9 @@ else USE_SCRIPTS_FALSE= fi +<<<<<<< HEAD + if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue; then +======= if test x$conftest = xtrue; then USE_CONFTEST_TRUE= USE_CONFTEST_FALSE='#' @@ -18152,6 +18416,7 @@ else fi if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then +>>>>>>> upstream/4.5.1 USE_LIBSTRONGSWAN_TRUE= USE_LIBSTRONGSWAN_FALSE='#' else @@ -18167,6 +18432,8 @@ else USE_LIBHYDRA_FALSE= fi +<<<<<<< HEAD +======= if test x$charon = xtrue -o x$conftest = xtrue; then USE_LIBCHARON_TRUE= USE_LIBCHARON_FALSE='#' @@ -18175,6 +18442,7 @@ else USE_LIBCHARON_FALSE= fi +>>>>>>> upstream/4.5.1 if test x$pluto = xtrue -o x$stroke = xtrue; then USE_FILE_CONFIG_TRUE= USE_FILE_CONFIG_FALSE='#' @@ -18183,6 +18451,8 @@ else USE_FILE_CONFIG_FALSE= fi +<<<<<<< HEAD +======= if test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then USE_IPSEC_SCRIPT_TRUE= USE_IPSEC_SCRIPT_FALSE='#' @@ -18191,6 +18461,7 @@ else USE_IPSEC_SCRIPT_FALSE= fi +>>>>>>> upstream/4.5.1 if test x$capabilities = xlibcap; then USE_LIBCAP_TRUE= USE_LIBCAP_FALSE='#' 
@@ -18248,7 +18519,11 @@ fi +<<<<<<< HEAD +ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile 
src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile" +======= ac_config_files="$ac_config_files Makefile man/Makefile 
src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile 
src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile" +>>>>>>> 
upstream/4.5.1 cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -18409,10 +18684,13 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then as_fn_error $? "conditional \"USE_CURL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +<<<<<<< HEAD +======= if test -z "${USE_SOUP_TRUE}" && test -z "${USE_SOUP_FALSE}"; then as_fn_error $? "conditional \"USE_SOUP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +>>>>>>> upstream/4.5.1 if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then as_fn_error $? "conditional \"USE_LDAP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18465,10 +18743,13 @@ if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then as_fn_error $? "conditional \"USE_REVOCATION\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +<<<<<<< HEAD +======= if test -z "${USE_CONSTRAINTS_TRUE}" && test -z "${USE_CONSTRAINTS_FALSE}"; then as_fn_error $? "conditional \"USE_CONSTRAINTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +>>>>>>> upstream/4.5.1 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then as_fn_error $? "conditional \"USE_PUBKEY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -18537,10 +18818,13 @@ if test -z "${USE_GCM_TRUE}" && test -z "${USE_GCM_FALSE}"; then as_fn_error $? "conditional \"USE_GCM\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +<<<<<<< HEAD +======= if test -z "${USE_AF_ALG_TRUE}" && test -z "${USE_AF_ALG_FALSE}"; then as_fn_error $? "conditional \"USE_AF_ALG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +>>>>>>> upstream/4.5.1 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then as_fn_error $? "conditional \"USE_STROKE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18677,10 +18961,13 @@ if test -z "${USE_TNCCS_20_TRUE}" && test -z "${USE_TNCCS_20_FALSE}"; then as_fn_error $? "conditional \"USE_TNCCS_20\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +<<<<<<< HEAD +======= if test -z "${USE_TNCCS_DYNAMIC_TRUE}" && test -z "${USE_TNCCS_DYNAMIC_FALSE}"; then as_fn_error $? "conditional \"USE_TNCCS_DYNAMIC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +>>>>>>> upstream/4.5.1 if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -18805,10 +19092,13 @@ if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then as_fn_error $? "conditional \"USE_SCRIPTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +<<<<<<< HEAD +======= if test -z "${USE_CONFTEST_TRUE}" && test -z "${USE_CONFTEST_FALSE}"; then as_fn_error $? "conditional \"USE_CONFTEST\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +>>>>>>> upstream/4.5.1 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then as_fn_error $? "conditional \"USE_LIBSTRONGSWAN\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18817,18 +19107,24 @@ if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then as_fn_error $? "conditional \"USE_LIBHYDRA\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +<<<<<<< HEAD +======= if test -z "${USE_LIBCHARON_TRUE}" && test -z "${USE_LIBCHARON_FALSE}"; then as_fn_error $? "conditional \"USE_LIBCHARON\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +>>>>>>> upstream/4.5.1 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +<<<<<<< HEAD +======= if test -z "${USE_IPSEC_SCRIPT_TRUE}" && test -z "${USE_IPSEC_SCRIPT_FALSE}"; then as_fn_error $? "conditional \"USE_IPSEC_SCRIPT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +>>>>>>> upstream/4.5.1 if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then as_fn_error $? "conditional \"USE_LIBCAP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -19257,7 +19553,11 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" +<<<<<<< HEAD +This file was extended by strongSwan $as_me 4.5.0, which was +======= This file was extended by strongSwan $as_me 4.5.1, which was +>>>>>>> upstream/4.5.1 generated by GNU Autoconf 2.67. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19314,7 +19614,11 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ +<<<<<<< HEAD +strongSwan config.status 4.5.0 +======= strongSwan config.status 4.5.1 +>>>>>>> upstream/4.5.1 configured by $0, generated by GNU Autoconf 2.67, with options \\"\$ac_cs_config\\" 
@@ -19708,14 +20012,20 @@ do "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;; "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;; "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;; +<<<<<<< HEAD +======= "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;; +>>>>>>> upstream/4.5.1 "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;; "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;; "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;; "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;; "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;; "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;; +<<<<<<< HEAD +======= "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;; +>>>>>>> upstream/4.5.1 "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;; "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;; "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;; 
@@ -19727,7 +20037,10 @@ do "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;; "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;; "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;; +<<<<<<< HEAD +======= "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;; +>>>>>>> upstream/4.5.1 "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;; "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;; "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;; @@ -19764,7 +20077,10 @@ do "src/libcharon/plugins/tnc_imv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imv/Makefile" ;; "src/libcharon/plugins/tnccs_11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_11/Makefile" ;; "src/libcharon/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_20/Makefile" ;; +<<<<<<< HEAD +======= "src/libcharon/plugins/tnccs_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_dynamic/Makefile" ;; +>>>>>>> upstream/4.5.1 "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;; "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;; "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;; 
@@ -19800,7 +20116,10 @@ do "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;; "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;; "src/checksum/Makefile") CONFIG_FILES="$CONFIG_FILES src/checksum/Makefile" ;; +<<<<<<< HEAD +======= "src/conftest/Makefile") CONFIG_FILES="$CONFIG_FILES src/conftest/Makefile" ;; +>>>>>>> upstream/4.5.1 "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;; "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;; diff --git a/configure.in b/configure.in index 823456239..c5edfe761 100644 --- a/configure.in +++ b/configure.in @@ -16,7 +16,11 @@ dnl =========================== dnl initialize & set some vars dnl =========================== +<<<<<<< HEAD +AC_INIT(strongSwan,4.5.0) +======= AC_INIT(strongSwan,4.5.1) +>>>>>>> upstream/4.5.1 AM_INIT_AUTOMAKE(tar-ustar) AC_CONFIG_MACRO_DIR([m4/config]) PKG_PROG_PKG_CONFIG @@ -66,7 +70,10 @@ AC_ARG_WITH( m4_include(m4/macros/enable-disable.m4) ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.]) +<<<<<<< HEAD +======= ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.]) +>>>>>>> upstream/4.5.1 ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.]) ARG_DISBL_SET([aes], [disable AES software implementation plugin.]) ARG_DISBL_SET([des], [disable DES/3DES software implementation plugin.]) 
@@ -80,7 +87,10 @@ ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementa ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.]) ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.]) ARG_DISBL_SET([revocation], [disable X509 CRL/OCSP revocation check plugin.]) +<<<<<<< HEAD +======= ARG_DISBL_SET([constraints], [disable advanced X509 constraint checking plugin.]) +>>>>>>> upstream/4.5.1 ARG_DISBL_SET([pubkey], [disable RAW public key support plugin.]) ARG_DISBL_SET([pkcs1], [disable PKCS1 key decoding plugin.]) ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.]) @@ -88,7 +98,10 @@ ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.]) ARG_DISBL_SET([pem], [disable PEM decoding plugin.]) ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) +<<<<<<< HEAD +======= ARG_ENABL_SET([af-alg], [enable AF_ALG crypto interface to Linux Crypto API.]) +>>>>>>> upstream/4.5.1 ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.]) ARG_ENABL_SET([mysql], [enable MySQL database support. Requires libmysqlclient_r.]) ARG_ENABL_SET([sqlite], [enable SQLite database support. Requires libsqlite3.]) @@ -122,7 +135,10 @@ ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.]) ARG_ENABL_SET([tnc-imv], [enable TNC IMV module.]) ARG_ENABL_SET([tnccs-11], [enable TNCCS 1.1 protocol module.]) ARG_ENABL_SET([tnccs-20], [enable TNCCS 2.0 protocol module.]) +<<<<<<< HEAD +======= ARG_ENABL_SET([tnccs-dynamic], [enable dynamic TNCCS protocol discovery module.]) +>>>>>>> upstream/4.5.1 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.]) ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.]) ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.]) 
@@ -146,7 +162,10 @@ ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon alw ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.]) ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).]) ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).]) +<<<<<<< HEAD +======= ARG_ENABL_SET([conftest], [enforce Suite B conformance test framework.]) +>>>>>>> upstream/4.5.1 ARG_DISBL_SET([updown], [disable updown firewall script plugin.]) ARG_DISBL_SET([attr], [disable strongswan.conf based configuration attribute plugin.]) ARG_ENABL_SET([attr-sql], [enable SQL based configuration attribute plugin.]) @@ -206,6 +225,27 @@ else AC_MSG_RESULT([not found]) fi +<<<<<<< HEAD +dnl translate user/group to numercial ids +AC_MSG_CHECKING([for uid of user "$ipsecuser"]) +ipsecuid=`id -u $ipsecuser 2>/dev/null` +if test -n "$ipsecuid"; then + AC_MSG_RESULT([$ipsecuid]) + AC_SUBST(ipsecuid) +else + AC_MSG_ERROR([not found]) +fi +AC_MSG_CHECKING([for gid of group "$ipsecgroup"]) +ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` +if test -n "$ipsecgid"; then + AC_MSG_RESULT([$ipsecgid]) + AC_SUBST(ipsecgid) +else + AC_MSG_ERROR([not found]) +fi + +======= +>>>>>>> upstream/4.5.1 dnl ========================= dnl dependency calculation dnl ========================= @@ -234,7 +274,11 @@ if test x$fips_prf = xtrue; then fi fi +<<<<<<< HEAD +if test x$smp = xtrue; then +======= if test x$smp = xtrue -o x$tnccs_11 = xtrue; then +>>>>>>> upstream/4.5.1 xml=true fi @@ -500,12 +544,15 @@ if test x$curl = xtrue; then AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])]) fi +<<<<<<< HEAD +======= if test x$soup = xtrue; then PKG_CHECK_MODULES(soup, [libsoup-2.4]) AC_SUBST(soup_CFLAGS) AC_SUBST(soup_LIBS) fi +>>>>>>> upstream/4.5.1 if test x$xml = xtrue; then PKG_CHECK_MODULES(xml, [libxml-2.0]) AC_SUBST(xml_CFLAGS) 
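Review bot: The `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> upstream/4.5.1` markers are committed as file content in this hunk (and in the neighbouring hunks of configure.in, configure and Makefile.in), so autoconf will fail on them before any of the logic is evaluated; the conflict needs to be resolved, not shipped. On the HEAD side the uid/gid of `$ipsecuser`/`$ipsecgroup` are resolved on the build host and substituted into the build, which for a distribution package built on a buildd means the daemon later drops privileges to whatever numeric ids those names happened to have on the build machine rather than on the installing system; the upstream side drops this block entirely, presumably in favour of resolving the names at run time, and that side looks like the one to keep. If the block is retained anyway, `$EGREP "^$ipsecgroup:" /etc/group` only sees local groups while `id -u $ipsecuser` goes through NSS, so the two lookups can disagree on LDAP/sssd hosts; `ipsecgid=\`getent group "$ipsecgroup" | $AWK -F: '{ print $3 }'\`` keeps them consistent and also stops an unquoted `$ipsecgroup` from being interpreted as a regex.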
@@ -600,6 +647,13 @@ if test x$gcrypt = xtrue; then ) fi +<<<<<<< HEAD +if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then + AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR([libtnc header libtnc.h not found!])]) +fi + +======= +>>>>>>> upstream/4.5.1 if test x$uci = xtrue; then AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])]) AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])]) @@ -697,9 +751,14 @@ h_plugins= s_plugins= ADD_PLUGIN([test-vectors], [s libcharon pluto openac scepclient pki]) +<<<<<<< HEAD +ADD_PLUGIN([curl], [s libcharon pluto scepclient]) +ADD_PLUGIN([ldap], [s libcharon pluto scepclient]) +======= ADD_PLUGIN([curl], [s libcharon pluto scepclient scripts]) ADD_PLUGIN([soup], [s libcharon pluto scripts]) ADD_PLUGIN([ldap], [s libcharon pluto scepclient scripts]) +>>>>>>> upstream/4.5.1 ADD_PLUGIN([mysql], [s libcharon pluto pool manager medsrv]) ADD_PLUGIN([sqlite], [s libcharon pluto pool manager medsrv]) ADD_PLUGIN([aes], [s libcharon pluto openac scepclient pki scripts]) @@ -712,7 +771,10 @@ ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki]) ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv]) ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts]) ADD_PLUGIN([revocation], [s libcharon]) +<<<<<<< HEAD +======= ADD_PLUGIN([constraints], [s libcharon]) +>>>>>>> upstream/4.5.1 ADD_PLUGIN([pubkey], [s libcharon]) ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv]) ADD_PLUGIN([pgp], [s libcharon pluto]) 
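Review bot: The HEAD side of this hunk keeps the `AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR(...)])` guard for tnccs_11/tnc_imc/tnc_imv while the upstream side deletes it, and both alternatives are left in the file behind conflict markers, so configure.in is not valid input as committed. Which side is correct depends on whether the 4.5.1 TNC plugins still link against libtnc; the `-o x$tnccs_11 = xtrue` addition to the libxml dependency in the previous hunk suggests tnccs_11 was reworked upstream, so the deletion is probably intentional, but that should be confirmed against the plugins' Makefile.am before the check is dropped. Otherwise a missing libtnc will only surface as a link error instead of a clear configure-time message.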
@@ -730,16 +792,26 @@ ADD_PLUGIN([hmac], [s libcharon pluto scripts]) ADD_PLUGIN([ctr], [s libcharon scripts]) ADD_PLUGIN([ccm], [s libcharon scripts]) ADD_PLUGIN([gcm], [s libcharon scripts]) +<<<<<<< HEAD +ADD_PLUGIN([xauth], [p pluto]) +ADD_PLUGIN([attr], [h libcharon pluto]) +ADD_PLUGIN([attr-sql], [h libcharon pluto]) +======= ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv]) ADD_PLUGIN([xauth], [p pluto]) ADD_PLUGIN([attr], [h libcharon pluto]) ADD_PLUGIN([attr-sql], [h libcharon pluto]) ADD_PLUGIN([load-tester], [c libcharon]) +>>>>>>> upstream/4.5.1 ADD_PLUGIN([kernel-pfkey], [h libcharon pluto]) ADD_PLUGIN([kernel-pfroute], [h libcharon pluto]) ADD_PLUGIN([kernel-klips], [h libcharon pluto]) ADD_PLUGIN([kernel-netlink], [h libcharon pluto]) ADD_PLUGIN([resolve], [h libcharon pluto]) +<<<<<<< HEAD +ADD_PLUGIN([load-tester], [c libcharon]) +======= +>>>>>>> upstream/4.5.1 ADD_PLUGIN([socket-default], [c libcharon]) ADD_PLUGIN([socket-raw], [c libcharon]) ADD_PLUGIN([socket-dynamic], [c libcharon]) @@ -763,11 +835,18 @@ ADD_PLUGIN([eap-radius], [c libcharon]) ADD_PLUGIN([eap-tls], [c libcharon]) ADD_PLUGIN([eap-ttls], [c libcharon]) ADD_PLUGIN([eap-tnc], [c libcharon]) +<<<<<<< HEAD +ADD_PLUGIN([tnc-imc], [c libcharon]) +ADD_PLUGIN([tnc-imv], [c libcharon]) +ADD_PLUGIN([tnccs-11], [c libcharon]) +ADD_PLUGIN([tnccs-20], [c libcharon]) +======= ADD_PLUGIN([tnccs-20], [c libcharon]) ADD_PLUGIN([tnccs-11], [c libcharon]) ADD_PLUGIN([tnccs-dynamic], [c libcharon]) ADD_PLUGIN([tnc-imc], [c libcharon]) ADD_PLUGIN([tnc-imv], [c libcharon]) +>>>>>>> upstream/4.5.1 ADD_PLUGIN([medsrv], [c libcharon]) ADD_PLUGIN([medcli], [c libcharon]) ADD_PLUGIN([nm], [c libcharon]) 
@@ -803,7 +882,10 @@ dnl libstrongswan plugins dnl ===================== AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue) AM_CONDITIONAL(USE_CURL, test x$curl = xtrue) +<<<<<<< HEAD +======= AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue) +>>>>>>> upstream/4.5.1 AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue) AM_CONDITIONAL(USE_AES, test x$aes = xtrue) AM_CONDITIONAL(USE_DES, test x$des = xtrue) @@ -817,7 +899,10 @@ AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) AM_CONDITIONAL(USE_X509, test x$x509 = xtrue) AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue) +<<<<<<< HEAD +======= AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue) +>>>>>>> upstream/4.5.1 AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue) AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue) AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue) @@ -835,7 +920,10 @@ AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue) AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue) AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue) AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue) +<<<<<<< HEAD +======= AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue) +>>>>>>> upstream/4.5.1 dnl charon plugins dnl ============== @@ -873,7 +961,10 @@ AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue) AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue) AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue) AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue) +<<<<<<< HEAD +======= AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue) +>>>>>>> upstream/4.5.1 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue) AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue) AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue) 
@@ -914,12 +1005,18 @@ AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue) AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue) AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue) AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue) +<<<<<<< HEAD +AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue) +AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue) +AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue) +======= AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue) AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue) AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue) AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue) +>>>>>>> upstream/4.5.1 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue) AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue) @@ -965,14 +1062,20 @@ AC_OUTPUT( src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile +<<<<<<< HEAD +======= src/libstrongswan/plugins/constraints/Makefile +>>>>>>> upstream/4.5.1 src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile +<<<<<<< HEAD +======= src/libstrongswan/plugins/soup/Makefile +>>>>>>> upstream/4.5.1 src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile 
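Review bot: Only the upstream side of this hunk defines `USE_CONFTEST`, `USE_LIBCHARON` and `USE_IPSEC_SCRIPT`, and the HEAD alternative carries nothing Debian-specific, yet both are committed behind unresolved conflict markers. If the conflict is later resolved towards HEAD, every Makefile.am that tests one of those conditionals will fail at automake time with an undefined conditional, and the generated configure in this same commit already contains the matching "conditional ... was never defined" checks for them. Resolve this hunk to the upstream side and drop the markers: `AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)`, `AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue)` and the `USE_IPSEC_SCRIPT` line are the ones the 4.5.1 tree expects.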
@@ -984,7 +1087,10 @@ AC_OUTPUT( src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile +<<<<<<< HEAD +======= src/libstrongswan/plugins/af_alg/Makefile +>>>>>>> upstream/4.5.1 src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile @@ -1021,7 +1127,10 @@ AC_OUTPUT( src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile +<<<<<<< HEAD +======= src/libcharon/plugins/tnccs_dynamic/Makefile +>>>>>>> upstream/4.5.1 src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile @@ -1057,7 +1166,10 @@ AC_OUTPUT( src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile +<<<<<<< HEAD +======= src/conftest/Makefile +>>>>>>> upstream/4.5.1 scripts/Makefile testing/Makefile ) diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 000000000..dfdd1a4a7 --- /dev/null +++ b/debian/NEWS 
@@ -0,0 +1,36 @@ +strongswan (4.5.0-1) unstable; urgency=low + + Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the + default. This can easily be changed using the keyexchange=ikev1 config + option (either in the respective "conn" section or by putting it in the + "default" section and therefore applying it to all existing connections). + + The IKEv2 protocol has less overhead, more features (e.g. NAT-Traversal by + default, MOBIKE, Mobile IPv6), and provides better error messages in case + the connection can not be established. It is therefore highly recommended + to use it when the other side also supports it. + + Addtionally, strongswan 4.5.0-1 now enables support for NAT Traversal in + combination with IPsec transport mode (the support for this has existed + for a long time, but was disabled due to security concerns). This is + required e.g. to let mobile phone clients (notably Android, iPhone) + connect to an L2TP/IPsec gateway using strongswan. The security + implications as described in the original README.NAT-Traversal file from + the openswan distribution are: + + * Transport Mode can't be used without NAT in the IPSec layer. Otherwise, + all packets for the NAT device (including all hosts behind it) would be + sent to the NAT-T Client. This would create a sort of blackhole between + the peer which is not behind NAT and the NAT device. + + * In Tunnel Mode with roadwarriors, we CAN'T accept any IP address, + otherwise, an evil roadwarrior could redirect all trafic for one host + (including a host on the private network) to himself. That's why, you have + to specify the private IP in the configuration file, use virtual IP + management, or DHCP-over-IPSec. + + -- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Nov 2010 13:16:00 +0200 + +Local variables: +mode: debian-changelog +End: diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..2dc3a5831 --- /dev/null +++ b/debian/README.Debian 
@@ -0,0 +1,124 @@ +strongswan for Debian +---------------------- + +1) General Remarks + +This package has been created from the openswan package, which was again +created from the freeswan package, which was created from scratch with some +ideas from the freeswan 1.3 package by Tommi Virtanen and the freeswan 1.5 +package by Aaron Johnson merged in. + +The differences between the strongSwan and the Openswan packages are +documented at http://www.strongswan.org/ . + +2) Kernel Support + +Note: This package can make use of the in-kernel IPSec stack, which is +available in the stock Debian kernel images (>=2.4.24 and 2.6.x). + +If you want to use the strongswan utilities, you will need the appropriate +kernel modules. The Debian default kernel native IPSec stack (which is +included in Linux 2.6 kernels and has been backported to Debian's 2.4 kernels) +can be used out-of-the-box with strongswan pluto, the key management daemon. +This native Linux IPSec stack is of high quality, has all of the features of +the latest Debian freeswan and openswan packages (i.e. support for other +ciphers like AES and NAT Traversal support) and is well integrated into the +kernel networking subsystem (which is not true for the freeswan kernel +modules). This is the recommended kernel support for strongswan. + +If you do not want to use the in-kernel IPSec stack of newer 2.6 kernels or +are building a custom 2.4 kernel, then the KLIPS kernel part can be used. +strongswan no longer ships this part, but is instead focussing on the newer +native IPSec stack. However, strongswan is interoperable with the KLIPS part +shipped with openswan, both for 2.4 and 2.6 series kernels. Please install +either the linux-patch-openswan or the openswan-modules-source packages and +follow their respective README.Debian files when you want to use KLIPS. 
+ +3) Getting Started + +For connecting two Debian boxes using this strongswan package, the +simplest connection block on each side would look something like this: + +On host A, use + +conn to_hostb + left=%defaultroute + right=hostb.example.com + leftcert=hosta.pem + rightcert=hostb.pem + keyexchange=ikev2 + type=transport + auto=add + +On host B, use +conn to_hosta + left=%defaultroute + right=hosta.example.com + leftcert=hostb.pem + rightcert=hosta.pem + keyexchange=ikev2 + type=transport + auto=add + +This assumes that the respective hostnames hosta.example.com and +hostb.example.com can be resolved and that the internal hostnames are hosta +and hostb (and thus installing the strongswan package created the certificates +hosta.pem and hostb.pem, respectively). +Then the certificates (and not the private keys!) need to be exchanged between +the hosts, e.g. with + scp /etc/ipsec.d/certs/hosta.pem hostb.example.com:/etc/ipsec.d/certs/ + scp hostb.example.com:/etc/ipsec.d/certs/hostb.com /etc/ipsec.d/certs/ +from host A. The IPSec transport connection (that is, no subnets behind these +hosts that should be tunneled) can be started from either side using +"ipsec up to_hostb" (e.g. from host A). +Note that this example explicitly uses IKEv2 due to its nicer error messages. + +A more complicated example is to connect a "roadwarrior" (e.g. laptop) +to an internal network wbile it is behind another NAT. On the gateway +side, i.e. 
for the internal network the roadwarrior should connect to, +the configuration block could look something like this: + +conn roadwwarrior + left=%defaultroute + leftcert=gatewayCert.pem + rightcert=laptopCert.pem + rightrsasigkey=%cert + leftrsasigkey=%cert + auto=add + leftsubnet=10.0.0.0/24 + rightsubnetwithin=0.0.0.0/0 + right=%any + compress=yes + type=tunnel + dpddelay=30 + dpdtimeout=120 + dpdaction=clear + +On the laptop side, you could use something along the lines: + +conn %default + rightrsasigkey=%cert + leftrsasigkey=%cert + authby=rsasig + leftcert=laptopCert.pem + leftsendcert=always + leftsubnet= + dpddelay=30 + dpdtimeout=120 + dpdaction=clear + esp=aes128-sha1 + ike=aes128-sha1-modp2048 + +conn esys + left=%defaultroute + right=gateway.example.com + rightsubnet=10.0.0.0/24 + rightcert=gatewayCert.pem + auto=add + +Then load these new configuration blocks on both sides using "ipsec reload" +and, on the laptop, start the tunnel with "ipsec up mynetwork". +These configuration blocks assume host names "gateway" and "laptop" and an +inner subnet of 10.0.0.0/24. + +-- Rene Mayrhofer <rmayr@debian.org>, Sun, Jul 09 12:31:00 2006 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 000000000..8b83f34e5 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,607 @@
+strongswan (4.5.0-1ubuntu1) maverick; urgency=low
+
+ * New upstream version
+
+ -- René Mayrhofer <rene@earth> Sat, 05 Mar 2011 09:27:49 +0100
+
+strongswan (4.5.0-1) unstable; urgency=low
+
+ * New upstream version 4.5.0
+ * Enabled new configure options for additional libstrongswan plugins:
+ --enable-ctr --enable-ccm --enable-gcm --enable-addrblock --enable-led
+ --enable-pkcs11 --enable-eap-tls --enable-eap-ttls --enable-eap-tnc
+ * Enable NAT-Traversal with transport mode support so that strongswan
+ can be used for an L2TP/IPsec gateway (e.g. for Windows or mobile phone
+ clients).
+ * Special handling for strongswan-nm package during build time: only build
+ and install if headers are really available. This supports easier
+ backporting by simply ignoring build-deps and therefore to build all
+ packages except the strongswan-nm without any changes to the source
+ package.
+ * Install test-vectors and revocation plugins for libstrongswan.
+ Closes: #600996: strongswan-starter: plugin 'revocation' failed to load
+ * Acknowledge translations NMU.
+ Closes: #598925: Intent to NMU or help for an l10n upload of strongswan
+ to fix pending po-debconf l10n bugs
+ Closes: #598925 #599888 #600354 #600409 #602449 #603723 #603779
+ * Update Brazilian Portugese debconf translation.
+ Closes: #607404: strongswan: [INTL:pt_BR] Brazilian Portuguese debconf
+ templates translation
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Nov 2010 13:09:42 +0100
+
+strongswan (4.4.1-5.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ - Fix pending l10n issues. Debconf translations:
+ - Vietnamese (Clytie Siddall). Closes: #598925
+ - Japanese (Hideki Yamane). Closes: #599888
+ - Czech (Miroslav Kure). Closes: #600354
+ - Spanish (Francisco Javier Cuadrado). Closes: #600409
+ - Danish (Joe Hansen). Closes: #602449
+ - Basque (Iñaki Larrañaga Murgoitio). Closes: #603723
+ - Italian (Vincenzo Campanella). Closes: #603779
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 17 Nov 2010 20:21:21 +0100
+
+strongswan (4.4.1-5) unstable; urgency=medium
+
+ * Fixed init script for restart to work when either pluto or charon
+ are not installed.
+ Closes: #598074: init script doesn't re-start the service on restart
+ * Enable built-in crypto test vectors.
+ Closes: #598136: strongswan: Please enable --enable-test-vectors
+ configure option
+ * Install libchecksum.so into correct directory (/usr/lib/ipsec instead of
+ /usr/lib). It still doesn't fix #598138 because of the size mismatch.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 26 Sep 2010 13:48:00 +0200
+
+strongswan (4.4.1-4) unstable; urgency=medium
+
+ * dh_clean should not be called by the install target. This caused the
+ arch: all package strongswan to be built but not included in the changes
+ file.
+ Closes: #593768: strongswan: 4.4.1 unavailable in testing notwhistanding
+ a freeze-exception request
+ * Rewrote parts of the init.d script to make stop/restart more robust
+ when pluto or charon fail.
+ * Closes: #595885: strongswan: FTBFS in squeeze: No package 'libnm_glib_vpn'
+ found
+ This bug was actually closed in 4.4.0 with changed dependencies.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 19 Sep 2010 13:08:36 +0200
+
+strongswan (4.4.1-3) unstable; urgency=low
+
+ * Change make clean to make distclean to make package building
+ idempotent.
+ Really closes: Bug#593313: strongswan: FTBFS because clean rule fails
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 22 Aug 2010 21:39:03 +0200
+
+strongswan (4.4.1-2) unstable; urgency=low
+
+ * Recompiled with dpkg-buildpackage instead of svn-buildpackage to
+ make the clean target work. I am still looking for the root cause of
+ this quilt 3.0 format and svn-buildpackage incompatibility.
+ Closes: Bug#593313: strongswan: FTBFS because clean rule fails
+ * Removed the --enable-socket-* configure options again. Having multiple
+ socket variants for charon would force to explicitly enable one (in case
+ of pluto co-existance the socket-raw) in strongswan.conf. Disabling the
+ other variants for now at build-time relieves us from changing the
+ default config file and might be more future-proof concerning future
+ upstream changes to configure options.
+ Really closes: #587583
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sat, 21 Aug 2010 23:28:47 +0200
+
+strongswan (4.4.1-1) unstable; urgency=low
+
+ * New upstream release.
+ Closes: #587583: strongswan 4.4.0-2 does not work here: charon seems not
+ to ignore all incoming requests/answers
+ Closes: #506320: strongswan: include directives error and ikev2
+ * Fix typo in debconf templates.
+ Closes: #587564: strongswan: Minor typos in Debconf template
+ * Updated debconf translations.
+ Closes: #587562: strongswan: [INTL:de] updated German debconf translation
+ Closes: #580954: [INTL:es] Spanish debconf template translation for
+ strongswan
+
+ -- Rene Mayrhofer <rmayr@debian.org> Mon, 09 Aug 2010 11:37:25 +0200
+
+strongswan (4.4.0-3) unstable; urgency=low
+
+ * Updated debconf translations.
+ Closes: #587562: strongswan: [INTL:de] updated German debconf translation
+
+ -- Rene Mayrhofer <rmayr@debian.org> Wed, 30 Jun 2010 09:50:31 +0200
+
+strongswan (4.4.0-2) unstable; urgency=low
+
+ * Force enable-socket-raw configure option and enable list-missing option
+ for dh_install to make sure that all required plugins get built and
+ installed.
+ Closes: #587282: plugins missing
+ * Updated debconf translations.
+ Closes: #587052: strongswan: [INTL:fr] French debconf templates
+ translation update
+ Closes: #587159: strongswan: [INTL:ru] Russian debconf templates
+ translation update
+ Closes: #587255: strongswan: [INTL:pt] Updated Portuguese
+ translation for debconf messages
+ Closes: #587241: [INTL:sv] po-debconf file for strongswan
+ * Disabled cisco-quirks configure option, as it causes pluto to emit a
+ bogus Cicso vendor ID attribute. Some Cicso VPN clients might not work
+ without this, but it is less confusing for standards-compliant remote
+ gateways.
+ * Removed leftover attribute plugin source caused by incomplete svn-upgrade
+ call.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 24 Jun 2010 22:32:18 +0200
+
+strongswan (4.4.0-1) unstable; urgency=HIGH
+
+ * New upstream release, now with a high-availability plugin.
+ * Added patch to fix snprintf bug.
+ * Enable building of ha, dhcp, and farp plugins.
+ * Enable capability dropping (now depends on libcap). Switching
+ user to new system user strongswan (with nogroup) after startup
+ is still disabled until the iptables updown script can be made
+ to work.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Tue, 25 May 2010 21:03:52 +0200
+
+strongswan (4.3.6-1) unstable; urgency=low
+
+ * UNRELEASED
+
+ * New upstream release, now build-depends on gperf.
+ Closes: #577855: New upstream release 4.3.6
+ Closes: #569553: strongswan: Certificates CNs containing email address
+ OIDs are not correctly parsed
+ Closes: #557635: strongswan charon does not rekey forever
+ Closes: #569299: Please update configure check to use new nm-glib
+ pkgconfig file name
+ * Switch to dpkg-source 3.0 (quilt) format
+ * Synchronize debconf handling with current openswan 2.6.25 package to keep
+ X509 certificate handling etc. similar. Thanks to Harald Jenny for
+ implementing these changes in openswan, which I just converted to
+ strongswan.
+ * Now also build a strongswan-dbg package to ship debugging symbols.
+ * Include attr plugin in strongswan-ikev2 package. Thanks to Christoph Lukas
+ for pointing out that this was missing.
+ Closes: #569550: strongswan: Please include attr plugin
+
+ -- Rene Mayrhofer <rmayr@debian.org> Tue, 23 Feb 2010 10:39:21 +0000
+
+strongswan (4.3.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * This release supports integrity checking of libraries, which is
+ now enabled at build-time and can be enabled at run-time using
+ libstrongswan {
+ integrity_test = yes
+ }
+ in /etc/strongswan.conf.
+ * Don't disable internal crypto libraries for pluto. They might be
+ required when working with older ipsec.conf files.
+ * charon now supports "include" directives in ipsec.secrets for
+ compatibility with how the maintainer script includes RSA private keys.
+ * Patched starter to also look at routing table "default" when table
+ "main" doesn't have a default entry. This makes dealing with
+ "%defaulroute" in ipsec.conf more flexible.
+ Update: It seems Astaro was quicker then me sending a patch with
+ exactly that aim to upstream. Now applied this one, which will be
+ part of future upstream releases and uses netlink to read routing
+ tables.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Wed, 21 Oct 2009 11:14:56 +0000
+
+strongswan (4.3.2-1) unstable; urgency=HIGH
+
+ Urgency high because of security issue and FTBFS.
+ * New upstream release, fixes security bug.
+ * Fix padlock handling for i386 in debian/rules.
+ Closes: #525652 (FTBFS on i386)
+ * Acknowledge NMUs by security team.
+ Closes: #533837, #531612
+ * Add "Conflicts: strongswan (< 4.2.12-1)" to libstrongswan,
+ strongswan-starter, strongswan-ikev1, and strongswan-ikev2 to force
+ update of the strongswan package on installation and avoid conflicts
+ caused by package restructuring.
+ Closes: #526037: strongswan-ikev2 and strongswan: error when trying to
+ install together
+ Closes: #526486: strongswan and libstrongswan: error when trying to
+ install together
+ Closes: #526487: strongswan-ikev1 and strongswan: error when trying to
+ install together
+ Closes: #526488: strongswan-starter and strongswan: error when trying to
+ install together
+ * Debconf templates and debian/control reviewed by the debian-l10n-
+ english team as part of the Smith review project. Closes: #528073
+ * Debconf translation updates:
+ Closes: #525234: [INTL:ja] Update po-debconf template translation (ja.po)
+ Closes: #528323: [INTL:sv] po-debconf file for strongswan
+ Closes: #528370: [INTL:vi] Vietnamese debconf templates translation update
+ Closes: #529027: [INTL:pt] Updated Portuguese translation for debconf messages
+ Closes: #529071: [INTL:fr] French debconf templates translation update
+ Closes: #529592: nb translation of debconf PO for strongSWAN
+ Closes: #529638: [INTL:ru] Russian debconf templates translation
+ Closes: #529661: Updated Czech translation of strongswan debconf messages
+ Closes: #529742: [INTL:eu] strongswan debconf basque translation
+ Closes: #530273: [INTL:fi] Finnish translation of the debconf templates
+ Closes: #529063: [INTL:gl] strongswan 4.2.14-2 debconf translation update
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sat, 18 Apr 2009 20:28:51 +0200
+
+strongswan (4.2.14-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix build on i386
+ Closes: #525652: FTBFS on i386:
+ libstrongswan-padlock.so*': No such file or directory
+ * Fix Two Denial of Service Vulnerabilities
+ Closes: #533837: strongSwan Two Denial of Service Vulnerabilities
+
+ -- Ruben Puettmann <ruben@puettmann.net> Sun, 21 Jun 2009 17:50:02 +0200
+
+strongswan (4.2.14-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix two possible null pointer dereferences leading to denial
+ of service via crafted IKE_SA_INIT, CREATE_CHILD_SA or
+ IKE_AUTH request (CVE-2009-1957; CVE-2009-1958; Closes: #531612).
+
+ -- Nico Golde <nion@debian.org> Mon, 15 Jun 2009 13:06:05 +0200
+
+strongswan (4.2.14-1) unstable; urgency=low
+
+ * New upstream release, which incorporates the fix. Removed dpatch for it.
+ Closes: #521950: CVE-2009-0790: DoS
+ * New support for EAP RADIUS authentication, enabled for this package.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Wed, 01 Apr 2009 22:17:52 +0200
+
+strongswan (4.2.13-2) unstable; urgency=low
+
+ * Fix DoS issue via malicious Dead Peer Detection packet. Thanks to the
+ security team for providing the patch.
+ Closes: #521950: CVE-2009-0790: DoS
+ Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
+ to a denial of service attack via a malicious packet.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Tue, 31 Mar 2009 12:00:51 +0200
+
+strongswan (4.2.13-1) unstable; urgency=low
+
+ * New upstream release. This is now compatible with network-manager 0.7
+ in Debian, so start building the strongswan-side support. The actual
+ plugin will need to be another source package.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 22 Mar 2009 10:59:31 +0100
+
+strongswan (4.2.12-1) unstable; urgency=low
+
+ * New upstream release. Starting with this version, the strongswan
+ packages is modularized and includes support for plugins like the
+ NetworkManager plugin. Many details were adopted from Martin Willi's
+ packages.
+ * Dropping support for raw RSA public/private keypairs, as charon does
+ not support it.
+ * Explicitly remove directories /etc/ipsec.d and /var/run/pluto on purge.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 01 Mar 2009 10:46:08 +0000
+
+strongswan (4.2.9-1) unstable; urgency=low
+
+ * New upstream release, fixes a MOBIKE issue.
+ Closes: #507542: strongswan: endless loop
+ * Explicitly enable compilation with libcurl for CRL fetching
+ Closes: #497756: strongswan: not compiled with curl support; crl
+ fetching not available
+ * Enable compilation with SSH agent support.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Fri, 05 Dec 2008 17:21:42 +0100
+
+strongswan (4.2.4-5) unstable; urgency=high
+
+ Reason for urgency high: this is potentially security relevant.
+ * Patch backported from 4.2.7 to fix a potential DoS issue.
+ Thanks to Thomas Kallenberg for the patch.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Mon, 29 Sep 2008 10:35:30 +0200
+
+strongswan (4.2.4-4) unstable; urgency=low
+
+ * Tweaked configure options for lenny to remove somewhat experimental,
+ incomplete, or unnecessary features. Removed --enable-xml,
+ --enable-padlock, and --enable-manager and added --disable-aes,
+ --disable-des, --disable-fips-prf, --disable-gmp, --disable-md5,
+ --disable-sha1, and --disable-sha2 because openssl already
+ contains this code, we depend on it and thus don't need it twice.
+ Padlock support does not do much, because the bulk encryption uses
+ it anyway (being done internally in the kernel) and using padlock
+ for IKEv2 key agreement adds complexity for little gain.
+ Thanks to Thomas Kallenberg of strongswan upstream team for
+ suggesting these changes. The package is now noticable smaller.
+ * Also remove dbus dependency, which is no longer necessary.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Mon, 01 Sep 2008 08:59:10 +0200
+
+strongswan (4.2.4-3) unstable; urgency=low
+
+ * Changed configure option to build peer-to-peer service again.
+ Closes: #494678: strongswan: configure option --enable-p2p changed to
+ --enable-mediation
+
+ -- Rene Mayrhofer <rmayr@debian.org> Tue, 12 Aug 2008 20:08:26 +0200
+
+strongswan (4.2.4-2) unstable; urgency=medium
+
+ Urgency medium because this fixes an FTFBS bug on non-i386.
+ * Only compile padlock crypto acceleration support for i386. Thanks for
+ the patch!
+ Closes: #492455: strongswan: FTBFS: Uses i386 assembler on non-i386
+ arches.
+ * Updated Swedish debconf translation.
+ Closes: #492902: [INTL:sv] po-debconf file for strongswan
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 07 Aug 2008 13:02:54 +0200
+
+strongswan (4.2.4-1) unstable; urgency=medium
+
+ Urgency medium because this new upstream versions no longer uses
+ dbus and thus fixed the grave bug from the last Debian package. This
+ version should transit to testing.
+ * New upstream release. Starting with version 4.2.0, crypto algorithms have
+ beeen modularized with existing code ported over. Among other improvments,
+ this version now supports AES-CCM (e.g. with esp=aes128ccm12) and AES-GCM
+ (e.g. with esp=aes256gcm16) starting with kernel 2.6.25 and enables dead
+ peer detection by default.
+ Note that charon (IKEv2) now uses the new /etc/strongswan.conf.
+ * Enabled building of VIA Padlock and openssl crypto plugins.
+ * Drop patch to rename AES_cbc_encrypt so as not to conflict with an
+ openssl method of the same name. This has been applied upstream.
+ * This new upstream version no longer uses dbus.
+ Closes: #475098: charon needs dbus but strongswan does not depend on dbus
+ Closes: #475099: charon does not work any more
+ * This new upstream version no longer prints error messages in its
+ init script.
+ Closes: #465718: strongswan: startup on booting returns error messages
+ * Apply patch to ipsec init script to fix bashism.
+ Closes: #473703: strongswan: bashism in /bin/sh script
+ * Updated Czech debconf translation.
+ Closes: #480928: [l10n] Updated Czech translation of strongswan debconf
+ messages
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 10 Jul 2008 14:40:43 +0200
+
+strongswan (4.1.11-1) unstable; urgency=low
+
+ * New upstream release.
+ * DBUS support now interacts with network-manager, so need to build-depend
+ on network-manager-dev.
+ * The web interface has been improved and now requires libfcgi-dev and
+ clearsilver-dev to compile, so build-depend on them. Also build-depend
+ on libxml2-dev, libdbus-1-dev, libtool, and libsqlite3-dev (which were
+ all build-deps before but were not listed explicitly so far - fix that).
+ * Add patch to rename internal AES_cbc_encrypt function and thus avoid
+ conflict with the openssl function.
+ Closes: #470721: pluto segfaults when using pkcs11 library linked with
+ OpenSSL
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 30 Mar 2008 10:35:16 +0200
+
+strongswan (4.1.10-2) unstable; urgency=low
+
+ * Enable new configure options: dbus, xml, nonblocking, thread, peer-
+ to-peer NAT-traversal and the manager interface support.
+ * Also set the default path to the opensc-pkcs11 engine explicitly.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Fri, 15 Feb 2008 10:25:49 +0100
+
+strongswan (4.1.10-1) unstable; urgency=low
+
+ * New upstream release.
+ Closes: #455711: New upstream version 4.1.9
+ * Updated Japanese debconf translation.
+ Closes: #463321: strongswan: [INTL:ja] Update po-debconf template
+ translation (ja.po)
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 07 Feb 2008 15:15:14 +0100
+
+strongswan (4.1.8-3) unstable; urgency=low
+
+ * Force use of hardening-wrapper when building the package by setting
+ a Build-Dep to it and setting export DEB_BUILD_HARDENING=1 in
+ debian/rules.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 07 Feb 2008 14:14:48 +0100
+
+strongswan (4.1.8-2) unstable; urgency=medium
+
+ * Ship our own init script, since upstream no longer does. This is still
+ installed as /etc/init.d/ipsec (and not /etc/init.d/strongswan) to be
+ backwards compatible.
+ Really closes: #442880: strongswan: postinst failure (missing
+ /etc/init.d/ipsec)
+ * Actually, need to be smarter with ipsec.conf and ipsec.secrets. Not
+ marking them as conffiles isn't the right thing either. Instead, now
+ use the includes feature to pull in config snippets that are
+ modified by debconf. It's not perfect, though, as the IKEv1/IKEv2
+ protocols can't be enabled/disabled with includes. Therefore don't
+ support this option in debconf for the time being, but default to
+ enabled for both IKE versions. The files edited with debconf are kept
+ under /var/lib/strongswan.
+ * Cleanup debian/rules: no longer need to remove leftover files from
+ patching, as currently there are no Debian-specific patches (fortunately).
+ * More cleanup: drop debconf translations hack for woody compatibility,
+ depend on build-stamp instead of build in the install-strongswan target,
+ and remove the now unnecessary dh_clean -k call in install-strongswan so
+ that configure shouldn't run twice during building the package.
+ * Update French debconf translation.
+ Closes: #448327: strongswan: [INTL:fr] French debconf templates
+ translation update
+
+ -- Rene Mayrhofer <rmayr@debian.org> Fri, 02 Nov 2007 21:55:29 +0100
+
+strongswan (4.1.8-1) unstable; urgency=low
+
+ The "I'm back from my long semi-vacation, and strongswan is now bug-free
+ again" release.
+ * New upstream release.
+ Closes: #442880: strongswan: postinst failure (missing /etc/init.d/ipsec)
+ Closes: #431874: strongswan - FTBFS: cannot create regular file
+ `/etc/ipsec.conf': Permission denied
+ * Explicitly use debhalper compatbility version 5m now using debian/compat
+ instead of DH_COMPAT.
+ * Since there's no configurability in dh_installdeb's mania to flag
+ everything below /etc as a conffile, now hack DEBIAN/conffiles directly
+ to remove ipsec.conf and ipsec.secrets.
+ Closes: #442929: strongswan: Maintainer script modifies conffiles
+ * Add/update debconf translations.
+ Closes: #432189: strongswan: [INTL:de] updated German debconf translation
+ Closes: #432212: [l10n] Updated Czech translation of strongswan debconf
+ messages
+ Closes: #432642: strongswan: [INTL:fr] French debconf templates
+ translation update
+ Closes: #444710: strongswan: [INTL:pt] Updated Portuguese translation for
+ debconf messages
+
+ -- Rene Mayrhofer <rmayr@debian.org> Fri, 26 Oct 2007 16:16:51 +0200
+
+strongswan (4.1.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fixed debconf descriptions.
+ Closes: #431157: strongswan: Minor errors in Debconf template
+ * Include Portugese and
+ Closes: #415178: strongswan: [INTL:pt] Portuguese translation for debconf
+ messages
+ Closes: #431154: strongswan: [INTL:de] initial German debconf translation
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 05 Jul 2007 00:53:01 +0100
+
+strongswan (4.1.3-1) unreleased; urgency=low
+
+ * New upstream release.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 03 Jun 2007 18:39:11 +0100
+
+strongswan (4.1.1-1) unreleased; urgency=low
+
+ Major new upstream release:
+ * IKEv2 support with the new "charon" daemon in addition to the old "pluto"
+ which is still used for IKEv1.
+ * Switches to auto* tools build system.
+ * The postinst script is still not quite as complete in updating the 2.8.x
+ config automatically to a new 4.x config, but I don't want to wait any
+ longer with the upload. It can be improved later on.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 12 Apr 2007 21:33:56 +0100
+
+strongswan (2.8.3-1) unstable; urgency=low
+
+ * New upstream release with fixes for the SHA-512-HMAC function and
+ added SHA-384 and SHA-2 implementations.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Thu, 22 Feb 2007 20:19:45 +0000
+
+strongswan (2.8.2-1) unstable; urgency=low
+
+ * New upstream release with interoperability fixes for some VPN
+ clients.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Tue, 30 Jan 2007 12:21:20 +0000
+
+strongswan (2.8.1+dfsg-1) unstable; urgency=low
+
+ * New upstream release, now with XAUTH support.
+ * Explicitly enable smartcard and vendorid options as well as a
+ few more in debian/rules.
+ Closes: #407449: strongswan: smartcard support is disabled
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Jan 2007 21:06:25 +0000
+
+strongswan (2.8.1-1) UNRELEASED; urgency=low
+
+ * New upstream release.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Jan 2007 20:59:11 +0000
+
+strongswan (2.8.0+dfsg-1) unstable; urgency=low
+
+ * New upstream release.
+ * Update debconf templates.
+ Closes: #388672: strongswan: [INTL:fr] French debconf templates
+ translation update
+ Closes: #389253: [l10n] Updated Czech translation of strongswan
+ debconf messages
+ Closes: #391457: [INTL:nl] Updated dutch po-debconf translation
+ Closes: #396179: strongswan: [INTL:ja] Updated Japanese po-debconf
+ template translation (ja.po)
+ * Fix broken reference to a now non-existing config file. no_oe.conf
+ has been replaced by oe.conf, with the opposite meaning. Changed
+ postinst to deal with it correctly now, and also try to convert
+ older config file lines to newer (e.g. when updating from openswan
+ to strongswan).
+ Closes: #391565: fails to start : /etc/ipsec.conf:46: include
+ files found no matches
+ [/etc/ipsec.d/examples/no_oe.conf]
+
+ -- Rene Mayrhofer <rmayr@debian.org> Mon, 6 Nov 2006 19:01:58 +0000
+
+strongswan (2.7.3+dfsg-1) unstable; urgency=low
+
+ * New upstream release. Another try on getting it into unstable.
+ Closes: #372267: ITP: strongswan -- second fork of freeswan.
+ * Call debian-updatepo in the clean target, in line with the openswan
+ change for its version 2.4.6+dfsg-1.
+ * Remove man2html, htmldoc, and lynx from the Build-Deps because we no
+ longer rebuild the documentation tree.
+ * Starting shipping a lintian overrides file to finally silence the
+ warnings about non-standard-(file|dir)-perms (they are intentional).
+ * Clean up /usr/lib/ipsec somehow, again owing to lintian warnings.
+ * Add po-debconf to build dependencies.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Wed, 23 Aug 2006 21:23:36 +0100
+
+strongswan (2.7.2+dfsg-1) unstable; urgency=low
+
+ * First upload to the main Debian archive. This does no longer build
+ the linux-patch-strongswan and strongswan-modules-source packages,
+ as KLIPS will be removed from the strongswan upstream source anyway
+ for the next major release. However, the openswan KLIPS could should
+ be interoperable with strongswan user space.
+ Closes: #372267: ITP: strongswan -- second fork of freeswan.
+ * This upload removes the draft RFCs, as they are not considered free under
+ the DFSG.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Sun, 9 Jul 2006 12:40:34 +0100
+
+strongswan (2.7.2-1) unstable; urgency=low
+
+ * New upstream release. This release fixes a potential DoS problem.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Mon, 26 Jun 2006 12:34:43 +0100
+
+strongswan (2.7.0-1) unstable; urgency=low
+
+ * Initial Debian packaging of strongswan. This is directly based on my
+ Debian package of openswan 2.4.5-3.
+ * Do not compile and ship fswcert right now, because it is not included
+ in strongswan upstream. If it turns out to be necessary for supporting
+ easy-to-use OE in the future (i.e. for generating the DNS format for the
+ public keys from generated X.509 certificates), I will re-add it to the
+ Debian package.
+ * Also disabled my patches to use /etc/default instead of /etc/sysconfig for
+ now. Something like that will be necessary in the future, but those parts
+ of strongswan differ significanty from openswan.
+
+ -- Rene Mayrhofer <rmayr@debian.org> Mon, 22 May 2006 07:37:00 +0100
+
+Local variables:
+mode: debian-changelog
+End:
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 000000000..7f8f011eb
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/debian/control b/debian/control
new file mode 100644
index 000000000..dff3d1b61
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,121 @@
+Source: strongswan
+Section: net
+Priority: optional
+Maintainer: Rene Mayrhofer <rmayr@debian.org>
+Standards-Version: 3.9.1
+Vcs-Browser: http://wiki.strongswan.org/repositories/show/strongswan
+Vcs-Git: http://wiki.strongswan.org/repositories/show/strongswan
+Build-Depends: debhelper (>= 7.1), libtool, libgmp3-dev,
+ libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,
+ libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev,
+ libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf,
+ hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev,
+ libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7),
+ libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7),
+ gperf, libcap-dev
+Homepage: http://www.strongswan.org
+
+Package: strongswan
+Architecture: all
+Depends: ${misc:Depends}, strongswan-ikev1, strongswan-ikev2
+Suggests: network-manager-strongswan
+Description: IPsec VPN solution metapackage
+ The strongSwan VPN suite is based on the IPsec stack in standard Linux 2.6
+ kernels. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ StrongSwan is one of the two remaining forks of the original FreeS/WAN
+ project and focuses on IKEv2 support, X.509 authentication and complete PKI
+ support. For a focus on Opportunistic Encryption (OE) and interoperability
+ with non-standard IPsec features, see Openswan.
+ .
+ This metapackage installs the packages required to maintain IKEv1 and IKEv2
+ connections via ipsec.conf or ipsec.secrets.
+
+Package: libstrongswan
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
+Conflicts: strongswan (<< 4.2.12-1)
+Description: strongSwan utility and crypto library
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ This package provides the underlying library of charon and other strongSwan
+ components. It is built in a modular way and is extendable through various
+ plugins.
+
+Package: strongswan-dbg
+Architecture: any
+Section: debug
+Priority: extra
+Depends: ${misc:Depends}, strongswan, libstrongswan
+Description: strongSwan library and binaries - debugging symbols
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ This package provides the symbols needed for debugging of strongswan.
+
+Package: strongswan-starter
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2
+Conflicts: strongswan (<< 4.2.12-1)
+Description: strongSwan daemon starter and configuration file parser
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ The starter and the associated "ipsec" script control both pluto and charon
+ from the command line. It parses ipsec.conf and loads the configurations to
+ the daemons. While the IKEv2 daemon can use other configuration backends, the
+ IKEv1 daemon is limited to configurations from ipsec.conf.
+
+Package: strongswan-ikev1
+Architecture: any
+Pre-Depends: debconf | debconf-2.0
+Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
+Suggests: curl
+Provides: ike-server
+Conflicts: freeswan (<< 2.04-12), openswan, strongswan (<< 4.2.12-1)
+Replaces: openswan
+Description: strongSwan Internet Key Exchange (v1) daemon
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ Pluto is an IPsec IKEv1 daemon. It was inherited from the FreeS/WAN
+ project, but provides improved X.509 certificate support and other features.
+ .
+ Pluto can run in parallel with charon, the newer IKEv2 daemon.
+
+Package: strongswan-ikev2
+Architecture: any
+Pre-Depends: debconf | debconf-2.0
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
+Suggests: curl
+Provides: ike-server
+Conflicts: freeswan (<< 2.04-12), openswan, strongswan (<< 4.2.12-1)
+Description: strongSwan Internet Key Exchange (v2) daemon
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ Charon is an IPsec IKEv2 daemon. It is
+ written from scratch using a fully multi-threaded design and a modular
+ architecture. Various plugins provide additional functionality.
+ .
+ This build of charon can run in parallel with pluto, the IKEv1 daemon.
+
+Package: strongswan-nm
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-ikev2
+Recommends: network-manager-strongswan
+Description: strongSwan plugin to interact with NetworkManager
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ This plugin provides an interface which allows NetworkManager to configure
+ and control the IKEv2 daemon directly through D-Bus. It is designed to work
+ in conjunction with the network-manager-strongswan package, providing
+ a simple graphical frontend to configure IPsec based VPNs.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 000000000..d0bd31ab9
--- /dev/null
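Review bot: Build-Depends lists network-manager-dev twice, once unversioned in the `hardening-wrapper, network-manager-dev, libfcgi-dev,` continuation line and again as `network-manager-dev (>= 0.7)`; the unversioned entry adds nothing and should be dropped so the versioned constraint is the only one expressed. Vcs-Git carries the same wiki page URL as Vcs-Browser rather than a clonable repository URL, which presumably breaks tooling that reads that field — worth confirming against the project's actual git remote. A smaller consistency point: `debianutils (>=1.7)` in both the strongswan-ikev1 and strongswan-ikev2 stanzas lacks the space after the relational operator that every other versioned dependency in this file uses.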
+++ b/debian/copyright 
@@ -0,0 +1,418 @@ +This package was debianized by Rene Mayrhofer <rene.mayrhofer@gibraltar.at> on +Thu, 10 Aug 2000 10:50:33 +0200. + +The Debian package was created from scratch with some hints taken from +previous freeswan packages by Tommi Virtanen and Aaron Johnson. +The upstream software was downloaded from http://www.freeswan.org/ + +After the FreeS/WAN folks decided to cease development, we used the forked +code base at http://www.strongswan.org/. + +This project has multiple authors, please see the file CREDITS for details. +However, all of the code is DFSG-free and, since 2002-09-16, +the LICENSE file in the upstream distribution includes a special GPL addition +to allow linking with libdes (which contains an advertising clause). +This LICENSE file was added to the Debian package of freeswan version 1.98b +by me, but has been authorized by Michael Richardson of freeswan upstream +(who sent the file to a mailing list). + +The contents of this LICENSE file are: +------------------------------------------------------------------------------ +Except for the DES library, this software is under the GNU Public License, +see the file COPYING. + +The DES library is under a BSD style license, see + linux/crypto/ciphers/des/COPYRIGHT. +Note that this software has a advertising clause in it. + +In addition to the terms set out under the GPL, permission is granted to +link the software against the libdes library just mentioned. +------------------------------------------------------------------------------ +A copy of this COPYRIGHT file can be found below, starting with the copyright +by Eric Young. + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. + +Rene Mayrhofer, 2006-08-25 + + + +These are various licenses from the code: + +--8<-- + * Copyright (C) 1996, 1997 John Ioannidis. + * Copyright (C) 1998, 1999 Richard Guy Briggs. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. +--8<-- + +The source tarball also includes several miscellanous libraries. + + + +An MD5 implementation: + +--8<-- +The MD5 implementation is from RSADSI, so this package must include the +following phrase: "derived from the RSA Data Security, Inc. MD5 +Message-Digest Algorithm". It is not under the GPL; see details in +klips/net/ipsec/ipsec_md5c.c. +--8<-- + +--8<-- +/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All +rights reserved. + +License to copy and use this software is granted provided that it +is identified as the "RSA Data Security, Inc. MD5 Message-Digest +Algorithm" in all material mentioning or referencing this software +or this function. + +License is also granted to make and use derivative works provided +that such works are identified as "derived from the RSA Data +Security, Inc. MD5 Message-Digest Algorithm" in all material +mentioning or referencing the derived work. + +RSA Data Security, Inc. makes no representations concerning either +the merchantability of this software or the suitability of this +software for any particular purpose. It is provided "as is" +without express or implied warranty of any kind. + +These notices must be retained in any copies of any part of this +documentation and/or software. + */ +--8<-- + + + +An implementation of DES: + +--8<-- +The LIBDES library by Eric Young is used. 
It is not under the GPL -- see +details in libdes/COPYRIGHT -- although he has graciously waived the +advertising clause for FreeS/WAN use of LIBDES. +--8<-- + +--8<-- +Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) +All rights reserved. + +This package is an DES implementation written by Eric Young (eay@cryptsoft.com). +The implementation was written so as to conform with MIT's libdes. + +This library is free for commercial and non-commercial use as long as +the following conditions are aheared to. The following conditions +apply to all code found in this distribution. + +Copyright remains Eric Young's, and as such any Copyright notices in +the code are not to be removed. +If this package is used in a product, Eric Young should be given attribution +as the author of that the SSL library. This can be in the form of a textual +message at program startup or in documentation (online or textual) provided +with the package. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by Eric Young (eay@cryptsoft.com) + +THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +The license and distribution terms for any publically available version or +derivative of this code cannot be changed. i.e. this code cannot simply be +copied and put under another distrubution license +[including the GNU Public License.] + +The reason behind this being stated in this direct manner is past +experience in code simply being copied and the attribution removed +from it and then being distributed as part of other packages. This +implementation was a non-trivial and unpaid effort. +--8<-- + +--8<-- +/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. 
+ * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ +--8<-- + +An implementation of SHA-1: + +--8<-- +The SHA-1 code is derived from Steve Reid's; it is public domain. +--8<-- + +--8<-- +/* + * The rest of the code is derived from sha1.c by Steve Reid, which is + * public domain. + * Minor cosmetic changes to accommodate it in the Linux kernel by ji. + */ +--8<-- + + + +Portions of Linux kernel source code: + +--8<-- +Some bits of Linux code, notably drivers/net/new_tunnel.c and net/ipv4/ipip.c, +are used in heavily modified forms. +--8<-- + +The Linux kernel is licensed under the Gnu General Public License. + + + +Radix-tree library: + +--8<-- +The radix-tree code from 4.4BSD is used in a modified form. It is not +under the GPL; see details in klips/net/ipsec/radij.c. +--8<-- + +--8<-- +/* + * Copyright (c) 1988, 1989, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. 
Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)radix.c 8.2 (Berkeley) 1/4/94 + */ +--8<-- + + +The license from the OpenSSL code that is included in the extension algorithm +patch (the kernel-patch-freeswan-ext package): + +--8<-- + The OpenSSL toolkit stays under a dual license, i.e. both the conditions of + the OpenSSL License and the original SSLeay license apply to the toolkit. + See below for the actual license texts. Actually both licenses are BSD-style + Open Source licenses. In case of any license issues related to OpenSSL + please contact openssl-core@openssl.org. + + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. 
this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+--8<--
diff --git a/debian/info b/debian/info
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/debian/info
diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto
new file mode 100644
index 000000000..0fe54b65d
--- /dev/null
+++ b/debian/ipsec.secrets.proto
@@ -0,0 +1,11 @@
+# This file holds shared secrets or RSA private keys for inter-Pluto
+# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
+# or configuration of other implementations, can be extracted conveniently
+# with "ipsec showhostkey".
+
+# this file is managed with debconf and will contain the automatically created private key
+include /var/lib/strongswan/ipsec.secrets.inc
+
diff --git a/debian/libstrongswan.dirs b/debian/libstrongswan.dirs
new file mode 100644
index 000000000..0a2e0a6f0
--- /dev/null
+++ b/debian/libstrongswan.dirs
@@ -0,0 +1,5 @@
+/etc/logcheck/ignore.d.paranoid
+/etc/logcheck/ignore.d.server
+/etc/logcheck/ignore.d.workstation
+/etc/logcheck/violations.ignore.d
+/usr/share/lintian/overrides
diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install
new file mode 100644
index 000000000..9b6a10b3e
--- /dev/null
+++ b/debian/libstrongswan.install
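Review bot: The prototype pulls the generated host key in through `include /var/lib/strongswan/ipsec.secrets.inc` but says nothing about how that file must be protected, and ipsec.secrets plus anything it includes holds private keys and pre-shared keys. The maintainer script that creates the include is not in this hunk, so I cannot confirm it creates the file root-owned with mode 0600; the comment should state the requirement for anyone who edits or recreates the file by hand, e.g. `# keep this file and the included file owned by root with mode 0600` directly above the include line. The header still describes the file as "inter-Pluto authentication" and points only at ipsec_pluto(8), although the control file in this same commit ships charon as the IKEv2 daemon; if charon reads the same secrets file in the starter-based setup (worth confirming), rewording to "pluto/charon" would avoid suggesting the file is IKEv1-only.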
@@ -0,0 +1,31 @@
+usr/lib/libstrongswan.so* usr/lib/
+usr/lib/libhydra.so* usr/lib/
+usr/lib/libfast.so* usr/lib/
+usr/lib/ipsec/libchecksum.so* usr/lib/ipsec/
+usr/lib/ipsec/plugins/libstrongswan-gmp.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-openssl.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-x509.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-pgp.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-pem.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-pkcs1.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-pubkey.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-hmac.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-xcbc.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-random.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-aes.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-des.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-xcbc.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-md5.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-sha1.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-sha2.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-dhcp.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-dnskey.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-farp.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-fips-prf.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-resolve.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-sql.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-ha.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-xauth.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-revocation.so* usr/lib/ipsec/plugins/
+usr/lib/ipsec/plugins/libstrongswan-test-vectors.so* usr/lib/ipsec/plugins/
+etc/strongswan.conf 
etc/
diff --git a/debian/libstrongswan.lintian-overrides b/debian/libstrongswan.lintian-overrides
new file mode 100644
index 000000000..eec04b42c
--- /dev/null
+++ b/debian/libstrongswan.lintian-overrides
@@ -0,0 +1,2 @@
+libstrongswan: package-name-doesnt-match-sonames libchecksum libfast0 libhydra0 libstrongswan0
+libstrongswan: possible-gpl-code-linked-with-openssl
diff --git a/debian/logcheck.ignore.paranoid b/debian/logcheck.ignore.paranoid
new file mode 100644
index 000000000..ca6c97dde
--- /dev/null
+++ b/debian/logcheck.ignore.paranoid
@@ -0,0 +1,20 @@
+ipsec_setup: KLIPS debug \`none\'
+ipsec_setup: Stopping FreeS/WAN IPsec\.\.\.
+ipsec_setup: stop ordered
+ipsec_setup: doing cleanup anywan...
+ipsec_setup: \.\.\.FreeS/WAN IPsec stopped
+ipsec_setup: Starting FreeS/WAN IPsec
+ipsec_setup: \.\.\.FreeS/WAN IPsec started
+ipsec_plutorun: .*: initiate
+pluto.*: deleting state
+pluto.*: forgetting secrets
+pluto.*: shutting down
+pluto.*: \|
+pluto.*: .* bytes loaded
+pluto.*: including X\.509 patch
+pluto.*: Loading my X\.509 certificate
+pluto.*: Starting pluto
+pluto.*: adding interface
+pluto.*: listening for IKE messages
+pluto.*: loading secrets
+pluto.*: regenerating DH private secret
diff --git a/debian/logcheck.ignore.server b/debian/logcheck.ignore.server
new file mode 100644
index 000000000..7ab04c524
--- /dev/null
+++ b/debian/logcheck.ignore.server
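Review bot: `usr/lib/ipsec/plugins/libstrongswan-xcbc.so* usr/lib/ipsec/plugins/` appears twice in this install list, once after the hmac entry and again after the des entry; dh_install tolerates the duplicate, but it shows the list was assembled by hand without a dedup pass, so drop the second occurrence. The same list ships network-facing charon plugins (dhcp, farp, ha, sql, xauth, resolve) in the library package alongside the pure crypto ones; whether any of them is actually loaded is decided by the `load` settings in the `etc/strongswan.conf` installed on the last line, which this diff does not show, so I would confirm the shipped strongswan.conf does not enable them all by default. A short comment at the top of the file grouping entries as `# core libraries`, `# crypto plugins`, `# charon feature plugins` would make the split reviewable next time.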
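Review bot: The `libstrongswan: possible-gpl-code-linked-with-openssl` override carries no justification, and the debian/copyright added in this same commit records a linking permission for libdes plus the OpenSSL and SSLeay licence texts, but no statement granting the GPL exception for linking against OpenSSL; an override silences the tag, it does not settle the licence question. Lintian override files accept `#` comment lines, so either add the grounding above the override, e.g. `# upstream LICENSE permits linking with OpenSSL; see debian/copyright`, once that permission is actually quoted in copyright, or keep the tag until it is.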
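Review bot: Every rule in this file is an unanchored extended regex, so `pluto.*: \|` or `pluto.*: deleting state` suppress any syslog line that merely contains "pluto" somewhere before that text, whichever process emitted it, which is exactly what a paranoid profile should avoid. The logcheck convention is to anchor each rule to the syslog prefix, e.g. `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pluto\[[[:digit:]]+\]: deleting state`, which also stops the `.*` from spanning unrelated content. `ipsec_setup: doing cleanup anywan...` looks like a typo for "anyway" with unescaped trailing dots; if the real message reads "anyway..." this rule never matches and is dead. None of the patterns mention charon, which the control file in this commit ships as the IKEv2 daemon, so its routine startup messages will still reach logcheck reports.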
@@ -0,0 +1,25 @@
+ipsec_setup: KLIPS debug \`none\'
+ipsec_setup: Stopping FreeS/WAN IPsec\.\.\.
+ipsec_setup: stop ordered
+ipsec_setup: doing cleanup anywan...
+ipsec_setup: \.\.\.FreeS/WAN IPsec stopped
+ipsec_setup: Starting FreeS/WAN IPsec
+ipsec_setup: \.\.\.FreeS/WAN IPsec started
+ipsec_plutorun: .*: initiate
+pluto.*: deleting state
+pluto.*: forgetting secrets
+pluto.*: shutting down
+pluto.*: \|
+pluto.*: .* bytes loaded
+pluto.*: including X\.509 patch
+pluto.*: Loading my X\.509 certificate
+pluto.*: Starting pluto
+pluto.*: added connection description
+pluto.*: adding interface
+pluto.*: listening for IKE messages
+pluto.*: loading secrets
+pluto.*: .* SA established
+pluto.*: .* SA expired
+pluto.*: replacing stale .* SA
+pluto.*: initiating Quick Mode
+pluto.*: regenerating DH private secret
diff --git a/debian/logcheck.violations.ignore b/debian/logcheck.violations.ignore
new file mode 100644
index 000000000..1a190fc28
--- /dev/null
+++ b/debian/logcheck.violations.ignore
@@ -0,0 +1 @@
+ipsec_setup: KLIPS debug `none'
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/debian/patches/series
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 000000000..d98f2ea90
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] strongswan-starter.templates
diff --git a/debian/po/cs.po b/debian/po/cs.po
new file mode 100644
index 000000000..abaab5d9a
--- /dev/null
+++ b/debian/po/cs.po
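Review bot: The server profile adds `pluto.*: .* SA established`, `pluto.*: .* SA expired` and `pluto.*: replacing stale .* SA` on top of the paranoid list, which discards the one class of event an operator of a VPN gateway usually wants reported: each established or renewed SA is the record of which peer authenticated and when. Suppressing them should be a deliberate choice stated in a comment, and if they stay they need anchoring to the pluto syslog prefix, because as written `.* SA established` also matches any other daemon's line that happens to contain "pluto" earlier on. The remaining rules duplicate the paranoid file verbatim, so the unanchored patterns and the apparently misspelt `doing cleanup anywan...` rule carry over unchanged here.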
@@ -0,0 +1,830 @@ +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# Developers do not need to manually edit POT or PO files. +# +# +msgid "" +msgstr "" +"Project-Id-Version: strongswan\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-16 14:23+0200\n" +"PO-Revision-Date: 2010-10-16 13:09+0200\n" +"Last-Translator: Miroslav Kure <kurem@debian.cz>\n" +"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n" +"Language: cs\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Stará správa bÄ›hových úrovnà je pÅ™ekonána." + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"DÅ™ÃvÄ›jÅ¡Ã verze balÃku strongSwan dávaly na výbÄ›r mezi tÅ™emi různými Start/" +"Stop úrovnÄ›mi. DÃky zmÄ›nám ve způsobu zavádÄ›nà systému to již nenà nutné a " +"ani užiteÄné. 
Novým i stávajÃcÃm instalacÃm použÃvajÃcÃm nÄ›kterou ze třà " +"pÅ™edefinovaných úrovnà budou nynà automaticky nastaveny rozumné výchozà " +"úrovnÄ›. PÅ™echázÃte-li z dÅ™ÃvÄ›jÅ¡Ã verze strongSwanu, u které jste si " +"upravovali startovacà parametry, podÃvejte se prosÃm do souboru NEWS.Debian, " +"kde naleznete pokyny, jak si pÅ™ÃsluÅ¡nÄ› upravit nastavenÃ." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "Restartovat nynà strongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such a " +"strongSwan tunnel to connect for this update, restarting is not recommended." +msgstr "" +"Restartovánà strongSwan je dobrý nápad, protože v pÅ™ÃpadÄ›, že aktualizace " +"obsahuje bezpeÄnostnà záplatu, nebude tato funkÄnÃ, dokud se démon " +"nerestartuje. VÄ›tÅ¡ina lidà s restartem daemona poÄÃtá, nicménÄ› je možné, že " +"tÃm budou existujÃcà spojenà ukonÄena a následnÄ› znovu nahozena. Pokud tuto " +"aktualizaci provádÃte pÅ™es takovýto strongSwan tunel, restart nedoporuÄujeme." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "Spustit strongSwan daemon IKEv1?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"Pro podporu 1. verze protokolu Internet Key Exchange musà běžet daemon pluto." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" 
+msgstr "Spustit strongSwan daemon IKEv2?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"Pro podporu 2. verze protokolu Internet Key Exchange musà běžet daemon " +"charon." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "PoužÃt pro tento poÄÃtaÄ certifikát X.509?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Pro tento poÄÃtaÄ můžete automaticky vytvoÅ™it nebo importovat certifikát " +"X.509. Certifikát může být využit k autentizaci IPsec spojenà na dalÅ¡Ã " +"poÄÃtaÄe a je upÅ™ednostňovaným způsobem pro sestavovánà bezpeÄných IPsec " +"spojenÃ. DalÅ¡Ã možnostà autentizace je využità sdÃlených tajemstvà (hesel, " +"která jsou stejná na obou stranách tunelu), ale pro vÄ›tÅ¡Ã poÄet spojenà je " +"RSA autentizace snazÅ¡Ã na správu a mnohem bezpeÄnÄ›jÅ¡Ã." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"AlternativnÄ› můžete tuto nabÃdku zamÃtnout a pozdÄ›ji se k nà vrátit pÅ™Ãkazem " +"„dpkg-reconfigure strongswan“." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "vytvoÅ™it" + +#. 
Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "importovat" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "ZÃskánà certifikátu X.509 pro autentizaci tohoto poÄÃtaÄe:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"Pro autentizaci IPsec spojenà můžete buÄ vytvoÅ™it nový certifikát X.509 na " +"základÄ› zadaných parametrů, nebo můžete naimportovat veÅ™ejný/soukromý pár " +"klÃÄů uložený v PEM souboru." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" +"Rozhodnete-li se pro vytvoÅ™enà nového certifikátu X.509, budete nejprve " +"dotázáni na Å™adu otázek. Pokud chcete podepsat veÅ™ejný klÃÄ stávajÃcà " +"certifikaÄnà autoritou, nesmÃte zvolit certifikát podepsaný sám sebou a také " +"zadané odpovÄ›di musà splňovat požadavky dané certifikaÄnà autority. " +"NesplnÄ›nà požadavků může vést k zamÃtnutà požadavku na certifikát." + +#. Type: select +#. 
Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"ZvolÃte-li import stávajÃcÃho veÅ™ejného/soukromého páru klÃÄů, budete " +"dotázáni na názvy souborů, ve kterých se klÃÄe nacházà (může se také jednat " +"o jediný soubor, protože obÄ› Äásti mohou ležet v jednom souboru). VolitelnÄ› " +"můžete také zadat jméno souboru s veÅ™ejným klÃÄem certifikaÄnà autority, ale " +"zde to již musà být jiný soubor. MÄ›jte prosÃm na pamÄ›ti, že certifikát X.509 " +"musà být ve formátu PEM a že soukromý klÃÄ nesmà být zaÅ¡ifrován, jinak " +"import selže." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Jméno souboru s certifikátem X.509 ve formátu PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Zadejte cestu k souboru obsahujÃcÃmu váš certifikát X.509 ve formátu PEM." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "Jméno souboru se soukromým klÃÄem X.509 ve formátu PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. 
This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Zadejte cestu k souboru obsahujÃcÃmu soukromý RSA klÃÄ odpovÃdajÃcà vaÅ¡emu " +"certifikátu X.509 ve formátu PEM. Může to být stejný soubor jako ten, ve " +"kterém se nacházà certifikát X.509." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Jméno souboru s koÅ™enovou certifikaÄnà autoritou X.509 ve formátu PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Nynà můžete zadat cestu k souboru obsahujÃcÃmu certifikaÄnà autoritu X.509, " +"kterou použÃváte pro podpis svých certifikátů ve formátu PEM. Pokud takovou " +"certifikaÄnà autoritu nemáte, nebo ji nechcete použÃt, ponechte prázdné. " +"KoÅ™enovou certifikaÄnà autoritu nelze uchovávat ve stejném souboru se " +"soukromým klÃÄem nebo certifikátem X.509." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "Zadejte délku vytvářeného RSA klÃÄe:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Zadejte délku vytvářeného RSA klÃÄe. 
Kvůli bezpeÄnosti by nemÄ›la být menÅ¡Ã " +"než 1024 bitů a pravdÄ›podobnÄ› nepotÅ™ebujete vÃc než 4096 bitů, protože to " +"již jen zpomaluje proces autentizace." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "VytvoÅ™it certifikát X.509 podepsaný sám sebou?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"Tento instalátor může automaticky vytvoÅ™it pouze certifikát X509 podepsaný " +"sám sebou, jelikož v opaÄném pÅ™ÃpadÄ› je k podpisu certifikátu potÅ™eba " +"certifikaÄnà autorita. Tento certifikát můžete ihned použÃt k pÅ™ipojenà na " +"dalÅ¡Ã poÄÃtaÄe s IPsec, které podporujà autentizaci pomocà certifikátu X509. " +"NicménÄ› chcete-li využÃt PKI možnostà strongSwanu, budete k vytvoÅ™enà " +"důvÄ›ryhodných cest potÅ™ebovat podepsat vÅ¡echny certifikáty X509 jedinou " +"certifikaÄnà autoritou." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Jestliže nechcete vytvoÅ™it certifikát podepsaný sebou samým, vytvořà se " +"pouze soukromý RSA klÃÄ a požadavek na certifikát. Vy potom musÃte podepsat " +"požadavek svou certifikaÄnà autoritou." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Kód státu pro požadavek na certifikát X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Zadejte dvojpÃsmenný kód státu, ve kterém se server nacházà (napÅ™Ãklad „CZ“ " +"pro ÄŒeskou republiku)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"Nezadáte-li platný kód zemÄ› dle ISO-3166, OpenSSL odmÃtne certifikát " +"vygenerovat. Prázdné pole je dovoleno ve vÅ¡ech ostatnÃch polÃch certifikátu " +"X.509 kromÄ› tohoto." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Jméno zemÄ› nebo oblasti pro požadavek na certifikát X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Zadejte celé jméno zemÄ› nebo oblasti, ve které se server nacházà (napÅ™Ãklad " +"„Morava“)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Jméno lokality pro požadavek na certifikát X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Zadejte jméno lokality, ve které se server nacházà (Äasto mÄ›sto, napÅ™Ãklad " +"„Olomouc“)." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Název organizace pro požadavek na certifikát X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "Zadejte název organizace, které server patřà (napÅ™Ãklad „Debian“)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Název organizaÄnà jednotky pro požadavek na certifikát X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Zadejte název organizaÄnà jednotky, které server patřà (napÅ™Ãklad „oddÄ›lenà " +"pro odhalovánà daňových úniků“)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "Obecné jméno pro požadavek na certifikát X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"Zadejte obecné jméno (CN) tohoto poÄÃtaÄe (napÅ™Ãklad „cloud.example.org“)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "Emailová adresa pro požadavek na certifikát X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Zadejte emailovou adresu osoby nebo organizace zodpovÄ›dné za certifikát " +"X.509." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Povolit oportunistické Å¡ifrovánÃ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Tato verze strongSwan podporuje oportunistické Å¡ifrovánà (OE), které " +"uchovává autentizaÄnà informace IPsecu (napÅ™. veÅ™ejné RSA klÃÄe) v DNS " +"záznamech. Dokud nebude tato schopnost vÃce rozÅ¡ÃÅ™ena, způsobà jejà aktivace " +"výrazné zpomalenà každého nového odchozÃho spojenÃ." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Oportunistické Å¡ifrovánà byste mÄ›li povolit pouze v pÅ™ÃpadÄ›, že ho opravdu " +"chcete. PÅ™i startu daemona pluto je možné, že se vaÅ¡e probÃhajÃcà spojenà do " +"Internetu pÅ™eruÅ¡Ã (pÅ™esnÄ›ji pÅ™estane fungovat výchozà cesta)." + +#~ msgid "Do you wish to restart strongSwan?" +#~ msgstr "PÅ™ejete si restartovat strongSwan?" + +#~ msgid "Please enter the location of your X509 certificate in PEM format:" +#~ msgstr "" +#~ "Zadejte cestu k souboru obsahujÃcÃmu váš certifikát X.509 ve formátu PEM." + +#~ msgid "Please enter the location of your X509 private key in PEM format:" +#~ msgstr "" +#~ "Zadejte cestu k souboru obsahujÃcÃmu váš certifikát X.509 ve formátu PEM." + +#, fuzzy +#~| msgid "" +#~| "Please enter the full location of the file containing your X.509 " +#~| "certificate in PEM format." 
+#~ msgid "You may now enter the location of your X509 RootCA in PEM format:" +#~ msgstr "" +#~ "Zadejte celou cestu k souboru obsahujÃcÃmu váš certifikát X.509 ve " +#~ "formátu PEM." + +#~ msgid "" +#~ "Please enter the 2 letter country code for your country. This code will " +#~ "be placed in the certificate request." +#~ msgstr "" +#~ "Zadejte dvoumÃstný ISO3166 kód své zemÄ›. Tento kód bude umÃstÄ›n do " +#~ "požadavku na certifikát." + +#~ msgid "Example: AT" +#~ msgstr "PÅ™Ãklad: CZ" + +#~ msgid "Example: Upper Austria" +#~ msgstr "PÅ™Ãklad: Morava" + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization (e.g. company) that the X509 certificate " +#~| "should be created for. This name will be placed in the certificate " +#~| "request." +#~ msgid "" +#~ "Please enter the locality (e.g. city) where you live. This name will be " +#~ "placed in the certificate request." +#~ msgstr "" +#~ "Zadejte prosÃm organizaci pro kterou je certifikát vytvářen. Toto jméno " +#~ "bude umÃstÄ›no do požadavku na certifikát." + +#~ msgid "Example: Vienna" +#~ msgstr "PÅ™Ãklad: Olomouc" + +#~ msgid "" +#~ "Please enter the organization (e.g. company) that the X509 certificate " +#~ "should be created for. This name will be placed in the certificate " +#~ "request." +#~ msgstr "" +#~ "Zadejte prosÃm organizaci pro kterou je certifikát vytvářen. Toto jméno " +#~ "bude umÃstÄ›no do požadavku na certifikát." + +#~ msgid "Example: Debian" +#~ msgstr "PÅ™Ãklad: Debian" + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization (e.g. company) that the X509 certificate " +#~| "should be created for. This name will be placed in the certificate " +#~| "request." +#~ msgid "" +#~ "Please enter the organizational unit (e.g. section) that the X509 " +#~ "certificate should be created for. This name will be placed in the " +#~ "certificate request." +#~ msgstr "" +#~ "Zadejte prosÃm organizaci pro kterou je certifikát vytvářen. 
Toto jméno " +#~ "bude umÃstÄ›no do požadavku na certifikát." + +#~ msgid "Example: security group" +#~ msgstr "PÅ™Ãklad: bezpeÄnostnà oddÄ›lenÃ" + +#~ msgid "Example: gateway.debian.org" +#~ msgstr "PÅ™Ãklad: gateway.debian.org" + +#~ msgid "earliest" +#~ msgstr "co nejdÅ™Ãve" + +#~ msgid "after NFS" +#~ msgstr "po NFS" + +#~ msgid "after PCMCIA" +#~ msgstr "po PCMCIA" + +#~ msgid "When to start strongSwan:" +#~ msgstr "Kdy spustit strongSwan:" + +#~ msgid "" +#~ "StrongSwan starts during system startup so that it can protect " +#~ "filesystems that are automatically mounted." +#~ msgstr "" +#~ "strongSwan se spouÅ¡tà pÅ™i zavádÄ›nà systému, takže může chránit " +#~ "automaticky pÅ™ipojované souborové systémy." + +#~ msgid "" +#~ " * earliest: if /usr is not mounted through NFS and you don't use a\n" +#~ " PCMCIA network card, it is best to start strongSwan as soon as\n" +#~ " possible, so that NFS mounts can be secured by IPSec;\n" +#~ " * after NFS: recommended when /usr is mounted through NFS and no\n" +#~ " PCMCIA network card is used;\n" +#~ " * after PCMCIA: recommended if the IPSec connection uses a PCMCIA\n" +#~ " network card or if it needs keys to be fetched from a locally running " +#~ "DNS\n" +#~ " server with DNSSec support." +#~ msgstr "" +#~ " * co nejdÅ™Ãve: pokud nenà /usr pÅ™ipojeno pÅ™es NFS a nepoužÃváte\n" +#~ " sÃÅ¥ovou kartu PCMCIA, je lepÅ¡Ã spustit strongSwan co nejdÅ™Ãve,\n" +#~ " aby bylo NFS chránÄ›no pomocà IPSec;\n" +#~ " * po NFS: doporuÄeno, pokud je /usr pÅ™ipojeno pÅ™es NFS a pokud\n" +#~ " nepoužÃváte sÃÅ¥ovou kartu PCMCIA;\n" +#~ " * po PCMCIA: doporuÄeno pokud IPSec spojenà použÃvá sÃÅ¥ovou kartu\n" +#~ " PCMCIA, nebo pokud vyžaduje staženà klÃÄů z lokálnÄ› běžÃcÃho DNS\n" +#~ " serveru s podporou DNSSec." + +#~ msgid "" +#~ "If you don't restart strongSwan now, you should do so manually at the " +#~ "first opportunity." 
+#~ msgstr "" +#~ "Pokud nerestartujete strongSwan nynÃ, mÄ›li byste to provést pÅ™i nejbližšà " +#~ "pÅ™Ãležitosti." + +#~ msgid "Create an RSA public/private keypair for this host?" +#~ msgstr "VytvoÅ™it veÅ™ejný/soukromý pár RSA klÃÄů pro tento poÄÃtaÄ?" + +#~ msgid "" +#~ "StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to " +#~ "authenticate IPSec connections to other hosts. RSA authentication is " +#~ "generally considered more secure and is easier to administer. You can use " +#~ "PSK and RSA authentication simultaneously." +#~ msgstr "" +#~ "strongSwan může pro autentizaci IPSec spojenà s jinými poÄÃtaÄi použÃvat " +#~ "pÅ™edsdÃlený klÃÄ (PSK), nebo veÅ™ejný/soukromý pár RSA klÃÄů. RSA " +#~ "autentizace se považuje za bezpeÄnÄ›jÅ¡Ã a jednoduÅ¡Å¡Ã na správu. " +#~ "Autentizace PSK a RSA můžete použÃvat souÄasnÄ›." + +#~ msgid "" +#~ "If you do not want to create a new public/private keypair, you can choose " +#~ "to use an existing one in the next step." +#~ msgstr "" +#~ "Jestliže si nepÅ™ejete vytvoÅ™it nový pár klÃÄů pro tento poÄÃtaÄ, můžete " +#~ "si v pÅ™ÃÅ¡tÃm kroku zvolit existujÃcà klÃÄe." + +#~ msgid "" +#~ "The required information can automatically be extracted from an existing " +#~ "X.509 certificate with a matching RSA private key. Both parts can be in " +#~ "one file, if it is in PEM format. You should choose this option if you " +#~ "have such an existing certificate and key file and want to use it for " +#~ "authenticating IPSec connections." +#~ msgstr "" +#~ "PotÅ™ebné informace lze zÃskat automaticky z existujÃcÃho certifikátu " +#~ "X.509 s odpovÃdajÃcÃm soukromým RSA klÃÄem. Jedná-li se o formát PEM, " +#~ "mohou být obÄ› Äásti v jednom souboru. VlastnÃte-li takový certifikát a " +#~ "soubor s klÃÄem a chcete-li je použÃt pro autentizaci IPSec spojenÃ, " +#~ "odpovÄ›zte kladnÄ›." + +#~ msgid "RSA key length:" +#~ msgstr "Délka RSA klÃÄe:" + +#~ msgid "" +#~ "Please enter the length of RSA key you wish to generate. 
A value of less " +#~ "than 1024 bits is not considered secure. A value of more than 2048 bits " +#~ "will probably affect performance." +#~ msgstr "" +#~ "Zadejte prosÃm délku vytvářeného RSA klÃÄe. Z důvodu bezpeÄnosti by " +#~ "nemÄ›la být menÅ¡Ã než 1024 bitů. Hodnota vÄ›tÅ¡Ã než 2048 bitů může ovlivnit " +#~ "výkon." + +#~ msgid "" +#~ "Only self-signed X.509 certificates can be created automatically, because " +#~ "otherwise a certificate authority is needed to sign the certificate " +#~ "request." +#~ msgstr "" +#~ "Automaticky lze vytvoÅ™it pouze certifikát podepsaný sám sebou, protože " +#~ "jinak je zapotÅ™ebà certifikaÄnà autorita, která by podepsala požadavek na " +#~ "certifikát." + +#~ msgid "" +#~ "If you accept this option, the certificate created can be used " +#~ "immediately to connect to other IPSec hosts that support authentication " +#~ "via an X.509 certificate. However, using strongSwan's PKI features " +#~ "requires a trust path to be created by having all X.509 certificates " +#~ "signed by a single authority." +#~ msgstr "" +#~ "OdpovÃte-li kladnÄ›, můžete nový certifikát ihned použÃt k pÅ™ipojenà na " +#~ "dalÅ¡Ã poÄÃtaÄe s IPSec, které podporujà autentizaci pomocà certifikátu " +#~ "X.509. NicménÄ› pro využità PKI možnostà ve strongSwanu je nutné, aby byly " +#~ "vÅ¡echny certifikáty v cestÄ› důvÄ›ry podepsány stejnou autoritou." + +#~ msgid "" +#~ "This field is mandatory; otherwise a certificate cannot be generated." +#~ msgstr "Toto pole je povinné, bez nÄ›j nenà možné certifikát vytvoÅ™it." + +#~ msgid "" +#~ "Please enter the locality name (often a city) that should be used in the " +#~ "certificate request." +#~ msgstr "" +#~ "Zadejte jméno lokality (napÅ™. mÄ›sta), které se má použÃt v požadavku na " +#~ "certifikát." + +#~ msgid "" +#~ "Please enter the organization name (often a company) that should be used " +#~ "in the certificate request." 
+#~ msgstr "" +#~ "Zadejte název organizace (firmy), který se má použÃt v požadavku na " +#~ "certifikát." + +#~ msgid "" +#~ "Please enter the organizational unit name (often a department) that " +#~ "should be used in the certificate request." +#~ msgstr "" +#~ "Zadejte název organizaÄnà jednotky (napÅ™. oddÄ›lenÃ), který se má použÃt v " +#~ "požadavku na certifikát." + +#~ msgid "" +#~ "Please enter the common name (such as the host name of this machine) that " +#~ "should be used in the certificate request." +#~ msgstr "" +#~ "Zadejte běžné jméno (napÅ™. jméno poÄÃtaÄe), které se má použÃt v " +#~ "požadavku na certifikát." + +#~ msgid "earliest, \"after NFS\", \"after PCMCIA\"" +#~ msgstr "\"co nejdÅ™Ãve\", \"po NFS\", \"po PCMCIA\"" + +#~ msgid "" +#~ "There are three possibilities when strongSwan can start: before or after " +#~ "the NFS services and after the PCMCIA services. The correct answer " +#~ "depends on your specific setup." +#~ msgstr "" +#~ "Existujà tÅ™i možnosti, kdy se dá strongSwan spouÅ¡tÄ›t: pÅ™ed NFS službami, " +#~ "po NFS službách nebo po PCMCIA službách. Správná odpovÄ›Ä závisà na vaÅ¡em " +#~ "konkrétnÃm nastavenÃ." + +#~ msgid "" +#~ "If you do not have your /usr tree mounted via NFS (either you only mount " +#~ "other, less vital trees via NFS or don't use NFS mounted trees at all) " +#~ "and don't use a PCMCIA network card, then it's best to start strongSwan " +#~ "at the earliest possible time, thus allowing the NFS mounts to be secured " +#~ "by IPSec. In this case (or if you don't understand or care about this " +#~ "issue), answer \"earliest\" to this question (the default)." +#~ msgstr "" +#~ "Jestliže nemáte svůj strom /usr pÅ™ipojen skrz NFS (buÄ pÅ™es NFS " +#~ "pÅ™ipojujete jiné, ne tak důležité stromy, nebo NFS vůbec nepoužÃváte) a " +#~ "nepoužÃváte sÃÅ¥ovou kartu PCMCIA, je nejlepÅ¡Ã spouÅ¡tÄ›t strongSwan co " +#~ "nejdÅ™Ãve, ÄÃmž umožnÃte aby byly NFS svazky chránÄ›ny pomocà IPSec. 
V " +#~ "takovém pÅ™ÃpadÄ› (nebo pokud si nejste jisti, nebo pokud vám na tom " +#~ "nezáležÃ) na otázku odpovÄ›zte „co nejdÅ™Ãve“ (výchozÃ)." + +#~ msgid "" +#~ "If you have your /usr tree mounted via NFS and don't use a PCMCIA network " +#~ "card, then you will need to start strongSwan after NFS so that all " +#~ "necessary files are available. In this case, answer \"after NFS\" to this " +#~ "question. Please note that the NFS mount of /usr can not be secured by " +#~ "IPSec in this case." +#~ msgstr "" +#~ "Jestliže máte strom /usr pÅ™ipojen skrz NFS a nepoužÃváte sÃÅ¥ovou kartu " +#~ "PCMCIA, musÃte spustit strongSwan po NFS, aby byly vÅ¡echny potÅ™ebné " +#~ "soubory dostupné. V tomto pÅ™ÃpadÄ› na otázku odpovÄ›zte „po NFS“. UvÄ›domte " +#~ "si prosÃm, že v tomto pÅ™ÃpadÄ› nemůže být NFS svazek /usr chránÄ›n pomocà " +#~ "IPSec." + +#~ msgid "" +#~ "If you use a PCMCIA network card for your IPSec connections, then you " +#~ "only have to choose to start it after the PCMCIA services. Answer \"after " +#~ "PCMCIA\" in this case. This is also the correct answer if you want to " +#~ "fetch keys from a locally running DNS server with DNSSec support." +#~ msgstr "" +#~ "Jestliže použÃváte PCMCIA sÃÅ¥ovou kartu pro vaÅ¡e IPSec pÅ™ipojenÃ, pak je " +#~ "jedinou možnostà jej spustit po PCMCIA službách. V tom pÅ™ÃpadÄ› odpovÄ›zte " +#~ "„po PCMCIA“. Toto je také správná odpovÄ›Ä, pokud chcete zÃskat klÃÄe z " +#~ "lokálnÃho DNS serveru s podporou DNSSec." + +#~ msgid "Do you wish to support IKEv1?" +#~ msgstr "PÅ™ejete si podporu IKEv1?" + +#~ msgid "" +#~ "strongSwan supports both versions of the Internet Key Exchange protocol, " +#~ "IKEv1 and IKEv2. Do you want to start the \"pluto\" daemon for IKEv1 " +#~ "support when strongSwan is started?" +#~ msgstr "" +#~ "strongSwan podporuje protokol Internet Key Exchange ve verzÃch 1 a 2 " +#~ "(IKEv1, IKEv2). PÅ™ejete si pÅ™i startu strongSwanu spustit daemona „pluto“ " +#~ "podporujÃcÃho IKEv1?" 
+ +#~ msgid "Do you wish to support IKEv2?" +#~ msgstr "PÅ™ejete si podporu IKEv2?" + +#~ msgid "" +#~ "strongSwan supports both versions of the Internet Key Exchange protocol, " +#~ "IKEv1 and IKEv2. Do you want to start the \"charon\" daemon for IKEv2 " +#~ "support when strongSwan is started?" +#~ msgstr "" +#~ "strongSwan podporuje protokol Internet Key Exchange ve verzÃch 1 a 2 " +#~ "(IKEv1, IKEv2). PÅ™ejete si pÅ™i startu strongSwanu spustit daemona " +#~ "„charon“ podporujÃcÃho IKEv2?" + +#~ msgid "" +#~ "strongSwan comes with support for opportunistic encryption (OE), which " +#~ "stores IPSec authentication information (i.e. RSA public keys) in " +#~ "(preferably secure) DNS records. Until this is widely deployed, " +#~ "activating it will cause a significant slow-down for every new, outgoing " +#~ "connection. Since version 2.0, strongSwan upstream comes with OE enabled " +#~ "by default and is thus likely to break your existing connection to the " +#~ "Internet (i.e. your default route) as soon as pluto (the strongSwan " +#~ "keying daemon) is started." +#~ msgstr "" +#~ "strongSwan pÅ™icházà s podporou pro oportunistické Å¡ifrovánà (OE), které " +#~ "uchovává autentizaÄnà informace IPSecu (napÅ™. veÅ™ejné RSA klÃÄe) v " +#~ "(nejlépe zabezpeÄených) DNS záznamech. Dokud nebude tato schopnost vÃce " +#~ "rozÅ¡ÃÅ™ena, způsobà jejà aktivace výrazné zpomalenà každého nového " +#~ "odchozÃho spojenÃ. Od verze 2.0 pÅ™icházà strongSwan s implicitnÄ› zapnutou " +#~ "podporou OE ÄÃmž pravdÄ›podobnÄ› zruÅ¡Ã vaÅ¡e probÃhajÃcà spojenà do " +#~ "Internetu (tj. vaÅ¡i výchozà cestu - default route) v okamžiku, kdy " +#~ "spustÃte pluto (strongSwan keying démon)." + +#~ msgid "" +#~ "Please choose whether you want to enable support for OE. If unsure, do " +#~ "not enable it." +#~ msgstr "" +#~ "ProsÃm vyberte si zda chcete povolit podporu pro OE. Nejste-li si jisti, " +#~ "podporu nepovolujte." 
+ +#~ msgid "x509, plain" +#~ msgstr "x509, prostý" + +#~ msgid "The type of RSA keypair to create:" +#~ msgstr "Typ páru RSA klÃÄů, který se vytvoÅ™Ã:" + +#~ msgid "" +#~ "It is possible to create a plain RSA public/private keypair for use with " +#~ "strongSwan or to create a X509 certificate file which contains the RSA " +#~ "public key and additionally stores the corresponding private key." +#~ msgstr "" +#~ "Je možné vytvoÅ™it prostý pár RSA klÃÄů pro použità se strongSwanem, nebo " +#~ "vytvoÅ™it soubor s certifikátem X509, který obsahuje veÅ™ejný RSA klÃÄ a " +#~ "dodateÄnÄ› uchovává odpovÃdajÃcà soukromý klÃÄ." + +#~ msgid "" +#~ "If you only want to build up IPSec connections to hosts also running " +#~ "strongSwan, it might be a bit easier using plain RSA keypairs. But if you " +#~ "want to connect to other IPSec implementations, you will need a X509 " +#~ "certificate. It is also possible to create a X509 certificate here and " +#~ "extract the RSA public key in plain format if the other side runs " +#~ "strongSwan without X509 certificate support." +#~ msgstr "" +#~ "Pokud chcete vytvoÅ™it IPSec spojenà jen k poÄÃtaÄům, na kterých taktéž " +#~ "běžà strongSwan, může být mnohem jednoduÅ¡Å¡Ã použÃt pár prostých RSA " +#~ "klÃÄů. Pokud se ale chcete pÅ™ipojit k jiným implementacÃm IPSec, budete " +#~ "potÅ™ebovat certifikát X509. Také je možné zde vytvoÅ™it certifikát X509 a " +#~ "pozdÄ›ji, pokud druhá strana použÃvá strongSwan bez podpory certifikátů " +#~ "X509, z nÄ›j zÃskat veÅ™ejný RSA klÃÄ v prostém formátu." + +#~ msgid "" +#~ "Therefore a X509 certificate is recommended since it is more flexible and " +#~ "this installer should be able to hide the complex creation of the X509 " +#~ "certificate and its use in strongSwan anyway." +#~ msgstr "" +#~ "Certifikát X509 je proto doporuÄován zejména dÃky své flexibilitÄ›. Tento " +#~ "instalátor by v mÄ›l být schopen skrýt komplexnost vytvářenà a použÃvánà " +#~ "certifikátu ve strongSwanu." 
diff --git a/debian/po/da.po b/debian/po/da.po
new file mode 100644
index 000000000..0687e0219
--- /dev/null
+++ b/debian/po/da.po
@@ -0,0 +1,476 @@
+# Danish translation strongswan.
+# Copyright (C) 2010 strongswan & nedenstÃ¥ende oversættere.
+# This file is distributed under the same license as the strongswan package.
+# Joe Hansen (joedalton2@yahoo.dk), 2010.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: strongswan\n"
+"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
+"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"PO-Revision-Date: 2010-11-04 12:42+0000\n"
+"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
+"Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
+"Language: da\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid "Old runlevel management superseded"
+msgstr "Erstattede tidligere kørselsniveauhÃ¥ndtering"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+"Tidligere versioner af pakken strongSwan havde et valg mellem tre "
+"forskellige start-/stopniveauer. PÃ¥ grund af ændringer i den normale "
+"procedure for systemopstart, er dette ikke længere nødvendigt eller "
+"brugbart. For alle nye installationer samt ældre installationer der kører i "
+"en af de prædefinerede tilstande, vil standardniveauer for sane ikke blive "
+"angivet. 
Hvis du opgraderer fra en tidligere version og ændrede dine "
+"opstartsparametre i strongSwan, sÃ¥ kig venligst i NEWS.Debian for "
+"instruktioner om hvordan du ændrer din opsætning, sÃ¥ den passer."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid "Restart strongSwan now?"
+msgstr "Genstart strongSwan nu?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid ""
+"Restarting strongSwan is recommended, since if there is a security fix, it "
+"will not be applied until the daemon restarts. Most people expect the daemon "
+"to restart, so this is generally a good idea. However, this might take down "
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
+msgstr ""
+"Genstart af strongSwan anbefales, da det er en sikkerhedsrettelse, rettelsen "
+"vil ikke træde i kraft før dæmonen genstartes. De fleste forventer at "
+"dæmonen genstartes, sÃ¥ dette er generelt en god ide. Det kan dog lægge "
+"eksisterende forbindelser ned og sÃ¥ fÃ¥ dem op igen, sÃ¥ hvis du bruger sÃ¥dan "
+"en strongSwan-tunneltil at forbinde for denne opdatering, anbefales en "
+"genstart ikke."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid "Start strongSwan's IKEv1 daemon?"
+msgstr "Start strongSwans IKEv1-dæmon?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid ""
+"The pluto daemon must be running to support version 1 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Dæmonen pluto skal køre for at understøtte version 1 af Internet Key "
+"Exchange-protokollen."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid "Start strongSwan's IKEv2 daemon?"
+msgstr "Start streongSwans IKEv2-dæmon?"
+
+#. Type: boolean
+#. 
Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"Dæmonen charon skal køre for at understøtte version 2 af Internet Key " +"Exchange-protokollen." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "Brug et X.509-certifikat for denne vært?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Et X.509-certifikat for denne vært kan oprettes automatisk eller importeres. " +"Det kan bruges til at godkende IPsec-forbindelser til andre værter og er den " +"foretrukne mÃ¥de at opbygge sikre IPsec-forbindelser. Den anden mulighed " +"ville være at bruge delte hemmeligheder (adgangskoder der er de samme pÃ¥ " +"begge sider af tunnelen) til godkendelse af en forbindelse, men for et " +"større antal forbindelser, er nøglebaseret godkendelse nemmere at " +"administrere og mere sikkert." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"Alternativt kan du afvise denne indstilling og senere bruge kommandoen »dpkg-" +"reconfigure strongswan«." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "opret" + +#. Type: select +#. 
Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "importer" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "" +"Metoder hvormed et X.509-certifikat kan bruges til at godkende denne vært:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"Det er muligt at oprette et nyt X.509-certifikat med brugerdefineret " +"opsætning eller at importere en eksisterende offentlig og privat nøgle gemt " +"i PEM-filer for godkendelse af IPsec-forbindelser." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" +"Hvis du vælger at oprette et nyt X.509-certifikat, vil du først blive spurgt " +"om et antal spørgsmÃ¥l, som skal besvares før oprettelsen kan begynde. Husk " +"venligst at hvis du ønsker at den offentlige nøgle skal underskrives af et " +"eksisterende Certificate Authority, sÃ¥ bør du ikke vælge at oprette et " +"certifikat underskrevet af dig selv og alle svarene skal svare præcis til " +"krævene i CA'en, ellers vil certifikatanmodningen blive afvist." + +#. Type: select +#. 
Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"Hvis du ønsker at importere en eksisterende offentlig og privat nøgle, vil " +"du blive spurgt om deres filnavne (som kan være identiske, hvis begge er " +"gemt sammen i en fil). Du kan valgfrit angive et filnavn hvor de offentlige " +"nøgler fra Certificate Authority opbevares, men denne fil kan ikke være den " +"samme som den tidligere. Vær venligst ogsÃ¥ opmærksom pÃ¥ at formatet for " +"X.509-certifikatet skal være PEM, og at den private nøgle ikke mÃ¥ være " +"krypteret, ellers vil importproceduren fejle." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Filnavn pÃ¥ dit PEM-formateret X.509-certifikat:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Indtast venligst placeringen pÃ¥ filen der indeholder dit X.509-certifikat i " +"PEM-format." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "Filnavn pÃ¥ din private PEM-formateret X.509-nøgle:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. 
This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Indtast venligst placeringen pÃ¥ filen, der indeholder den private RSA-nøgle " +"der svarer til dit X.509-certifikat i PEM-format. Dette kan være den samme " +"fil som indeholder X.509-certifikatet." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Filnavn pÃ¥ dit PEM-formaterede X.509-RootCA:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Du kan nu valgfrit indtaste placeringen pÃ¥ filen, der indeholder X.509 " +"Certificate Authority-root brugt til at underskrive dit certifikat i PEM-" +"format. Hvis du ikke har et eller ikke ønsker at bruge det sÃ¥ efterlad dette " +"felt tomt. Bemærk venligst at det ikke er muligt at gemme RootCA'en i den " +"samme fil som dit X.509-certifikat eller din private nøgle." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "Indtast venligst hvilken længde den oprettede RSA-nøgle skal have:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Indtast venligst længden pÃ¥ den oprettede RSA-nøgle. 
Den bør ike være mindre " +"end 1024 bit, da dette er usikkert, og du vil sikkert ikke have brug for " +"mere end 4096 bit, da det kun sløver godkendelsesprocessen ned og behovet " +"ikke er der i øjeblikket." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "Opret et X.509-certifikat du selv har underskrevet?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"Kun X.509-certifikater du selv har underskrevet kan oprettes automatisk, da " +"en Certifikat Authority ellers er nødvendig for at certifikatforespørgslen " +"biver underskrevet. Hvis du vælger at oprette et certifikat, du selv " +"underskriver, kan du umiddelbart bruge det efterfølgende til at forbinde til " +"andre IPsec-værter som understøtter X.509-certifikater til godkendelse af " +"IPsec-forbindelser. Brug af strongSwans PKI-funktioner kræver dog at alle " +"certifikater skal være underskrevet af en Certificate Authority for at " +"oprette en troværdighed." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." 
+msgstr "" +"Hvis du vælger ikke at oprette et certifikat, du selv har underskrevet, vil " +"kun den private RSA-nøgle og certifikatforespørgslen blive oprettet, og du " +"vil skulle underskrive certifikatforespørgslen med dit Certificate Authority." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Landekode for X.509-certifikatforespørgslen:" + +# hvad er det for en tobogstavskode de henviser til her? DA eller DK. +# ISO 3166 som de nævner efterfølgende er trecifret (DNK), men underdelen af +# 3166 er tocifret og DK for Danmark, men det dækker omrÃ¥derne i Danmark +# som Midtjylland DK-82 med flere. +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Indtast venligst koden, der bestÃ¥r af to bogstaver, for landet hvor serveren " +"befinder sig (sÃ¥som »DK« for Danmark)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"OpenSSL vil nægte at oprette et certifikat med mindre dette er en gyldig " +"ISO-3166 landekode. Et tomt felt er tilladt andre steder i X.509-" +"certifikatet men ikke her." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Stat eller provinsnavn for X.509-certifikatforespørgslen:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." 
+msgstr "" +"Indtast venligst det fulde navn pÃ¥ staten eller provinsen som serveren " +"befinder sig i (sÃ¥som »Nordjylland«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Lokalitetsnavn for X.509-certifikatforespørgslen:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Indtast venligst lokaliteten hvor serveren befinder sig (ofte en by, sÃ¥som " +"ȁrhus«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Organisationsnavn for X.509-certifikatforespørglsen:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Indtast venligst organisationen som serveren tilhører (sÃ¥som »Debian«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Organisationsgruppe for X.509-certifikatforespørgslen:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Indtast venligst organisationsgruppen som serveren tilhører (sÃ¥som " +"»sikkerhedsafdelingen«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "Betegnelsen for X.509-certifikatforespørgslen:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." 
+msgstr "" +"Indtast venligst betegnelsen (navnet) for denne vært (sÃ¥som »gateway." +"eksempel.org«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "E-post-adresse for X.509-certifikatforespørgslen:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Indtast venligst e-post-adressen pÃ¥ personen eller organisationen der er " +"ansvarlig for X.509-certifikatet." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Aktiver opportunistisk kryptering?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Denne version af strongSwan understøtter opportunistisk kryptering (OE), som " +"gemmer IPSec-godkendelsesinformation i DNS-punkter. Indtil dette er udbredt, " +"vil aktivering medføre en væsentlig forsinkelse for hver ny udgÃ¥ende " +"forbindelse." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Du skal kun aktivere opportunistisk kryptering, hvis du er sikker pÃ¥, at du " +"ønsker det. Det kan fÃ¥ internetforbindelsen til at gÃ¥ ned (standardrute), " +"nÃ¥r plutodæmonen starter op." diff --git a/debian/po/de.po b/debian/po/de.po new file mode 100644 index 000000000..8930d6b5b --- /dev/null +++ b/debian/po/de.po 
@@ -0,0 +1,789 @@ +# German translation of strongswan templates +# Matthias Julius <mdeb@julius-net.net>, 2007. +# Martin Eberhard Schauer <Martin.E.Schauer@gmx.de>, 2010. +# Helge Kreutzmann <debian@helgefjell.de>, 2007, 2010. +# This file is distributed under the same license as the strongswan package. +# +msgid "" +msgstr "" +"Project-Id-Version: strongswan 4.4.0-1\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-16 14:23+0200\n" +"PO-Revision-Date: 2010-06-29 21:55+0200\n" +"Last-Translator: Helge Kreutzmann <debian@helgefjell.de>\n" +"Language-Team: German <debian-l10n-german@lists.debian.org>\n" +"Language: de\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +# (mes) andere Ãœbersetzungen für supersede: etw.Akk. ersetzen, für etw.Akk. Ersatz sein, an die Stelle von etw. Dat. treten, etw.Akk. überflüssig machen, etw.Akk. verdrängen +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Alte Verwaltung der Runlevel abgelöst" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"Frühere Versionen von strongSwan ermöglichten eine Wahl zwischen drei " +"verschiedenen Start/Stop-Modi. Aufgrund von Änderungen des standardmäßigen " +"Systemstarts ist dies nicht mehr notwendig oder nützlich. 
Sowohl für alle " +"neuen als auch bestehende Installationen, die in einem der vordefinierten " +"Modi betrieben wurden, werden jetzt vernünftige Standardwerte gesetzt. Wenn " +"Sie jetzt ein Upgrade von einer früheren Version durchführen und Sie die " +"strongSwan-Startparameter angepasst haben, werfen Sie bitte einen Blick auf " +"NEWS.Debian. Die Datei enthält Anweisungen, wie Sie Ihren Installation " +"entsprechend ändern." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "StrongSwan jetzt starten?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such a " +"strongSwan tunnel to connect for this update, restarting is not recommended." +msgstr "" +"Es wird empfohlen, strongSwan neuzustarten, da eine Sicherheitskorrektur " +"erst nach dem Neustart des Daemons greift. Die meisten Leute erwarten, dass " +"der Daemon neu startet, daher ist diese Wahl eine gute Idee. Er kann " +"allerdings existierende Verbindungen beenden und erneut aufbauen. Falls Sie " +"solch eine Verbindung für diese Aktualisierung verwenden, wird der Neustart " +"nicht empfohlen." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "strongSwans IKEv1-Daemon starten?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"Der Pluto-Daemon muss laufen, um Version 1 des Internet Key Exchange-" +"Protokolls zu unterstützen." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "strongSwans IKEv2-Daemon starten?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"Der Charon-Daemon muss laufen, um Version 2 des Internet Key Exchange-" +"Protokolls zu unterstützen." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "Für diesen Rechner ein X.509-Zertifikat verwenden?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Für diesen Rechner kann ein X.509-Zertifikat automatisch erstellt oder " +"importiert werden, das zur Authentifizierung von IPSec-Verbindungen zu " +"anderen Rechnern verwendet werden kann. Dieses Vorgehen ist für den Aufbau " +"gesicherter IPSec-Verbindungen vorzuziehen. Die andere Möglichkeit ist die " +"Verwendung von gemeinsamen Geheimnissen (engl.: shared secrets, gleiche " +"Passwörter an beiden Enden des Tunnels) zur Authentifizierung einer " +"Verbindung. Für eine größere Anzahl von Verbindungen ist aber die RSA-" +"Authentifizierung einfacher zu verwalten und sicherer." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"Alternativ können Sie diese Option ablehnen und später den Befehl »dpkg-" +"reconfigure strongswan« zur Rückkehr zu dieser Option verwenden." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "erstellen" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "importieren" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "" +"Methoden für die Authentifizierung dieses Rechners mittels eines X.509-" +"Zertifikats:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"Es ist möglich, mit benutzerdefinierten Einstellungen ein neues X.509-" +"Zertifikat zu erstellen oder einen vorhandenen, in PEM-Datei(en) " +"gespeicherten, öffentlichen und privaten Schlüssel für die Authentifizierung " +"von IPSec-Verbindungen zu verwenden." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." 
+msgstr "" +"Wenn Sie sich für die Erstellung eines neuen X.509-Zertifikats entscheiden, " +"wird Ihnen zunächst eine Reihe von Fragen gestellt. Diese Fragen müssen " +"beantwortet werden, damit das Zertifikat erstellt werden kann. Bitte " +"beachten Sie: Wenn der öffentliche Schlüssel von einer bestehenden " +"Zertifizierungsstelle (Certificate Authority, CA) bestätigen lassen wollen, " +"sollten Sie nicht wählen, ein selbstsigniertes Zertifikat zu erstellen. " +"Außerdem müssen dann alle gegebenen Antworten exakt den Anforderungen der CA " +"entsprechen, da sonst der Antrag auf Zertifizierung zurückgewiesen werden " +"kann." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"Wenn Sie bestehende öffentliche und private Schlüssel importieren wollen, " +"werden Sie nach deren Dateinamen gefragt. (Die Namen können übereinstimmen, " +"wenn beide Teile zusammen in einer Datei gespeichert werden.) Optional " +"können Sie auch den Namen einer Datei angeben, die den/die öffentlichen " +"Schlüssel Ihrer Zertifizierungsstelle enthält. Dieser Name muss von den " +"Erstgenannten verschieden sein. Bitte beachten Sie auch, dass Sie für die " +"X.509-Zertifikate das Format PEM verwenden und dass der private Schlüssel " +"nicht verschlüsselt sein darf, weil sonst der Import-Vorgang fehlschlagen " +"wird." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Dateiname Ihres X.509-Zertifikats im PEM-Format:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Bitte geben Sie den Speicherort der Datei ein, die Ihr X.509-Zertifikat im " +"PEM-Format enthält." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "Dateiname des privaten X.509-Schlüssels im PEM-Format:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Bitte geben Sie den Speicherort der Datei ein, die den zu Ihrem X.509-" +"Zertifikat passenden privaten RSA-Schlüssel im PEM-Format enthält. Dies kann " +"dieselbe Datei sein, die das X.509-Zertifikat enthält." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Dateinamen Ihrer PEM-Format-X.509-RootCA:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Optional können Sie nun den Speicherort der Datei mit dem »X.509 Certificate " +"Authority Root« angeben, mit dem Ihr Zertifikat im PEM-Format unterzeichnet " +"wurde. 
Wenn Sie keine haben oder diese nicht verwenden wollen, lassen Sie " +"dieses Feld bitte leer. Bitte beachten Sie, dass es nicht möglich ist, die " +"RootCA in der gleichen Datei wie Ihr X.509-Zertifikat oder den privaten " +"Schlüssel zu speichern." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "" +"Bitte geben Sie ein, welche Länge der erstellte RSA-Schlüssels haben soll:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Bitte geben Sie die Länge des erstellten RSA-Schlüssels an. Er sollte nicht " +"kürzer als 1024 Bits sein, da dies als unsicher betrachtet werden könnte und " +"Sie benötigen nicht mehr als 4096 Bits, da dies nur den Authentifizierungs-" +"Prozess verlangsamt und derzeit nicht benötigt wird." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "Selbstsigniertes X.509-Zertifikat erstellen?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." 
+msgstr ""
+"Nur selbstsignierte X.509-Zertifikate können automatisch erstellt werden, da "
+"da andernfalls eine Zertifizierungsstelle zur Signatur der "
+"Zertifikatsanfrage benötigt wird. Falls Sie sich entscheiden, ein "
+"selbstsigniertes Zertifikat zu erstellen, können Sie es sofort zur "
+"Verbindung mit anderen IPSec-Rechnern verwenden, die X.509-Zertifikate zur "
+"Authentifizierung von IPSec-Verbindungen verwenden. Die Verwendung der PKI-"
+"Funktionalität von strongSwan verlangt allerdings, dass alle Zertifikate von "
+"einer Zertifizierungsstelle signiert sind, um einen Vertrauenspfad zu "
+"erstellen."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"If you do not choose to create a self-signed certificate, only the RSA "
+"private key and the certificate request will be created, and you will have "
+"to sign the certificate request with your Certificate Authority."
+msgstr ""
+"Falls Sie kein selbstsigniertes Zertifikat erstellen möchten, wird nur der "
+"private RSA-Schlüssel und die Zertifikatsanforderung erstellt. Sie müssen "
+"diese Zertifikatsanforderung von Ihrer Zertifizierungsstelle signieren "
+"lassen."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid "Country code for the X.509 certificate request:"
+msgstr "Ländercode für die X.509-Zertifikatsanforderung:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"Please enter the two-letter code for the country the server resides in (such "
+"as \"AT\" for Austria)."
+msgstr ""
+"Geben Sie den Ländercode (zwei Zeichen) für das Land ein, in dem der Server "
+"steht (z. B. »AT« für Österreich)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"OpenSSL will refuse to generate a certificate unless this is a valid "
+"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
+"certificate, but not here."
+msgstr "" +"Ohne einen gültigen Ländercode nach ISO-3166 wird es OpenSSL ablehnen, ein " +"Zertifikat zu generieren. Ein leeres Feld ist für andere Elemente des X.509-" +"Zertifikats zulässig, aber nicht für dieses." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Name des Landes oder der Provinz für diese X.509-Zertifikatsanfrage:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Bitte geben Sie den kompletten Namen des Landes oder der Provinz ein, in der " +"sich der Server befindet (wie »Oberösterreich«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Ort für die X.509-Zertifikatsanforderung:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Geben Sie bitte den Ort an, an dem der Server steht (oft ist das eine Stadt " +"wie beispielsweise »Wien«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Organisationsname für die X.509-Zertifikatsanforderung:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Bitte geben Sie die Organisation an, zu der der Server gehört (wie z.B. " +"»Debian«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Organisationseinheit für die X.509-Zertifikatsanforderung:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Bitte geben Sie die Organisationseinheit für die X.509-" +"Zertifikatsanforderung ein (z.B. »Sicherheitsgruppe«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "»Common Name« für die X.509-Zertifikatsanforderung:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"Bitte geben Sie den »Common Name« für diesen Rechner ein (wie z.B. »gateway." +"example.org«)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "E-Mail-Adresse für die X.509-Zertifikatsanforderung:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Bitte geben Sie die E-Mail-Adresse der für das X.509-Zertifikat " +"verantwortlichen Person oder Organisation ein." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Opportunistische Verschlüsselung aktivieren?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Diese Version von strongSwan unterstützt opportunistische Verschlüsselung " +"(OE), die IPSec-Authentifizierungsinformationen in DNS-Einträgen speichert. 
" +"Bis dies weit verbreitet ist, führt die Verwendung zu einer deutlichen " +"Verzögerung bei jeder ausgehenden Verbindung." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Sie sollten opportunistische Verschlüsselung nur verwenden, falls Sie sich " +"sicher sind, dass Sie sie verwenden möchten. Beim Starten des Pluto-Daemons " +"könnte die Internetverbindung (Default Route) unterbrochen werden." + +#~ msgid "" +#~ "Previous versions of the Openswan package gave a choice between three " +#~ "different Start/Stop-Levels. Due to changes in the standard system " +#~ "startup procedure, this is no longer necessary or useful. For all new " +#~ "installations as well as old ones running in any of the predefined modes, " +#~ "sane default levels will now be set. If you are upgrading from a previous " +#~ "version and changed your Openswan startup parameters, then please take a " +#~ "look at NEWS.Debian for instructions on how to modify your setup " +#~ "accordingly." +#~ msgstr "" +#~ "Frühere Versionen von Openswan ermöglichten eine Wahl zwischen drei " +#~ "verschiedenen Start/Stop-Ebenen. Aufgrund von Änderungen des " +#~ "standardmäßigen Systemstarts ist dies nicht mehr notwendig oder nützlich. " +#~ "Sowohl für alle neuen als auch bestehende Installationen, die in einem " +#~ "der vordefinierten Modi betrieben wurden, werden jetzt vernünftige " +#~ "Standardwerte gesetzt. Wenn Sie jetzt ein Upgrade von einer früheren " +#~ "Version durchführen und Sie die Openswan-Startparameter angepasst haben, " +#~ "werfen Sie bitte einen Blick auf NEWS.Debian. Die Datei enthält " +#~ "Anweisungen, wie Sie Ihren Setup entsprechend ändern." + +#~ msgid "Restart Openswan now?" +#~ msgstr "Möchten Sie jetzt Openswan neu starten?" 
+
+#~ msgid ""
+#~ "Restarting Openswan is recommended, since if there is a security fix, it "
+#~ "will not be applied until the daemon restarts. Most people expect the "
+#~ "daemon to restart, so this is generally a good idea. However, this might "
+#~ "take down existing connections and then bring them back up, so if you are "
+#~ "using such an Openswan tunnel to connect for this update, restarting is "
+#~ "not recommended."
+#~ msgstr ""
+#~ "Der Neustart von Openswan wird empfohlen. Wenn mit dieser Version ein "
+#~ "Sicherheitsproblem beseitigt wurde, wird dies erst nach dem Neustart des "
+#~ "Daemons wirksam. Da die meisten Anwender einen Neustart des Daemons "
+#~ "erwarten, ist dies grundsätzlich eine gute Idee. Der Neustart kann aber "
+#~ "bestehende Verbindungen schließen und anschließend wiederherstellen. Wenn "
+#~ "Sie einen solchen Openswan-Tunnel für die Verbindung bei dieser "
+#~ "Aktualisierung verwenden, wird von einem Neustart abgeraten."
+
+#~ msgid ""
+#~ "Alternatively you can reject this option and later use the command \"dpkg-"
+#~ "reconfigure openswan\" to come back."
+#~ msgstr ""
+#~ " Alternativ können Sie diese Option ablehnen und später mit dem Befehl "
+#~ "»dpkg-reconfigure openswan« zurückzukommen."
+
+#~ msgid "Length of RSA key to be created:"
+#~ msgstr "Länge des zu erstellenden RSA-Schlüssels:"
+
+#~ msgid ""
+#~ "Please enter the required RSA key-length. Anything under 1024 bits should "
+#~ "be considered insecure; anything more than 4096 bits slows down the "
+#~ "authentication process and is not useful at present."
+#~ msgstr ""
+#~ "Bitte geben Sie die Länge des zu erstellenden RSA-Schlüssels ein. Sie "
+#~ "sollte nicht weniger als 1024 Bit sein, da dies als unsicher betrachtet "
+#~ "wird. Alles über 4098 Bit verlangsamt den Authentifizierungs-Prozess und "
+#~ "ist zur Zeit nicht nützlich."
+ +#~ msgid "" +#~ "Only self-signed X.509 certificates can be created automatically, because " +#~ "otherwise a Certificate Authority is needed to sign the certificate " +#~ "request. If you choose to create a self-signed certificate, you can use " +#~ "it immediately to connect to other IPsec hosts that support X.509 " +#~ "certificate for authentication of IPsec connections. However, using " +#~ "Openswan's PKI features requires all certificates to be signed by a " +#~ "single Certificate Authority to create a trust path." +#~ msgstr "" +#~ "Nur selbstsignierte X.509-Zertifikate können automatisch erstellt werden, " +#~ "da anderenfalls für die Unterzeichnung der Zertifikatsanforderung eine " +#~ "Zertifizierungsstelle benötigt wird. Falls Sie ein selbstsigniertes " +#~ "Zertifikat erstellen, können Sie dieses sofort verwenden, um sich mit " +#~ "anderen IPSec-Rechnern zu verbinden, die X.509-Zertifikate zur " +#~ "Authentifizierung von IPsec-Verbindungen benutzen. Falls Sie jedoch die " +#~ "PKI-Funktionen von Openswan verwenden möchten, müssen alle X.509-" +#~ "Zertifikate von einer einzigen Zertifizierungsstelle signiert sein, um " +#~ "einen Vertrauenspfad zu schaffen." + +#~ msgid "Modification of /etc/ipsec.conf" +#~ msgstr "Veränderung von /etc/ipsec.conf" + +#~ msgid "" +#~ "Due to a change in upstream Openswan, opportunistic encryption is no " +#~ "longer enabled by default. The no_oe.conf file that was shipped in " +#~ "earlier versions to explicitly disable it can therefore no longer be " +#~ "included by ipsec.conf. Any such include paragraph will now be " +#~ "automatically removed to ensure that Openswan can start correctly." +#~ msgstr "" +#~ "Aufgrund einer Änderung im Quelltext von Openswan ist opportunistische " +#~ "Verschlüsselung nicht mehr standardmäßig aktiviert. Ältere Versionen von " +#~ "Openswan enthielten die Datei no_oe.conf, die zur expliziten " +#~ "Deaktivierung der opportunistischen Verschlüsselung diente. 
Diese kann " +#~ "jetzt nicht mehr mittels ipsec.conf aufgenommen werden. Jeder " +#~ "entsprechende Absatz wird jetzt automatisch entfernt, um einen korrekten " +#~ "Start von Openswan sicherzustellen." + +#~ msgid "Do you wish to restart strongSwan?" +#~ msgstr "Möchten Sie strongSwan neustarten?" + +#~ msgid "Please enter the location of your X509 certificate in PEM format:" +#~ msgstr "" +#~ "Bitte geben Sie den Ort der Datei an, der Ihr X509-Zertifikat im PEM-" +#~ "Format enthält." + +#~ msgid "Please enter the location of your X509 private key in PEM format:" +#~ msgstr "" +#~ "Bitte geben Sie den Ort der Datei an, der Ihr X509-Zertifikat im PEM-" +#~ "Format enthält." + +#~ msgid "" +#~ "Please enter the 2 letter country code for your country. This code will " +#~ "be placed in the certificate request." +#~ msgstr "" +#~ "Bitte geben Sie den zweibuchstabigen Ländercode für Ihr Land ein. Dieser " +#~ "Code wird in der Zertifikatsanfrage verwendet." + +#~ msgid "Example: AT" +#~ msgstr "Beispiel: AT" + +#~ msgid "Example: Upper Austria" +#~ msgstr "Beispiel: Oberösterreich" + +#~ msgid "Example: Vienna" +#~ msgstr "Beispiel: Wien" + +#~ msgid "" +#~ "Please enter the organization (e.g. company) that the X509 certificate " +#~ "should be created for. This name will be placed in the certificate " +#~ "request." +#~ msgstr "" +#~ "Bitte geben Sie die Organisation (z.B. Firma) ein, für die das X509-" +#~ "Zertifikat erstellt werden soll. Dieser Name wird in der " +#~ "Zertifikatsanfrage verwandt." + +#~ msgid "Example: Debian" +#~ msgstr "Beispiel: Debian" + +#~ msgid "Example: security group" +#~ msgstr "Beispiel: Sicherheitsgruppe" + +#~ msgid "Example: gateway.debian.org" +#~ msgstr "Beispiel: gateway.debian.org" + +#~ msgid "When to start strongSwan:" +#~ msgstr "Wann soll strongSwan gestartet werden:" + +#~ msgid "" +#~ "If you do not want to create a new public/private keypair, you can choose " +#~ "to use an existing one in the next step." 
+#~ msgstr "" +#~ "Falls Sie kein neues öffentliches/privates Schlüsselpaar erstellen " +#~ "wollen, können Sie im nächsten Schritt ein existierendes auswählen." + +#~ msgid "earliest, \"after NFS\", \"after PCMCIA\"" +#~ msgstr "frühestmöglich, »nach NFS«, »nach PCMCIA«" + +#~ msgid "" +#~ "There are three possibilities when strongSwan can start: before or after " +#~ "the NFS services and after the PCMCIA services. The correct answer " +#~ "depends on your specific setup." +#~ msgstr "" +#~ "Es gibt drei Möglichkeiten, wann strongSwan starten kann: vor oder nach " +#~ "den NFS-Diensten und nach den PCMCIA-Diensten. Die richtige Antwort hängt " +#~ "von Ihrer spezifischen Einrichtung ab." + +#~ msgid "" +#~ "If you do not have your /usr tree mounted via NFS (either you only mount " +#~ "other, less vital trees via NFS or don't use NFS mounted trees at all) " +#~ "and don't use a PCMCIA network card, then it's best to start strongSwan " +#~ "at the earliest possible time, thus allowing the NFS mounts to be secured " +#~ "by IPSec. In this case (or if you don't understand or care about this " +#~ "issue), answer \"earliest\" to this question (the default)." +#~ msgstr "" +#~ "Falls Sie Ihren /usr-Baum nicht über NFS eingehängt haben (entweder weil " +#~ "Sie nur andere, weniger lebenswichtige Bäume über NFS einhängen, oder " +#~ "falls Sie NFS überhaupt nicht verwenden) und keine PCMCIA-Netzwerkkarte " +#~ "benutzen, ist es am besten, strongSwan so früh wie möglich zu starten und " +#~ "damit durch IPSec gesicherte NFS-Einhängungen zu erlauben. In diesem Fall " +#~ "(oder falls Sie dieses Problem nicht verstehen oder es Ihnen egal ist), " +#~ "antworten Sie »frühestmöglich« (Standardwert) auf diese Frage." + +#~ msgid "" +#~ "If you have your /usr tree mounted via NFS and don't use a PCMCIA network " +#~ "card, then you will need to start strongSwan after NFS so that all " +#~ "necessary files are available. 
In this case, answer \"after NFS\" to this " +#~ "question. Please note that the NFS mount of /usr can not be secured by " +#~ "IPSec in this case." +#~ msgstr "" +#~ "Falls Sie Ihren /usr-Baum über NFS eingehängt haben und keine PCMCIA-" +#~ "Netzwerkkarte benutzen, müssen Sie strongSwan nach NFS starten, so dass " +#~ "alle benötigten Dateien verfügbar sind. In diesem Fall antworten Sie " +#~ "»nach NFS« auf diese Frage. Bitte beachten Sie, dass NFS-Einhängungen " +#~ "von /usr in diesem Fall nicht über IPSec gesichert werden können." + +#~ msgid "" +#~ "If you use a PCMCIA network card for your IPSec connections, then you " +#~ "only have to choose to start it after the PCMCIA services. Answer \"after " +#~ "PCMCIA\" in this case. This is also the correct answer if you want to " +#~ "fetch keys from a locally running DNS server with DNSSec support." +#~ msgstr "" +#~ "Falls Sie eine PCMCIA-Netzwerkkarte für Ihre IPSec-Verbindungen benutzen, " +#~ "dann müssen Sie nur auswählen, dass er nach den PCMCIA-Diensten startet. " +#~ "Antworten Sie in diesem Fall »nach PCMCIA«. Dies ist auch die richtige " +#~ "Antwort, falls Sie Schlüssel von einem lokal laufenden DNS-Server mit " +#~ "DNSSec-Unterstützung abholen wollen." + +#~ msgid "Do you wish to support IKEv1?" +#~ msgstr "Möchten Sie IKEv1 unterstützen?" + +#~ msgid "" +#~ "strongSwan supports both versions of the Internet Key Exchange protocol, " +#~ "IKEv1 and IKEv2. Do you want to start the \"pluto\" daemon for IKEv1 " +#~ "support when strongSwan is started?" +#~ msgstr "" +#~ "strongSwan unterstützt beide Versionen des »Internet Key Exchange«-" +#~ "Protokolls (Schlüsselaustausch über Internet), IKEv1 und IKEv2. Möchten " +#~ "Sie den »pluto«-Daemon für IKEv1-Unterstützung starten, wenn strongSwan " +#~ "gestartet wird." + +#~ msgid "Do you wish to support IKEv2?" +#~ msgstr "Möchten Sie IKEv2 unterstützen?" 
+
+#~ msgid ""
+#~ "strongSwan supports both versions of the Internet Key Exchange protocol, "
+#~ "IKEv1 and IKEv2. Do you want to start the \"charon\" daemon for IKEv2 "
+#~ "support when strongSwan is started?"
+#~ msgstr ""
+#~ "strongSwan unterstützt beide Versionen des »Internet Key Exchange«-"
+#~ "Protokolls (Schlüsselaustausch über Internet), IKEv1 und IKEv2. Möchten "
+#~ "Sie den »charon«-Daemon für IKEv2-Unterstützung starten, wenn strongSwan "
+#~ "gestartet wird."
+
+#~ msgid ""
+#~ "strongSwan comes with support for opportunistic encryption (OE), which "
+#~ "stores IPSec authentication information (i.e. RSA public keys) in "
+#~ "(preferably secure) DNS records. Until this is widely deployed, "
+#~ "activating it will cause a significant slow-down for every new, outgoing "
+#~ "connection. Since version 2.0, strongSwan upstream comes with OE enabled "
+#~ "by default and is thus likely to break your existing connection to the "
+#~ "Internet (i.e. your default route) as soon as pluto (the strongSwan "
+#~ "keying daemon) is started."
+#~ msgstr ""
+#~ "strongSwan enthält Unterstützung für opportunistische Verschlüsselung "
+#~ "(OV), die Authentifizierungsinformationen von IPSec (z.B. öffentliche RSA-"
+#~ "Schlüssel) in DNS-Datensätzen speichert. Solange dies nicht weit "
+#~ "verbreitet ist, wird jede neue ausgehende Verbindung signifikant "
+#~ "verlangsamt, falls diese Option aktiviert ist. Seit Version 2.0 wird "
+#~ "strongSwan von den Autoren mit aktiviertem OV ausgeliefert und wird daher "
+#~ "wahrscheinlich Ihre existierenden Verbindungen ins Internet (d.h. Ihre "
+#~ "Standard-Route) stören, sobald Pluto (der strongSwan Schlüssel-Daemon) "
+#~ "gestartet wird."
+
+#~ msgid ""
+#~ "Please choose whether you want to enable support for OE. If unsure, do "
+#~ "not enable it."
+#~ msgstr ""
+#~ "Bitte wählen Sie aus, ob Sie OV aktivieren möchten. Falls Sie unsicher "
+#~ "sind, aktivieren Sie es nicht."
+
+#~ msgid "x509, plain"
+#~ msgstr "x509, einfach"
+
+#~ msgid "The type of RSA keypair to create:"
+#~ msgstr "Die Art des RSA-Schlüsselpaars, das erstellt werden soll:"
+
+#~ msgid ""
+#~ "It is possible to create a plain RSA public/private keypair for use with "
+#~ "strongSwan or to create a X509 certificate file which contains the RSA "
+#~ "public key and additionally stores the corresponding private key."
+#~ msgstr ""
+#~ "Es besteht die Möglichkeit, ein einfaches öffentliches/privates "
+#~ "Schlüsselpaar für den Einsatz mit strongSwan oder eine X509-"
+#~ "Zertifikatsdatei zu erstellen, die den öffentlichen Schlüssel und "
+#~ "zusätzlich den zugehörigen privaten Schlüssel enthält."
+
+#~ msgid ""
+#~ "If you only want to build up IPSec connections to hosts also running "
+#~ "strongSwan, it might be a bit easier using plain RSA keypairs. But if you "
+#~ "want to connect to other IPSec implementations, you will need a X509 "
+#~ "certificate. It is also possible to create a X509 certificate here and "
+#~ "extract the RSA public key in plain format if the other side runs "
+#~ "strongSwan without X509 certificate support."
+#~ msgstr ""
+#~ "Falls Sie nur IPSec-Verbindungen zu Rechnern aufbauen wollen, auf denen "
+#~ "auch strongSwan läuft, könnte es etwas einfacher sein, einfache RSA-"
+#~ "Schlüsselpaare zu verwenden. Falls Sie aber mit anderen IPSec-"
+#~ "Implementierungen Verbindungen aufnehmen wollen, benötigen Sie ein X509-"
+#~ "Zertifikat. Es besteht auch die Möglichkeit, hier ein X509-Zertifikat zu "
+#~ "erstellen und den öffentlichen RSA-Schlüssel im einfachen Format zu "
+#~ "extrahieren, falls die andere Seite strongSwan ohne X509-"
+#~ "Zertifikatsunterstützung betreibt."
+
+#~ msgid ""
+#~ "Therefore a X509 certificate is recommended since it is more flexible and "
+#~ "this installer should be able to hide the complex creation of the X509 "
+#~ "certificate and its use in strongSwan anyway."
+#~ msgstr ""
+#~ "Daher wird ein X509-Zertifikat empfohlen, da es flexibler ist und dieses "
+#~ "Installationsprogramm in der Lage sein sollte, die komplexe Erstellung "
+#~ "des X509-Zertifikates und seinen Einsatz in strongSwan zu verstecken."
diff --git a/debian/po/es.po b/debian/po/es.po
new file mode 100644
index 000000000..b1b8cb1f3
--- /dev/null
+++ b/debian/po/es.po
@@ -0,0 +1,659 @@ +# strongswan po-debconf translation to Spanish +# Copyright (C) 2010 Software in the Public Interest +# This file is distributed under the same license as the strongswan package. +# +# Changes: +# - Initial translation +# Francisco Javier Cuadrado <fcocuadrado@gmail.com>, 2010 +# +# Traductores, si no conocen el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Equipo de traducción al español, por favor lean antes de traducir +# los siguientes documentos: +# +# - El proyecto de traducción de Debian al español +# http://www.debian.org/intl/spanish/ +# especialmente las notas y normas de traducción en +# http://www.debian.org/intl/spanish/notas +# +# - La guÃa de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +msgid "" +msgstr "" +"Project-Id-Version: strongswan 4.4.1-5\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-16 14:23+0200\n" +"PO-Revision-Date: 2010-10-09 20:45+0100\n" +"Last-Translator: Francisco Javier Cuadrado <fcocuadrado@gmail.com>\n" +"Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n" +"Language: es\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Se ha sustituido la antigua gestión del nivel de ejecución" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. 
For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"Las versiones previas del paquete de StrongSwan daban la opción de elegir " +"entre tres niveles diferentes de Inicio/Parada. Debido a los cambios en el " +"procedimiento del sistema estándar de arranque, esto ya no es necesario ni " +"útil. Para todas las instalaciones nuevas, asà como para las antiguas que " +"ejecuten cualquiera de los modos predefinidos, se configurarán unos niveles " +"predeterminado válidos. Si está actualizando de una versión antigua y ha " +"cambiado los parámetros de arranque de StrongSwan, eche un vistazo al " +"archivo «NEWS.Debian» para leer las instrucciones sobre cómo modificar su " +"configuración apropiadamente." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "¿Desea reiniciar StrongSwan ahora mismo?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such a " +"strongSwan tunnel to connect for this update, restarting is not recommended." +msgstr "" +"Se recomienda reiniciar StrongSwan, porque si hay un parche de seguridad, " +"éste no se aplicará hasta que el demonio se reinicie. La mayorÃa de la gente " +"espera que el demonio se reinicie, asà que generalmente es una buena idea. 
" +"Sin embargo, esto puede cerrar las conexiones existentes y después volverlas " +"a abrir, de modo que si está utilizando un túnel de StrongSwan en la " +"conexión de esta actualización, no se recomienda reiniciar." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "¿Desea iniciar el demonio IKEv1 de StrongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"El demonio pluto se debe ejecutar para poder utilizar la versión 1 del " +"protocolo de intercambio de claves por internet («Internet Key Exchange»)." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "¿Desea iniciar el demonio IKEv2 de StrongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"El demonio charon se debe ejecutar para permitir utilizar la versión 2 del " +"protocolo de intercambio de claves por internet («Internet Key Exchange»)." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "¿Desea utilizar un certificado X.509 para esta máquina?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. 
The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Se puede crear automáticamente o importar un certificado X.509 para esta " +"máquina. Esto se puede utilizar para autenticar conexiones IPsec de otras " +"máquinas y es la forma preferida para construir conexiones IPsec seguras. La " +"otra posibilidad serÃa utilizar secretos compartidos (contraseñas que son la " +"misma en ambos lados del túnel) para autenticar una conexión, pero para un " +"gran número de conexiones, la autenticación basada en claves es más sencilla " +"de administrar y más segura." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"También puede rechazar esta opción y utilizar más tarde la orden «dpkg-" +"reconfigure strongswan» para volver a este proceso." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "crear" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "importar" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "" +"Métodos para utilizar un certificado X.509 para autenticar esta máquina:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." 
+msgstr ""
+"Es posible crear un certificado X.509 nuevo con la configuración definida "
+"por el usuario o importar una clave pública/privada almacenada en archivo/s "
+"PEM para autenticar las conexiones IPsec."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+"Si escoge crear un certificado X.509 nuevo, primero se le realizarán unas "
+"cuantas preguntas que deberá contestar antes de que la creación comience. "
+"Por favor, tenga en cuenta que si quiere que una Autoridad de Certificación "
+"(CA) firme la clave pública no deberÃa escoger crear un certificado auto-"
+"firmado y todas las respuestas deberán coincidir exactamente con los "
+"requisitos de la CA, de otro modo puede que se rechace la petición del "
+"certificado."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr "" +"Si quiere importar una clave pública/privada, se le preguntará por los " +"nombres de los archivos (que deberán ser idénticos si ambas partes se " +"almacenan en un único archivo). Opcionalmente, puede indicar el nombre de un " +"archivo dónde las clave/s pública/s de la Autoridad de Certificación se " +"almacenen, pero este archivo no puede ser el mismo que los anteriores. Por " +"favor, tenga en cuenta que el formato para los certificados X.509 tiene que " +"ser PEM y que la clave privada no debe estar cifrada o el proceso de " +"importación fallará." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Nombre del archivo del certificado X.509 en el formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Introduzca la ubicación completa del archivo que contiene el certificado " +"X.509 en el formato PEM." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "" +"Nombre del archivo de la clave privada del certificado X.509 en el formato " +"PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Introduzca la ubicación del archivo que contiene la clave privada RSA del " +"certificado X.509 en el formato PEM. Puede ser el mismo archivo que contiene " +"el del certificado X.509." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "" +"Nombre del archivo del certificado X.509 de la raÃz de la Autoridad de " +"Certificación (CA) en el formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Opcionalmente, ahora puede introducir la ubicación del archivo que contiene " +"el certificado X.509 de la raÃz de la Autoridad de Certificación (CA) " +"utilizado para firmar su certificado en formato PEM. Si no tiene uno o no " +"quiere utilizarlo, deje este campo en blanco. Por favor, tenga en cuenta que " +"no es posible almacenar la raÃz de la CA en el mismo archivo que su " +"certificado X.509 o la clave privada." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "Introduzca la longitud que deberÃa tener la clave RSA creada:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Introduzca la longitud de la clave RSA creada. No deberÃa ser menor de 1024 " +"bits porque se considera inseguro, además probablemente no necesite más de " +"4096 bits porque sólo ralentiza el proceso de autenticación y no es " +"necesario en estos momentos." + +#. 
Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "¿Desea crear un certificado X.509 auto-firmado?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"Sólo los certificados X.509 se pueden crear automáticamente, porque de otro " +"modo la Autoridad de Certificación (CA) se necesitará para firmar la " +"petición del certificado. Si escoge crear un certificado auto-firmado, puede " +"utilizarlo inmediatamente para conectar a otras máquinas IPsec que permitan " +"la autenticación de conexiones IPsec con certificados X.509. Sin embargo, si " +"se utilizan las funcionalidades PKI de StrongSwan se necesita que todos los " +"certificados estén firmados por una única Autoridad de Certificación para " +"crear una ruta segura." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Si no escoge crear un certificado auto-firmado, sólo se crearán las " +"peticiones de la clave privada y la petición del certificado, y tendrá que " +"firmar la petición del certificado con su Autoridad de Certificación." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Código del paÃs para la petición del certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Introduzca el código de dos letras para el paÃs en el que el servidor está " +"ubicado (por ejemplo «ES» para España)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"OpenSSL rechazará generar un certificado a menos que este campo sea un " +"código de paÃs ISO-3166 válido, además no se permite que este campo se deje " +"en blanco." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Estado o provincia para la petición del certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Introduzca el nombre completo del estado o la provincia en la que el " +"servidor está ubicado (por ejemplo «Comunidad de Madrid»)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Localidad para la petición del certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." 
+msgstr "" +"Introduzca la localidad en la que el servidor está ubicado (normalmente una " +"ciudad, por ejemplo «Madrid»)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Nombre de la organización para la petición del certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Introduzca la organización a la que el servidor pertenece (por ejemplo " +"«Debian»)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Unidad de la organización para la petición del certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Introduzca el nombre de la unidad de la organización (o departamento) a la " +"que el servidor pertenece (por ejemplo «departamento de seguridad»)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "Nombre Común (CN) para la petición del certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"Introduzca el Nombre Común (CN) de esta máquina (por ejemplo «gateway." +"example.org»)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "" +"Dirección de correo electrónico para la petición del certificado X.509:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Introduzca la dirección de correo electrónico del responsable individual o " +"de la organización del certificado X.509." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "¿Desea activar el cifrado oportunÃstico?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Esta versión de StrongSwan permite utilizar cifrado oportunÃstico " +"(«Opportunistic Encryption», OE), que almacena la información de la " +"autenticación de IPSec en los registros del DNS. Hasta que esto esté " +"ampliamente difundido, activarlo puede causar un gran retraso para cada " +"conexión saliente." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Sólo deberÃa activar el cifrado oportunÃstico si está seguro que lo quiere. " +"Esto puede romper la conexión a internet (la ruta predeterminada) cuando el " +"demonio pluto se inicie." + +#~ msgid "earliest" +#~ msgstr "lo más pronto posible" + +#~ msgid "after NFS" +#~ msgstr "después de NFS" + +#~ msgid "after PCMCIA" +#~ msgstr "después de PCMCIA" + +#~ msgid "When to start strongSwan:" +#~ msgstr "Cuando se iniciará strongSwan:" + +#~ msgid "" +#~ "StrongSwan starts during system startup so that it can protect " +#~ "filesystems that are automatically mounted." 
+#~ msgstr "" +#~ "StrongSwan se inicia durante el arranque del sistema, de modo que pueda " +#~ "proteger los sistemas de archivos que se montan automáticamente." + +#~ msgid "" +#~ " * earliest: if /usr is not mounted through NFS and you don't use a\n" +#~ " PCMCIA network card, it is best to start strongSwan as soon as\n" +#~ " possible, so that NFS mounts can be secured by IPSec;\n" +#~ " * after NFS: recommended when /usr is mounted through NFS and no\n" +#~ " PCMCIA network card is used;\n" +#~ " * after PCMCIA: recommended if the IPSec connection uses a PCMCIA\n" +#~ " network card or if it needs keys to be fetched from a locally running " +#~ "DNS\n" +#~ " server with DNSSec support." +#~ msgstr "" +#~ " * lo más pronto posible: si «/usr» no está montado mediante NFS y no usa " +#~ "una\n" +#~ " tarjeta de red PCMCIA, es mejor iniciar strongSwan lo más pronto " +#~ "posible,\n" +#~ " de modo que el montaje de NFS se pueda asegurar mediante IPSec.\n" +#~ " * después de NFS: se recomienda cuando «/usr» se monta mediante NFS y " +#~ "no\n" +#~ " se usa una tarjeta de red PCMCIA.\n" +#~ " * después de PCMCIA: se recomienda si la conexión IPSec usa una tarjeta\n" +#~ " de red PCMCIA o si necesita obtener las claves desde un servidor de " +#~ "DNS local\n" +#~ " compatible con DNSSec." + +#~ msgid "" +#~ "If you don't restart strongSwan now, you should do so manually at the " +#~ "first opportunity." +#~ msgstr "" +#~ "Si no quiere reiniciar strongSwan ahora mismo, deberÃa realizarlo " +#~ "manualmente cuando considere oportuno." + +#~ msgid "Create an RSA public/private keypair for this host?" +#~ msgstr "" +#~ "¿Desea crear un par de claves (pública/privada) RSA para este equipo?" + +#~ msgid "" +#~ "StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to " +#~ "authenticate IPSec connections to other hosts. RSA authentication is " +#~ "generally considered more secure and is easier to administer. 
You can use " +#~ "PSK and RSA authentication simultaneously." +#~ msgstr "" +#~ "StrongSwan puede utilizar una clave pre-compartida («Pre-Shared Key», " +#~ "PSK) o un par de claves RSA para autenticarse en las conexiones IPSec con " +#~ "otras máquinas. La autenticación con RSA se considera, generalmente, más " +#~ "segura y más fácil de administrar. Puede utilizar la autenticación con " +#~ "PSK y con RSA de forma simultánea." + +#~ msgid "" +#~ "If you do not want to create a new public/private keypair, you can choose " +#~ "to use an existing one in the next step." +#~ msgstr "" +#~ "Si no quiere crear un nuevo par de claves, puede escoger utilizar un par " +#~ "existente en el siguiente paso." + +#~ msgid "" +#~ "The required information can automatically be extracted from an existing " +#~ "X.509 certificate with a matching RSA private key. Both parts can be in " +#~ "one file, if it is in PEM format. You should choose this option if you " +#~ "have such an existing certificate and key file and want to use it for " +#~ "authenticating IPSec connections." +#~ msgstr "" +#~ "La información necesaria se puede extraer automáticamente desde un " +#~ "certificado X.509 con una clave privada RSA correspondiente. Ambas partes " +#~ "pueden estar en un único archivo, si está en el formato PEM. DeberÃa " +#~ "escoger esta opción si tiene un certificado y un archivo de clave, y " +#~ "quiere utilizarlo para autenticar las conexiones IPSec." + +#~ msgid "RSA key length:" +#~ msgstr "Longitud de la clave RSA:" + +#~ msgid "" +#~ "Please enter the length of RSA key you wish to generate. A value of less " +#~ "than 1024 bits is not considered secure. A value of more than 2048 bits " +#~ "will probably affect performance." +#~ msgstr "" +#~ "Introduzca la longitud de la clave RSA que quiere generar. Un valor menor " +#~ "de 1024 bits no se considera seguro. Un valor de más de 2048 bits puede " +#~ "afectar al rendimiento." 
+ +#~ msgid "" +#~ "Only self-signed X.509 certificates can be created automatically, because " +#~ "otherwise a certificate authority is needed to sign the certificate " +#~ "request." +#~ msgstr "" +#~ "Sólo se pueden crear automáticamente certificados X.509 auto-firmados, " +#~ "porque de otro modo se necesitarÃa una autoridad de certificación para " +#~ "firmar la petición del certificado." + +#~ msgid "" +#~ "If you accept this option, the certificate created can be used " +#~ "immediately to connect to other IPSec hosts that support authentication " +#~ "via an X.509 certificate. However, using strongSwan's PKI features " +#~ "requires a trust path to be created by having all X.509 certificates " +#~ "signed by a single authority." +#~ msgstr "" +#~ "Si acepta esta opción, el certificado creado se puede utilizar " +#~ "inmediatamente para conectar a otras máquinas de IPSec que permitan la " +#~ "autenticación mediante un certificado X.509. Sin embargo, si se utilizan " +#~ "las funcionalidades PKI de strongSwan se requiere crear una ruta de " +#~ "confianza para tener todos los certificados X.509 firmados por una única " +#~ "autoridad." + +#~ msgid "" +#~ "Please enter the two-letter ISO3166 country code that should be used in " +#~ "the certificate request." +#~ msgstr "" +#~ "Introduzca el código ISO3166 de dos letras del paÃs que se deberÃa " +#~ "utilizar en la petición del certificado." + +#~ msgid "" +#~ "This field is mandatory; otherwise a certificate cannot be generated." +#~ msgstr "" +#~ "Este campo es obligatorio, de otro modo no se podrÃa generar un " +#~ "certificado." + +#~ msgid "" +#~ "Please enter the locality name (often a city) that should be used in the " +#~ "certificate request." +#~ msgstr "" +#~ "Introduzca el nombre de la localidad (normalmente una ciudad) que se " +#~ "deberÃa usar en la petición del certificado." 
+ +#~ msgid "" +#~ "Please enter the organization name (often a company) that should be used " +#~ "in the certificate request." +#~ msgstr "" +#~ "Introduzca el nombre de la organización (normalmente una compañÃa) que se " +#~ "deberÃa usar en la petición del certificado." + +#~ msgid "" +#~ "Please enter the common name (such as the host name of this machine) that " +#~ "should be used in the certificate request." +#~ msgstr "" +#~ "Introduzca el nombre común (como el nombre de la máquina) que se deberÃa " +#~ "usar en la petición del certificado." diff --git a/debian/po/eu.po b/debian/po/eu.po new file mode 100644 index 000000000..0b672b811 --- /dev/null +++ b/debian/po/eu.po 
@@ -0,0 +1,470 @@ +# translation of strongswan_4.4.1-5.1_eu.po to Basque +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Piarres Beobide <pi@beobide.net>, 2009. +# Iñaki Larrañaga Murgoitio <dooteo@zundan.com>, 2010. +msgid "" +msgstr "" +"Project-Id-Version: strongswan_4.4.1-5.1_eu\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-16 14:23+0200\n" +"PO-Revision-Date: 2010-11-16 20:23+0100\n" +"Last-Translator: Iñaki Larrañaga Murgoitio <dooteo@zundan.com>\n" +"Language-Team: Basque <debian-l10n-basque@lists.debian.org>\n" +"Language: eu\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Exekuzio-mailaren kudeaketa zaharra ordeztuta" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"strongSwan paketearen aurreko bertsioak hiru Abiarazte-/Gelditzen-maila " +"desberdinen arteko aukera eskaintzen zuen. Sistemaren abioaren prozedura " +"arruntean aldaketak gertatu direnez, ez dira beharrezkoak edo erabilgarriak. 
" +"Instalazio berri guztientzako, aurredefinitutako moduetako batean " +"exekutatzen diren zaharretan ere, zentzuzko maila lehenetsiak ezarriko dira " +"orain. Aurreko bertsiotik eguneratzen ari bazara, eta strongSwan-en abioko " +"parametroak aldatu bazenituen, irakur ezazu NEWS.Debian fitxategia. " +"konfigurazioa modu egokian nola aldatzen den jakiteko." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "Berrabiarazi StrongSwan orain?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such a " +"strongSwan tunnel to connect for this update, restarting is not recommended." +msgstr "" +"StrongSwan berrabiaraztea gomendatzen da segurtasunezko konponketa bat " +"badago ez baita ezarriko daemona berrabiarazi artea. Erabiltzaile gehienek " +"daemona berrabiaraztea espero dutenez, burutazio ona da hori. Hala ere, " +"honek martxan dauden konexioak itxi eta gero berriz abiaraziko ditu. Hori " +"dela eta, eguneraketa honetan strongSwan tunela erabiltzen ari bazara, ez da " +"gomendatzen berrabiaraztea." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "StrongSwan-ren IKEv1 daemona abiarazi?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"'pluto' daemona exekutatzen egon behar da Interneteko Gakoen Trukaketa (IKE) " +"protokoloaren lehen bertsioa onartzeko." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "StrongSwan-ren IKEv2 daemona abiarazi?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"'charon' daemona exekutatzen egon behar da Interneteko Gakoen Trukaketa " +"(IKE) protokoloaren lehen bertsioa onartzeko." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "X.509 ziurtagiria erabili ostalari honentzako?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Ostalari honentzako X.509 ziurtagiri bat automatikoki sor edo inportatu " +"daiteke. Beste ostalariekin IPsec bidez konektatzean autentifikatzeko " +"erabili daiteke, eta hobetsitako bidea da IPsec konexio seguruak " +"eraikitzeko. Beste aukera bat ezkutukoak (tunelaren bi aldeetan berdinak " +"diren pasahitzak) partekatzea litzateke konexio bat autentifikatzeko, baina " +"konexio kopuru handi batentzako gakoetan oinarritutako autentifikazioa " +"errazagoa eta askoz ere seguruagoa da kudeatzeko." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." 
+msgstr "" +"Bestela, aukera hau ukatu dezakezu eta beranduago itzuli \"dpkg-reconfigure " +"strongswan\" komandoa erabiliz." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "sortu" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "inportatu" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "Metodoa ostalari hau X.509 ziurtagiria erabiliz autentifikatzeko:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"X.509 ziurtagiri berri bat sor daiteke erabiltzaileak definitutako " +"ezarpenekin edo PEM fitxategietan gordetako gako publiko eta pribatuak " +"inportatu daiteke IPsec konexioak autentifikatzeko." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" +"X.509 ziurtagiri berri bat sortzea hautatzen baduzu aurrenik, eta sortzeko " +"lanak hasi aurretik, erantzun beharreko galdera batzuk egingo zaizkizu. 
" +"Jakin ezazu gako publikoa existitzen den Ziurtagiri-emaile batek sinatzea " +"nahi baduzu, ez zenukeela sortu beharko auto-sinatutako sinatzen duen " +"ziurtagiririk, eta emandako erantzun guztiak zehatz-meatz ZEren " +"eskakizunekin bat etorri beharko dutela, bestela ziurtagiriaren eskaera " +"ukatu egingo baita." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"Existitzen den gako publiko eta pribatua inportatzea nahi izanez gero, haien " +"fitxategi-izenak eskatuko zaizkizu (berdinak izango dira bi zatiak fitxategi " +"batean gordeta badaude). Aukeran ziurtagiri-emailearen gako publikoa duen " +"fitxategia ere zehaz dezakezu, baina fitxategi hau ezin da aurrekoen berdina " +"izan. Kontuz ibili, X.509 ziurtagirien formatua PEM izan behar duelako, eta " +"gako pribatua ezin delako enkriptatuta egon, bestela inportatzeko prozesuak " +"huts egingo bait luke." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Zure PEM formatuko X.509 ziurtagiriaren fitxategi-izena :" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Idatzi zure PEM formatuko X.509 ziurtagiria duen fitxategiaren bide-izen " +"osoa." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "PEM formatuko X.509 gako pribatuaren fitxategi-izena :" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Idatzi dagoen zure PEM formatuko X.509 ziurtagiriaren pareko RSA gako " +"pribatua duen fitxategiaren kokapen osoa. Hau X.509 ziurtagiriaren fitxategi " +"berdina izan daiteke." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "PEM formatuko X.509 ziurtagiriaren fitxategi-izena:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Aukeran X.509 Ziurtagiri-emailearen erroa duen fitxategiaren kokalekua idatz " +"dezakezu zure ziurtagiria PEM formatuan sinatzeko. Ez badaukazu do ez baduzu " +"hori erabiltzerik nahi, utzi eremu hau hutsik. Jakin ezazu ezin dela gorde " +"erroko ZE (RootCA) zure X.509 ziurtagiria edo gako pribatua duen fitxategi " +"berdinean." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "Sartu sortutako RSA gakoak edukiko duen luzera:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. 
It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Sartu sortutako RSA gakoaren luzera. Ez luke 1024 bit baino txikiagoa izan " +"behar ez-segurutzat jotzen delako, eta litekeena da 4096 bit baino luzeagoa " +"behar ez izatea, autentifikatzeko prozesua soilik moteltzen duelako eta " +"unean ez delako behar." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "Sortu auto-sinatutako X.509 ziurtagiria?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"Soilik auto-sinatutako X.509 ziurtagiriak sor daitezke automatikoki, bestela " +"Ziurtagiri-emailea behar delako ziurtagiriaren eskaera sinatzeko. Auto-" +"sinatutako ziurtagiria sortzea aukeratzen baduzu, ziurtagiri hori berehala " +"erabil dezakezu X.509 ziurtagiria onartzen duten beste IPsec ostalariekin " +"IPsec konexioak autentifikatzeko. Hala ere, strongSwan-en PKI eginbidea " +"erabiltzeak ziurtagiri guztiak Ziurtagiri-emaile batek sinatuta egotea " +"eskatzen du bide fidagarri bat sortzeko." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Ez baduzu auto-sinatutako ziurtagiri bat sortzea aukeratzen, soilik RSAren " +"gako pribatua eta ziurtagiriaren eskaera sortuko dira, eta ziurtagiriaren " +"eskaera zure Ziurtagiri-emailearekin sinatu beharko duzu." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "X.509 ziurtagiriaren eskaeraren herrialdearen kodea:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Sartu zerbitzaria kokatuta dagoen herrialdeari dagokion bi hizkiko kodea " +"(hala nola \"AT\" Austriarentzako)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"OpenSSL-ek ukatu egingo du ziurtagiri bat sortzea baldin eta herrialdearen " +"baliozko ISO-3166 kodea ez bada. X.509 ziurtagiriko beste edozer eremu " +"hutsik egon daiteke, baina ez eremu hau." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "X.509 ziurtagiri eskaeraren estatu edo probintziaren izena:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." 
+msgstr "" +"Idatzi zerbitzaria kokatuta dagoen estatu edo probintziaren izen osoa " +"(adibidez, \"Goiko Austria\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "X.509 ziurtagiri eskaeraren herriaren izena:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Idatzi zerbitzaria kokatuta dagoen kokalekua (normalean herria, adibidez, " +"\"Bilbo\"). " + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "X.509 ziurtagiri eskaeraren erakundearen izena:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "Idatzi zerbitzaria duen erakundea (adibidez, \"Debian\")" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "X.509 ziurtagiri eskaeraren saila:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "Idatzi zerbitzaria duen saila (adibidez, \"segurtasunaren taldea\")" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "X.509 ziurtagiri eskaeraren izen arrunta:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"Idatzi ostalari honen izen arrunta (adibidez, \"atebidea.adibidea.org\")." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "X.509 ziurtagiri eskaeraren helbide elektronikoa:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Idatzi X.509 ziurtagiriaren ardura duen pertsona edo erakundearen helbide " +"elektronikoa." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Gaitu enkriptazio oportunista?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"StrongSwan bertsio honek aukerako enkriptazio oportunistaren (OE) euskarria " +"du, honek IPSec autentifikazio informazioa DNS erregistroetan gordetzen " +"ditu. Hau guztiz garatua ez dagoenez gaitzeak kanporako konexio berri " +"guztien atzerapen esanguratsu bat eragin dezake." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Enkriptazio oportunista behar duzula ziur bazaude bakarrik gaitu beharko " +"zenuke. Interneteko konexioak moztuko dira (lehenetsitako atebidea) pluto " +"daemona abiaraztean." diff --git a/debian/po/fi.po b/debian/po/fi.po new file mode 100644 index 000000000..1b226f9a9 --- /dev/null +++ b/debian/po/fi.po 
@@ -0,0 +1,664 @@
+# Copyright (C) 2009
+# This file is distributed under the same license as the strongswan package.
+#
+# Esko Arajärvi <edu@iki.fi>, 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: strongswan\n"
+"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
+"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"PO-Revision-Date: 2009-05-25 14:49+0100\n"
+"Last-Translator: Esko Arajärvi <edu@iki.fi>\n"
+"Language-Team: Finnish <debian-l10n-finnish@lists.debian.org>\n"
+"Language: fi\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Lokalize 0.3\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid "Old runlevel management superseded"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid "Restart strongSwan now?"
+msgstr "Käynnistetäänkö strongSwan uudelleen nyt?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+#, fuzzy
+#| msgid ""
+#| "Restarting strongSwan is recommended, because if there is a security fix, "
+#| "it will not be applied until the daemon restarts. However, this might "
+#| "close existing connections and then bring them back up."
+msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such " +"a strongSwan tunnel to connect for this update, restarting is not " +"recommended." +msgstr "" +"On suositeltavaa käynnistää strongSwan-taustaohjelma uudelleen, koska " +"mahdolliset tietoturvapäivitykset eivät tule käyttöön ennen tätä. Tämä " +"saattaa kuitenkin katkaista olemassa olevat yhteydet ja avata ne sitten " +"uudelleen." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "Käynnistetäänkö strongSwanin IKEv1-taustaohjelma?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"Internet Key Exchange -protokollan version 1 tuki vaatii, että pluto-" +"taustaohjelma on käynnissä." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "Käynnistetäänkö strongSwanin IKEv2-taustaohjelma?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"Internet Key Exchange -protokollan version 2 tuki vaatii, että charon-" +"taustaohjelma on käynnissä." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +#, fuzzy +#| msgid "Use an existing X.509 certificate for strongSwan?" +msgid "Use an X.509 certificate for this host?" +msgstr "Tulisiko strongSwanin käyttää olemassa olevaa X.509-varmennetiedostoa?" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" + +#. 
Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +#, fuzzy +#| msgid "File name of your X.509 certificate in PEM format:" +msgid "File name of your PEM format X.509 certificate:" +msgstr "PEM-muodossa olevan X.509-varmennetiedoston nimi:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +#, fuzzy +#| msgid "" +#| "Please enter the full location of the file containing your X.509 " +#| "certificate in PEM format." +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Anna PEM-muodossa olevan, X.509-varmenteen sisältävän tiedoston täydellinen " +"polku." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +#, fuzzy +#| msgid "File name of your existing X.509 private key in PEM format:" +msgid "File name of your PEM format X.509 private key:" +msgstr "PEM-muotoisen, olemassa olevan, salaisen X.509-avaimen tiedostonimi:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +#, fuzzy +#| msgid "" +#| "Please enter the full location of the file containing the private RSA key " +#| "matching your X.509 certificate in PEM format. This can be the same file " +#| "as the X.509 certificate." +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. 
This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Anna PEM-muodossa olevaan X.509-varmenteeseen täsmäävän salaisen RSA-avaimen " +"täydellinen polku. Tämä voi olla sama tiedosto kuin X.509-varmenteen " +"sisältävä." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +#, fuzzy +#| msgid "File name of your X.509 certificate in PEM format:" +msgid "File name of your PEM format X.509 RootCA:" +msgstr "PEM-muodossa olevan X.509-varmennetiedoston nimi:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +#, fuzzy +#| msgid "Create a self-signed X.509 certificate?" +msgid "Create a self-signed X.509 certificate?" +msgstr "Luodaanko itseallekirjoitettu X.509-varmenne?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. 
" +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +#, fuzzy +#| msgid "" +#| "If you do not accept this option, only the RSA private key will be " +#| "created, along with a certificate request which you will need to have " +#| "signed by a certificate authority." +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Jos et valitse tätä vaihtoehtoa, luodaan vain salainen RSA-avain ja " +"varmennepyyntö, joka pitää lähettää ulkoisen varmentajan " +"allekirjoitettavaksi." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +#, fuzzy +#| msgid "Country code for the X.509 certificate request:" +msgid "Country code for the X.509 certificate request:" +msgstr "X.509-varmennepyynnön maakoodi:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:14001 +#, fuzzy +#| msgid "State or province name for the X.509 certificate request:" +msgid "State or province name for the X.509 certificate request:" +msgstr "X.509-varmennepyynnön osavaltio, lääni tai maakunta:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +#, fuzzy +#| msgid "" +#| "Please enter the full name of the state or province to include in the " +#| "certificate request." +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Anna varmennepyyntöön sisällytettävä osavaltion, läänin tai maakunnan koko " +"nimi." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +#, fuzzy +#| msgid "Locality name for the X.509 certificate request:" +msgid "Locality name for the X.509 certificate request:" +msgstr "X.509-varmennepyynnön paikkakunta:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +#, fuzzy +#| msgid "Organization name for the X.509 certificate request:" +msgid "Organization name for the X.509 certificate request:" +msgstr "X.509-varmennepyynnön järjestön nimi:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +#, fuzzy +#| msgid "Organizational unit for the X.509 certificate request:" +msgid "Organizational unit for the X.509 certificate request:" +msgstr "X.509-varmennepyynnön järjestön yksikkö:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:17001 +#, fuzzy +#| msgid "Organizational unit for the X.509 certificate request:" +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "X.509-varmennepyynnön järjestön yksikkö:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +#, fuzzy +#| msgid "Common name for the X.509 certificate request:" +msgid "Common Name for the X.509 certificate request:" +msgstr "X.509-varmennepyynnön yleinen nimi:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +#, fuzzy +#| msgid "Email address for the X.509 certificate request:" +msgid "Email address for the X.509 certificate request:" +msgstr "X.509-varmennepyynnön sähköpostiosoite:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +#, fuzzy +#| msgid "" +#| "Please enter the email address (for the individual or organization " +#| "responsible) that should be used in the certificate request." +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Anna varmennepyynnössä käytettävä sähköpostiosoite (yksityinen ja järjestön)." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Käytetäänkö opportunistista salausta?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." 
+msgstr ""
+"StrongSwanin tämä versio tukee opportunistista salausta (opportunistic "
+"encryption, OE), joka tallentaa IPSec-varmennustietoja DNS-tietueisiin. "
+"Ennen kuin tämä käytäntö yleistyy laajalti, sen käyttö aiheuttaa merkittävän "
+"viiveen jokaiseen uuteen ulospäin otettavaan yhteyteen."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"You should only enable opportunistic encryption if you are sure you want it. "
+"It may break the Internet connection (default route) as the pluto daemon "
+"starts."
+msgstr ""
+"Valitse opportunistinen salaus vain, jos olet varma, että haluat sen "
+"käyttöön. Se saattaa rikkoa Internet-yhteyden (oletusreitityksen), kun pluto-"
+"taustaohjelma käynnistyy."
+
+#, fuzzy
+#~| msgid "When to start strongSwan:"
+#~ msgid "Do you wish to restart strongSwan?"
+#~ msgstr "Koska strongSwan käynnistetään:"
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the full location of the file containing your X.509 "
+#~| "certificate in PEM format."
+#~ msgid "Please enter the location of your X509 certificate in PEM format:"
+#~ msgstr ""
+#~ "Anna PEM-muodossa olevan, X.509-varmenteen sisältävän tiedoston "
+#~ "täydellinen polku."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the full location of the file containing your X.509 "
+#~| "certificate in PEM format."
+#~ msgid "Please enter the location of your X509 private key in PEM format:"
+#~ msgstr ""
+#~ "Anna PEM-muodossa olevan, X.509-varmenteen sisältävän tiedoston "
+#~ "täydellinen polku."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the full location of the file containing your X.509 "
+#~| "certificate in PEM format."
+#~ msgid "You may now enter the location of your X509 RootCA in PEM format:"
+#~ msgstr ""
+#~ "Anna PEM-muodossa olevan, X.509-varmenteen sisältävän tiedoston "
+#~ "täydellinen polku."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the two-letter ISO3166 country code that should be used in "
+#~| "the certificate request."
+#~ msgid ""
+#~ "Please enter the 2 letter country code for your country. This code will "
+#~ "be placed in the certificate request."
+#~ msgstr ""
+#~ "Anna varmennepyynnössä käytettävä kaksikirjaiminen ISO-3166-maakoodi."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the locality name (often a city) that should be used in the "
+#~| "certificate request."
+#~ msgid ""
+#~ "Please enter the locality (e.g. city) where you live. This name will be "
+#~ "placed in the certificate request."
+#~ msgstr ""
+#~ "Anna varmennepyynnössä käytettävä paikkakunnan nimi (usein kaupunki)."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organization name (often a company) that should be used "
+#~| "in the certificate request."
+#~ msgid ""
+#~ "Please enter the organization (e.g. company) that the X509 certificate "
+#~ "should be created for. This name will be placed in the certificate "
+#~ "request."
+#~ msgstr "Anna varmennepyynnössä käytettävä järjestön nimi (usein yritys)."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organizational unit name (often a department) that "
+#~| "should be used in the certificate request."
+#~ msgid ""
+#~ "Please enter the organizational unit (e.g. section) that the X509 "
+#~ "certificate should be created for. This name will be placed in the "
+#~ "certificate request."
+#~ msgstr ""
+#~ "Valitse varmennepyynnössä käytettävä järjestön yksikkö (usein osasto)."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the common name (such as the host name of this machine) "
+#~| "that should be used in the certificate request."
+#~ msgid ""
+#~ "Please enter the common name (e.g. the host name of this machine) for "
+#~ "which the X509 certificate should be created for. This name will be "
+#~ "placed in the certificate request."
+#~ msgstr ""
+#~ "Anna varmennepyynnössä käytettävä yleinen nimi (kuten tämän koneen "
+#~ "verkkonimi)."
+
+#~ msgid "earliest"
+#~ msgstr "mahdollisimman aikaisin"
+
+#~ msgid "after NFS"
+#~ msgstr "NFS:n jälkeen"
+
+#~ msgid "after PCMCIA"
+#~ msgstr "PCMCIA:n jälkeen"
+
+#~ msgid ""
+#~ "StrongSwan starts during system startup so that it can protect "
+#~ "filesystems that are automatically mounted."
+#~ msgstr ""
+#~ "StrongSwan käynnistetään järjestelmän käynnistyessä, jotta se voi "
+#~ "suojella automaattisesti liitettäviä levyjärjestelmiä."
+
+#~ msgid ""
+#~ " * earliest: if /usr is not mounted through NFS and you don't use a\n"
+#~ " PCMCIA network card, it is best to start strongSwan as soon as\n"
+#~ " possible, so that NFS mounts can be secured by IPSec;\n"
+#~ " * after NFS: recommended when /usr is mounted through NFS and no\n"
+#~ " PCMCIA network card is used;\n"
+#~ " * after PCMCIA: recommended if the IPSec connection uses a PCMCIA\n"
+#~ " network card or if it needs keys to be fetched from a locally running "
+#~ "DNS\n"
+#~ " server with DNSSec support."
+#~ msgstr ""
+#~ "* mahdollisimman aikaisin: Jos hakemistoa /usr ei liitetä NFS:n avulla,\n"
+#~ " eikä käytössä ole PCMCIA-verkkokortteja, strongSwan kannattaa\n"
+#~ " käynnistää mahdollisimman aikaisin, jotta liitettävät NFS-järjestelmät\n"
+#~ " voidaan suojata IPSecillä.\n"
+#~ "* NFS:n jälkeen: suositeltava, kun käytössä ei ole PCMCIA-verkkokortteja\n"
+#~ " ja /usr liitetään NFS:n avulla.\n"
+#~ "* PCMCIA:n jälkeen: suositeltava, jos IPSec-yhteys käyttää\n"
+#~ " PCMCIA-verkkokorttia tai hakee avaimia paikalliselta DNS-palvelimelta\n"
+#~ " DNSSec-tuen avulla."
+
+#~ msgid ""
+#~ "If you don't restart strongSwan now, you should do so manually at the "
+#~ "first opportunity."
+#~ msgstr ""
+#~ "Jos et käynnistä strongSwania nyt uudelleen, tee se käsin mahdollisimman "
+#~ "pian."
+
+#~ msgid "Create an RSA public/private keypair for this host?"
+#~ msgstr ""
+#~ "Luodaanko tälle koneelle julkisesta ja salaisesta avaimesta koostuva RSA-"
+#~ "avainpari?"
+ +#~ msgid "" +#~ "StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to " +#~ "authenticate IPSec connections to other hosts. RSA authentication is " +#~ "generally considered more secure and is easier to administer. You can use " +#~ "PSK and RSA authentication simultaneously." +#~ msgstr "" +#~ "StrongSwan voi käyttää ennalta vaihdettua avainta (Pre-Shared Key, PSK) " +#~ "tai RSA-avainparia varmentaessaan IPSec-yhteyksiä toisiin koneisiin. RSA-" +#~ "varmennusta pidetään yleisesti turvallisempana ja helpommin " +#~ "ylläpidettävänä. PSK- ja RSA-varmennuksia voidaan käyttää yhtä aikaa." + +#~ msgid "" +#~ "If you do not want to create a new public/private keypair, you can choose " +#~ "to use an existing one in the next step." +#~ msgstr "" +#~ "Jos et halua luoda uutta avainparia, voi valita olemassa olevan parin " +#~ "seuraavassa vaiheessa." + +#~ msgid "" +#~ "The required information can automatically be extracted from an existing " +#~ "X.509 certificate with a matching RSA private key. Both parts can be in " +#~ "one file, if it is in PEM format. You should choose this option if you " +#~ "have such an existing certificate and key file and want to use it for " +#~ "authenticating IPSec connections." +#~ msgstr "" +#~ "Vaadittavat tiedot voidaan automaattisesti erottaa olemassa olevasta " +#~ "X.509-varmennetiedostosta täsmäävällä salaisella RSA-avaimella. Avaimen " +#~ "molemmat osat voivat olla samassa tiedostossa, jos se on PEM-muodossa. " +#~ "Valitse tämä vaihtoehto, jos tällaiset varmenne- ja avaintiedostot ovat " +#~ "olemassa ja haluat käyttää niitä IPSec-yhteyksien varmentamiseen." + +#~ msgid "RSA key length:" +#~ msgstr "RSA-avaimen pituus:" + +#~ msgid "" +#~ "Please enter the length of RSA key you wish to generate. A value of less " +#~ "than 1024 bits is not considered secure. A value of more than 2048 bits " +#~ "will probably affect performance." +#~ msgstr "" +#~ "Anna luotavan RSA-avaimen pituus. 
1024 bittiä lyhyempiä avaimia ei pidetä " +#~ "turvallisina. 2048 bittiä pidemmät avaimet luultavasti heikentävät " +#~ "suorituskykyä." + +#~ msgid "" +#~ "Only self-signed X.509 certificates can be created automatically, because " +#~ "otherwise a certificate authority is needed to sign the certificate " +#~ "request." +#~ msgstr "" +#~ "Vain itseallekirjoitettu X.509-varmenne voidaan luoda automaattisesti, " +#~ "koska muussa tapauksessa tarvitaan ulkoinen varmentaja allekirjoittamaan " +#~ "varmennepyyntö." + +#~ msgid "" +#~ "If you accept this option, the certificate created can be used " +#~ "immediately to connect to other IPSec hosts that support authentication " +#~ "via an X.509 certificate. However, using strongSwan's PKI features " +#~ "requires a trust path to be created by having all X.509 certificates " +#~ "signed by a single authority." +#~ msgstr "" +#~ "Jos valitset tämän vaihtoehdon, luotua varmennetta voidaan heti käyttää " +#~ "yhteyksien ottamiseen toisiin IPSEc-koneisiin, jotka tukevat " +#~ "varmentamista X.509-varmenteilla. StrongSwanin PKI-ominaisuuksien käyttö " +#~ "kuitenkin vaatii varmennuspolun, jossa sama varmentaja on " +#~ "allekirjoittanut kaikki X.509-varmenteet." + +#~ msgid "" +#~ "This field is mandatory; otherwise a certificate cannot be generated." +#~ msgstr "Tämä kenttä on pakollinen. Ilman sitä varmennetta ei voida luoda." diff --git a/debian/po/fr.po b/debian/po/fr.po new file mode 100644 index 000000000..22a9f6bc7 --- /dev/null +++ b/debian/po/fr.po 
@@ -0,0 +1,1040 @@ +# Translation of strongswan debconf templates to French +# Copyright (C) 2005-2007 Christian Perrier <bubulle@debian.org> +# This file is distributed under the same license as the strongswan package. +# +# Christian Perrier <bubulle@debian.org>, 2005-2007, 2009, 2010. +msgid "" +msgstr "" +"Project-Id-Version: strongswan\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-09 12:15+0200\n" +"PO-Revision-Date: 2010-06-24 22:17+0200\n" +"Last-Translator: Christian Perrier <bubulle@debian.org>\n" +"Language-Team: French <debian-l10n-french@lists.debian.org>\n" +"Language: fr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Lokalize 1.0\n" +"Plural-Forms: Plural-Forms: nplurals=2; plural=n>1;\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Abandon de l'ancien système de lancement" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"Les versions précédentes du paquet de stronSwan permettaient de choisir " +"entre trois séquences possibles de lancement au démarrage de la machine. " +"Comme l'organisation générale des scripts de lancement a été profondément " +"modifiée dans le système, cela n'est désormais plus utile. 
Pour toutes les " +"nouvelles installations, ainsi que pour les anciennes qui fonctionnaient " +"selon un des trois modes prédéfinis, une séquence de lancement sûre va être " +"mise en place. Si vous effectuez une mise à jour et aviez modifié les " +"paramètres de lancement de strongSwan, veuillez consulter le fichier NEWS." +"Debian pour trouver les informations qui vous permettront d'adapter vos " +"réglages." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "Faut-il redémarrer StrongSwan maintenant ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such " +"a strongSwan tunnel to connect for this update, restarting is not " +"recommended." +msgstr "" +"Redémarrer strongSwan est préférable car un éventuel correctif de sécurité " +"ne prendra effet que si le démon est redémarré. La plupart des utilisateurs " +"s'attendent à ce que le démon redémarre et c'est donc le plus souvent le " +"meilleur choix. Cependant, cela pourrait interrompre provisoirement des " +"connexions en cours, y compris la connexion utilisée actuellement pour cette " +"mise à jour. En conséquence, il est déconseillé de redémarrer si le tunnel " +"est utilisé pour l'administration du système." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "Faut-il démarrer le démon IKEv1 de StrongSwan ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." 
+msgstr ""
+"Le démon « pluto » doit fonctionner pour que la version 1 du protocole IKE "
+"(Internet Key Exchange) puisse être gérée."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid "Start strongSwan's IKEv2 daemon?"
+msgstr "Faut-il démarrer le démon IKEv2 de StrongSwan ?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid ""
+"The charon daemon must be running to support version 2 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Le démon « charon » doit fonctionner pour que la version 2 du protocole IKE "
+"(Internet Key Exchange) puisse être gérée."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid "Use an X.509 certificate for this host?"
+msgstr "Faut-il utiliser un certificat X.509 existant avec cet hôte ?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"An X.509 certificate for this host can be automatically created or imported. "
+"It can be used to authenticate IPsec connections to other hosts and is the "
+"preferred way of building up secure IPsec connections. The other possibility "
+"would be to use shared secrets (passwords that are the same on both sides of "
+"the tunnel) for authenticating a connection, but for a larger number of "
+"connections, key based authentication is easier to administer and more "
+"secure."
+msgstr ""
+"Un certificat X.509 peut être créé automatiquement ou importé, pour cet "
+"hôte. Il peut servir à authentifier des connexions IPSec vers d'autres "
+"hôtes, ce qui est la méthode conseillée pour l'établissement de liaisons "
+"IPSec sûres. L'autre possibilité d'authentification à la connexion est "
+"l'utilisation d'un secret partagé (« pre-shared key » : des mots de passe "
+"identiques aux deux extrémités du tunnel). Toutefois, pour de nombreuses "
+"connexions, l'authentification à base de clés est plus simple à administrer "
+"et plus sûre."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"Alternatively you can reject this option and later use the command \"dpkg-"
+"reconfigure strongswan\" to come back."
+msgstr ""
+"Vous pouvez ne pas choisir cette option et y revenir plus tard avec la "
+"commande « dpkg-reconfigure strongswan »."
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "create"
+msgstr "Créer"
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "import"
+msgstr "Importer"
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid "Methods for using a X.509 certificate to authenticate this host:"
+msgstr ""
+"Méthode de mise en place d'un certificat X.509 pour l'authentification de "
+"cet hôte :"
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"It is possible to create a new X.509 certificate with user-defined settings "
+"or to import an existing public and private key stored in PEM file(s) for "
+"authenticating IPsec connections."
+msgstr ""
+"Pour l'authentification des connexions IPsec, il est possible de créer un "
+"nouveau certificat X.509 avec des réglages personnalisés ou importer une "
+"paire de clés publique et privée depuis un ou plusieurs fichiers PEM."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+"Si vous choisissez de créer un nouveau certificat X.509, vous devrez fournir "
+"plusieurs informations avant la création. Veuillez noter que si vous "
+"souhaitez utiliser un certificat signé par une autorité de certification, "
+"vous ne devez pas choisir de créer un certificat auto-signé et devrez donner "
+"exactement les réponses souhaitées par l'autorité de certification sinon la "
+"requête de certificat risquerait d'être rejetée."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr ""
+"Si vous souhaitez importer une paire de clés, vous devrez en fournir les "
+"noms de fichiers (qui peuvent être identiques si les parties privée et "
+"publique sont dans le même fichier). Vous pourrez facultativement fournir le "
+"nom d'un fichier contenant la ou les clés publiques de l'autorité de "
+"certification. Ce fichier devra être différent des précédents. Le format des "
+"certificats X.509 doit être PEM et la clé privée ne doit pas être chiffrée. "
+"Dans le cas contraire, l'importation échouera."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid "File name of your PEM format X.509 certificate:"
+msgstr "Nom du fichier PEM contenant le certificat X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid ""
+"Please enter the location of the file containing your X.509 certificate in "
+"PEM format."
+msgstr ""
+"Veuillez indiquer l'emplacement du fichier contenant votre certificat X.509 "
+"au format PEM."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+msgid "File name of your PEM format X.509 private key:"
+msgstr "Nom du fichier PEM contenant la clé privée X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+msgid ""
+"Please enter the location of the file containing the private RSA key "
+"matching your X.509 certificate in PEM format. This can be the same file "
+"that contains the X.509 certificate."
+msgstr ""
+"Veuillez indiquer l'emplacement du fichier contenant la clé privée RSA "
+"correspondant au certificat X.509 au format PEM. Cela peut être le fichier "
+"qui contient le certificat X.509."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid "File name of your PEM format X.509 RootCA:"
+msgstr ""
+"Nom du fichier PEM contenant le certificat X.509 de l'autorité de "
+"certification :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid ""
+"Optionally you can now enter the location of the file containing the X.509 "
+"Certificate Authority root used to sign your certificate in PEM format. If "
+"you do not have one or do not want to use it please leave the field empty. "
+"Please note that it's not possible to store the RootCA in the same file as "
+"your X.509 certificate or private key."
+msgstr ""
+"Veuillez indiquer facultativement l'emplacement du fichier (au format PEM) "
+"contenant le certificat X.509 de l'autorité de certification qui a signé le "
+"certificat que vous avez fourni. Si vous n'utilisez pas d'autorité de "
+"certification, vous pouvez laisser ce champ vide. Veuillez noter que ce "
+"fichier doit être différent du fichier de certificat X.509 et de la clé "
+"privée que vous utilisez."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid "Please enter which length the created RSA key should have:"
+msgstr "Longueur de la clé RSA à créer :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid ""
+"Please enter the length of the created RSA key. It should not be less than "
+"1024 bits because this should be considered unsecure and you will probably "
+"not need anything more than 4096 bits because it only slows the "
+"authentication process down and is not needed at the moment."
+msgstr ""
+"Veuillez indiquer la longueur de la clé RSA qui sera créée. Elle ne doit pas "
+"être inférieure à 1024 bits car cela serait considéré comme insuffisamment "
+"sûr. Un choix excédant 4096 bits est probablement inutile car cela ne fait "
+"essentiellement que ralentir le processus d'authentification sans avoir "
+"d'intérêt actuellement."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid "Create a self-signed X.509 certificate?"
+msgstr "Souhaitez-vous créer un certificat X.509 auto-signé ?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"Only self-signed X.509 certificates can be created automatically, because "
+"otherwise a Certificate Authority is needed to sign the certificate request. "
+"If you choose to create a self-signed certificate, you can use it "
+"immediately to connect to other IPsec hosts that support X.509 certificate "
+"for authentication of IPsec connections. However, using strongSwan's PKI "
+"features requires all certificates to be signed by a single Certificate "
+"Authority to create a trust path."
+msgstr ""
+"Seuls des certificats X.509 auto-signés peuvent être créés automatiquement "
+"puisqu'une autorité de certification est indispensable pour signer la "
+"demande de certificat. Si vous choisissez de créer un certificat auto-signé, "
+"vous pourrez vous en servir immédiatement pour vous connecter aux hôtes qui "
+"authentifient les connexions IPsec avec des certificats X.509. Cependant, si "
+"vous souhaitez utiliser les nouvelles fonctionnalités PKI de strongSwan, "
+"vous aurez besoin que tous les certificats soient signés par la même "
+"autorité de certification afin de créer un chemin de confiance."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"If you do not choose to create a self-signed certificate, only the RSA "
+"private key and the certificate request will be created, and you will have "
+"to sign the certificate request with your Certificate Authority."
+msgstr ""
+"Si vous ne voulez pas créer de certificat auto-signé, seules la clé privée "
+"RSA et la demande de certificat seront créées et vous devrez ensuite faire "
+"signer la demande de certificat par votre autorité de certification."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid "Country code for the X.509 certificate request:"
+msgstr "Code du pays pour la demande de certificat X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"Please enter the two-letter code for the country the server resides in (such "
+"as \"AT\" for Austria)."
+msgstr ""
+"Veuillez indiquer le code à deux lettres du pays où est situé le serveur "
+"(p. ex. « FR » pour la France)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"OpenSSL will refuse to generate a certificate unless this is a valid "
+"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
+"certificate, but not here."
+msgstr ""
+"Il est impératif de choisir ici un code de pays ISO-3166 valable sinon "
+"OpenSSL refusera de créer les certificats. Tous les autres champs d'un "
+"certificat X.509 peuvent être vides, sauf celui-ci."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+msgid "State or province name for the X.509 certificate request:"
+msgstr "État ou province pour la demande de certificat X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+msgid ""
+"Please enter the full name of the state or province the server resides in "
+"(such as \"Upper Austria\")."
+msgstr ""
+"Veuillez indiquer le nom complet de l'état ou de la province qui sera inclus "
+"dans la demande de certificat (p. ex. « Québec »)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+msgid "Locality name for the X.509 certificate request:"
+msgstr "Localité pour la demande de certificat X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+msgid ""
+"Please enter the locality the server resides in (often a city, such as "
+"\"Vienna\")."
+msgstr ""
+"Veuillez indiquer la localité où est situé le serveur (ce sera souvent une "
+"ville, comme « Montcuq »)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+msgid "Organization name for the X.509 certificate request:"
+msgstr "Organisme pour la demande de certificat X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+msgid ""
+"Please enter the organization the server belongs to (such as \"Debian\")."
+msgstr ""
+"Veuillez indiquer l'organisme propriétaire du serveur (p. ex. « Debian »)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+msgid "Organizational unit for the X.509 certificate request:"
+msgstr "Unité d'organisation pour la demande de certificat X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+msgid ""
+"Please enter the organizational unit the server belongs to (such as "
+"\"security group\")."
+msgstr ""
+"Veuillez indiquer l'unité d'organisation pour la demande de certificat X.509 "
+"(p. ex. « Équipe sécurité »)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+msgid "Common Name for the X.509 certificate request:"
+msgstr "Nom ordinaire pour la demande de certification X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+msgid ""
+"Please enter the Common Name for this host (such as \"gateway.example.org\")."
+msgstr ""
+"Veuillez indiquer le nom ordinaire de ce serveur (ce sera souvent son nom "
+"réseau)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+msgid "Email address for the X.509 certificate request:"
+msgstr "Adresse électronique pour la demande de certificat X.509 :"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+msgid ""
+"Please enter the email address of the person or organization responsible for "
+"the X.509 certificate."
+msgstr ""
+"Veuillez indiquer l'adresse électronique de la personne ou de l'organisme "
+"responsable du certificat X.509."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid "Enable opportunistic encryption?"
+msgstr "Faut-il activer le chiffrement opportuniste ?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"This version of strongSwan supports opportunistic encryption (OE), which "
+"stores IPSec authentication information in DNS records. Until this is widely "
+"deployed, activating it will cause a significant delay for every new "
+"outgoing connection."
+msgstr ""
+"Cette version de strongSwan gère le chiffrement opportuniste (OE) qui "
+"conserve les informations d'authentification IPSec dans des enregistrements "
+"DNS. Tant que cette fonctionnalité n'est pas déployée largement, l'activer "
+"augmentera notablement la durée d'établissement des connexions sortantes."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"You should only enable opportunistic encryption if you are sure you want it. "
+"It may break the Internet connection (default route) as the pluto daemon "
+"starts."
+msgstr ""
+"Vous ne devriez l'activer que s'il est indispensable de l'utiliser. Il est "
+"possible que cela coupe la connexion Internet (la route par défaut) au "
+"moment où le démon « pluto » démarre."
+
+#, fuzzy
+#~ msgid "Do you wish to restart strongSwan?"
+#~ msgstr "Moment de démarrage de strongSwan :"
+
+#~ msgid "Please enter the location of your X509 certificate in PEM format:"
+#~ msgstr "Emplacement du certificat X509 :"
+
+#~ msgid "Please enter the location of your X509 private key in PEM format:"
+#~ msgstr "Emplacement de la clé privée X509 :"
+
+#~ msgid "You may now enter the location of your X509 RootCA in PEM format:"
+#~ msgstr "Emplacement du certificat X509 de l'autorité de certification :"
+
+#~ msgid ""
+#~ "Please enter the 2 letter country code for your country. This code will "
+#~ "be placed in the certificate request."
+#~ msgstr ""
+#~ "Veuillez indiquer le code à deux lettres de votre pays. Ce code sera "
+#~ "inclus dans la demande de certificat."
+
+#~ msgid ""
+#~ "Please enter the locality (e.g. city) where you live. This name will be "
+#~ "placed in the certificate request."
+#~ msgstr ""
+#~ "Veuillez indiquer la localité (p. ex. la ville) où vous résidez. Ce nom "
+#~ "sera inclus dans la demande de certificat."
+
+#~ msgid ""
+#~ "Please enter the organization (e.g. company) that the X509 certificate "
+#~ "should be created for. This name will be placed in the certificate "
+#~ "request."
+#~ msgstr ""
+#~ "Veuillez indiquer l'organisme (p. ex. l'entreprise) pour qui sera créé le "
+#~ "certificat X509. Ce nom sera inclus dans la demande de certificat."
+
+#~ msgid ""
+#~ "Please enter the organizational unit (e.g. section) that the X509 "
+#~ "certificate should be created for. This name will be placed in the "
+#~ "certificate request."
+#~ msgstr ""
+#~ "Veuillez indiquer l'unité d'organisation (p. ex. département, division, "
+#~ "etc.) pour qui sera créé le certificat X509. Ce nom sera inclus dans la "
+#~ "demande de certificat."
+
+#~ msgid ""
+#~ "Please enter the common name (e.g. the host name of this machine) for "
+#~ "which the X509 certificate should be created for. This name will be "
+#~ "placed in the certificate request."
+#~ msgstr ""
+#~ "Veuillez indiquer le nom ordinaire (p. ex. le nom réseau de cette "
+#~ "machine) pour qui sera créé le certificat X509. Ce nom sera inclus dans "
+#~ "la demande de certificat."
+
+#~ msgid "earliest"
+#~ msgstr "Le plus tôt possible"
+
+#~ msgid "after NFS"
+#~ msgstr "Après NFS"
+
+#~ msgid "after PCMCIA"
+#~ msgstr "Après PCMCIA"
+
+#~ msgid ""
+#~ "StrongSwan starts during system startup so that it can protect "
+#~ "filesystems that are automatically mounted."
+#~ msgstr ""
+#~ "StrongSwan est lancé au démarrage du système afin de pouvoir protéger les "
+#~ "systèmes de fichiers qui sont montés automatiquement."
+
+#~ msgid ""
+#~ " * earliest: if /usr is not mounted through NFS and you don't use a\n"
+#~ " PCMCIA network card, it is best to start strongSwan as soon as\n"
+#~ " possible, so that NFS mounts can be secured by IPSec;\n"
+#~ " * after NFS: recommended when /usr is mounted through NFS and no\n"
+#~ " PCMCIA network card is used;\n"
+#~ " * after PCMCIA: recommended if the IPSec connection uses a PCMCIA\n"
+#~ " network card or if it needs keys to be fetched from a locally running "
+#~ "DNS\n"
+#~ " server with DNSSec support."
+#~ msgstr ""
+#~ " - Le plus tôt possible : conseillé si /usr n'est pas monté par NFS\n"
+#~ " et que vous n'utilisez pas de carte réseau PCMCIA ;\n"
+#~ " - Après NFS : recommandé si /usr est un montage NFS et qu'aucune\n"
+#~ " carte réseau PCMCIA n'est utilisée ;\n"
+#~ " - après PCMCIA : recommandé si la connexion IPSec utilise une carte\n"
+#~ " réseau PCMCIA ou s'il est nécessaire de récupérer des clés\n"
+#~ " depuis un serveur DNS qui gère DNSSec."
+
+#~ msgid ""
+#~ "If you don't restart strongSwan now, you should do so manually at the "
+#~ "first opportunity."
+#~ msgstr ""
+#~ "Si vous ne redémarrez pas StrongSwan maintenant, il est conseillé de le "
+#~ "faire manuellement dès que possible."
+
+#~ msgid "Create an RSA public/private keypair for this host?"
+#~ msgstr ""
+#~ "Faut-il créer une paire de clés RSA publique et privée pour cet hôte ?"
+
+#~ msgid ""
+#~ "StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to "
+#~ "authenticate IPSec connections to other hosts. RSA authentication is "
+#~ "generally considered more secure and is easier to administer. You can use "
+#~ "PSK and RSA authentication simultaneously."
+#~ msgstr ""
+#~ "StrongSwan peut utiliser une clé secrète partagée (PSK : « Pre-Shared "
+#~ "Key ») ou une paire de clés RSA pour gérer l'authentification des "
+#~ "connexions IPSec vers d'autres hôtes. L'authentification RSA est en "
+#~ "général considérée comme plus sûre et plus simple à administrer. Les deux "
+#~ "modes d'authentification peuvent être utilisés en même temps."
+
+#~ msgid ""
+#~ "If you do not want to create a new public/private keypair, you can choose "
+#~ "to use an existing one in the next step."
+#~ msgstr ""
+#~ "Si vous ne souhaitez pas créer une paire de clés publique et privée, vous "
+#~ "pouvez choisir d'en utiliser une existante."
+
+#~ msgid ""
+#~ "The required information can automatically be extracted from an existing "
+#~ "X.509 certificate with a matching RSA private key. Both parts can be in "
+#~ "one file, if it is in PEM format. You should choose this option if you "
+#~ "have such an existing certificate and key file and want to use it for "
+#~ "authenticating IPSec connections."
+#~ msgstr ""
+#~ "L'information nécessaire peut être récupérée depuis un fichier de "
+#~ "certificat X.509 existant, avec la clé privée RSA correspondante. Les "
+#~ "deux parties peuvent se trouver dans un seul fichier, s'il est en format "
+#~ "PEM. Vous devriez choisir cette option si vous possédez un tel certificat "
+#~ "ainsi que la clé privée, et si vous souhaitez vous en servir pour "
+#~ "l'authentification des connexions IPSec."
+
+#~ msgid "RSA key length:"
+#~ msgstr "Taille de la clé RSA :"
+
+#~ msgid ""
+#~ "Please enter the length of RSA key you wish to generate. A value of less "
+#~ "than 1024 bits is not considered secure. A value of more than 2048 bits "
+#~ "will probably affect performance."
+#~ msgstr ""
+#~ "Veuillez indiquer la taille de la clé RSA que vous souhaitez créer. Une "
+#~ "valeur inférieure à 1024 bits n'est pas considérée comme sûre. Une valeur "
+#~ "supérieure à 2048 bits risque d'altérer les performances."
+
+#~ msgid ""
+#~ "Only self-signed X.509 certificates can be created automatically, because "
+#~ "otherwise a certificate authority is needed to sign the certificate "
+#~ "request."
+#~ msgstr ""
+#~ "Seuls les certificats X.509 auto-signés peuvent être créés "
+#~ "automatiquement car, pour les autres certificats, une autorité de "
+#~ "certification est indispensable."
+
+#~ msgid ""
+#~ "If you accept this option, the certificate created can be used "
+#~ "immediately to connect to other IPSec hosts that support authentication "
+#~ "via an X.509 certificate. However, using strongSwan's PKI features "
+#~ "requires a trust path to be created by having all X.509 certificates "
+#~ "signed by a single authority."
+#~ msgstr ""
+#~ "Si vous choisissez cette option, le certificat qui sera créé pourra être "
+#~ "utilisé immédiatement pour la connexion à d'autres hôtes IPSec qui gèrent "
+#~ "l'authentification par certificat X.509. Cependant l'utilisation des "
+#~ "fonctionnalités PKI (« Public Key Infrastructure » : infrastructure "
+#~ "publique de clés) de strongSwan impose la création d'un chemin de "
+#~ "confiance avec tous les certificats X.509 signés par la même autorité de "
+#~ "certification."
+
+#~ msgid ""
+#~ "This field is mandatory; otherwise a certificate cannot be generated."
+#~ msgstr ""
+#~ "Ce champ est obligatoire, sinon le certificat ne pourra pas être créé."
+
+#~| msgid ""
+#~| "Previous versions of the Openswan package allowed the user to choose "
+#~| "between three different Start/Stop-Levels. Due to changes in the "
+#~| "standard system startup procedure, this is no longer necessary and "
+#~| "useful. For all new installations as well as old ones running in any of "
+#~| "the predefined modes, sane default levels set will now be set. If you "
+#~| "are upgrading from a previous version and changed your Openswan startup "
+#~| "parameters, then please take a look at NEWS.Debian for instructions on "
+#~| "how to modify your setup accordingly."
+#~ msgid ""
+#~ "Previous versions of the Openswan package gave a choice between three "
+#~ "different Start/Stop-Levels. Due to changes in the standard system "
+#~ "startup procedure, this is no longer necessary or useful. For all new "
+#~ "installations as well as old ones running in any of the predefined modes, "
+#~ "sane default levels will now be set. If you are upgrading from a previous "
+#~ "version and changed your Openswan startup parameters, then please take a "
+#~ "look at NEWS.Debian for instructions on how to modify your setup "
+#~ "accordingly."
+#~ msgstr ""
+#~ "Les versions précédentes du paquet d'Openswan permettaient de choisir "
+#~ "entre trois séquences possibles de lancement au démarrage de la machine. "
+#~ "Comme l'organisation générale des scripts de lancement a été profondément "
+#~ "modifiée dans le système, cela n'est désormais plus utile. Pour toutes "
+#~ "les nouvelles installations, ainsi que pour les anciennes qui "
+#~ "fonctionnaient selon un des trois modes prédéfinis, une séquence de "
+#~ "lancement sûre va être mise en place. Si vous effectuez une mise à jour "
+#~ "et aviez modifié les paramètres de lancement d'Openswan, veuillez "
+#~ "consulter le fichier NEWS.Debian pour trouver les informations qui vous "
+#~ "permettront d'adapter vos réglages."
+
+#~| msgid "Do you wish to restart Openswan?"
+#~ msgid "Restart Openswan now?"
+#~ msgstr "Souhaitez-vous redémarrer Openswan ?"
+
+#~| msgid ""
+#~| "Restarting Openswan is a good idea, since if there is a security fix, it "
+#~| "will not be fixed until the daemon restarts. Most people expect the "
+#~| "daemon to restart, so this is generally a good idea. However, this might "
+#~| "take down existing connections and then bring them back up (including "
+#~| "the connection currently used for this update, so it is recommended not "
+#~| "to restart if you are using any of the tunnel for administration)."
+#~ msgid ""
+#~ "Restarting Openswan is recommended, since if there is a security fix, it "
+#~ "will not be applied until the daemon restarts. Most people expect the "
+#~ "daemon to restart, so this is generally a good idea. However, this might "
+#~ "take down existing connections and then bring them back up, so if you are "
+#~ "using such an Openswan tunnel to connect for this update, restarting is "
+#~ "not recommended."
+#~ msgstr ""
+#~ "Redémarrer Openswan est préférable car un éventuel correctif de sécurité "
+#~ "ne sera actif que si le démon est redémarré. La plupart des utilisateurs "
+#~ "s'attendent à ce que le démon redémarre et c'est donc le plus souvent le "
+#~ "meilleur choix. Cependant, cela pourrait interrompre provisoirement des "
+#~ "connexions en cours, y compris la connexion utilisée actuellement pour "
+#~ "cette mise à jour. En conséquence, il est déconseillé de redémarrer si le "
+#~ "tunnel est utilisé pour l'administration du système."
+
+#~| msgid ""
+#~| "If you do not want to this now you can answer \"No\" and later use the "
+#~| "command \"dpkg-reconfigure openswan\" to come back."
+#~ msgid ""
+#~ "Alternatively you can reject this option and later use the command \"dpkg-"
+#~ "reconfigure openswan\" to come back."
+#~ msgstr ""
+#~ "Vous pouvez ne pas choisir cette option et y revenir plus tard avec la "
+#~ "commande « dpkg-reconfigure openswan »."
+
+#~ msgid "Length of RSA key to be created:"
+#~ msgstr "Longueur de la clé RSA à créer :"
+
+#~| msgid ""
+#~| "Please enter the length of the created RSA key. It should not be less "
+#~| "than 1024 bits because this should be considered unsecure and you will "
+#~| "probably not need anything more than 4096 bits because it only slows the "
+#~| "authentication process down and is not needed at the moment."
+#~ msgid ""
+#~ "Please enter the required RSA key-length. Anything under 1024 bits should "
+#~ "be considered insecure; anything more than 4096 bits slows down the "
+#~ "authentication process and is not useful at present."
+#~ msgstr ""
+#~ "Veuillez indiquer la longueur de la clé RSA qui sera créée. Elle ne doit "
+#~ "pas être inférieure à 1024 bits car cela serait considéré comme "
+#~ "insuffisamment sûr. Un choix excédant 4096 bits est probablement inutile "
+#~ "car cela ne fait essentiellement que ralentir le processus "
+#~ "d'authentification sans avoir d'intérêt actuellement."
+
+#~| msgid ""
+#~| "This installer can only create self-signed X509 certificates "
+#~| "automatically, because otherwise a certificate authority is needed to "
+#~| "sign the certificate request. If you want to create a self-signed "
+#~| "certificate, you can use it immediately to connect to other IPsec hosts "
+#~| "that support X509 certificate for authentication of IPsec connections. "
+#~| "However, if you want to use the new PKI features of Openswan >= 1.91, "
+#~| "you will need to have all X509 certificates signed by a single "
+#~| "certificate authority to create a trust path."
+#~ msgid ""
+#~ "Only self-signed X.509 certificates can be created automatically, because "
+#~ "otherwise a Certificate Authority is needed to sign the certificate "
+#~ "request. If you choose to create a self-signed certificate, you can use "
+#~ "it immediately to connect to other IPsec hosts that support X.509 "
+#~ "certificate for authentication of IPsec connections. However, using "
+#~ "Openswan's PKI features requires all certificates to be signed by a "
+#~ "single Certificate Authority to create a trust path."
+#~ msgstr ""
+#~ "Seuls des certificats X.509 auto-signés peuvent être créés "
+#~ "automatiquement puisqu'une autorité de certification est indispensable "
+#~ "pour signer la demande de certificat. Si vous choisissez de créer un "
+#~ "certificat auto-signé, vous pourrez vous en servir immédiatement pour "
+#~ "vous connecter aux hôtes qui authentifient les connexions IPsec avec des "
+#~ "certificats X.509. Cependant, si vous souhaitez utiliser les nouvelles "
+#~ "fonctionnalités PKI d'Openswan, vous aurez besoin que tous les "
+#~ "certificats soient signés par la même autorité de certification afin de "
+#~ "créer un chemin de confiance."
+
+#~ msgid "Modification of /etc/ipsec.conf"
+#~ msgstr "Modification de /etc/ipsec.conf"
+
+#~| msgid ""
+#~| "Due to a change in upstream Openswan, opportunistic encryption is no "
+#~| "longer enabled by default. The no_oe.conf file that was shipped in "
+#~| "earlier versions to explicitly disable it can therefore no longer be "
+#~| "included by ipsec.conf. A respective include paragraph will now be "
+#~| "automatically removed to ensure that Openswan can start correctly."
+#~ msgid ""
+#~ "Due to a change in upstream Openswan, opportunistic encryption is no "
+#~ "longer enabled by default. The no_oe.conf file that was shipped in "
+#~ "earlier versions to explicitly disable it can therefore no longer be "
+#~ "included by ipsec.conf. Any such include paragraph will now be "
+#~ "automatically removed to ensure that Openswan can start correctly."
+#~ msgstr ""
+#~ "En raison de modifications dans la version amont d'Openswan, le "
+#~ "chiffrement opportuniste n'est plus activé par défaut. Le fichier no_oe."
+#~ "conf qui était fourni avec les versions précédentes pour le désactiver "
+#~ "explicitement ne peut donc plus être inclus dans ipsec.conf. Toute "
+#~ "instruction d'inclusion de ce fichier sera automatiquement retirée afin "
+#~ "qu'Openswan puisse démarrer correctement."
+
+#~ msgid "Example: AT"
+#~ msgstr "Exemple : FR"
+
+#~ msgid ""
+#~ "Please enter the state or province name for the X509 certificate request:"
+#~ msgstr "État, province ou région :"
+
+#~ msgid ""
+#~ "Please enter the full name of the state or province you live in. This "
+#~ "name will be placed in the certificate request."
+#~ msgstr ""
+#~ "Veuillez indiquer le nom complet de l'état, de la province ou de la "
+#~ "région où vous résidez. Ce nom sera inclus dans la demande de certificat."
+
+#~ msgid "Example: Upper Austria"
+#~ msgstr ""
+#~ "Exemples : Rhône-Alpes, Brabant Wallon, Bouches du Rhône, Québec, Canton "
+#~ "de Vaud"
+
+#~ msgid "Example: Vienna"
+#~ msgstr "Exemple : Saint-Étienne"
+
+#~ msgid "Example: Debian"
+#~ msgstr "Exemple : Debian"
+
+#~ msgid "Example: security group"
+#~ msgstr "Exemple : Département Réseaux et Informatique Scientifique"
+
+#~ msgid "Example: gateway.debian.org"
+#~ msgstr "Exemple : gateway.debian.org"
+
+#~ msgid "Do you want to create a RSA public/private keypair for this host?"
+#~ msgstr ""
+#~ "Souhaitez-vous créer une paire de clés RSA publique et privée pour cet "
+#~ "hÃŽte ?"
+
+#~ msgid ""
+#~ "If you do not want to create a new public/private keypair, you can choose "
+#~ "to use an existing one."
+#~ msgstr ""
+#~ "Si vous ne souhaitez pas créer une paire de clés publique et privée, "
+#~ "vous pouvez choisir d'en utiliser une existante."
+
+#~ msgid "x509"
+#~ msgstr "X509"
+
+#~ msgid "plain"
+#~ msgstr "Simple paire"
+
+#~ msgid ""
+#~ "It is possible to create a plain RSA public/private keypair for use with "
+#~ "Openswan or to create a X509 certificate file which contains the RSA "
+#~ "public key and additionally stores the corresponding private key."
+#~ msgstr ""
+#~ "Il est possible de créer une simple paire de clés destinée àêtre "
+#~ "utilisée avec Openswan ou de créer un fichier de certificat X509 qui "
+#~ "contient la clé publique RSA et de conserver la clé privée "
+#~ "correspondante par ailleurs."
+
+#, fuzzy
+#~| msgid ""
+#~| "If you only want to build up IPSec connections to hosts also running "
+#~| "Openswan, it might be a bit easier using plain RSA keypairs. But if you "
+#~| "want to connect to other IPSec implementations, you will need a X509 "
+#~| "certificate. It is also possible to create a X509 certificate here and "
+#~| "extract the RSA public key in plain format if the other side runs "
+#~| "Openswan without X509 certificate support."
+#~ msgid ""
+#~ "If you only want to create IPsec connections to hosts also running "
+#~ "Openswan, it might be a bit easier using plain RSA keypairs. But if you "
+#~ "want to connect to other IPsec implementations, you will need a X509 "
+#~ "certificate. It is also possible to create a X509 certificate here and "
+#~ "extract the RSA public key in plain format if the other side runs "
+#~ "Openswan without X509 certificate support."
+#~ msgstr ""
+#~ "Si vous ne prévoyez d'établir des connexions IPSec qu'avec des hÃŽtes "
+#~ "utilisant Openswan, il sera probablement plus facile d'utiliser des clés "
+#~ "RSA simples. Mais si vous souhaitez vous connecter àdes hÃŽtes "
+#~ "utilisant d'autres implémentations d'IPSec, vous aurez besoin d'un "
+#~ "certificat X509. Il est également possible de créer un certificat X509 "
+#~ "puis d'en extraire une simple clé publique RSA, si l'autre extrémité "
+#~ "de la connexion utilise Openswan sans la gestion des certificats X509."
+
+#, fuzzy
+#~| msgid ""
+#~| "Therefore a X509 certificate is recommended since it is more flexible "
+#~| "and this installer should be able to hide the complex creation of the "
+#~| "X509 certificate and its use in Openswan anyway."
+#~ msgid ""
+#~ "Therefore a X509 certificate is recommended since it is more flexible and "
+#~ "this installer should be able to hide the complex creation of the X509 "
+#~ "certificate and its use in Openswan."
+#~ msgstr ""
+#~ "Ainsi, il vous est conseillé d'utiliser un certificat X509 car cette "
+#~ "méthode est plus souple. Cet outil d'installation devrait vous "
+#~ "simplifier la tâche de création et d'utilisation de ce certificat X509."
+
+#, fuzzy
+#~| msgid ""
+#~| "This installer can automatically extract the needed information from an "
+#~| "existing X509 certificate with a matching RSA private key. Both parts "
+#~| "can be in one file, if it is in PEM format. Do you have such an existing "
+#~| "certificate and key file and want to use it for authenticating IPSec "
+#~| "connections?"
+#~ msgid ""
+#~ "This installer can automatically extract the needed information from an "
+#~ "existing X509 certificate with a matching RSA private key. Both parts can "
+#~ "be in one file, if it is in PEM format. If you have such an existing "
+#~ "certificate and key file please select if want to use it for "
+#~ "authenticating IPSec connections."
+#~ msgstr ""
+#~ "Cet outil d'installation est capable d'extraire automatiquement "
+#~ "l'information nécessaire d'un fichier de certificat X509 existant, avec "
+#~ "la clé privée RSA correspondante. Les deux parties peuvent se trouver "
+#~ "dans un seul fichier, s'il est en format PEM. Indiquez si vous possédez "
+#~ "un tel certificat ainsi que la clé privée, et si vous souhaitez vous en "
+#~ "servir pour l'authentification des connexions IPSec."
+
+#~ msgid "x509, plain"
+#~ msgstr "X509, Simple paire"
+
+#, fuzzy
+#~| msgid "earliest, \"after NFS\", \"after PCMCIA\""
+#~ msgid "earliest, after NFS, after PCMCIA"
+#~ msgstr "Le plus tÃŽt possible, AprÚs NFS, AprÚs PCMCIA"
+
+#, fuzzy
+#~| msgid ""
+#~| "With the current Debian startup levels (nearly everything starting in "
+#~| "level 20), it is impossible for Openswan to always start at the correct "
+#~| "time. There are three possibilities when Openswan can start: before or "
+#~| "after the NFS services and after the PCMCIA services. The correct answer "
+#~| "depends on your specific setup."
+#~ msgid ""
+#~ "With the default system startup levels (nearly everything starting in "
+#~ "level 20), it is impossible for Openswan to always start at the correct "
+#~ "time. There are three possibilities when Openswan can start: before or "
+#~ "after the NFS services and after the PCMCIA services. The correct answer "
+#~ "depends on your specific setup."
+#~ msgstr ""
+#~ "Avec les niveaux de démarrage actuellement utilisés par Debian (presque "
+#~ "tout démarre au niveau 20), il est impossible de faire en sorte "
+#~ "qu'Openswan démarre toujours au moment approprié. Il existe trois "
+#~ "moments où il est opportun de le démarrer : avant ou aprÚs les "
+#~ "services NFS, ou aprÚs les services PCMCIA. La réponse appropriée "
+#~ "dépend de vos réglages spécifiques."
+
+#, fuzzy
+#~| msgid ""
+#~| "If you do not have your /usr tree mounted via NFS (either you only mount "
+#~| "other, less vital trees via NFS or don't use NFS mounted trees at all) "
+#~| "and don't use a PCMCIA network card, then it's best to start Openswan at "
+#~| "the earliest possible time, thus allowing the NFS mounts to be secured "
+#~| "by IPSec. In this case (or if you don't understand or care about this "
+#~| "issue), answer \"earliest\" to this question (the default)."
+#~ msgid ""
+#~ "If the /usr tree of this system is not mounted via NFS (either you only "
+#~ "mount other, less vital trees via NFS or don't use NFS mounted trees at "
+#~ "all) and no PCMCIA network card is used, then it's best to start Openswan "
+#~ "at the earliest possible time, thus allowing the NFS mounts to be secured "
+#~ "by IPSec. In this case (or if you don't understand or care about this "
+#~ "issue), answer \"earliest\" to this question (the default)."
+#~ msgstr ""
+#~ "Si votre arborescence /usr n'est pas un montage NFS (soit parce que vos "
+#~ "montages NFS sont àd'autres endroits, moins critiques, soit parce que "
+#~ "vous n'utilisez pas du tout de montage NFS) et si vous n'utilisez pas de "
+#~ "carte réseau PCMCIA, il est préférable de démarrer Openswan le plus "
+#~ "tÃŽt possible, ce qui permettra de sécuriser les montages NFS avec "
+#~ "IPSec. Dans ce cas (ou bien si vous ne comprenez pas l'objet de la "
+#~ "question ou qu'elle ne vous concerne pas), choisissez « le plus tÃŽt "
+#~ "possible », qui est le choix par défaut."
+
+#, fuzzy
+#~| msgid ""
+#~| "If you have your /usr tree mounted via NFS and don't use a PCMCIA "
+#~| "network card, then you will need to start Openswan after NFS so that all "
+#~| "necessary files are available. In this case, answer \"after NFS\" to "
+#~| "this question. Please note that the NFS mount of /usr can not be secured "
+#~| "by IPSec in this case."
+#~ msgid ""
+#~ "If the /usr tree is mounted via NFS and no PCMCIA network card is used, "
+#~ "then you will need to start Openswan after NFS so that all necessary "
+#~ "files are available. In this case, answer \"after NFS\" to this question. "
+#~ "Please note that the NFS mount of /usr can not be secured by IPSec in "
+#~ "this case."
+#~ msgstr "" +#~ "Si /usr est un montage NFS et que vous n'utilisez pas de carte réseau " +#~ "PCMCIA, vous devrez alors démarrer Openswan aprÚs les services NFS afin " +#~ "que tous les fichiers nécessaires soient disponibles. Dans ce cas, " +#~ "choisissez « AprÚs NFS ». Veuillez noter que le montage NFS de /usr " +#~ "n'est alors pas sécurisé par IPSec." + +#~ msgid "" +#~ "If you use a PCMCIA network card for your IPSec connections, then you " +#~ "only have to choose to start it after the PCMCIA services. Answer \"after " +#~ "PCMCIA\" in this case. This is also the correct answer if you want to " +#~ "fetch keys from a locally running DNS server with DNSSec support." +#~ msgstr "" +#~ "Si vous utilisez une carte PCMCIA pour vos connexions IPSec, votre seul " +#~ "choix possible est le démarrage aprÚs les services PCMCIA. Choisissez " +#~ "alors « AprÚs PCMCIA ». Faites également ce choix si vous souhaitez " +#~ "récupérer les clés d'authentification sur un serveur DNS reconnaissant " +#~ "DNSSec." + +#, fuzzy +#~| msgid "At which level do you wish to start Openswan?" +#~ msgid "Please select the level at which you wish to start Openswan:" +#~ msgstr "Étape de lancement d'Openswan :" + +#, fuzzy +#~| msgid "Which type of RSA keypair do you want to create?" +#~ msgid "Please select which type of RSA keypair you want to create:" +#~ msgstr "Type de paire de clés RSA àcréer :" + +#~ msgid "Do you wish to enable opportunistic encryption in Openswan?" +#~ msgstr "Souhaitez-vous activer le chiffrement opportuniste dans Openswan ?" + +#~ msgid "" +#~ "Openswan comes with support for opportunistic encryption (OE), which " +#~ "stores IPSec authentication information (i.e. RSA public keys) in " +#~ "(preferably secure) DNS records. Until this is widely deployed, " +#~ "activating it will cause a significant slow-down for every new, outgoing " +#~ "connection. 
Since version 2.0, Openswan upstream comes with OE enabled by " +#~ "default and is thus likely to break your existing connection to the " +#~ "Internet (i.e. your default route) as soon as pluto (the Openswan keying " +#~ "daemon) is started." +#~ msgstr "" +#~ "Openswan gÚre le chiffrement opportuniste (« opportunistic " +#~ "encryption » : OE) qui permet de conserver les informations " +#~ "d'authentification IPSec (c'est-à-dire les clés publiques RSA) dans des " +#~ "enregistrements DNS, de préférence sécurisés. Tant que cette " +#~ "fonctionnalité ne sera pas déployée largement, son activation " +#~ "provoquera un ralentissement significatif pour toute nouvelle connexion " +#~ "sortante. À partir de la version 2.0, cette fonctionnalité est activée " +#~ "par défaut dans Openswan, ce qui peut interrompre le fonctionnement de " +#~ "votre connexion àl'Internet (c'est-à-dire votre route par défaut) " +#~ "dÚs le démarrage de pluto, le démon de gestion de clés d'Openswan." + +#~ msgid "" +#~ "Please choose whether you want to enable support for OE. If unsure, do " +#~ "not enable it." +#~ msgstr "" +#~ "Veuillez choisir si vous souhaitez activer la gestion du chiffrement " +#~ "opportuniste. Ne l'activez pas si vous n'êtes pas certain d'en avoir " +#~ "besoin." diff --git a/debian/po/gl.po b/debian/po/gl.po new file mode 100644 index 000000000..e92bbd1ea --- /dev/null +++ b/debian/po/gl.po 
@@ -0,0 +1,668 @@
+# Copyright (C) 2009 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the strongswan package.
+#
+# marce villarino <mvillarino@users.sourceforge.net>, 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: templates_[kI6655]\n"
+"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
+"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"PO-Revision-Date: 2009-05-25 14:50+0100\n"
+"Last-Translator: marce villarino <mvillarino@users.sourceforge.net>\n"
+"Language-Team: Galician <proxecto@trasno.ent>\n"
+"Language: gl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Lokalize 0.2\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid "Old runlevel management superseded"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid "Restart strongSwan now?"
+msgstr "Desexa reiniciar strongSwan agora?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+#, fuzzy
+#| msgid ""
+#| "Restarting strongSwan is recommended, because if there is a security fix, "
+#| "it will not be applied until the daemon restarts. However, this might "
+#| "close existing connections and then bring them back up."
+msgid ""
+"Restarting strongSwan is recommended, since if there is a security fix, it "
+"will not be applied until the daemon restarts. Most people expect the daemon "
+"to restart, so this is generally a good idea. However, this might take down "
+"existing connections and then bring them back up, so if you are using such "
+"a strongSwan tunnel to connect for this update, restarting is not "
+"recommended."
+msgstr ""
+"Recoméndase reiniciar strongSwan porque se houbese algunha actualización de "
+"seguridade non se aplicará até que se reinicie o daemon. Porén, pode pechar "
+"as conexións existentes e logo volver a recuperalas."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid "Start strongSwan's IKEv1 daemon?"
+msgstr "Desexa iniciar o daemon IKEv1 de strongSwan?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid ""
+"The pluto daemon must be running to support version 1 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"O daemon pluto debe estar en execución para soportar a versión 1 do "
+"protocolo Internet Key Exchange."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid "Start strongSwan's IKEv2 daemon?"
+msgstr "Desexa iniciar o IKEv2 de strongSwan?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid ""
+"The charon daemon must be running to support version 2 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"O daemon charon debe estar en execución para soportar a versión 2 do "
+"protocolo Internet Key Exchange."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+#, fuzzy
+#| msgid "Use an existing X.509 certificate for strongSwan?"
+msgid "Use an X.509 certificate for this host?"
+msgstr "Desexa empregar un certificado X.509 xa existente para strongSwan?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"An X.509 certificate for this host can be automatically created or imported. "
+"It can be used to authenticate IPsec connections to other hosts and is the "
+"preferred way of building up secure IPsec connections. The other possibility "
+"would be to use shared secrets (passwords that are the same on both sides of "
+"the tunnel) for authenticating a connection, but for a larger number of "
+"connections, key based authentication is easier to administer and more "
+"secure."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"Alternatively you can reject this option and later use the command \"dpkg-"
+"reconfigure strongswan\" to come back."
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "create"
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "import"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid "Methods for using a X.509 certificate to authenticate this host:"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"It is possible to create a new X.509 certificate with user-defined settings "
+"or to import an existing public and private key stored in PEM file(s) for "
+"authenticating IPsec connections."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+
+#. 
Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +#, fuzzy +#| msgid "File name of your X.509 certificate in PEM format:" +msgid "File name of your PEM format X.509 certificate:" +msgstr "Nome do ficheiro do certificado X.509 en formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +#, fuzzy +#| msgid "" +#| "Please enter the full location of the file containing your X.509 " +#| "certificate in PEM format." +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Indique a rota completa ao ficheiro que contén o certificado X.509 en " +"formato PEM." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +#, fuzzy +#| msgid "File name of your existing X.509 private key in PEM format:" +msgid "File name of your PEM format X.509 private key:" +msgstr "Nome do ficheiro coa chave privada X.509 en formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +#, fuzzy +#| msgid "" +#| "Please enter the full location of the file containing the private RSA key " +#| "matching your X.509 certificate in PEM format. This can be the same file " +#| "as the X.509 certificate." +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. 
This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Indique a rota completa ao ficheiro que contén a chave privada RSA que se " +"corresponde do certificado X.509 en formato PEM. Este pode ser o mesmo " +"ficheiro que o do certificado X.509." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +#, fuzzy +#| msgid "File name of your X.509 certificate in PEM format:" +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Nome do ficheiro do certificado X.509 en formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +#, fuzzy +#| msgid "Create a self-signed X.509 certificate?" +msgid "Create a self-signed X.509 certificate?" +msgstr "Desexa crear un certificado X.509 autoasinado?" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +#, fuzzy +#| msgid "" +#| "If you do not accept this option, only the RSA private key will be " +#| "created, along with a certificate request which you will need to have " +#| "signed by a certificate authority." +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Se non acepta esta opción só se creará a chave privada RSA, xunto cun pedido " +"de certificado que precisará que lle asine unha autoridade de certificación." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +#, fuzzy +#| msgid "Country code for the X.509 certificate request:" +msgid "Country code for the X.509 certificate request:" +msgstr "Código de paÃs para o pedido do certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +#, fuzzy +#| msgid "State or province name for the X.509 certificate request:" +msgid "State or province name for the X.509 certificate request:" +msgstr "Nome do estado ou provincia para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +#, fuzzy +#| msgid "" +#| "Please enter the full name of the state or province to include in the " +#| "certificate request." +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Indique o nome completo do estado ou provincia a incluÃr no pedido de " +"certificado." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +#, fuzzy +#| msgid "Locality name for the X.509 certificate request:" +msgid "Locality name for the X.509 certificate request:" +msgstr "Nome de localidade para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +#, fuzzy +#| msgid "Organization name for the X.509 certificate request:" +msgid "Organization name for the X.509 certificate request:" +msgstr "Nome da organización para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:17001 +#, fuzzy +#| msgid "Organizational unit for the X.509 certificate request:" +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Unidade organizacional para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +#, fuzzy +#| msgid "Organizational unit for the X.509 certificate request:" +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "Unidade organizacional para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +#, fuzzy +#| msgid "Common name for the X.509 certificate request:" +msgid "Common Name for the X.509 certificate request:" +msgstr "Nome común para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +#, fuzzy +#| msgid "Email address for the X.509 certificate request:" +msgid "Email address for the X.509 certificate request:" +msgstr "Enderezo de correo electrónico para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +#, fuzzy +#| msgid "" +#| "Please enter the email address (for the individual or organization " +#| "responsible) that should be used in the certificate request." +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Indique o enderezo de correo electrónico (do individuo ou do responsábel da " +"organización) que se debe empregar no pedido de certificado." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Desexa activar a cifraxe oportunista?" 
+ +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Esta versión de strongSwan soporta a cifraxe oportunista (OE) que garda a " +"información de autenticación de IPSec en rexistros de DNS. Até que estea " +"amplamente utilizado activalo provocará un retardo significativo en cada " +"nova conexión saÃnte." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Só deberÃa activar a cifraxe oportunista se está certo de que a desexa. Pode " +"estragar a conexión a Internet (a rota por omisión) segundo se inicie o " +"daemon pluto." + +#, fuzzy +#~| msgid "When to start strongSwan:" +#~ msgid "Do you wish to restart strongSwan?" +#~ msgstr "Cando iniciar strongSwan:" + +#, fuzzy +#~| msgid "" +#~| "Please enter the full location of the file containing your X.509 " +#~| "certificate in PEM format." +#~ msgid "Please enter the location of your X509 certificate in PEM format:" +#~ msgstr "" +#~ "Indique a rota completa ao ficheiro que contén o certificado X.509 en " +#~ "formato PEM." + +#, fuzzy +#~| msgid "" +#~| "Please enter the full location of the file containing your X.509 " +#~| "certificate in PEM format." +#~ msgid "Please enter the location of your X509 private key in PEM format:" +#~ msgstr "" +#~ "Indique a rota completa ao ficheiro que contén o certificado X.509 en " +#~ "formato PEM." + +#, fuzzy +#~| msgid "" +#~| "Please enter the full location of the file containing your X.509 " +#~| "certificate in PEM format." 
+#~ msgid "You may now enter the location of your X509 RootCA in PEM format:" +#~ msgstr "" +#~ "Indique a rota completa ao ficheiro que contén o certificado X.509 en " +#~ "formato PEM." + +#, fuzzy +#~| msgid "" +#~| "Please enter the two-letter ISO3166 country code that should be used in " +#~| "the certificate request." +#~ msgid "" +#~ "Please enter the 2 letter country code for your country. This code will " +#~ "be placed in the certificate request." +#~ msgstr "" +#~ "Indique o código de paÃs ISO3166 de dúas letras que se debe empregar no " +#~ "pedido de certificado." + +#, fuzzy +#~| msgid "" +#~| "Please enter the locality name (often a city) that should be used in the " +#~| "certificate request." +#~ msgid "" +#~ "Please enter the locality (e.g. city) where you live. This name will be " +#~ "placed in the certificate request." +#~ msgstr "" +#~ "Indique o nome da localidade (xeralmente unha cidade) que se debe " +#~ "empregar no pedido de certificado." + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization name (often a company) that should be used " +#~| "in the certificate request." +#~ msgid "" +#~ "Please enter the organization (e.g. company) that the X509 certificate " +#~ "should be created for. This name will be placed in the certificate " +#~ "request." +#~ msgstr "" +#~ "Indique o nome da organización (xeralmente unha empresa) que se debe " +#~ "empregar no pedido de certificado." + +#, fuzzy +#~| msgid "" +#~| "Please enter the organizational unit name (often a department) that " +#~| "should be used in the certificate request." +#~ msgid "" +#~ "Please enter the organizational unit (e.g. section) that the X509 " +#~ "certificate should be created for. This name will be placed in the " +#~ "certificate request." +#~ msgstr "" +#~ "Indique o nome da unidade organizacional (xeralmente un departamento) que " +#~ "debe empregarse no pedido de certificado." 
+ +#, fuzzy +#~| msgid "" +#~| "Please enter the common name (such as the host name of this machine) " +#~| "that should be used in the certificate request." +#~ msgid "" +#~ "Please enter the common name (e.g. the host name of this machine) for " +#~ "which the X509 certificate should be created for. This name will be " +#~ "placed in the certificate request." +#~ msgstr "" +#~ "Indique o nome común (como o nome desta máquina) que se debe empregar no " +#~ "pedido de certificado." + +#~ msgid "earliest" +#~ msgstr "o primeiro" + +#~ msgid "after NFS" +#~ msgstr "despois do NFS" + +#~ msgid "after PCMCIA" +#~ msgstr "despois do PCMCIA" + +#~ msgid "" +#~ "StrongSwan starts during system startup so that it can protect " +#~ "filesystems that are automatically mounted." +#~ msgstr "" +#~ "StrongSwan iniciase durante o arrinque do sistema de maneira que poda " +#~ "protexer sistemas de ficheiros que se monten automaticamente." + +#~ msgid "" +#~ " * earliest: if /usr is not mounted through NFS and you don't use a\n" +#~ " PCMCIA network card, it is best to start strongSwan as soon as\n" +#~ " possible, so that NFS mounts can be secured by IPSec;\n" +#~ " * after NFS: recommended when /usr is mounted through NFS and no\n" +#~ " PCMCIA network card is used;\n" +#~ " * after PCMCIA: recommended if the IPSec connection uses a PCMCIA\n" +#~ " network card or if it needs keys to be fetched from a locally running " +#~ "DNS\n" +#~ " server with DNSSec support." 
+#~ msgstr "" +#~ " * o primeiro: se /usr non se monta mediante NFS e non se emprega unha\n" +#~ " tarxeta PCMCIA, é mellor iniciar strongSwan tan axiña como se poda,\n" +#~ " para que as montaxes NFS podan asegurarse mediante IPSec,\n" +#~ " * despois do NFS: recoméndase cando /usr se monte mediante NFS e non\n" +#~ " se empregue ningunha tarxeta PCMCIA,\n" +#~ " * despois do PCMCIA: recoméndase se a conexión IPSec emprega unha " +#~ "tarxeta\n" +#~ " de rede PCMCIA ou se fose preciso que as chaves se obteñan desde un\n" +#~ " servidor DNS a executarse localmente con soporte para DNSSec." + +#~ msgid "" +#~ "If you don't restart strongSwan now, you should do so manually at the " +#~ "first opportunity." +#~ msgstr "" +#~ "Se non reinicia agora strongSwan deberÃa facelo manualmente en canto poda." + +#~ msgid "Create an RSA public/private keypair for this host?" +#~ msgstr "" +#~ "Desexa crear un par de chaves pública/privada RSA para este servidor?" + +#~ msgid "" +#~ "StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to " +#~ "authenticate IPSec connections to other hosts. RSA authentication is " +#~ "generally considered more secure and is easier to administer. You can use " +#~ "PSK and RSA authentication simultaneously." +#~ msgstr "" +#~ "StrongSwan pode empregar unha chave precompartida (PSK) ou un par de " +#~ "chaves RSA para autenticar as conexións IPSec con outros servidores. A " +#~ "autenticación RSA xeralmente considérase máis segura e é máis fácil de " +#~ "administrar. Pode empregar as autenticacións PSK e RSA á vez." + +#~ msgid "" +#~ "If you do not want to create a new public/private keypair, you can choose " +#~ "to use an existing one in the next step." +#~ msgstr "" +#~ "Se son quer crear un novo par de chaves pública/privada, no seguinte paso " +#~ "pode escoller empregar unha xa existente." 
+ +#~ msgid "" +#~ "The required information can automatically be extracted from an existing " +#~ "X.509 certificate with a matching RSA private key. Both parts can be in " +#~ "one file, if it is in PEM format. You should choose this option if you " +#~ "have such an existing certificate and key file and want to use it for " +#~ "authenticating IPSec connections." +#~ msgstr "" +#~ "A información requirida pode extraerse automaticamente a partir dun " +#~ "certificado X.509 xa existente coa chave privada RSA que corresponda. " +#~ "Ambas as partes poden estar nun ficheiro se este está no formato PEM. " +#~ "Debe escoller esta opción se ten tal certificado e chave e quere " +#~ "empregalo para autenticar conexións IPSec." + +#~ msgid "RSA key length:" +#~ msgstr "Lonxitude da chave RSA:" + +#~ msgid "" +#~ "Please enter the length of RSA key you wish to generate. A value of less " +#~ "than 1024 bits is not considered secure. A value of more than 2048 bits " +#~ "will probably affect performance." +#~ msgstr "" +#~ "Indique a lonxitude da chave RSA que desexe xerar. Os valores menores de " +#~ "1024 bits non se consideran seguros, mentres que os maiores de 2048 bits " +#~ "posibelmente afecten ao rendemento." + +#~ msgid "" +#~ "Only self-signed X.509 certificates can be created automatically, because " +#~ "otherwise a certificate authority is needed to sign the certificate " +#~ "request." +#~ msgstr "" +#~ "Só se poden crear automaticamente certificados X.509 autoasinados, porque " +#~ "noutro caso é precisa unha autoridade de certificación para asinar o " +#~ "pedido de certificado." + +#~ msgid "" +#~ "If you accept this option, the certificate created can be used " +#~ "immediately to connect to other IPSec hosts that support authentication " +#~ "via an X.509 certificate. However, using strongSwan's PKI features " +#~ "requires a trust path to be created by having all X.509 certificates " +#~ "signed by a single authority." 
+#~ msgstr "" +#~ "Se acepta esta opción o certificado que se cree pode empregarse " +#~ "inmediatamente para conectarse con outros servidores IPSec que soporten a " +#~ "autenticación mediante un certificado X.509. Porén, par empregar as " +#~ "funcionalidades PKI de strongSwan requÃrese que se cree unha rota de " +#~ "confianza asinando todos os certificados X.509 por unha única autoridade." + +#~ msgid "" +#~ "This field is mandatory; otherwise a certificate cannot be generated." +#~ msgstr "" +#~ "Este campo é obrigatorio, caso contrario non se poderá xerar un " +#~ "certificado." diff --git a/debian/po/it.po b/debian/po/it.po new file mode 100644 index 000000000..e9f11d539 --- /dev/null +++ b/debian/po/it.po 
@@ -0,0 +1,476 @@
+# ITALIAN TRANSLATION OF STRONGSWAN'S PO-DEBCONF FILE.
+# COPYRIGHT (C) YEAR THE STRONGSWAN'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the strongswan package.
+#
+# Vincenzo Campanella <vinz65@gmail.com>, 2010.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: strongswan\n"
+"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
+"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"PO-Revision-Date: 2010-11-13 16:03+0100\n"
+"Last-Translator: Vincenzo Campanella <vinz65@gmail.com>\n"
+"Language-Team: Italian <tp@lists.linux.it>\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid "Old runlevel management superseded"
+msgstr "Vecchia gestione del runlevel sostituita"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+"Le versioni precedenti di strongSwan lasciavano la scelta fra tre diversi "
+"livelli di avvio/arresto. A seguito dei cambiamenti nella procedura standard "
+"di avvio, questo non è più necessario né utile. Per tutte le nuove "
+"installazioni e per quelle già esistenti che vengono eseguite in qualsiasi "
+"modalità predefinita vengono ora impostati dei livelli predefiniti "
+"ragionevoli. Se si sta aggiornando da una versione precedente e si sono "
+"modificati i parametri di strongSwan, consultare le NEWS.Debian su come "
+"modificare le impostazioni."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid "Restart strongSwan now?"
+msgstr "Riavviare strongSwan adesso?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid ""
+"Restarting strongSwan is recommended, since if there is a security fix, it "
+"will not be applied until the daemon restarts. Most people expect the daemon "
+"to restart, so this is generally a good idea. However, this might take down "
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
+msgstr ""
+"È raccomandato il riavvio di strongSwan, in quanto un'eventuale correzione "
+"di sicurezza non verrà applicata fino al riavvio del demone. La maggior "
+"parte degli utenti si attende che il demone si riavvii, per cui in genere è "
+"una buona scelta. Il riavvio potrebbe però interrompere e riavviare le "
+"connessioni esistenti, per cui se si sta utilizzando un tunnel strongSwan "
+"per l'aggiornamento il riavvio non è raccomandabile."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid "Start strongSwan's IKEv1 daemon?"
+msgstr "Avviare il demone di strongSwan IKEv1?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid ""
+"The pluto daemon must be running to support version 1 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Per il supporto alla versione 1 del protocollo IKE (Internet Key Exchange) è "
+"necessario che il demone pluto sia in esecuzione."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid "Start strongSwan's IKEv2 daemon?"
+msgstr "Avviare il demone di strongSwan IKEv2?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid ""
+"The charon daemon must be running to support version 2 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Per il supporto alla versione 2 del protocollo IKE (Internet Key Exchange) è "
+"necessario che il demone charon sia in esecuzione."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid "Use an X.509 certificate for this host?"
+msgstr "Utilizzare un certificato X.509 per questo host?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"An X.509 certificate for this host can be automatically created or imported. "
+"It can be used to authenticate IPsec connections to other hosts and is the "
+"preferred way of building up secure IPsec connections. The other possibility "
+"would be to use shared secrets (passwords that are the same on both sides of "
+"the tunnel) for authenticating a connection, but for a larger number of "
+"connections, key based authentication is easier to administer and more "
+"secure."
+msgstr ""
+"Per questo host è possibile la creazione o la creazione automatica di un "
+"certificato X.509 per l'autenticazione di connessioni IPsec ad altri host; è "
+"la modalità preferita per la creazione di connessioni IPsec sicure. L'altra "
+"possibilità è l'utilizzo di password segrete condivise e identiche fra le "
+"due estremità del tunnel, ma il funzionamento tramite chiavi è più agevole "
+"da amministrare e più sicuro per un elevato numero di connessioni."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"Alternatively you can reject this option and later use the command \"dpkg-"
+"reconfigure strongswan\" to come back."
+msgstr ""
+"In alternativa è possibile rifiutare questa opzione e ritornare sulla scelta "
+"in un secondo tempo, eseguendo «dpkg-reconfigure strongswan»."
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "create"
+msgstr "creare"
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "import"
+msgstr "importare"
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid "Methods for using a X.509 certificate to authenticate this host:"
+msgstr ""
+"Metodi per l'utilizzo di un certificato X.509 per autenticare questo host:"
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"It is possible to create a new X.509 certificate with user-defined settings "
+"or to import an existing public and private key stored in PEM file(s) for "
+"authenticating IPsec connections."
+msgstr ""
+"È possibile creare un nuovo certificato X.509 con impostazioni definite "
+"dall'utente, oppure importare una chiave esistente pubblica e privata "
+"memorizzata in file PEM per l'autenticazione di connessioni IPsec."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+"Se si sceglie di creare un nuovo certificato X.509 verranno poste alcune "
+"domande cui è necessario rispondere prima che la creazione venga avviata. È "
+"da ricordare che, se si desidera che la chiave pubblica venga firmata da "
+"un'autorità di certificazione (CA) esistente, non si dovrebbe creare un "
+"certificato auto-firmato e inoltre tutte le risposte fornite devono "
+"adempiere esattamente i requisiti della CA, in quanto altrimenti la "
+"richiesta di certificato potrebbe essere rifiutata."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr ""
+"Se si desidera importare una chiave esistente pubblica e privata verrà "
+"richiesto il loro nome file, che può essere identico se entrambe le parti "
+"sono memorizzate insieme in un solo file. Opzionalmente si può specificare "
+"un nome file in cui vengono mantenute le chiavi pubbliche dell'autorità di "
+"certificazione, ma in questo caso il file non può essere il medesimo dei "
+"precedenti. Si presti attenzione anche al fatto che il formato dei "
+"certificati X.509 deve essere PEM e che la chiave privata non deve essere "
+"cifrata, altrimenti la procedura d'importazione fallirà ."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid "File name of your PEM format X.509 certificate:"
+msgstr "Nome file del proprio certificato X.509 formato PEM:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid ""
+"Please enter the location of the file containing your X.509 certificate in "
+"PEM format."
+msgstr ""
+"Inserire la posizione del file che contiene il proprio certificato X.509 in "
+"formato PEM."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+msgid "File name of your PEM format X.509 private key:"
+msgstr "Nome file della propria chiave privata X.509 formato PEM:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+msgid ""
+"Please enter the location of the file containing the private RSA key "
+"matching your X.509 certificate in PEM format. This can be the same file "
+"that contains the X.509 certificate."
+msgstr ""
+"Inserire la posizione del file che contiene la chiave privata RSA "
+"corrispondente al proprio certificato X.509 in formato PEM. Può essere il "
+"medesimo file che contiene il certificato X.509."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid "File name of your PEM format X.509 RootCA:"
+msgstr "Nome file del proprio RootCA X.509 formato PEM:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid ""
+"Optionally you can now enter the location of the file containing the X.509 "
+"Certificate Authority root used to sign your certificate in PEM format. If "
+"you do not have one or do not want to use it please leave the field empty. "
+"Please note that it's not possible to store the RootCA in the same file as "
+"your X.509 certificate or private key."
+msgstr ""
+"Opzionalmente è possibile inserire la posizione del file che contiene "
+"l'autorità di certificazione root (RootCA) utilizzata per la firma del "
+"proprio certificato in formato PEM. Se non se ne possiede uno o non si "
+"desidera utilizzarlo lasciare il campo vuoto. Notare che non è possibile "
+"memorizzare il RootCA nello stesso file del proprio certificato o chiave "
+"privata X.509."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid "Please enter which length the created RSA key should have:"
+msgstr "Inserire la lunghezza che la chiave RSA creata dovrà avere:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid ""
+"Please enter the length of the created RSA key. It should not be less than "
+"1024 bits because this should be considered unsecure and you will probably "
+"not need anything more than 4096 bits because it only slows the "
+"authentication process down and is not needed at the moment."
+msgstr ""
+"Inserire la lunghezza della chiave RSA creata. Non dovrebbe essere minore di "
+"1024 bit, in quanto altrimenti potrebbe essere considerata insicura, né "
+"superiore a 4096 bit, in quanto altrimenti rallenterebbe il processo di "
+"autenticazione e al momento attuale non è una misura necessaria."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid "Create a self-signed X.509 certificate?"
+msgstr "Creare un certificato X.509 auto-firmato?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"Only self-signed X.509 certificates can be created automatically, because "
+"otherwise a Certificate Authority is needed to sign the certificate request. "
+"If you choose to create a self-signed certificate, you can use it "
+"immediately to connect to other IPsec hosts that support X.509 certificate "
+"for authentication of IPsec connections. However, using strongSwan's PKI "
+"features requires all certificates to be signed by a single Certificate "
+"Authority to create a trust path."
+msgstr ""
+"È possibile creare automaticamente solo certificati X.509 auto-firmati, in "
+"quanto altrimenti è necessario l'intervento di un'autorità di certificazione "
+"per firmare la richiesta di certificato. Se si sceglie di creare un "
+"certificato auto-firmato è possibile utilizzarlo immediatamente per "
+"collegarsi ad altri host IPsec che supportano il certificato X.509 per "
+"l'autenticazione di connessioni IPsec. L'utilizzo delle funzionalità PKI di "
+"strongSwan richiede però che tutti i certificati vengano firmati da una "
+"singola autorità di certificazione per creare un percorso fidato."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"If you do not choose to create a self-signed certificate, only the RSA "
+"private key and the certificate request will be created, and you will have "
+"to sign the certificate request with your Certificate Authority."
+msgstr ""
+"Se non si sceglie di creare un certificato auto-firmato verranno creati solo "
+"la chiave privata RSA e la richiesta di certificato che andrà poi firmata "
+"con l'autorità di certificazione scelta."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid "Country code for the X.509 certificate request:"
+msgstr "Codice paese per la richiesta di certificato X.509:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"Please enter the two-letter code for the country the server resides in (such "
+"as \"AT\" for Austria)."
+msgstr ""
+"Inserire il codice a due lettere corrispondente al paese in cui il server "
+"risiede (per esempio, «IT» per l'Italia)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"OpenSSL will refuse to generate a certificate unless this is a valid "
+"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
+"certificate, but not here."
+msgstr ""
+"OpenSSL rifiuterà di generare un certificato se il codice paese non è valido "
+"e conforme a ISO-3166. È permesso un campo vuoto altrove nel certificato "
+"X.509, ma non in questo campo."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+msgid "State or province name for the X.509 certificate request:"
+msgstr ""
+"Nome dello stato o della provincia per la richiesta di certificato X.509:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+msgid ""
+"Please enter the full name of the state or province the server resides in "
+"(such as \"Upper Austria\")."
+msgstr ""
+"Inserire il nome completo dello stato o della provincia il in cui il server "
+"risiede (per esempio, «Milano»)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+msgid "Locality name for the X.509 certificate request:"
+msgstr "Nome della località per la richiesta di certificato X.509:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+msgid ""
+"Please enter the locality the server resides in (often a city, such as "
+"\"Vienna\")."
+msgstr ""
+"Inserire il nome della località in cui il server risiede (spesso una città , "
+"per esempio «Milano»)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+msgid "Organization name for the X.509 certificate request:"
+msgstr "Nome dell'organizzazione per la richiesta di certificato X.509:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+msgid ""
+"Please enter the organization the server belongs to (such as \"Debian\")."
+msgstr ""
+"Inserire il nome dell'organizzazione cui il server appartiene (per esempio, "
+"«Debian»)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+msgid "Organizational unit for the X.509 certificate request:"
+msgstr "Unità organizzativa per la richiesta di certificato X.509:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+msgid ""
+"Please enter the organizational unit the server belongs to (such as "
+"\"security group\")."
+msgstr ""
+"Inserire l'unità organizzativa cui il server appartiene (per esempio, "
+"«gruppo sicurezza»)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+msgid "Common Name for the X.509 certificate request:"
+msgstr "Nome comune host per la richiesta di certificato X.509:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+msgid ""
+"Please enter the Common Name for this host (such as \"gateway.example.org\")."
+msgstr ""
+"Inserire il nome comune di questo host (per esempio, «gateway.esempio.it»)."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+msgid "Email address for the X.509 certificate request:"
+msgstr "Indirizzo e-mail per la richiesta di certificato X.509:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+msgid ""
+"Please enter the email address of the person or organization responsible for "
+"the X.509 certificate."
+msgstr ""
+"Inserire l'indirizzo di posta elettronica della persona o "
+"dell'organizzazione responsabile per il certificato X.509."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid "Enable opportunistic encryption?"
+msgstr "Abilitare la cifratura opportunistica?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"This version of strongSwan supports opportunistic encryption (OE), which "
+"stores IPSec authentication information in DNS records. Until this is widely "
+"deployed, activating it will cause a significant delay for every new "
+"outgoing connection."
+msgstr ""
+"Questa versione di strongSwan supporta la cifratura opportunistica (OE), la "
+"quale memorizza le informazioni di autenticazione IPsec in record DNS. "
+"Finché non sarà una soluzione largamente applicata, l'attivazione dell'OE "
+"causerà un ritardo significativo per ogni connessione in uscita."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"You should only enable opportunistic encryption if you are sure you want it. "
+"It may break the Internet connection (default route) as the pluto daemon "
+"starts."
+msgstr ""
+"Si dovrebbe abilitare l'OE solo se lo si desidera veramente. Potrebbe "
+"interrompere la connessione Internet (route predefinita) durante l'avvio del "
+"demone pluto."
diff --git a/debian/po/ja.po b/debian/po/ja.po
new file mode 100644
index 000000000..979b31dcc
--- /dev/null
+++ b/debian/po/ja.po
@@ -0,0 +1,621 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +# +msgid "" +msgstr "" +"Project-Id-Version: strongswan 4.4.1-4\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-16 14:23+0200\n" +"PO-Revision-Date: 2010-09-27 20:52+0900\n" +"Last-Translator: Hideki Yamane <henrich@debian.org>\n" +"Language-Team: Japanese <debian-japanese@lists.debian.org>\n" +"Language: ja\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "以å‰ã®ãƒ©ãƒ³ãƒ¬ãƒ™ãƒ«ç®¡ç†ã¯ä¸è¦ã«ãªã‚Šã¾ã—ãŸ" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." 
+msgstr "" +"strongSwan パッケージã®ä»¥å‰ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã§ã¯ã€3 ã¤ã®ç•°ãªã£ãŸ Start/Stop レベル" +"ã‹ã‚‰é¸ã¹ã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã—ãŸã€‚標準ã®ã‚·ã‚¹ãƒ†ãƒ èµ·å‹•æ‰‹é †ãŒå¤‰æ›´ã•ã‚ŒãŸã“ã¨ã«ã‚ˆã£" +"ã¦ã€ã“ã‚Œã¯ã‚‚ã†å¿…è¦ã§ã¯ãªããªã£ãŸã‚Šã‚ã‚‹ã„ã¯å½¹ç«‹ãŸãªããªã£ãŸã‚Šã—ã¦ã„ã¾ã™ã€‚ã“ã‚Œ" +"ã¾ã§äº‹å‰å®šç¾©ã•ã‚Œã¦ã„ãŸãƒ¢ãƒ¼ãƒ‰ã§å‹•ä½œã—ã¦ã„ãŸã®ã‚‚ã®ã¨åŒæ§˜ã«ã€æ–°è¦ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«" +"ã—ãŸã‚‚ã®ã¯é©åˆ‡ãªãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã®ãƒ¬ãƒ™ãƒ«ãŒè¨å®šã•ã‚Œã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚以å‰ã®ãƒãƒ¼" +"ジョンã‹ã‚‰ã®ã‚¢ãƒƒãƒ—グレード㧠strongSwan ã®èµ·å‹•ãƒ‘ラメータを変更ã—ã¦ã„ãŸå ´åˆ" +"ã¯ã€ã©ã®ã‚ˆã†ã«è¨å®šã‚’ä¿®æ£ã™ã‚‹ã‹ã¯ NEWS.Debian ã®æŒ‡ç¤ºã‚’å‚ç…§ã—ã¦ãã ã•ã„。" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "strongSwan を今ã™ãå†èµ·å‹•ã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such a " +"strongSwan tunnel to connect for this update, restarting is not recommended." +msgstr "" +"ã‚»ã‚ュリティ修æ£ãŒã‚ã£ãŸå ´åˆãªã©ã€ãƒ‡ãƒ¼ãƒ¢ãƒ³ãŒå†èµ·å‹•ã•ã‚Œã‚‹ã¾ã§ã¯ä¿®æ£ãŒåæ˜ ã•ã‚Œ" +"ãªã„ã®ã§ã€strongSwan ã®å†èµ·å‹•ã‚’ãŠå‹§ã‚ã—ã¾ã™ã€‚多ãã®äººã¯ãƒ‡ãƒ¼ãƒ¢ãƒ³ãŒå†èµ·å‹•ã™ã‚‹ã®" +"を予期ã—ã¦ã„ã¾ã™ã®ã§ã€ã“ã‚Œã¯å¤§æŠµã®å ´åˆå•é¡Œã‚ã‚Šã¾ã›ã‚“。ã—ã‹ã—ã€ã“ã®ä½œæ¥ã§ã¯ç¾" +"在ã®æŽ¥ç¶šãŒä¸€æ—¦åˆ‡æ–ã•ã‚Œã¦ã‹ã‚‰å†åº¦ç¹‹ãŽãªãŠã™ã“ã¨ã«ãªã‚‹ã®ã§ã€ä»Šå›žã®ã‚¢ãƒƒãƒ—デート" +"ã« strongSwan ã®ãƒˆãƒ³ãƒãƒ«ã‚’使ã£ã¦ã„るよã†ãªå ´åˆã¯ã€å†èµ·å‹•ã¯ãŠå‹§ã‚ã—ã¾ã›ã‚“。" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "strongSwan ã® IKEv1 デーモンを起動ã—ã¾ã™ã‹?" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"Internet Key Exchange プãƒãƒˆã‚³ãƒ«ãƒãƒ¼ã‚¸ãƒ§ãƒ³ 1 をサãƒãƒ¼ãƒˆã™ã‚‹ã«ã¯ pluto デーモ" +"ンãŒå®Ÿè¡Œã•ã‚Œã¦ã„ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "strongSwan ã® IKEv2 デーモンを起動ã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"Internet Key Exchange プãƒãƒˆã‚³ãƒ«ãƒãƒ¼ã‚¸ãƒ§ãƒ³ 2 をサãƒãƒ¼ãƒˆã™ã‚‹ã«ã¯ charon デーモ" +"ンãŒå®Ÿè¡Œã•ã‚Œã¦ã„ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "ã“ã®ãƒ›ã‚¹ãƒˆã«å¯¾ã—㦠X.509 証明書を利用ã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"ã“ã®ãƒ›ã‚¹ãƒˆç”¨ã« X.509 証明書を自動的ã«ç”Ÿæˆã‚ã‚‹ã„ã¯ã‚¤ãƒ³ãƒãƒ¼ãƒˆã§ãã¾ã™ã€‚ä»–ã®ãƒ›ã‚¹" +"トã¨ã® IPSec 通信ã§ã®èªè¨¼ã«åˆ©ç”¨å¯èƒ½ã§ã€ã‚»ã‚ュア㪠IPSec 通信を確立ã™ã‚‹æ–¹æ³•ã¨" +"ã—ã¦å¥½ã¾ã‚Œã¦ã„ã¾ã™ã€‚ä»–ã«åˆ©ç”¨å¯èƒ½ãªæ–¹æ³•ã¨ã—ã¦ã¯å…±é€šéµ (PSKã€ãƒˆãƒ³ãƒãƒ«ã®åŒæ–¹ã§åŒ" +"ã˜ãƒ‘スワードを利用ã™ã‚‹) を通信ã®èªè¨¼ã«åˆ©ç”¨ã™ã‚‹ã¨ã„ã†ã®ãŒã‚ã‚Šã¾ã™ãŒã€å¤šæ•°ã®æŽ¥" +"続ã«å¯¾ã—ã¦ã¯ RSA èªè¨¼ã®ã»ã†ãŒç®¡ç†ãŒã‚ˆã‚Šç°¡å˜ã§ã‚ˆã‚Šã‚»ã‚ュアã§ã™ã€‚" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"ã¾ãŸã¯ã€ã“ã®é¸æŠžè‚¢ã‚’é¸ã°ãªã„ã§ãŠã„ã¦ã€å¾Œã»ã©ã€Œdpkg-reconfigure strongswanã€ã‚’" +"実行ã—ã¦å†åº¦å‘¼ã³å‡ºã™ã“ã¨ã‚‚ã§ãã¾ã™ã€‚" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "作æˆã™ã‚‹" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "インãƒãƒ¼ãƒˆã™ã‚‹" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "ã“ã®ãƒ›ã‚¹ãƒˆã‚’èªè¨¼ã™ã‚‹ã®ã«åˆ©ç”¨ã™ã‚‹ X.509 証明書をã©ã†ã™ã‚‹ã‹:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"ユーザãŒå®šç¾©ã—ãŸè¨å®šã§æ–°è¦ã« X.509 証明書を作æˆã™ã‚‹ã“ã¨ã‚‚ã€IPsec 接続èªè¨¼ç”¨ã®" +"æ—¢å˜ã® PEM ファイル形å¼ã§ä¿å˜ã•ã‚Œã¦ã„る公開éµãŠã‚ˆã³ç§˜å¯†éµã‚’インãƒãƒ¼ãƒˆã™ã‚‹ã“ã¨" +"ã‚‚å¯èƒ½ã§ã™ã€‚" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." 
+msgstr "" +"æ–°è¦ã« X.509 証明書を作るã®ã‚’é¸æŠžã—ãŸå ´åˆã¯ã€ä½œæˆã‚’始ã‚ã‚‹å‰ã«ç”ãˆã‚‹å¿…è¦ãŒã‚ã‚‹" +"質å•ã‚’ã¾ãšå¤§é‡ã«å°‹ãられã¾ã™ã€‚æ—¢å˜ã®èªè¨¼å±€ã«ã‚ˆã£ã¦ç½²åã•ã‚ŒãŸå…¬é–‹éµãŒå¿…è¦ãªå ´" +"åˆã¯ã€è‡ªå·±ç½²åèªè¨¼ã‚’作æˆã™ã‚‹ã®ã‚’é¸ã‚“ã§ã¯ãªã‚‰ãšã€å›žç”ã¯ã™ã¹ã¦èªè¨¼å±€ (CA) ã®è¦" +"æ±‚é …ç›®ã«å®Œå…¨ã«ä¸€è‡´ã—ã¦ã„ã‚‹å¿…è¦ãŒã‚ã‚‹ã“ã¨ã«ç•™æ„ã—ã¦ãã ã•ã„。ãã†ã§ãªã„å ´åˆ" +"ã¯ã€è¨¼æ˜Žæ›¸è¦æ±‚ã¯æ‹’å¦ã•ã‚Œã‚‹ã“ã¨ã«ãªã‚‹ã§ã—ょã†ã€‚" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"æ—¢å˜ã®å…¬é–‹éµãŠã‚ˆã³ç§˜å¯†éµã‚’インãƒãƒ¼ãƒˆã—ãŸã„å ´åˆã¯ã€ãƒ•ã‚¡ã‚¤ãƒ«åã‚’å°‹ãられã¾ã™ " +"(両方ãŒä¸€ã¤ã®ãƒ•ã‚¡ã‚¤ãƒ«ã«ä¿å˜ã•ã‚Œã¦ã„ã‚‹å ´åˆã¯å…¨ãåŒã˜ã«ãªã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“)。ã©" +"ã“ã«èªè¨¼å±€ã®å…¬é–‹éµãŒä¿å˜ã•ã‚Œã¦ã„ã‚‹ã‹ã‚’指定ã™ã‚‹ã“ã¨ã‚‚ä»»æ„ã§å¯èƒ½ã§ã™ãŒã€ã“ã®" +"ファイルã¯å…ˆã»ã©ã®ã‚‚ã®ã¨åŒã˜ã«ã¯ã§ãã¾ã›ã‚“。X.509 証明書㯠PEM å½¢å¼ã§ã‚ã‚Šã€ç§˜" +"密éµã¯æš—å·åŒ–ã•ã‚Œã¦ã„ãªã„ã“ã¨ãŒå¿…è¦ãªã“ã¨ã«ã‚‚注æ„ãã ã•ã„。ã•ã‚‚ãªãã°ã‚¤ãƒ³ãƒãƒ¼" +"ト作æ¥ã¯å¤±æ•—ã—ã¾ã™ã€‚" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "PEM å½¢å¼ã® X.509 証明書ã®ãƒ•ã‚¡ã‚¤ãƒ«å:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "PEM å½¢å¼ã® X.509 証明書をå«ã‚“ã§ã„るファイルã®å ´æ‰€ã‚’入力ã—ã¦ãã ã•ã„。" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "PEM å½¢å¼ã® X.509 秘密éµã®ãƒ•ã‚¡ã‚¤ãƒ«å:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"PEM å½¢å¼ã® X.509 証明書ã«å¯¾å¿œã™ã‚‹ RSA 秘密éµã‚’å«ã‚€ãƒ•ã‚¡ã‚¤ãƒ«ã®å ´æ‰€ã‚’入力ã—ã¦ã" +"ã ã•ã„。ã“れ㯠X.509 証明書をå«ã‚“ã§ã„るファイルã¨åŒã˜ã§æ§‹ã„ã¾ã›ã‚“。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "PEM å½¢å¼ã® X.509 ルート CA ã®ãƒ•ã‚¡ã‚¤ãƒ«å:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"X.509 èªè¨¼å±€ã®ãƒ«ãƒ¼ãƒˆãŒè¨¼æ˜Žæ›¸ã«ç½²åã™ã‚‹ã®ã«ä½¿ã£ãŸ PEM å½¢å¼ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’å«ã‚“ã " +"ファイルã®å ´æ‰€ã‚’入力ã™ã‚‹ã“ã¨ã‚‚ä»»æ„ã§å¯èƒ½ã§ã™ã€‚ã“れをæŒã£ã¦ã„ãªã„ã€ã‚ã‚‹ã„ã¯åˆ©" +"用ã—ãŸããªã„ã¨ã„ã†å ´åˆã«ã¯ã“ã®æ¬„を空ã®ã¾ã¾ã«ã—ã¦ãŠã„ã¦ãã ã•ã„。ルート CA ã‚’ " +"X.509 証明書や秘密éµã¨åŒã˜ãƒ•ã‚¡ã‚¤ãƒ«ã«ä¿å˜ã™ã‚‹ã®ã¯ã§ããªã„ã“ã¨ã«ã”注æ„ãã ã•" +"ã„。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "作æˆã™ã‚‹ RSA éµã®éµé•·ã‚’入力ã—ã¦ãã ã•ã„:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. 
It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"生æˆã™ã‚‹ RSA éµã®é•·ã•ã‚’入力ã—ã¦ãã ã•ã„。安全ã®ãŸã‚ã€1024 ビット未満ã«ã™ã¹ã" +"ã§ã¯ã‚ã‚Šã¾ã›ã‚“。4096 ビットより大ããªã‚‚ã®ã«ã™ã‚‹å¿…è¦ã‚‚ãªã„ã§ã—ょã†ã€‚èªè¨¼ãƒ—ãƒã‚»" +"スãŒé…ããªã‚Šã¾ã™ã—ã€ç¾æ™‚点ã§ã¯ãŠãらãå¿…è¦ã‚ã‚Šã¾ã›ã‚“。" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "自己署å X.509 証明書を生æˆã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"証明書è¦æ±‚ã«ç½²åã™ã‚‹ãŸã‚ã«ã¯èªè¨¼å±€ãŒå¿…è¦ã¨ãªã‚‹ã®ã§ã€è‡ªå‹•çš„ã«è¡Œã†ã«ã¯è‡ªå·±ç½²å " +"X.509 証明書ã®ã¿ãŒç”ŸæˆãŒå¯èƒ½ã§ã™ã€‚自己署å証明書ã®ä½œæˆã‚’é¸ã‚“ã å ´åˆã¯ã€ã™ãã«" +"ã“れを利用ã—ã¦ã€IPSec 接続ã®èªè¨¼ã« X.509 証明書を利用ã—ã¦ã„ã‚‹ä»–ã® IPSec ホス" +"トã¸ã®æŽ¥ç¶šãŒå¯èƒ½ã«ãªã‚Šã¾ã™ã€‚ã—ã‹ã—ã€strongSwan ã® PKI 機能を使ã„ãŸã„å ´åˆã¯ã€" +"trust path を生æˆã™ã‚‹ãŸã‚ã«å˜ä¸€ã®èªè¨¼å±€ã«ã‚ˆã£ã¦ã™ã¹ã¦ã® X.509 証明書ã«ç½²åã—" +"ã¦ã‚‚らã†å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." 
+msgstr "" +"自己署å証明書を作æˆã—ãŸããªã„å ´åˆã€RSA 秘密éµã¨å¯¾å¿œã™ã‚‹è¨¼æ˜Žæ›¸è¦æ±‚ã®ã¿ãŒä½œæˆ" +"ã•ã‚Œã‚‹ã®ã§ã€èªè¨¼å±€ã«å¯¾ã—ã¦è¨¼æ˜Žæ›¸è¦æ±‚ã«ç½²åã‚’ã—ã¦ã‚‚らã†å¿…è¦ãŒç”Ÿã˜ã¾ã™ã€‚" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "X.509 証明書è¦æ±‚ã«è¨˜è¼‰ã™ã‚‹å›½ã‚³ãƒ¼ãƒ‰:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"サーãƒãŒå˜åœ¨ã™ã‚‹å ´æ‰€ã®äºŒæ–‡å—ã®å›½ã‚³ãƒ¼ãƒ‰ (例ãˆã°æ—¥æœ¬ã®å ´åˆã¯ã€ŒJPã€) を入力ã—ã¦" +"ãã ã•ã„。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"OpenSSL ã¯ã€æ£è¦ã® ISO-3166 国コードãŒç„¡ã„ã¨è¨¼æ˜Žæ›¸ã®ç”Ÿæˆã‚’æ‹’å¦ã—ã¾ã™ã€‚X.509 " +"証明書ã«ãŠã„ã¦ã€ä»–ã®ãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ã«ã¤ã„ã¦ã¯ç©ºã§ã‚‚構ã„ã¾ã›ã‚“ãŒã€ã“ã‚Œã«ã¤ã„ã¦ã¯è¨±" +"å¯ã•ã‚Œã¦ã„ã¾ã›ã‚“。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "X.509 証明書è¦æ±‚ã«è¨˜è¼‰ã™ã‚‹éƒ½é“府県å:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "サーãƒæ‰€åœ¨åœ°ã®éƒ½é“府県å (例:「Tokyoã€)を入力ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "X.509 証明書è¦æ±‚ã«è¨˜è¼‰ã™ã‚‹åœ°åŸŸå:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." 
+msgstr "サーãƒæ‰€åœ¨åœ° (大抵ã¯ã€ŒShinjukuã€ã®ã‚ˆã†ãªå¸‚区å)を入力ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "X.509 証明書è¦æ±‚ã«è¨˜è¼‰ã™ã‚‹çµ„ç¹”å:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "サーãƒãŒæ‰€å±žã™ã‚‹çµ„ç¹” (「Debianã€ãªã©) を入力ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "X.509 証明書è¦æ±‚ã«è¨˜è¼‰ã™ã‚‹éƒ¨ç½²å:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "サーãƒãŒæ‰€å±žã™ã‚‹éƒ¨ç½²å (「security groupã€ãªã©) を入力ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "X.509 証明書è¦æ±‚ã«è¨˜è¼‰ã™ã‚‹ã‚³ãƒ¢ãƒ³ãƒãƒ¼ãƒ :" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"ã“ã®ãƒ›ã‚¹ãƒˆç”¨ã® (「gateway.example.orgã€ã®ã‚ˆã†ãª) コモンãƒãƒ¼ãƒ を入力ã—ã¦ãã ã•" +"ã„。" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "X.509 証明書è¦æ±‚ã«è¨˜è¼‰ã™ã‚‹ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"X.509 証明書ã«ã¤ã„ã¦ã®å¯¾å¿œã‚’è¡Œã†ã€å€‹äººã‚ã‚‹ã„ã¯å›£ä½“ã®ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’入力ã—ã¦" +"ãã ã•ã„。" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "opportunistic encryption を有効ã«ã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"ã“ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã® strongSwan 㯠opportunistic encryption (OE) をサãƒãƒ¼ãƒˆã—ã¦ã„" +"ã¾ã™ã€‚OE 㯠IPSec èªè¨¼æƒ…å ±ã‚’ DNS レコードã«å«ã‚ãŸã‚‚ã®ã§ã™ã€‚ã“ã‚ŒãŒåºƒãé©ç”¨ã•ã‚Œ" +"るよã†ã«ãªã‚‹ã¾ã§ã¯ã€ã“れを有効ã«ã™ã‚‹ã¨å…¨ã¦ã®æ–°è¦ã®å¤–部接続ã«è‘—ã—ã„é…延を引ã" +"èµ·ã“ã—ã¾ã™ã€‚" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"opportunistic encryption を有効ã«ã™ã‚‹ã®ã¯ã€æœ¬å½“ã«åˆ©ç”¨ã—ãŸã„ã¨è€ƒãˆãŸæ™‚ã®ã¿ã«ã™" +"ã¹ãã§ã™ã€‚ã“ã®è¨å®šã¯ã€pluto デーモンã®èµ·å‹•ãªã©ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆæŽ¥ç¶š (デフォルト" +"ルート) を切æ–ã™ã‚‹å¯èƒ½æ€§ãŒã‚ã‚Šã¾ã™ã€‚" + +#~ msgid "" +#~ "Please enter the 2 letter country code for your country. This code will " +#~ "be placed in the certificate request." +#~ msgstr "" +#~ "ã‚ãªãŸã®å›½ã®å›½ã‚³ãƒ¼ãƒ‰ã‚’2æ–‡å—ã§å…¥åŠ›ã—ã¦ãã ã•ã„。ã“ã®ã‚³ãƒ¼ãƒ‰ã¯è¨¼æ˜Žæ›¸è¦æ±‚ã«è¨˜" +#~ "載ã•ã‚Œã¾ã™ã€‚" + +#~ msgid "Example: AT" +#~ msgstr "例: JP" + +#~ msgid "Example: Upper Austria" +#~ msgstr "例: Tokyo" + +#~ msgid "" +#~ "Please enter the locality (e.g. city) where you live. This name will be " +#~ "placed in the certificate request." 
+#~ msgstr "" +#~ "ã‚ãªãŸã®åœ¨ä½ã—ã¦ã„る地域ã®åå‰ (例: 市町æ‘å) を入力ã—ã¦ãã ã•ã„。ã“ã‚Œã¯è¨¼" +#~ "明書è¦æ±‚ã«è¨˜è¼‰ã•ã‚Œã¾ã™ã€‚" + +#~ msgid "Example: Vienna" +#~ msgstr "例: Shinjuku-ku" + +#~ msgid "Example: Debian" +#~ msgstr "例: Debian" + +#~ msgid "Example: security group" +#~ msgstr "例: security group" + +#~ msgid "" +#~ "Please enter the common name (e.g. the host name of this machine) for " +#~ "which the X509 certificate should be created for. This name will be " +#~ "placed in the certificate request." +#~ msgstr "" +#~ "X.509 証明書ã®ç”Ÿæˆå¯¾è±¡ã¨ãªã‚‹ã¹ãコモンãƒãƒ¼ãƒ (例: ã“ã®ãƒžã‚·ãƒ³ã®ãƒ›ã‚¹ãƒˆå) ã‚’" +#~ "入力ã—ã¦ãã ã•ã„。ã“ã‚Œã¯è¨¼æ˜Žæ›¸è¦æ±‚ã«è¨˜è¼‰ã•ã‚Œã¾ã™ã€‚" + +#~ msgid "Example: gateway.debian.org" +#~ msgstr "例: gateway.debian.org" + +#~ msgid "" +#~ "If you do not want to create a new public/private keypair, you can choose " +#~ "to use an existing one in the next step." +#~ msgstr "" +#~ "æ–°ãŸãªå…¬é–‹éµãƒ»ç§˜å¯†éµã®ã‚ーペアを生æˆã—ãŸããªã„å ´åˆã¯ã€æ¬¡ã®æ®µéšŽã§æ—¢å˜ã®ã‚ー" +#~ "ペアã®åˆ©ç”¨ã‚’é¸æŠžã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚" + +#~ msgid "" +#~ "The required information can automatically be extracted from an existing " +#~ "X.509 certificate with a matching RSA private key. Both parts can be in " +#~ "one file, if it is in PEM format. You should choose this option if you " +#~ "have such an existing certificate and key file and want to use it for " +#~ "authenticating IPSec connections." 
+#~ msgstr "" +#~ "è¦æ±‚æƒ…å ±ã¯ X.509 証明書ã‹ã‚‰ RSA 秘密éµã¨ç…§ã‚‰ã—åˆã‚ã›ã¦å¿…è¦ãªæƒ…å ±ã‚’è‡ªå‹•çš„ã«" +#~ "展開ã™ã‚‹äº‹ãŒå¯èƒ½ã§ã™ã€‚ PEM å½¢å¼ã®å ´åˆã€åŒæ–¹ã‚’一ã¤ã®ãƒ•ã‚¡ã‚¤ãƒ«ã«ã¾ã¨ã‚ã‚‹ã“ã¨" +#~ "ã‚‚å¯èƒ½ã§ã™ã€‚ãã®ã‚ˆã†ãªè¨¼æ˜Žæ›¸ã¨éµã®ãƒ•ã‚¡ã‚¤ãƒ«ãŒæ—¢ã«ã‚ã‚Šã€ã“れらを IPSec 通信" +#~ "ã§ã®èªè¨¼ã«ä½¿ç”¨ã—ãŸã„å ´åˆã¯ã“ã®ã‚ªãƒ—ションを有効ã«ã—ã¦ãã ã•ã„。" + +#~ msgid "earliest, \"after NFS\", \"after PCMCIA\"" +#~ msgstr "å¯èƒ½ãªé™ã‚Šæ—©ã, \"NFS 起動後\", \"PCMCIA 起動後\"" + +#~ msgid "" +#~ "There are three possibilities when strongSwan can start: before or after " +#~ "the NFS services and after the PCMCIA services. The correct answer " +#~ "depends on your specific setup." +#~ msgstr "" +#~ "strongSwan ã‚’èµ·å‹•ã•ã›ã‚‹ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã®é¸æŠžè‚¢ã¨ã—ã¦ã¯3ã¤ãŒè€ƒãˆã‚‰ã‚Œã¾ã™: NFS " +#~ "サービスã®é–‹å§‹å‰ãƒ»é–‹å§‹å¾Œãƒ»PCMCIA サービスã®é–‹å§‹å¾Œã€ã§ã™ã€‚æ£è§£ã¯ã‚ãªãŸã®è¨" +#~ "定次第ã§ã™ã€‚" + +#~ msgid "" +#~ "If you do not have your /usr tree mounted via NFS (either you only mount " +#~ "other, less vital trees via NFS or don't use NFS mounted trees at all) " +#~ "and don't use a PCMCIA network card, then it's best to start strongSwan " +#~ "at the earliest possible time, thus allowing the NFS mounts to be secured " +#~ "by IPSec. In this case (or if you don't understand or care about this " +#~ "issue), answer \"earliest\" to this question (the default)." 
+#~ msgstr "" +#~ "NFS 経由㧠/usr をマウントã›ãš (ä»–ã®ãƒ‘ーティションやã‚ã¾ã‚Šé‡è¦ã§ã¯ãªã„パー" +#~ "ティションを NFS 経由ã§ãƒžã‚¦ãƒ³ãƒˆã™ã‚‹ã‹ã€ã¾ãŸã¯ NFS マウントを全ã使ã‚ãª" +#~ "ã„)ã€åŠ ãˆã¦ PCMCIA ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚«ãƒ¼ãƒ‰ã‚’利用ã—ã¦ã„ãªã„å ´åˆã€å¯èƒ½ãªé™ã‚Šæ—©ã„" +#~ "タイミング㧠strongSwan ã‚’èµ·å‹•ã™ã‚‹ã®ãŒãƒ™ã‚¹ãƒˆã§ã™ã€‚ã“ã®è¨å®šã«ã‚ˆã£ã¦ã€NFS ã§" +#~ "ã®ãƒžã‚¦ãƒ³ãƒˆã¯ IPSec ã§ä¿è·ã•ã‚Œã¾ã™ã€‚ã“ã®å ´åˆ (ã¾ãŸã¯ã“ã®å•é¡Œã‚’ç†è§£ã—ã¦ã„ãª" +#~ "ã„ã‹ç‰¹ã«æ°—ã«ã—ãªã„å ´åˆ) ã€\"å¯èƒ½ãªé™ã‚Šæ—©ã\"ã¨è³ªå•ã«ç”ãˆã¦ãã ã•ã„ (標準è¨" +#~ "定ã§ã™) 。" + +#~ msgid "" +#~ "If you have your /usr tree mounted via NFS and don't use a PCMCIA network " +#~ "card, then you will need to start strongSwan after NFS so that all " +#~ "necessary files are available. In this case, answer \"after NFS\" to this " +#~ "question. Please note that the NFS mount of /usr can not be secured by " +#~ "IPSec in this case." +#~ msgstr "" +#~ "NFS 経由㧠/usr をマウントã—ã¦ã„㦠PCMCIA ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚«ãƒ¼ãƒ‰ã‚’使用ã—ã¦ã„ãª" +#~ "ã„å ´åˆã¯ã€å¿…è¦ãªãƒ•ã‚¡ã‚¤ãƒ«ã‚’利用å¯èƒ½ã«ã™ã‚‹ãŸã‚ã« strongSwan ã‚’ NFS ã®å¾Œã§èµ·" +#~ "å‹•ã—ãªã‘ã‚Œã°ãªã‚Šã¾ã›ã‚“。ã“ã®å ´åˆã€\"NFS 起動後\" ã¨ç”ãˆã¦ãã ã•ã„。ã“ã®æ™‚" +#~ "ã« NFS 経由ã§ãƒžã‚¦ãƒ³ãƒˆã•ã‚Œã‚‹ /usr ã¯ã€IPSec ã«ã‚ˆã‚‹ã‚»ã‚ュアãªçŠ¶æ…‹ã«ã¯ãªã‚‰ãª" +#~ "ã„ã¨ã„ã†ã“ã¨ã«æ³¨æ„ã—ã¦ãã ã•ã„。" + +#~ msgid "" +#~ "If you use a PCMCIA network card for your IPSec connections, then you " +#~ "only have to choose to start it after the PCMCIA services. Answer \"after " +#~ "PCMCIA\" in this case. This is also the correct answer if you want to " +#~ "fetch keys from a locally running DNS server with DNSSec support." +#~ msgstr "" +#~ "IPSec 接続㫠PCMCIA ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚«ãƒ¼ãƒ‰ã‚’利用ã—ã¦ã„ãŸå ´åˆã€PCMCIA サービス" +#~ "ã®èµ·å‹•å¾Œã« strongSwan ã‚’èµ·å‹•ã™ã‚‹ä»¥å¤–ã«é¸æŠžã¯ã‚ã‚Šã¾ã›ã‚“。ã“ã®å ´" +#~ "åˆã€\"PCMCIA 起動後\" ã¨ç”ãˆã¦ãã ã•ã„。ãƒãƒ¼ã‚«ãƒ«ã§å‹•ä½œã—ã¦ã„ã‚‹ DNSSec 機能" +#~ "を使用ã—ã¦ã„ã‚‹ DNS サーãƒã‹ã‚‰éµã‚’å–å¾—ã—ãŸã„å ´åˆã§ã‚‚ã€ã“ã®ç”ãˆã‚’ã—ã¦ãã ã•" +#~ "ã„。" + +#~ msgid "Do you wish to support IKEv1?" 
+#~ msgstr "IKEv1 をサãƒãƒ¼ãƒˆã—ã¾ã™ã‹?" + +#~ msgid "" +#~ "strongSwan supports both versions of the Internet Key Exchange protocol, " +#~ "IKEv1 and IKEv2. Do you want to start the \"pluto\" daemon for IKEv1 " +#~ "support when strongSwan is started?" +#~ msgstr "" +#~ "strongSwan 㯠IKEv1 㨠IKEv2 ã®ä¸¡æ–¹ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆéµäº¤æ›ãƒ—ãƒãƒˆã‚³ãƒ«ã‚’サ" +#~ "ãƒãƒ¼ãƒˆã—ã¦ã„ã¾ã™ã€‚strongSwan ãŒèµ·å‹•ã™ã‚‹éš›ã€IKEv1 サãƒãƒ¼ãƒˆã®ãŸã‚ \"pluto\" " +#~ "デーモンを起動ã—ã¾ã™ã‹?" + +#~ msgid "Do you wish to support IKEv2?" +#~ msgstr "IKEv2 をサãƒãƒ¼ãƒˆã—ã¾ã™ã‹?" + +#~ msgid "" +#~ "strongSwan supports both versions of the Internet Key Exchange protocol, " +#~ "IKEv1 and IKEv2. Do you want to start the \"charon\" daemon for IKEv2 " +#~ "support when strongSwan is started?" +#~ msgstr "" +#~ "strongSwan 㯠IKEv1 㨠IKEv2 ã®ä¸¡æ–¹ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆéµäº¤æ›ãƒ—ãƒãƒˆã‚³ãƒ«ã‚’サ" +#~ "ãƒãƒ¼ãƒˆã—ã¦ã„ã¾ã™ã€‚strongSwan ãŒèµ·å‹•ã™ã‚‹éš›ã€IKEv2 サãƒãƒ¼ãƒˆã®ãŸã‚ \"pluto\" " +#~ "デーモンを起動ã—ã¾ã™ã‹?" + +#~ msgid "" +#~ "strongSwan comes with support for opportunistic encryption (OE), which " +#~ "stores IPSec authentication information (i.e. RSA public keys) in " +#~ "(preferably secure) DNS records. Until this is widely deployed, " +#~ "activating it will cause a significant slow-down for every new, outgoing " +#~ "connection. Since version 2.0, strongSwan upstream comes with OE enabled " +#~ "by default and is thus likely to break your existing connection to the " +#~ "Internet (i.e. your default route) as soon as pluto (the strongSwan " +#~ "keying daemon) is started." 
+#~ msgstr "" +#~ "strongSwan ã¯ã€IPSec èªè¨¼æƒ…å ± (例: RSA 公開éµ) ã‚’ (願ã‚ãã¯ã‚»ã‚ュアãª) " +#~ "DNS レコード内ã«ä¿å˜ã™ã‚‹ opportunistic encryption (OE) をサãƒãƒ¼ãƒˆã—ã¦ã„ã¾" +#~ "ã™ã€‚ã“ã‚Œã¯åºƒã利用ã•ã‚Œã‚‹ã‚ˆã†ã«ãªã‚‹ã¾ã§ã€æœ‰åŠ¹ã«ã™ã‚‹ã¨å¤–部ã¸ã®æ–°è¦æŽ¥ç¶šã¯å…¨ã¦" +#~ "æ ¼æ®µã«é…ããªã‚Šã¾ã™ã€‚ãƒãƒ¼ã‚¸ãƒ§ãƒ³ 2.0 より strongSwan ã®é–‹ç™ºå…ƒã¯ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§ " +#~ "OE を有効ã«ã—ã¦ã„ã¾ã™ã€‚ãã®ãŸã‚ pluto (strongSwan éµç½²åデーモン) ãŒé–‹å§‹ã™" +#~ "ã‚‹ã¨ã™ãã€æ—¢å˜ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆæŽ¥ç¶š (ã¤ã¾ã‚Šãƒ‡ãƒ•ã‚©ãƒ«ãƒˆãƒ«ãƒ¼ãƒˆ) ãŒä¸æ–ã•ã‚Œã‚‹ã‹" +#~ "ã‚‚ã—ã‚Œã¾ã›ã‚“。" + +#~ msgid "" +#~ "Please choose whether you want to enable support for OE. If unsure, do " +#~ "not enable it." +#~ msgstr "" +#~ "OE ã®ã‚µãƒãƒ¼ãƒˆã‚’有効ã«ã™ã‚‹ã‹ã©ã†ã‹ã‚’é¸ã‚“ã§ãã ã•ã„。よãã‚ã‹ã‚‰ãªã„å ´åˆã¯ã€" +#~ "有効ã«ã¯ã—ãªã„ã§ãã ã•ã„。" diff --git a/debian/po/nb.po b/debian/po/nb.po new file mode 100644 index 000000000..b00aa9f83 --- /dev/null +++ b/debian/po/nb.po 
@@ -0,0 +1,658 @@
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2009.
+msgid ""
+msgstr ""
+"Project-Id-Version: nb\n"
+"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
+"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"PO-Revision-Date: 2009-05-25 14:59+0100\n"
+"Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
+"Language-Team: Norwegian BokmÃ¥l <i18n-nb@lister.ping.uio.no>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Lokalize 0.3\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid "Old runlevel management superseded"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid "Restart strongSwan now?"
+msgstr "Start strongSwan pÃ¥ nytt nÃ¥"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+#, fuzzy
+#| msgid ""
+#| "Restarting strongSwan is recommended, because if there is a security fix, "
+#| "it will not be applied until the daemon restarts. However, this might "
+#| "close existing connections and then bring them back up."
+msgid ""
+"Restarting strongSwan is recommended, since if there is a security fix, it "
+"will not be applied until the daemon restarts. Most people expect the daemon "
+"to restart, so this is generally a good idea. However, this might take down "
+"existing connections and then bring them back up, so if you are using such "
+"a strongSwan tunnel to connect for this update, restarting is not "
+"recommended."
+msgstr ""
+"Det anbefales Ã¥ starte strongSwan pÃ¥ nytt nÃ¥, for om det var en "
+"sikkerhetsrettelse, sÃ¥ fÃ¥r den ikke effekt før daemonen startes pÃ¥ nytt. "
+"Imidlertid kan dette lukke eksisterende forbindelser og deretter koble dem "
+"opp igjen."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid "Start strongSwan's IKEv1 daemon?"
+msgstr "Skal strongSwans IKEv1-daemon startes?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid ""
+"The pluto daemon must be running to support version 1 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Pluto-daemonen mÃ¥ kjøre for Ã¥ kunne støtte versjon 1 av Internet Key "
+"Exchange-protokollen."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid "Start strongSwan's IKEv2 daemon?"
+msgstr "Skal strongSwans IKEv2-daemon startes?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid ""
+"The charon daemon must be running to support version 2 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Charon-daemonen mÃ¥ kjøre for Ã¥ kunne støtte versjon 2 av Internet Key "
+"Exchange-protokollen."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+#, fuzzy
+#| msgid "Use an existing X.509 certificate for strongSwan?"
+msgid "Use an X.509 certificate for this host?"
+msgstr "Skal et eksisterende X.509-sertifikat brukes for strongSwan?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"An X.509 certificate for this host can be automatically created or imported. "
+"It can be used to authenticate IPsec connections to other hosts and is the "
+"preferred way of building up secure IPsec connections. The other possibility "
+"would be to use shared secrets (passwords that are the same on both sides of "
+"the tunnel) for authenticating a connection, but for a larger number of "
+"connections, key based authentication is easier to administer and more "
+"secure."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"Alternatively you can reject this option and later use the command \"dpkg-"
+"reconfigure strongswan\" to come back."
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "create"
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "import"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid "Methods for using a X.509 certificate to authenticate this host:"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"It is possible to create a new X.509 certificate with user-defined settings "
+"or to import an existing public and private key stored in PEM file(s) for "
+"authenticating IPsec connections."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+#, fuzzy
+#| msgid "File name of your X.509 certificate in PEM format:"
+msgid "File name of your PEM format X.509 certificate:"
+msgstr "Filnavn for ditt X.509-sertifikat i PEM-format:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+#, fuzzy
+#| msgid ""
+#| "Please enter the full location of the file containing your X.509 "
+#| "certificate in PEM format."
+msgid ""
+"Please enter the location of the file containing your X.509 certificate in "
+"PEM format."
+msgstr ""
+"Oppgi full sti til fila som inneholder ditt X.509-sertifikat i PEM-format."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+#, fuzzy
+#| msgid "File name of your existing X.509 private key in PEM format:"
+msgid "File name of your PEM format X.509 private key:"
+msgstr "Filnavn for din eksisterende private X.509-nøkkel i PEM-format:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+#, fuzzy
+#| msgid ""
+#| "Please enter the full location of the file containing the private RSA key "
+#| "matching your X.509 certificate in PEM format. This can be the same file "
+#| "as the X.509 certificate."
+msgid ""
+"Please enter the location of the file containing the private RSA key "
+"matching your X.509 certificate in PEM format. This can be the same file "
+"that contains the X.509 certificate."
+msgstr ""
+"Oppgi full sti til fila som inneholder den private nøkkelen som tilsvarer "
+"ditt X.509-sertifikat i PEM-format. Dette kan være den samme fila som X.509-"
+"sertifikatet."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+#, fuzzy
+#| msgid "File name of your X.509 certificate in PEM format:"
+msgid "File name of your PEM format X.509 RootCA:"
+msgstr "Filnavn for ditt X.509-sertifikat i PEM-format:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid ""
+"Optionally you can now enter the location of the file containing the X.509 "
+"Certificate Authority root used to sign your certificate in PEM format. If "
+"you do not have one or do not want to use it please leave the field empty. "
+"Please note that it's not possible to store the RootCA in the same file as "
+"your X.509 certificate or private key."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid "Please enter which length the created RSA key should have:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid ""
+"Please enter the length of the created RSA key. It should not be less than "
+"1024 bits because this should be considered unsecure and you will probably "
+"not need anything more than 4096 bits because it only slows the "
+"authentication process down and is not needed at the moment."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+#, fuzzy
+#| msgid "Create a self-signed X.509 certificate?"
+msgid "Create a self-signed X.509 certificate?"
+msgstr "Skal det lages et selvsignert X.509-sertifikat?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"Only self-signed X.509 certificates can be created automatically, because "
+"otherwise a Certificate Authority is needed to sign the certificate request. "
+"If you choose to create a self-signed certificate, you can use it "
+"immediately to connect to other IPsec hosts that support X.509 certificate "
+"for authentication of IPsec connections. However, using strongSwan's PKI "
+"features requires all certificates to be signed by a single Certificate "
+"Authority to create a trust path."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+#, fuzzy
+#| msgid ""
+#| "If you do not accept this option, only the RSA private key will be "
+#| "created, along with a certificate request which you will need to have "
+#| "signed by a certificate authority."
+msgid ""
+"If you do not choose to create a self-signed certificate, only the RSA "
+"private key and the certificate request will be created, and you will have "
+"to sign the certificate request with your Certificate Authority."
+msgstr ""
+"Hvis du ikke godtar dette, sÃ¥ blir bare en privat RSA-nøkkel opprettet, "
+"sammen med en sertifikatsøknad som du mÃ¥ fÃ¥ en sertifikatutsteder til Ã¥ "
+"signere."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+#, fuzzy
+#| msgid "Country code for the X.509 certificate request:"
+msgid "Country code for the X.509 certificate request:"
+msgstr "Landskode for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"Please enter the two-letter code for the country the server resides in (such "
+"as \"AT\" for Austria)."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"OpenSSL will refuse to generate a certificate unless this is a valid "
+"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
+"certificate, but not here."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+#, fuzzy
+#| msgid "State or province name for the X.509 certificate request:"
+msgid "State or province name for the X.509 certificate request:"
+msgstr "Stat eller provinsnavn for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+#, fuzzy
+#| msgid ""
+#| "Please enter the full name of the state or province to include in the "
+#| "certificate request."
+msgid ""
+"Please enter the full name of the state or province the server resides in "
+"(such as \"Upper Austria\")."
+msgstr ""
+"Oppgi fullt navn pÃ¥ stat eller provins som skal tas med i sertifikatsøknaden."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+#, fuzzy
+#| msgid "Locality name for the X.509 certificate request:"
+msgid "Locality name for the X.509 certificate request:"
+msgstr "Stedsnavn for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+msgid ""
+"Please enter the locality the server resides in (often a city, such as "
+"\"Vienna\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+#, fuzzy
+#| msgid "Organization name for the X.509 certificate request:"
+msgid "Organization name for the X.509 certificate request:"
+msgstr "Organisasjonsnavn for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+msgid ""
+"Please enter the organization the server belongs to (such as \"Debian\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+#, fuzzy
+#| msgid "Organizational unit for the X.509 certificate request:"
+msgid "Organizational unit for the X.509 certificate request:"
+msgstr "Organisasjonsenhet for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+#, fuzzy
+#| msgid "Organizational unit for the X.509 certificate request:"
+msgid ""
+"Please enter the organizational unit the server belongs to (such as "
+"\"security group\")."
+msgstr "Organisasjonsenhet for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+#, fuzzy
+#| msgid "Common name for the X.509 certificate request:"
+msgid "Common Name for the X.509 certificate request:"
+msgstr "Vanlig navn for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+msgid ""
+"Please enter the Common Name for this host (such as \"gateway.example.org\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid "Email address for the X.509 certificate request:"
+msgid "Email address for the X.509 certificate request:"
+msgstr "E-postadresse for X.509-sertifikatsøknaden:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "Please enter the email address (for the individual or organization "
+#| "responsible) that should be used in the certificate request."
+msgid ""
+"Please enter the email address of the person or organization responsible for "
+"the X.509 certificate."
+msgstr ""
+"Oppgi e-postadressen (for ansvarlig person eller organisasjon) som skal "
+"brukes i sertifikatsøknaden."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid "Enable opportunistic encryption?"
+msgstr "SlÃ¥ pÃ¥ opportunistisk kryptering?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"This version of strongSwan supports opportunistic encryption (OE), which "
+"stores IPSec authentication information in DNS records. Until this is widely "
+"deployed, activating it will cause a significant delay for every new "
+"outgoing connection."
+msgstr ""
+"Denne versjonen av strongSwan støtter opportunistisk kryptering (OE), som "
+"lagrer autentiseringsinformasjon for IPSec i DNS-data. Inntil dette er tatt "
+"i vanlig bruk vil det gi en betydelig forsinkelse for hver ny utgÃ¥ende "
+"tilkobling hvis dette er aktivert."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"You should only enable opportunistic encryption if you are sure you want it. "
+"It may break the Internet connection (default route) as the pluto daemon "
+"starts."
+msgstr ""
+"Du bør bare slÃ¥ pÃ¥ opportunistisk kryptering hvis du er sikker pÃ¥ at du vil "
+"ha det. Det kan koble ut Internett-forbindelsen (standardruten) nÃ¥r pluto."
+"nissen starter."
+
+#, fuzzy
+#~| msgid "When to start strongSwan:"
+#~ msgid "Do you wish to restart strongSwan?"
+#~ msgstr "NÃ¥r strongSwan skal startes:"
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the full location of the file containing your X.509 "
+#~| "certificate in PEM format."
+#~ msgid "Please enter the location of your X509 certificate in PEM format:"
+#~ msgstr ""
+#~ "Oppgi full sti til fila som inneholder ditt X.509-sertifikat i PEM-format."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the full location of the file containing your X.509 "
+#~| "certificate in PEM format."
+#~ msgid "Please enter the location of your X509 private key in PEM format:"
+#~ msgstr ""
+#~ "Oppgi full sti til fila som inneholder ditt X.509-sertifikat i PEM-format."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the full location of the file containing your X.509 "
+#~| "certificate in PEM format."
+#~ msgid "You may now enter the location of your X509 RootCA in PEM format:"
+#~ msgstr ""
+#~ "Oppgi full sti til fila som inneholder ditt X.509-sertifikat i PEM-format."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the two-letter ISO3166 country code that should be used in "
+#~| "the certificate request."
+#~ msgid ""
+#~ "Please enter the 2 letter country code for your country. This code will "
+#~ "be placed in the certificate request."
+#~ msgstr ""
+#~ "Oppgi tobokstavers ISO3166 landskode som skal brukes i sertifikatsøknaden."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the locality name (often a city) that should be used in the "
+#~| "certificate request."
+#~ msgid ""
+#~ "Please enter the locality (e.g. city) where you live. This name will be "
+#~ "placed in the certificate request."
+#~ msgstr "Oppgi stedsnavn (ofte en by) som skal brukes i sertifikatsøknaden."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organization name (often a company) that should be used "
+#~| "in the certificate request."
+#~ msgid ""
+#~ "Please enter the organization (e.g. company) that the X509 certificate "
+#~ "should be created for. This name will be placed in the certificate "
+#~ "request."
+#~ msgstr ""
+#~ "Oppgi organisasjonsnavn (ofte et firma) som skal brukes i "
+#~ "sertifikatsøknaden."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organizational unit name (often a department) that "
+#~| "should be used in the certificate request."
+#~ msgid ""
+#~ "Please enter the organizational unit (e.g. section) that the X509 "
+#~ "certificate should be created for. This name will be placed in the "
+#~ "certificate request."
+#~ msgstr ""
+#~ "Oppgi organisasjonsenhet (ofte en avdeling som skal brukes i "
+#~ "sertifikatsøknaden."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the common name (such as the host name of this machine) "
+#~| "that should be used in the certificate request."
+#~ msgid ""
+#~ "Please enter the common name (e.g. the host name of this machine) for "
+#~ "which the X509 certificate should be created for. This name will be "
+#~ "placed in the certificate request."
+#~ msgstr ""
+#~ "Oppgi vanlig navn (slik som vertsnavnet pÃ¥ denne maskinen) som skal "
+#~ "brukes i sertifikatsøknaden."
+
+#~ msgid "earliest"
+#~ msgstr "tidligst"
+
+#~ msgid "after NFS"
+#~ msgstr "etter NFS"
+
+#~ msgid "after PCMCIA"
+#~ msgstr "etter PCMCIA"
+
+#~ msgid ""
+#~ "StrongSwan starts during system startup so that it can protect "
+#~ "filesystems that are automatically mounted."
+#~ msgstr ""
+#~ "StrongSwan starter under systemoppstart, slik at det kan beskytte "
+#~ "filsystemer som monteres automatisk."
+
+#~ msgid ""
+#~ " * earliest: if /usr is not mounted through NFS and you don't use a\n"
+#~ " PCMCIA network card, it is best to start strongSwan as soon as\n"
+#~ " possible, so that NFS mounts can be secured by IPSec;\n"
+#~ " * after NFS: recommended when /usr is mounted through NFS and no\n"
+#~ " PCMCIA network card is used;\n"
+#~ " * after PCMCIA: recommended if the IPSec connection uses a PCMCIA\n"
+#~ " network card or if it needs keys to be fetched from a locally running "
+#~ "DNS\n"
+#~ " server with DNSSec support."
+#~ msgstr ""
+#~ " * tidligst: hvis /usr ikke monteres via NFS og du ikke bruker et\n"
+#~ " PCMCIA nettverkskort, sÃ¥ er det best Ã¥ starte strongSwan\n"
+#~ " snarest mulig, slik at NFS-montering kan sikres med IPSec;\n"
+#~ " * etter NFS: anbefales nÃ¥r /usr monteres via NFS og det ikke\n"
+#~ " brukes noe PCMCIA nettverkskort.\n"
+#~ " * etter PCMCIA: anbefales hvis IPSec-tilkoblingen bruker et PCMCIA\n"
+#~ " nettverkskort eller om den trenger Ã¥ hente nøkler fra en lokal\n"
+#~ " DNS-tjener med DNSSec-støtte. "
+
+#~ msgid ""
+#~ "If you don't restart strongSwan now, you should do so manually at the "
+#~ "first opportunity."
+#~ msgstr ""
+#~ "Hvis du ikke gjør en omstart pÃ¥ strongSwan nÃ¥, sÃ¥ bør du gjøre det "
+#~ "manuelt ved første anledning."
+
+#~ msgid "Create an RSA public/private keypair for this host?"
+#~ msgstr "Skal det lages et offentlig/privat RSA-nøkkelpar for denne verten?"
+
+#~ msgid ""
+#~ "StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to "
+#~ "authenticate IPSec connections to other hosts. RSA authentication is "
+#~ "generally considered more secure and is easier to administer. You can use "
+#~ "PSK and RSA authentication simultaneously."
+#~ msgstr ""
+#~ "StrongSwan kan bruke en delt nøkkel (PSK) eller et RSA-nøkkelpar for Ã¥ "
+#~ "autentisere IPSec-forbindelser til andre verter. RSA-autentisering "
+#~ "betraktes for det meste som sikrere og lettere Ã¥ administrere. Du kan "
+#~ "bruke PSK og RSA-autentisering samtidig."
+
+#~ msgid ""
+#~ "If you do not want to create a new public/private keypair, you can choose "
+#~ "to use an existing one in the next step."
+#~ msgstr ""
+#~ "Hvis du ikke vil lage et nytt offentlig/privat nøkkelpar, sÃ¥ kan du velge "
+#~ "Ã¥ bruke et eksisterende nøkkelpar i neste steg."
+
+#~ msgid ""
+#~ "The required information can automatically be extracted from an existing "
+#~ "X.509 certificate with a matching RSA private key. Both parts can be in "
+#~ "one file, if it is in PEM format. You should choose this option if you "
+#~ "have such an existing certificate and key file and want to use it for "
+#~ "authenticating IPSec connections."
+#~ msgstr ""
+#~ "Den informasjonen som trengs kan hentes automatisk fra et eksisterende "
+#~ "X.509-sertifikat med tilhørende privat RSA-nøkkel. Begge deler kan være i "
+#~ "én fil, hvis den er i PEM-format. Du bør velge dette hvis du har et slikt "
+#~ "sertifikat og vil bruke det til Ã¥ autentisere IPSec-forbindelser."
+
+#~ msgid "RSA key length:"
+#~ msgstr "RSA nøkkellengde:"
+
+#~ msgid ""
+#~ "Please enter the length of RSA key you wish to generate. A value of less "
+#~ "than 1024 bits is not considered secure. A value of more than 2048 bits "
+#~ "will probably affect performance."
+#~ msgstr ""
+#~ "Oppgi lengde for RSA-nøkkelen du vil opprette. Kortere nøkler enn 1024 "
+#~ "bit betraktes ikke som sikre. En nøkkellengde pÃ¥ mer enn 2048 bit vil "
+#~ "antakelig gÃ¥ ut over ytelsen."
+
+#~ msgid ""
+#~ "Only self-signed X.509 certificates can be created automatically, because "
+#~ "otherwise a certificate authority is needed to sign the certificate "
+#~ "request."
+#~ msgstr ""
+#~ "Bare selvsignerte X.509-sertifikater kan lages automatisk, for ellers mÃ¥ "
+#~ "en sertifikatutsteder signere sertifikatsøknaden."
+
+#~ msgid ""
+#~ "If you accept this option, the certificate created can be used "
+#~ "immediately to connect to other IPSec hosts that support authentication "
+#~ "via an X.509 certificate. However, using strongSwan's PKI features "
+#~ "requires a trust path to be created by having all X.509 certificates "
+#~ "signed by a single authority."
+#~ msgstr ""
+#~ "Hvis du godtar dette, sÃ¥ kan det sertifikatet som lages bli brukt straks "
+#~ "til Ã¥ kople til andre IPSec-verter som støtter autentisering via et X.509-"
+#~ "sertifikat. Men om strongSwans PKI-del skal brukes, mÃ¥ det lages en "
+#~ "tillitskjede ved at alle X.509-sertifikatene signeres av en enkelt "
+#~ "utsteder."
+
+#~ msgid ""
+#~ "This field is mandatory; otherwise a certificate cannot be generated."
+#~ msgstr ""
+#~ "Dette feltet er obligatorisk, uten det kan det ikke lages et sertifikat."
diff --git a/debian/po/nl.po b/debian/po/nl.po
new file mode 100644
index 000000000..736f2c753
--- /dev/null
+++ b/debian/po/nl.po
@@ -0,0 +1,856 @@ +# translation of strongswan_2.7.3+dfsg-1_nl.po to Dutch +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +# Luk Claes <luk.claes@ugent.be>, 2005 +# Kurt De Bree <kdebree@telenet.be>, 2006. +# +msgid "" +msgstr "" +"Project-Id-Version: strongswan_2.7.3+dfsg-1_nl\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-09 12:15+0200\n" +"PO-Revision-Date: 2006-09-28 19:50+0200\n" +"Last-Translator: Kurt De Bree <kdebree@telenet.be>\n" +"Language-Team: Dutch <debian-l10n-dutch@lists.debian.org>\n" +"Language: nl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.9.1\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:3001 +#, fuzzy +#| msgid "When to start strongSwan:" +msgid "Restart strongSwan now?" +msgstr "Wanneer moet strongSwan herstarten:" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +#, fuzzy +#| msgid "" +#| "Restarting strongSwan is a good idea, since if there is a security fix, " +#| "it will not be fixed until the daemon restarts. Most people expect the " +#| "daemon to restart, so this is generally a good idea. However this might " +#| "take down existing connections and then bring them back up." +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such " +"a strongSwan tunnel to connect for this update, restarting is not " +"recommended." +msgstr "" +"strongSwan herstarten is een goed idee omdat als er een " +"veiligheidsherstelling is, het pas echt hersteld zal zijn vanaf dat de " +"achtergronddienst is herstart. De meeste mensen verwachten dat de " +"achtergronddienst herstart, dus dit is meestal een goed idee. Hoewel, dit " +"kan bestaande verbindingen verbreken en ze dan opnieuw herstellen." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +#, fuzzy +#| msgid "Do you have an existing X509 certificate file for strongSwan?" +msgid "Use an X.509 certificate for this host?" +msgstr "" +"Hebt u een bestaand X509-certificaatbestand dat u voor strongSwan wilt " +"gebruiken?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +#, fuzzy +#| msgid "" +#| "This installer can automatically create a RSA public/private keypair for " +#| "this host. This keypair can be used to authenticate IPSec connections to " +#| "other hosts and is the preferred way for building up secure IPSec " +#| "connections. The other possibility would be to use shared secrets " +#| "(passwords that are the same on both sides of the tunnel) for " +#| "authenticating an connection, but for a larger number of connections RSA " +#| "authentication is easier to administer and more secure." +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Deze installatie kan automatisch een publiek/privaat RSA-sleutelpaar " +"aanmaken voor deze host. Dit sleutelpaar kan worden gebruikt om IPSec-" +"verbinden naar andere hosts te authenticeren en is de aanbevolen manier om " +"veilige IPSec-verbindingen op te zetten. 
De andere mogelijkheid zou zijn om " +"gedeelde geheimen (wachtwoorden die aan beide kanten van de tunnel hetzelfde " +"zijn) te gebruiken voor het authenticeren van een verbinding, maar voor een " +"groter aantal verbindingen is RSA-authenticatie makkelijker te beheren en " +"veiliger." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). 
Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +#, fuzzy +#| msgid "File name of your X509 certificate in PEM format:" +msgid "File name of your PEM format X.509 certificate:" +msgstr "Bestandsnaam van uw X509-certificaat in PEM-formaat:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +#, fuzzy +#| msgid "" +#| "Please enter the full location of the file containing your X509 " +#| "certificate in PEM format." +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Geef de volledige locatie van het bestand dat uw X509-certificaat in PEM-" +"formaat bevat." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +#, fuzzy +#| msgid "File name of your X509 private key in PEM format:" +msgid "File name of your PEM format X.509 private key:" +msgstr "Bestandsnaam van uw private X509-sleutel in PEM-formaat:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +#, fuzzy +#| msgid "" +#| "Please enter the full location of the file containing the private RSA key " +#| "matching your X509 certificate in PEM format. This can be the same file " +#| "that contains the X509 certificate." +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Geef de volledige locatie van het bestand dat uw private RSA-sleutel bevat " +"die behoort bij uw X509-certificaat in PEM-formaat. 
Dit kan hetzelfde " +"bestand zijn als dat wat uw X509-certificaat bevat." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +#, fuzzy +#| msgid "File name of your X509 certificate in PEM format:" +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Bestandsnaam van uw X509-certificaat in PEM-formaat:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +#, fuzzy +#| msgid "The length of the created RSA key (in bits):" +msgid "Please enter which length the created RSA key should have:" +msgstr "Lengte van de aangemaakte RSA-sleutel (in bits):" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +#, fuzzy +#| msgid "" +#| "Please enter the length of the created RSA key. It should not be less " +#| "than 1024 bits because this should be considered unsecure and you will " +#| "probably not need anything more than 2048 bits because it only slows the " +#| "authentication process down and is not needed at the moment." +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Geef de lengte van de aangemaakte RSA-sleutel. 
Het mag niet minder dan 1024 " +"bits zijn omdat dit als onveilig wordt beschouwd en u zult waarschijnlijk " +"niet meer dan 2048 bits nodig hebben omdat het enkel het authenticatieproces " +"vertraagt en op dit moment niet nodig is." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +#, fuzzy +#| msgid "Do you want to create a self-signed X509 certificate?" +msgid "Create a self-signed X.509 certificate?" +msgstr "Wilt u een door uzelf getekend X509-certificaat aanmaken?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +#, fuzzy +#| msgid "" +#| "This installer can only create self-signed X509 certificates " +#| "automatically, because otherwise a certificate authority is needed to " +#| "sign the certificate request. If you want to create a self-signed " +#| "certificate, you can use it immediately to connect to other IPSec hosts " +#| "that support X509 certificate for authentication of IPSec connections. " +#| "However, if you want to use the new PKI features of strongSwan >= 1.91, " +#| "you will need to have all X509 certificates signed by a single " +#| "certificate authority to create a trust path." +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"Deze installatie kan enkel een door uzelf getekend X509-certificaat " +"automatischaanmaken omdat anders een certificaatautoriteit nodig is om de " +"certificaataanvraag te tekenen. 
Als u een door uzelf getekend certificaat " +"wilt aanmaken, dan kunt u het onmiddellijk gebruiken om een verbinding te " +"leggen met andere IPSec-hosts die X509-certificaten ondersteunen voor IPSec-" +"verbindingen. Hoewel, als u de nieuwe PKI-mogelijkheden wilt gebruiken van " +"strongSwan >= 1.91, dan zult u alle X509-certificaten moeten laten tekenen " +"door één enkele certificaatautoriteit om een vertrouwenspad aan te maken." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +#, fuzzy +#| msgid "" +#| "If you do not want to create a self-signed certificate, then this " +#| "installer will only create the RSA private key and the certificate " +#| "request and you will have to sign the certificate request with your " +#| "certificate authority." +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Als u geen door uzelf getekend certificaat wilt aanmaken, dan zal deze " +"installatie enkel de private RSA-sleutel en de certificaataanvraag aanmaken " +"en u zult de certificaataanvraag moeten laten tekenen door uw " +"certificaatautoriteit." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +#, fuzzy +#| msgid "Country code for the X509 certificate request:" +msgid "Country code for the X.509 certificate request:" +msgstr "Landcode van de X509-certificaataanvraag:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +#, fuzzy +#| msgid "" +#| "You really need to enter a valid country code here, because openssl will " +#| "refuse to generate certificates without one. 
An empty field is allowed " +#| "for any other field of the X.509 certificate, but not for this one." +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"U moet hier wel een geldige landcode opgeven omdat openssl anders zal " +"weigeren om een certificaat aan te maken. Er is voor elke veld van het X509-" +"certificaat een leeg veld toegestaan, maar niet voor dit veld." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +#, fuzzy +#| msgid "State or province name for the X509 certificate request:" +msgid "State or province name for the X.509 certificate request:" +msgstr "Staat of provincie voor de X509-certificaataanvraag:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +#, fuzzy +#| msgid "" +#| "Please enter the full name of the state or province you live in. This " +#| "name will be placed in the certificate request." +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Geef de volledige naam van de staat of provincie waarin u woont. Deze naam " +"zal in de certificaataanvraag worden geplaatst." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +#, fuzzy +#| msgid "Locality name for the X509 certificate request:" +msgid "Locality name for the X.509 certificate request:" +msgstr "Plaatsnaam voor de X509-certificaataanvraag:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:16001 +#, fuzzy +#| msgid "Organization name for the X509 certificate request:" +msgid "Organization name for the X.509 certificate request:" +msgstr "Naam van de organisatie voor de X509-certificaataanvraag:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +#, fuzzy +#| msgid "Organizational unit for the X509 certificate request:" +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Organisatie-eenheid voor de X509-certificaataanvraag:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +#, fuzzy +#| msgid "Organizational unit for the X509 certificate request:" +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "Organisatie-eenheid voor de X509-certificaataanvraag:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +#, fuzzy +#| msgid "Common name for the X509 certificate request:" +msgid "Common Name for the X.509 certificate request:" +msgstr "Naam voor de X509-certificaataanvraag:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +#, fuzzy +#| msgid "Email address for the X509 certificate request:" +msgid "Email address for the X.509 certificate request:" +msgstr "E-mailadres voor de X509-certificaataanvraag:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:19001 +#, fuzzy +#| msgid "" +#| "Please enter the email address of the person or organization who is " +#| "responsible for the X509 certificate, This address will be placed in the " +#| "certificate request." +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Geef het e-mailadres van de persoon of organisatie die verantwoordelijk is " +"voor het X509-certificaat. Dit adres zal in de certificaataanvraag worden " +"geplaatst." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +#, fuzzy +#| msgid "Do you wish to enable opportunistic encryption in strongSwan?" +msgid "Enable opportunistic encryption?" +msgstr "Wilt u opportunistische encryptie aanschakelen in strongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" + +#~ msgid "Do you wish to restart strongSwan?" +#~ msgstr "Wilt u strongSwan herstarten?" + +#, fuzzy +#~| msgid "" +#~| "Please enter the full location of the file containing your X509 " +#~| "certificate in PEM format." +#~ msgid "Please enter the location of your X509 certificate in PEM format:" +#~ msgstr "" +#~ "Geef de volledige locatie van het bestand dat uw X509-certificaat in PEM-" +#~ "formaat bevat." 
+ +#, fuzzy +#~| msgid "" +#~| "Please enter the full location of the file containing your X509 " +#~| "certificate in PEM format." +#~ msgid "Please enter the location of your X509 private key in PEM format:" +#~ msgstr "" +#~ "Geef de volledige locatie van het bestand dat uw X509-certificaat in PEM-" +#~ "formaat bevat." + +#, fuzzy +#~| msgid "" +#~| "Please enter the full location of the file containing your X509 " +#~| "certificate in PEM format." +#~ msgid "You may now enter the location of your X509 RootCA in PEM format:" +#~ msgstr "" +#~ "Geef de volledige locatie van het bestand dat uw X509-certificaat in PEM-" +#~ "formaat bevat." + +#, fuzzy +#~| msgid "" +#~| "Please enter the 2 letter country code for your country. This code will " +#~| "be placed in the certificate request." +#~ msgid "" +#~ "Please enter the 2 letter country code for your country. This code will " +#~ "be placed in the certificate request." +#~ msgstr "" +#~ "Geef de 2-letterige landcode voor uw land. Deze code zal in de " +#~ "certificaataanvraag worden geplaatst." + +#~ msgid "Example: AT" +#~ msgstr "Voorbeeld: BE" + +#~ msgid "Example: Upper Austria" +#~ msgstr "Voorbeeld: Limburg" + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization (e.g. company) that the X509 certificate " +#~| "should be created for. This name will be placed in the certificate " +#~| "request." +#~ msgid "" +#~ "Please enter the locality (e.g. city) where you live. This name will be " +#~ "placed in the certificate request." +#~ msgstr "" +#~ "Geef de organisatie (v.b. bedrijf) waarvoor het X509-certificaat wordt " +#~ "aangemaakt. Deze naam zal in de certicicaataanvraag worden geplaatst." + +#~ msgid "Example: Vienna" +#~ msgstr "Voorbeeld: Genk" + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization (e.g. company) that the X509 certificate " +#~| "should be created for. This name will be placed in the certificate " +#~| "request." +#~ msgid "" +#~ "Please enter the organization (e.g. 
company) that the X509 certificate " +#~ "should be created for. This name will be placed in the certificate " +#~ "request." +#~ msgstr "" +#~ "Geef de organisatie (v.b. bedrijf) waarvoor het X509-certificaat wordt " +#~ "aangemaakt. Deze naam zal in de certicicaataanvraag worden geplaatst." + +#~ msgid "Example: Debian" +#~ msgstr "Voorbeeld: Debian" + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization (e.g. company) that the X509 certificate " +#~| "should be created for. This name will be placed in the certificate " +#~| "request." +#~ msgid "" +#~ "Please enter the organizational unit (e.g. section) that the X509 " +#~ "certificate should be created for. This name will be placed in the " +#~ "certificate request." +#~ msgstr "" +#~ "Geef de organisatie (v.b. bedrijf) waarvoor het X509-certificaat wordt " +#~ "aangemaakt. Deze naam zal in de certicicaataanvraag worden geplaatst." + +#~ msgid "Example: security group" +#~ msgstr "Voorbeeld: dienst veiligheid" + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization (e.g. company) that the X509 certificate " +#~| "should be created for. This name will be placed in the certificate " +#~| "request." +#~ msgid "" +#~ "Please enter the common name (e.g. the host name of this machine) for " +#~ "which the X509 certificate should be created for. This name will be " +#~ "placed in the certificate request." +#~ msgstr "" +#~ "Geef de organisatie (v.b. bedrijf) waarvoor het X509-certificaat wordt " +#~ "aangemaakt. Deze naam zal in de certicicaataanvraag worden geplaatst." + +#~ msgid "Example: gateway.debian.org" +#~ msgstr "Voorbeeld: gateway.debian.org" + +#~ msgid "When to start strongSwan:" +#~ msgstr "Wanneer moet strongSwan herstarten:" + +#, fuzzy +#~| msgid "Do you want to create a RSA public/private keypair for this host?" +#~ msgid "Create an RSA public/private keypair for this host?" +#~ msgstr "Wilt u een publiek/privaat RSA-sleutelpaar aanmaken voor deze host?" 
+ +#, fuzzy +#~| msgid "" +#~| "If you do not want to create a new public/private keypair, you can " +#~| "choose to use an existing one." +#~ msgid "" +#~ "If you do not want to create a new public/private keypair, you can choose " +#~ "to use an existing one in the next step." +#~ msgstr "" +#~ "Indien u geen nieuw publiek/privaat sleutelpaar wenst aan te maken, kunt " +#~ "u een bestaand sleutelpaar kiezen." + +#, fuzzy +#~| msgid "" +#~| "This installer can automatically extract the needed information from an " +#~| "existing X509 certificate with a matching RSA private key. Both parts " +#~| "can be in one file, if it is in PEM format. If you have such an existing " +#~| "certificate and key file and want to use it for authenticating IPSec " +#~| "connections, then please answer yes." +#~ msgid "" +#~ "The required information can automatically be extracted from an existing " +#~ "X.509 certificate with a matching RSA private key. Both parts can be in " +#~ "one file, if it is in PEM format. You should choose this option if you " +#~ "have such an existing certificate and key file and want to use it for " +#~ "authenticating IPSec connections." +#~ msgstr "" +#~ "Deze installatie kan de benodigde informatie automatisch extraheren van " +#~ "een bestaand X509-certificaat met een bijhorende private RSA-sleutel. " +#~ "Beide delen kunnen in één bestand zijn, als het in PEM-formaat is. Hebt u " +#~ "zo'n bestaand certificaat en een sleutelbestand; en wilt u het voor de " +#~ "authenticatie van IPSec-verbindingen gebruiken, antwoord dan met 'ja'" + +#, fuzzy +#~| msgid "" +#~| "Please enter the locality (e.g. city) where you live. This name will be " +#~| "placed in the certificate request." +#~ msgid "" +#~ "Please enter the locality name (often a city) that should be used in the " +#~ "certificate request." +#~ msgstr "" +#~ "Geef de plaatsnaam (v.b. stad) waar u woont. Deze naam zal in de " +#~ "certificaataanvraag worden geplaatst." 
+ +#, fuzzy +#~| msgid "" +#~| "Please enter the organizational unit (e.g. section) that the X509 " +#~| "certificate should be created for. This name will be placed in the " +#~| "certificate request." +#~ msgid "" +#~ "Please enter the organization name (often a company) that should be used " +#~ "in the certificate request." +#~ msgstr "" +#~ "Geef de organisatie-eenheid (v.b. dienst) waarvoor het X509-certificaat " +#~ "wordt aangemaakt. Deze naam zal in de certificaataanvraag worden " +#~ "geplaatst." + +#, fuzzy +#~| msgid "" +#~| "Please enter the organizational unit (e.g. section) that the X509 " +#~| "certificate should be created for. This name will be placed in the " +#~| "certificate request." +#~ msgid "" +#~ "Please enter the organizational unit name (often a department) that " +#~ "should be used in the certificate request." +#~ msgstr "" +#~ "Geef de organisatie-eenheid (v.b. dienst) waarvoor het X509-certificaat " +#~ "wordt aangemaakt. Deze naam zal in de certificaataanvraag worden " +#~ "geplaatst." + +#, fuzzy +#~| msgid "" +#~| "Please enter the common name (e.g. the host name of this machine) for " +#~| "which the X509 certificate should be created for. This name will be " +#~| "placed in the certificate request." +#~ msgid "" +#~ "Please enter the common name (such as the host name of this machine) that " +#~ "should be used in the certificate request." +#~ msgstr "" +#~ "Geef de naam (v.b. computernaam van deze machine) waarvoor het X509-" +#~ "certificaat wordt aangemaakt. Deze naam zal in de certificaataanvraag " +#~ "worden geplaatst." + +#~ msgid "earliest, \"after NFS\", \"after PCMCIA\"" +#~ msgstr "\"zo vroeg mogelijk\", \"na NFS\", \"na PCMCIA\"" + +#~ msgid "" +#~ "There are three possibilities when strongSwan can start: before or after " +#~ "the NFS services and after the PCMCIA services. The correct answer " +#~ "depends on your specific setup." 
+#~ msgstr "" +#~ "Er zijn drie mogelijkheden wanneer stronSwan kan starten: vóór of na de " +#~ "NFS-diensten en na de PCMCIA-diensten. Het juiste antwoord is afhankelijk " +#~ "van uw specifieke installatie." + +#~ msgid "" +#~ "If you do not have your /usr tree mounted via NFS (either you only mount " +#~ "other, less vital trees via NFS or don't use NFS mounted trees at all) " +#~ "and don't use a PCMCIA network card, then it's best to start strongSwan " +#~ "at the earliest possible time, thus allowing the NFS mounts to be secured " +#~ "by IPSec. In this case (or if you don't understand or care about this " +#~ "issue), answer \"earliest\" to this question (the default)." +#~ msgstr "" +#~ "Als u uw /usr-boom niet via NFS heeft aangekoppeld (u koppelt enkel " +#~ "andere, minder vitale bomen via NFS of u gebruikt NFS helemaal niet om " +#~ "bomen aan te koppelen) en u gebruikt geen PCMCIA-netwerkkaart, dan is het " +#~ "best om strongSwan zo vroeg mogelijk te starten, dus toe te staan van de " +#~ "NFS-aankoppelingen te beveiligen door IPSec. In dit geval (of als u deze " +#~ "zaak niet verstaat of het u niet uitmaakt), antwoord dan \"zo vroeg " +#~ "mogelijk\" op deze vraag (de standaard)." + +#~ msgid "" +#~ "If you have your /usr tree mounted via NFS and don't use a PCMCIA network " +#~ "card, then you will need to start strongSwan after NFS so that all " +#~ "necessary files are available. In this case, answer \"after NFS\" to this " +#~ "question. Please note that the NFS mount of /usr can not be secured by " +#~ "IPSec in this case." +#~ msgstr "" +#~ "Als u uw /usr-boom via NFS heeft aangekoppeld en u gebruikt geen PCMCIA-" +#~ "netwerkkaart, dan zult u strongSwan moeten starten na NFS zodat alle " +#~ "nodige bestanden aanwezig zijn. In dit geval, antwoord \"na NFS\" op deze " +#~ "vraag. Merk op dat in dit geval de NFS-aankoppeling van /usr niet kan " +#~ "worden beveiligd door IPSec." 
+ +#~ msgid "" +#~ "If you use a PCMCIA network card for your IPSec connections, then you " +#~ "only have to choose to start it after the PCMCIA services. Answer \"after " +#~ "PCMCIA\" in this case. This is also the correct answer if you want to " +#~ "fetch keys from a locally running DNS server with DNSSec support." +#~ msgstr "" +#~ "Als u een PCMCIA-netwerkkaart gebruikt voor uw IPSec-verbindingen, dan " +#~ "hebt u enkel de keuze om te starten na de PCMCIA-diensten. Antwoord in " +#~ "dit geval \"na PCMCIA\". Dit is ook het correcte antwoord als u sleutels " +#~ "wilt afhalen van een lokaal draaiende DNS-server met DNSSec-ondersteuning." + +#, fuzzy +#~ msgid "Do you wish to support IKEv1?" +#~ msgstr "Wilt u strongSwan herstarten?" + +#, fuzzy +#~ msgid "Do you wish to support IKEv2?" +#~ msgstr "Wilt u strongSwan herstarten?" + +#~ msgid "" +#~ "strongSwan comes with support for opportunistic encryption (OE), which " +#~ "stores IPSec authentication information (i.e. RSA public keys) in " +#~ "(preferably secure) DNS records. Until this is widely deployed, " +#~ "activating it will cause a significant slow-down for every new, outgoing " +#~ "connection. Since version 2.0, strongSwan upstream comes with OE enabled " +#~ "by default and is thus likely to break your existing connection to the " +#~ "Internet (i.e. your default route) as soon as pluto (the strongSwan " +#~ "keying daemon) is started." +#~ msgstr "" +#~ "strongSwan heeft ondersteuning voor opportunistische encryptie (OE) die " +#~ "IPSec-authenticatie-informatie (v.b. publieke RSA-sleutels) bewaart in " +#~ "(liefst veilige) DNS-records. Totdat dit veelvuldig wordt toegepast zal " +#~ "dit activeren een significante vertraging veroorzaken voor elke nieuwe " +#~ "uitgaande verbinding. Omdat versie 2.0 va strongSwan standaard OE heeft " +#~ "aangeschakeld, wordt dus waarschijnlijk uw bestaande verbinding met het " +#~ "Internet (v.b. 
uw standaard route) verbroken vanaf dat pluto (de " +#~ "strongSwan-sleutelringachtergronddienst) wordt gestart." + +#~ msgid "" +#~ "Please choose whether you want to enable support for OE. If unsure, do " +#~ "not enable it." +#~ msgstr "" +#~ "Kiest of u OE-ondersteuning wilt aanschakelen. Indien onzeker, schakel " +#~ "het dan niet aan." + +#~ msgid "x509, plain" +#~ msgstr "x509, gewoon" + +#~ msgid "The type of RSA keypair to create:" +#~ msgstr "Aan te maken type RSA-sleutelpaar:" + +#~ msgid "" +#~ "It is possible to create a plain RSA public/private keypair for use with " +#~ "strongSwan or to create a X509 certificate file which contains the RSA " +#~ "public key and additionally stores the corresponding private key." +#~ msgstr "" +#~ "Het is mogelijk om een gewoon publiek/privaat RSA-sleutelpaar aan te " +#~ "maken om te gebruiken met strongSwan of om een X509-certificaatbestand " +#~ "aan te maken die de publieke RSA-sleutel bevat en de corresponderende " +#~ "private sleutel te bewaren." + +#~ msgid "" +#~ "If you only want to build up IPSec connections to hosts also running " +#~ "strongSwan, it might be a bit easier using plain RSA keypairs. But if you " +#~ "want to connect to other IPSec implementations, you will need a X509 " +#~ "certificate. It is also possible to create a X509 certificate here and " +#~ "extract the RSA public key in plain format if the other side runs " +#~ "strongSwan without X509 certificate support." +#~ msgstr "" +#~ "Als u enkel IPSec-verbindingen wilt opzetten naar hosts die ook " +#~ "strongSwan draaien, dan is het misschien een beetje gemakkelijker om " +#~ "gewone RSA-sleutelparen te gebruiken. Maar als u verbindingen wilt leggen " +#~ "met andere IPSec-implementaties, dan zult u een X509-certificaat nodig " +#~ "hebben. 
Het is ook mogelijk om hier een X509-certificaat aan te maken en " +#~ "de publieke RSA-sleutel te extraheren in een gewoon formaat als de andere " +#~ "kant strongSwan draait zonder X509-certificaatondersteuning." + +#~ msgid "" +#~ "Therefore a X509 certificate is recommended since it is more flexible and " +#~ "this installer should be able to hide the complex creation of the X509 " +#~ "certificate and its use in strongSwan anyway." +#~ msgstr "" +#~ "Daarom wordt een X509-certificaat aanbevolen omdat het flexibeler is en " +#~ "deze installatie moet de complexe creatie van een X509-certificaat kunnen " +#~ "verbergen en het toch in strongSwan kunnen gebruiken." diff --git a/debian/po/pt.po b/debian/po/pt.po new file mode 100644 index 000000000..7fd40d15c --- /dev/null +++ b/debian/po/pt.po 
@@ -0,0 +1,478 @@ +# translation of strongswan debconf to Portuguese +# Copyright (C) 2007 the strongswan's copyright holder +# This file is distributed under the same license as the strongswan package. +# +# LuÃsa Lourenço <kikentai@gmail.com>, 2007. +# Américo Monteiro <a_monteiro@netcabo.pt>, 2009, 2010. +msgid "" +msgstr "" +"Project-Id-Version: strongswan 4.4.0-1\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-09 12:15+0200\n" +"PO-Revision-Date: 2010-06-26 18:47+0100\n" +"Last-Translator: Américo Monteiro <a_monteiro@netcabo.pt>\n" +"Language-Team: Portuguese <traduz@debianpt.org>\n" +"Language: pt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Lokalize 1.0\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Antiga gestão de Runlevels substituÃda." + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"Versões anteriores do pacote strongSwan deram uma hipótese entre três NÃveis-" +"Arranque/Paragem diferentes. Devido a alterações no procedimento standard de " +"arranque do sistema, isto não é mais necessário ou útil. 
Para todas as novas " +"instalação assim como para as antigas que correm em qualquer dos modos " +"predefinidos, serão agora definidos nÃveis sãos predefinidos. Se você está a " +"actualizar uma versão anterior e alterou os seus parâmetros de arranque do " +"strongSwan, então por favor veja NEWS.Debian para instruções sobre como " +"modificar a sua configuração apropriadamente." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "Reiniciar agora o strongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such " +"a strongSwan tunnel to connect for this update, restarting is not " +"recommended." +msgstr "" +"É recomendado reiniciar o strongSwan, porque se existir uma correcção de " +"segurança, esta não será aplicada até que o daemon seja reiniciado. A " +"maioria das pessoas espera que o daemon reinicie, portanto isto é geralmente " +"uma boa ideia. No entanto isto poderá fechar ligações existentes e depois " +"ligá-las de novo, portanto se você está a usar algo como um túnel do " +"strongSwan para ligar a esta actualização, o reiniciar não é recomendado." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "Iniciar o daemon IKEv1 do strongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"O daemon pluto precisa de estar a correr para suportar a versão 1 do " +"protocolo Internet Key Exchange." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "Iniciar o daemon IKEv2 do strongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"O daemon charon precisa de estar a correr para suportar a versão 2 do " +"protocolo Internet Key Exchange." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "Usar um certificado X.509 para esta máquina?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Pode ser criado automaticamente ou importado um certificado X.509 para esta " +"máquina. Pode ser usado para autenticar ligações IPsec para outras máquinas " +"e é a maneira preferida de construir ligações IPsec seguras. A outra " +"possibilidade seria usar segredos partilhados (palavras-passe que são iguais " +"em ambos os lados do túnel) para autenticar a ligação, mas para um grande " +"número de ligações, a autenticação baseada em chaves é mais fácil de " +"administrar e mais segura." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." 
+msgstr "" +"Alternativamente, você pode rejeitar esta opção e mais tarde usar o comando " +"\"dpkg-reconfigure strongswan\" para voltar aqui." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "criar" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "importar" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "Métodos de usar um certificado X.509 para autenticar esta máquina:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"É possÃvel criar um novo certificado X.509 com configurações definidas pelo " +"utilizador ou importar uma chave pública e privada existente em ficheiro(s) " +"PEM para autenticar ligações IPsec." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" +"Se escolher criar um novo certificado X.509 ser-lhe-à primeiro perguntado um " +"número de questões que têm de ser respondidas antes da criação poder " +"iniciar. 
Por favor tenha em mente que se deseja que a chave pública seja " +"assinada por uma Autoridade de Certificados existente, você não deve " +"seleccionar a criação de um certificado auto-assinado e todas as respostas " +"dadas devem corresponder exactamente aos requisitos da AC, caso contrário o " +"pedido de certificado pode ser rejeitado." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"Se deseja importar uma chave pública e privada existente, ser-lhe-à pedido " +"os seus nomes de ficheiros (que podem ser idênticos se ambas as partes " +"estiverem armazenadas juntamente no mesmo ficheiro). Opcionalmente você " +"também pode especificar um nome de ficheiro onde as chave(s) pública(s) da " +"Autoridade de Certificados são mantidas, mas este ficheiro não pode ser o " +"mesmo que os anteriores. Por favor tenha também em mente que o formato dos " +"certificados X.509 tem de ser PEM e que a chave privada não pode estar " +"encriptada ou o procedimento de importação irá falhar." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Nome de ficheiro do seu certificado X.509 em formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." 
+msgstr "" +"Por favor insira a localização do ficheiro que contém o seu certificado " +"X.509 em formato PEM." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "Nome do ficheiro da sua chave privada X.509 em formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Por favor insira a localização do ficheiro que contém a chave privada RSA " +"que coincide com o seu certificado X.509 em formato PEM. Este pode ser o " +"mesmo ficheiro que contém o certificado X.509." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Nome de ficheiro do seu RootCA X.509 em formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Opcionalmente você pode agora indicar a localização do ficheiro que contém a " +"raiz da Autoridade de Certificados X.509 usada para assinar o seu " +"certificado em formato PEM. Se você não tem um ou não o quer usar, por favor " +"deixe o campo vazio. Por favor note que não é possÃvel armazenar a RootCA no " +"mesmo ficheiro que o seu certificado X.509 ou chave privada." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "Por favor indique o comprimento que a chave RSA criada deve ter:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Por favor indique o comprimento que a chave RSA criada. Não deve ser menos " +"que 1024 bits porque isto seria considerado inseguro e provavelmente você " +"não vai precisar de nada maior que 4096 bits porque apenas atrasa o processo " +"de autenticação e de momento não é necessário." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "Criar um certificado X.509 auto-assinado?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"Apenas os certificados X.509 auto-assinados podem ser criados " +"automaticamente, porque caso contrário é necessário uma Autoridade de " +"Certificados para assinar o pedido de certificado. 
Se escolher criar um " +"certificado auto-assinado, você pode usá-lo imediatamente para ligar a " +"outras máquinas IPsec que suportam certificados X.509 para autenticação de " +"ligações IPsec. No entanto, usar as funcionalidades PKI do strongSwan requer " +"que todos os certificados seja assinados por uma única Autoridade de " +"Certificados para criar um caminho de confiança." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Se escolher não criar um certificado auto-assinado, apenas a chave RSA " +"privada e o pedido de certificado serão criados, e você tem que assinar o " +"pedido de certificado com a sua Autoridade de Certificados." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Código de paÃs para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Por favor indique o código de duas letras para o paÃs onde o servidor reside " +"(algo como \"PT\" para Portugal)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"O OpenSSL irá recusar gerar um certificado a menos que isto seja um código " +"ISO-3166 de paÃs válido; um campo vazio é permitido em qualquer parte do " +"certificado X.509, mas não aqui." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Estado ou nome da provÃncia para o pedido do certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Por favor insira o nome completo do estado ou provÃncia onde o servidor " +"reside (algo como \"Estremadura Portugal\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Nome da localidade para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Por favor indique a localidade onde o servidor reside (geralmente uma " +"cidade, tal como \"Lisboa\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Nome da organização para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Por favor indique a organização a que o servidor pertence (algo como \"Debian" +"\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Unidade organizativa para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." 
+msgstr "" +"Por favor indique a unidade organizacional a que o servidor pertence (algo " +"como \"Departamento de Segurança\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "Nome comum para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"Por favor indique o Nome Comum para esta máquina (algo como \"gateway." +"exemplo.org\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "Endereço de email para o pedido de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Por favor insira o endereço de email da pessoa ou organização responsável " +"pelo certificado X.509." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Activar encriptação oportunista?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Esta versão do strongSwan suporta encriptação oportunista (OE), a qual " +"guarda informação de autenticação IPSec em registos DNS. Até que isto esteja " +"amplamente instalado, a sua activação irá causar um atraso significativo em " +"cada nova ligação de saÃda." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Você deverá apenas activar a encriptação oportunista se tiver a certeza que " +"a quer. Pode quebrar a ligação à Internet (rota predefinida) assim que o " +"daemon pluto arrancar." diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po new file mode 100644 index 000000000..e9c7b66d1 --- /dev/null +++ b/debian/po/pt_BR.po 
@@ -0,0 +1,819 @@ +# Debconf translations for strongswan. +# Copyright (C) 2010 THE strongswan'S COPYRIGHT HOLDER +# This file is distributed under the same license as the strongswan package. +# +# André LuÃs Lopes <andrelop@debian.org>, 2005. +# Adriano Rafael Gomes <adrianorg@gmail.com>, 2010. +# +msgid "" +msgstr "" +"Project-Id-Version: strongswan\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-16 14:23+0200\n" +"PO-Revision-Date: 2010-12-12 00:00-0200\n" +"Last-Translator: Adriano Rafael Gomes <adrianorg@gmail.com>\n" +"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian." +"org>\n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Antigo gerenciamento de nÃvel de execução (\"runlevel\") obsoleto" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"Versões anteriores do pacote strongSwan permitiam escolher entre três " +"diferentes NÃveis de InÃcio/Parada (\"Start/Stop-Levels\"). Devido a " +"mudanças no procedimento padrão de inicialização do sistema, isso não é mais " +"necessário ou útil. 
Para todas as novas instalações, bem como para as " +"antigas instalações executando em qualquer dos modos predefinidos, nÃveis " +"padrão adequados serão definidos agora. Se você está atualizando a partir de " +"uma versão anterior e alterou seus parâmetros de inicialização do " +"strongSwan, então, por favor, veja o arquivo NEWS.Debian para instruções " +"sobre como modificar sua configuração de acordo." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "Reiniciar o strongSwan agora?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such a " +"strongSwan tunnel to connect for this update, restarting is not recommended." +msgstr "" +"Reiniciar o strongSwan é recomendado, uma vez que caso exista uma correção " +"para uma falha de segurança, a mesma não será aplicada até que o daemon seja " +"reiniciado. A maioria das pessoas espera que o daemon seja reiniciado, " +"portanto essa é geralmente uma boa idéia. Porém, isso pode derrubar conexões " +"existentes, e então posteriormente trazê-las de volta, assim se você está " +"usando um túnel strongSwan para se conectar para fazer esta atualização, não " +"é recomendado reiniciar." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "Iniciar o daemon IKEv1 do strongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." 
+msgstr "" +"O daemon \"pluto\" deve estar em execução para suportar a versão 1 do " +"protocolo Internet Key Exchange." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "Iniciar o daemon IKEv2 do strongSwan?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"O daemon \"charon\" deve estar em execução para suportar a versão 2 do " +"protocolo Internet Key Exchange." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "Usar um certificado X.509 para este host?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Um certificado X.509 para este host pode ser automaticamente criado ou " +"importado. Ele pode ser usado para autenticar conexões IPsec para outros " +"hosts e é a maneira preferida para construir conexões IPsec seguras. A outra " +"possibilidade seria usar segredos compartilhados (senhas que são iguais em " +"ambos os lados do túnel) para autenticar uma conexão, mas para um grande " +"número de conexões, a autenticação baseada em chaves é mais fácil de " +"administrar e mais segura." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"Alternativamente, você pode rejeitar esta opção e mais tarde usar o comando " +"\"dpkg-reconfigure strongswan\" para voltar atrás." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "criar" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "importar" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "Métodos para usar um certificado X.509 para autenticar este host:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"É possÃvel criar um novo certificado X.509 com configurações definidas pelo " +"usuário ou importar um par de chaves pública e privada existente armazenado " +"em arquivo(s) PEM para autenticar conexões IPsec." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." 
+msgstr ""
+"Se você escolher criar um novo certificado X.509, você primeiro será "
+"perguntado sobre uma série de questões que devem ser respondidas antes que a "
+"criação possa iniciar. Por favor, tenha em mente que se você quer que a "
+"chave pública seja assinada por uma Autoridade Certificadora existente, você "
+"não deve selecionar a criação de um certificado auto-assinado, e todas as "
+"respostas dadas devem atender exatamente os requisitos da CA, ou a "
+"requisição do certificado pode ser rejeitada."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr ""
+"Se você quiser importar um par de chaves pública e privada existente, você "
+"será perguntado pelos seus nomes de arquivo (que podem ser idênticos se "
+"ambas as partes estão armazenadas juntas em um arquivo único). "
+"Opcionalmente, você pode também especificar um nome de arquivo onde a(s) "
+"chave(s) pública(s) da Autoridade Certificadora é(são) mantida(s), mas este "
+"arquivo não pode ser o mesmo que os anteriores. Por favor, também esteja "
+"ciente de que os certificados X.509 devem estar no formato PEM, e de que a "
+"chave privada não deve estar criptografada, ou o procedimento de importação "
+"falhará."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid "File name of your PEM format X.509 certificate:"
+msgstr "Nome de arquivo do seu certificado X.509 no formato PEM:"
+
+#. Type: string
+#. 
Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Por favor, informe a localização do arquivo contendo seu certificado X.509 " +"no formato PEM." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "Nome de arquivo da sua chave privada X.509 no formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Por favor, informe a localização do arquivo contendo a chave privada RSA que " +"casa com seu certificado X.509 no formato PEM. Este pode ser o mesmo arquivo " +"que contém o certificado X.509." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Nome de arquivo da sua RootCA X.509 no formato PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Opcionalmente, você pode informar a localização do arquivo contendo a " +"Autoridade Certificadora X.509 raiz usada para assinar seu certificado no " +"formato PEM. Se você não tem uma, ou não quer usá-la, por favor, deixe o " +"campo vazio. Por favor, note que não é possÃvel armazenar a RootCA no mesmo " +"arquivo do seu certificado X.509 ou chave privada." + +#. Type: string +#. 
Description
+#: ../strongswan-starter.templates:11001
+msgid "Please enter which length the created RSA key should have:"
+msgstr "Por favor, informe que tamanho a chave RSA a ser criada deve ter:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid ""
+"Please enter the length of the created RSA key. It should not be less than "
+"1024 bits because this should be considered unsecure and you will probably "
+"not need anything more than 4096 bits because it only slows the "
+"authentication process down and is not needed at the moment."
+msgstr ""
+"Por favor, informe o tamanho da chave RSA a ser criada. A mesma não deve ser "
+"menor que 1024 bits devido a uma chave de tamanho menor que esse ser "
+"considerada insegura. Você também não precisará de nada maior que 4096 "
+"porque isso somente deixaria o processo de autenticação mais lento e não "
+"seria necessário no momento."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid "Create a self-signed X.509 certificate?"
+msgstr "Criar um certificado X.509 auto-assinado?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"Only self-signed X.509 certificates can be created automatically, because "
+"otherwise a Certificate Authority is needed to sign the certificate request. "
+"If you choose to create a self-signed certificate, you can use it "
+"immediately to connect to other IPsec hosts that support X.509 certificate "
+"for authentication of IPsec connections. However, using strongSwan's PKI "
+"features requires all certificates to be signed by a single Certificate "
+"Authority to create a trust path."
+msgstr ""
+"Somente certificados X.509 auto-assinados podem ser criados automaticamente, "
+"devido a uma Autoridade Certificadora ser necessária para assinar a "
+"requisição de certificado. 
Caso você queira criar um certificado auto-" +"assinado, você poderá usá-lo imediatamente para conectar a outros hosts " +"IPsec que suportem certificados X.509 para autenticação de conexões IPsec. " +"Porém, usar os novos recursos PKI do strongSwan requer que todos seus " +"certificados sejam assinados por uma única Autoridade Certificadora para " +"criar um caminho de confiança." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Caso você não queira criar um certificado auto-assinado, somente a chave " +"privada RSA e a requisição de certificado serão criadas, e você terá que " +"assinar a requisição de certificado junto a sua Autoridade Certificadora." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Código de paÃs para a requisição de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Por favor, informe o código de duas letras do paÃs onde o servidor reside " +"(como \"BR\" para Brasil)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"O OpenSSL se recusará a gerar um certificado a menos que este valor seja um " +"código de paÃs ISO-3166 válido; um valor vazio é permitido em qualquer outro " +"campo do certificado X.509, mas não aqui." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Estado ou nome de provÃncia para a requisição de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Por favor, informe o nome completo do estado ou provÃncia em que o servidor " +"reside (como \"São Paulo\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Nome da localidade para a requisição de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Por favor, informe a localidade em que o servidor reside (como \"São Paulo" +"\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Nome da organização para a requisição de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Por favor, informe a organização à qual o servidor pertence (como \"Debian" +"\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Unidade organizacional para a requisição de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Por favor, informe a unidade organizacional à qual o servidor pertence (como " +"\"grupo de segurança\")." + +#. 
Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "Nome Comum para a requisição de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"Por favor, informe o Nome Comum (\"Common Name\") para este host (como " +"\"gateway.example.org\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "Endereço de e-mail para a requisição de certificado X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Por favor, informe o endereço de e-mail da pessoa ou organização responsável " +"pelo certificado X.509." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Habilitar encriptação oportunista?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Esta versão do strongSwan suporta encriptação oportunista (OE), a qual " +"armazena informação de autenticação IPsec em registros DNS. Até que isso " +"seja amplamente difundido, ativá-la causará uma demora significante para " +"cada nova conexão de saÃda." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. 
" +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Você deve habilitar a encriptação oportunista somente se você tiver certeza " +"de querê-la. Ela pode quebrar a conexão à Internet (rota padrão) quando o " +"daemon \"pluto\" iniciar." + +#, fuzzy +#~ msgid "Do you wish to restart strongSwan?" +#~ msgstr "Você deseja reiniciar o Openswan ?" + +#, fuzzy +#~ msgid "Please enter the location of your X509 certificate in PEM format:" +#~ msgstr "" +#~ "Por favor, informe a localização do arquivo contendo seu certificado X509 " +#~ "no formato PEM." + +#, fuzzy +#~ msgid "Please enter the location of your X509 private key in PEM format:" +#~ msgstr "" +#~ "Por favor, informe a localização do arquivo contendo seu certificado X509 " +#~ "no formato PEM." + +#, fuzzy +#~ msgid "You may now enter the location of your X509 RootCA in PEM format:" +#~ msgstr "" +#~ "Por favor, informe a localização do arquivo contendo seu certificado X509 " +#~ "no formato PEM." + +#, fuzzy +#~| msgid "" +#~| "Please enter the 2 letter country code for your country. This code will " +#~| "be placed in the certificate request." +#~ msgid "" +#~ "Please enter the 2 letter country code for your country. This code will " +#~ "be placed in the certificate request." +#~ msgstr "" +#~ "Por favor, informe o códifo de paÃs de duas letras para seu paÃs. Esse " +#~ "código será inserido na requisição de certificado." + +#~ msgid "Example: AT" +#~ msgstr "Exemplo: BR" + +#~ msgid "Example: Upper Austria" +#~ msgstr "Exemplo : Sao Paulo" + +#, fuzzy +#~| msgid "" +#~| "Please enter the organization (e.g. company) that the X509 certificate " +#~| "should be created for. This name will be placed in the certificate " +#~| "request." +#~ msgid "" +#~ "Please enter the locality (e.g. city) where you live. This name will be " +#~ "placed in the certificate request." 
+#~ msgstr ""
+#~ "Por favor, informe a organização (ou seja, a empresa) para a qual este "
+#~ "certificado X509 deverá ser criado. Esse nome será inserido na requisição "
+#~ "de certificado."
+
+#~ msgid "Example: Vienna"
+#~ msgstr "Exemplo : Sao Paulo"
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organization (e.g. company) that the X509 certificate "
+#~| "should be created for. This name will be placed in the certificate "
+#~| "request."
+#~ msgid ""
+#~ "Please enter the organization (e.g. company) that the X509 certificate "
+#~ "should be created for. This name will be placed in the certificate "
+#~ "request."
+#~ msgstr ""
+#~ "Por favor, informe a organização (ou seja, a empresa) para a qual este "
+#~ "certificado X509 deverá ser criado. Esse nome será inserido na requisição "
+#~ "de certificado."
+
+#~ msgid "Example: Debian"
+#~ msgstr "Exemplo : Debian"
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organization (e.g. company) that the X509 certificate "
+#~| "should be created for. This name will be placed in the certificate "
+#~| "request."
+#~ msgid ""
+#~ "Please enter the organizational unit (e.g. section) that the X509 "
+#~ "certificate should be created for. This name will be placed in the "
+#~ "certificate request."
+#~ msgstr ""
+#~ "Por favor, informe a organização (ou seja, a empresa) para a qual este "
+#~ "certificado X509 deverá ser criado. Esse nome será inserido na requisição "
+#~ "de certificado."
+
+#~ msgid "Example: security group"
+#~ msgstr "Exemplo : Grupo de Segurança"
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organization (e.g. company) that the X509 certificate "
+#~| "should be created for. This name will be placed in the certificate "
+#~| "request."
+#~ msgid ""
+#~ "Please enter the common name (e.g. the host name of this machine) for "
+#~ "which the X509 certificate should be created for. This name will be "
+#~ "placed in the certificate request."
+#~ msgstr ""
+#~ "Por favor, informe a organização (ou seja, a empresa) para a qual este "
+#~ "certificado X509 deverá ser criado. Esse nome será inserido na requisição "
+#~ "de certificado."
+
+#~ msgid "Example: gateway.debian.org"
+#~ msgstr "Exemplo : gateway.debian.org"
+
+#, fuzzy
+#~ msgid "When to start strongSwan:"
+#~ msgstr "Você deseja reiniciar o Openswan ?"
+
+#, fuzzy
+#~ msgid "Create an RSA public/private keypair for this host?"
+#~ msgstr ""
+#~ "Você deseja criar um par de chaves RSA pública/privada para este host ?"
+
+#, fuzzy
+#~ msgid ""
+#~ "If you do not want to create a new public/private keypair, you can choose "
+#~ "to use an existing one in the next step."
+#~ msgstr ""
+#~ "Você deseja criar um par de chaves RSA pública/privada para este host ?"
+
+#, fuzzy
+#~ msgid ""
+#~ "The required information can automatically be extracted from an existing "
+#~ "X.509 certificate with a matching RSA private key. Both parts can be in "
+#~ "one file, if it is in PEM format. You should choose this option if you "
+#~ "have such an existing certificate and key file and want to use it for "
+#~ "authenticating IPSec connections."
+#~ msgstr ""
+#~ "Este instalador pode extrair automaticamente a informação necessária de "
+#~ "um certificado X509 existente com uma chave RSA privada adequada. Ambas "
+#~ "as partes podem estar em um arquivo, caso estejam no formato PEM. Você "
+#~ "possui um certificado existente e um arquivo de chave e quer usá-los para "
+#~ "autenticar conexões IPSec ?"
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the locality (e.g. city) where you live. This name will be "
+#~| "placed in the certificate request."
+#~ msgid ""
+#~ "Please enter the locality name (often a city) that should be used in the "
+#~ "certificate request."
+#~ msgstr ""
+#~ "Por favor, informe a localidade (ou seja, cidade) onde você mora. Esse "
+#~ "nome será inserido na requisição de certificado."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organizational unit (e.g. section) that the X509 "
+#~| "certificate should be created for. This name will be placed in the "
+#~| "certificate request."
+#~ msgid ""
+#~ "Please enter the organization name (often a company) that should be used "
+#~ "in the certificate request."
+#~ msgstr ""
+#~ "Por favor, informe a unidade organizacional (ou seja, seção ou "
+#~ "departamento) para a qual este certificado deverá ser criado. Esse nome "
+#~ "será inserido na requisição de certificado."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the organizational unit (e.g. section) that the X509 "
+#~| "certificate should be created for. This name will be placed in the "
+#~| "certificate request."
+#~ msgid ""
+#~ "Please enter the organizational unit name (often a department) that "
+#~ "should be used in the certificate request."
+#~ msgstr ""
+#~ "Por favor, informe a unidade organizacional (ou seja, seção ou "
+#~ "departamento) para a qual este certificado deverá ser criado. Esse nome "
+#~ "será inserido na requisição de certificado."
+
+#, fuzzy
+#~| msgid ""
+#~| "Please enter the common name (e.g. the host name of this machine) for "
+#~| "which the X509 certificate should be created for. This name will be "
+#~| "placed in the certificate request."
+#~ msgid ""
+#~ "Please enter the common name (such as the host name of this machine) that "
+#~ "should be used in the certificate request."
+#~ msgstr ""
+#~ "Por favor, informe o nome comum (ou seja, o nome do host dessa máquina) "
+#~ "para o qual o certificado X509 deverá ser criado. Esse nome será inserido "
+#~ "na requisição de certificado."
+
+#~ msgid "earliest, \"after NFS\", \"after PCMCIA\""
+#~ msgstr "o quando antes, \"depois do NFS\", \"depois do PCMCIA\""
+
+#, fuzzy
+#~ msgid ""
+#~ "There are three possibilities when strongSwan can start: before or after "
+#~ "the NFS services and after the PCMCIA services. 
The correct answer " +#~ "depends on your specific setup." +#~ msgstr "" +#~ "Com os nÃveis de inicialização atuais do Debian (quase todos os serviços " +#~ "iniciando no nÃvel 20) é impossÃvel para o Openswan sempre iniciar no " +#~ "momento correto. Existem três possibilidades para quando iniciar o " +#~ "Openswan : antes ou depois dos serviços NFS e depois dos serviços PCMCIA. " +#~ "A resposta correta depende se sua configuração especÃfica." + +#, fuzzy +#~ msgid "" +#~ "If you do not have your /usr tree mounted via NFS (either you only mount " +#~ "other, less vital trees via NFS or don't use NFS mounted trees at all) " +#~ "and don't use a PCMCIA network card, then it's best to start strongSwan " +#~ "at the earliest possible time, thus allowing the NFS mounts to be secured " +#~ "by IPSec. In this case (or if you don't understand or care about this " +#~ "issue), answer \"earliest\" to this question (the default)." +#~ msgstr "" +#~ "Caso você não possua sua à rvore /usr montada via NFS (você somente monta " +#~ "outras à rvores não vitais via NFS ou não usa à rvores montadas via NFS) e " +#~ "não use um cartão de rede PCMCIA, a melhor opção é iniciar o Openswan o " +#~ "quando antes, permitindo dessa forma que os pontos de montagem NFS " +#~ "estejam protegidos por IPSec. Nesse caso (ou caso você não compreenda ou " +#~ "não se importe com esse problema), responda \"o quando antes\" para esta " +#~ "pergunta (o que é o padrão)." + +#, fuzzy +#~ msgid "" +#~ "If you have your /usr tree mounted via NFS and don't use a PCMCIA network " +#~ "card, then you will need to start strongSwan after NFS so that all " +#~ "necessary files are available. In this case, answer \"after NFS\" to this " +#~ "question. Please note that the NFS mount of /usr can not be secured by " +#~ "IPSec in this case." 
+#~ msgstr "" +#~ "Caso você possua sua à rvore /usr montada via NFS e não use um cartão de " +#~ "rede PCMCIA, você precisará iniciar o Openswan depois do NFS de modo que " +#~ "todos os arquivos necessários estejam disponÃveis. Nesse caso, responda " +#~ "\"depois do NFS\" para esta pergunta. Por favor, note que a montagem NFS " +#~ "de /usr não poderá ser protegida pelo IPSec nesse caso." + +#~ msgid "" +#~ "If you use a PCMCIA network card for your IPSec connections, then you " +#~ "only have to choose to start it after the PCMCIA services. Answer \"after " +#~ "PCMCIA\" in this case. This is also the correct answer if you want to " +#~ "fetch keys from a locally running DNS server with DNSSec support." +#~ msgstr "" +#~ "Caso você use um cartão de rede PCMCIA para suas conexões IPSec você " +#~ "precisará somente optar por iniciar o Opensan depois dos serviços PCMCIA. " +#~ "Responda \"depois do PCMCIA\" nesse caso. Esta é também a maneira correta " +#~ "de obter chaves de um servidor DNS sendo executado localmente e com " +#~ "suporte a DNSSec." + +#, fuzzy +#~ msgid "Do you wish to support IKEv1?" +#~ msgstr "Você deseja reiniciar o Openswan ?" + +#, fuzzy +#~ msgid "Do you wish to support IKEv2?" +#~ msgstr "Você deseja reiniciar o Openswan ?" + +#, fuzzy +#~ msgid "" +#~ "strongSwan comes with support for opportunistic encryption (OE), which " +#~ "stores IPSec authentication information (i.e. RSA public keys) in " +#~ "(preferably secure) DNS records. Until this is widely deployed, " +#~ "activating it will cause a significant slow-down for every new, outgoing " +#~ "connection. Since version 2.0, strongSwan upstream comes with OE enabled " +#~ "by default and is thus likely to break your existing connection to the " +#~ "Internet (i.e. your default route) as soon as pluto (the strongSwan " +#~ "keying daemon) is started." 
+#~ msgstr "" +#~ "O Openswan suporta encriptação oportunÃstica (OE), a qual armazena " +#~ "informações de autenticação IPSec (por exemplo, chaves públicas RSA) em " +#~ "registros DNS (preferivelmente seguros). Até que esse suporte esteja " +#~ "largamento sendo utilizado, ativá-lo irá causar uma signficante lentidão " +#~ "para cada nova conexão de saÃda. Iniciando a partir da versão 2.0, o " +#~ "Openswan, da forma como é distribuÃdo pelos desenvolvedores oficiais, é " +#~ "fornecido com o suporte a OE habilitado por padrão e, portanto, " +#~ "provavelmente irá quebrar suas conexões existentes com a Internet (por " +#~ "exemplo, sua rota padrão) tão logo o pluto (o daemon de troca de chaves " +#~ "do Openswan) seja iniciado." + +#~ msgid "" +#~ "Please choose whether you want to enable support for OE. If unsure, do " +#~ "not enable it." +#~ msgstr "" +#~ "Por favor, informe se você deseja habilitar o suporte a OE. Em caso de " +#~ "dúvidas, não habilite esse suporte." + +#~ msgid "x509, plain" +#~ msgstr "x509, pura" + +#, fuzzy +#~ msgid "The type of RSA keypair to create:" +#~ msgstr "Qual tipo de par de chaves RSA você deseja criar ?" + +#, fuzzy +#~ msgid "" +#~ "It is possible to create a plain RSA public/private keypair for use with " +#~ "strongSwan or to create a X509 certificate file which contains the RSA " +#~ "public key and additionally stores the corresponding private key." +#~ msgstr "" +#~ "É possÃvel criar um par de chaves RSA pública/privada pura (plain) para " +#~ "uso com o Openswan ou para criar um arquivo de certificado X509 que irá " +#~ "conter a chave RSA pública e adicionalmente armazenar a chave privada " +#~ "correspondente." + +#, fuzzy +#~ msgid "" +#~ "If you only want to build up IPSec connections to hosts also running " +#~ "strongSwan, it might be a bit easier using plain RSA keypairs. But if you " +#~ "want to connect to other IPSec implementations, you will need a X509 " +#~ "certificate. 
It is also possible to create a X509 certificate here and " +#~ "extract the RSA public key in plain format if the other side runs " +#~ "strongSwan without X509 certificate support." +#~ msgstr "" +#~ "Caso você queira somente construir conexões IPsec para hosts e também " +#~ "executar o Openswan, pode ser um pouco mais fácil usar pares de chaves " +#~ "RSA puros (plain). Mas caso você queira se conectar a outras " +#~ "implementações IPSec, você precisará de um certificado X509. É também " +#~ "possÃvel criar um certificado X509 aqui e extrair a chave pública em " +#~ "formato puro (plain) caso o outro lado execute o Openswan sem suporte a " +#~ "certificados X509." + +#, fuzzy +#~ msgid "" +#~ "Therefore a X509 certificate is recommended since it is more flexible and " +#~ "this installer should be able to hide the complex creation of the X509 " +#~ "certificate and its use in strongSwan anyway." +#~ msgstr "" +#~ "Um certificado X509 é recomendado, uma vez que o mesmo é mais flexÃvel e " +#~ "este instalador é capaz de simplificar a complexa criação do certificado " +#~ "X509 e seu uso com o Openswan." + +#, fuzzy +#~ msgid "Please choose the when to start strongSwan:" +#~ msgstr "Você deseja reiniciar o Openswan ?" + +#, fuzzy +#~ msgid "At which level do you wish to start strongSwan ?" +#~ msgstr "Em que nÃvel você deseja iniciar o Openswan ?" + +#~ msgid "2048" +#~ msgstr "2048" diff --git a/debian/po/ru.po b/debian/po/ru.po new file mode 100644 index 000000000..e3e3ffb09 --- /dev/null +++ b/debian/po/ru.po 
@@ -0,0 +1,473 @@ +# translation of ru.po to Russian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the strongswan package. +# +# Yuri Kozlov <yuray@komyakino.ru>, 2009, 2010. +msgid "" +msgstr "" +"Project-Id-Version: strongswan 4.4.0-1\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-09 12:15+0200\n" +"PO-Revision-Date: 2010-06-25 19:08+0400\n" +"Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n" +"Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Заменена ÑиÑтема ÑƒÐ¿Ñ€Ð°Ð²Ð»ÐµÐ½Ð¸Ñ ÑƒÑ€Ð¾Ð²Ð½Ñми выполнениÑ" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"Ð’ предыдущих верÑиÑÑ… пакета strongSwan предлагалÑÑ Ð²Ñ‹Ð±Ð¾Ñ€ между Ñ‚Ñ€ÐµÐ¼Ñ " +"уровнÑми запуÑка/оÑтанова. Из-за изменений Ñтандартной процедуры запуÑка в " +"ÑиÑтеме Ñто больше не требуетÑÑ Ð¸ ненужно. 
Ð’ новых уÑтановках, а также в " +"Ñтарых, работающих на любом уровне, будут выбраны разумные уровни по " +"умолчанию. ЕÑли выполнÑÑ‚ÑÑ Ð¾Ð±Ð½Ð¾Ð²Ð»ÐµÐ½Ð¸Ðµ предыдущей верÑии и вы изменÑли " +"параметры запуÑка strongSwan, прочитайте инÑтрукции из файла NEWS.Debian о " +"том, как изменить ÑоответÑтвующую наÑтройку." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "ПерезапуÑтить strongSwan прÑмо ÑейчаÑ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such " +"a strongSwan tunnel to connect for this update, restarting is not " +"recommended." +msgstr "" +"РекомендуетÑÑ Ð¿ÐµÑ€ÐµÐ·Ð°Ð¿ÑƒÑтить strongSwan, так как при наличии иÑправлений " +"безопаÑноÑти они не заработают, пока Ñлужба не будет перезапущена. " +"БольшинÑтво людей вÑÑ‘ равно перезапуÑкают Ñлужбу, поÑтому обычно лучше Ñто " +"Ñделать. Однако Ñто может привеÑти к кратковременному разрыву ÑущеÑтвующих " +"Ñоединений, поÑтому еÑли вы ÑÐµÐ¹Ñ‡Ð°Ñ Ð¸Ñпользуете туннель strongSwan Ð´Ð»Ñ " +"Ð¿Ð¾Ð´ÐºÐ»ÑŽÑ‡ÐµÐ½Ð¸Ñ Ð¿ÐµÑ€ÐµÐ·Ð°Ð¿ÑƒÑк не рекомендуетÑÑ." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "ЗапуÑтить Ñлужбу strongSwan IKEv1?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"Ð”Ð»Ñ Ð¿Ð¾Ð´Ð´ÐµÑ€Ð¶ÐºÐ¸ 1-й верÑии протокола обмена ключами Интернет должна быть " +"запущена Ñлужба pluto." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "ЗапуÑтить Ñлужбу strongSwan IKEv2?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"Ð”Ð»Ñ Ð¿Ð¾Ð´Ð´ÐµÑ€Ð¶ÐºÐ¸ 2-й верÑии протокола обмена ключами Интернет должна быть " +"запущена Ñлужба charon." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "ИÑпользовать ÑущеÑтвующий Ñертификат X.509 Ð´Ð»Ñ Ñтого узла?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Сертификат X.509 Ð´Ð»Ñ Ñтого узла может быть автоматичеÑки Ñоздан или " +"импортирован. Он может иÑпользоватьÑÑ Ð´Ð»Ñ Ð°ÑƒÑ‚ÐµÐ½Ñ‚Ð¸Ñ„Ð¸ÐºÐ°Ñ†Ð¸Ð¸ IPSec Ñоединений Ñ " +"другими узлами, и Ñто ÑвлÑетÑÑ Ð¿Ñ€ÐµÐ´Ð¿Ð¾Ñ‡Ñ‚Ð¸Ñ‚ÐµÐ»ÑŒÐ½Ñ‹Ð¼ ÑпоÑобом ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð±ÐµÐ·Ð¾Ð¿Ð°Ñных " +"Ñоединений IPSec. Также Ð´Ð»Ñ Ð°ÑƒÑ‚ÐµÐ½Ñ‚Ð¸Ñ„Ð¸ÐºÐ°Ñ†Ð¸Ð¸ ÑÐ¾ÐµÐ´Ð¸Ð½ÐµÐ½Ð¸Ñ Ð¼Ð¾Ð¶Ð½Ð¾ иÑпользовать " +"общие Ñекреты (одинаковые пароли на обоих концах туннелÑ), но при большом " +"количеÑтве Ñоединений Ð°ÑƒÑ‚ÐµÐ½Ñ‚Ð¸Ñ„Ð¸ÐºÐ°Ñ†Ð¸Ñ Ð¿Ð¾ ключам легче в админиÑтрировании и " +"она более безопаÑна." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"Или же вы можете ответить отрицательно и позже вернутьÑÑ Ðº Ñтому вопроÑу " +"запуÑтив команду \"dpkg-reconfigure ostrongswan\"." + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "Ñоздать" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "импортировать" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "Методы, иÑпользующие Ñертификат X.509 Ð´Ð»Ñ Ð°ÑƒÑ‚ÐµÐ½Ñ‚Ð¸Ñ„Ð¸ÐºÐ°Ñ†Ð¸Ð¸ данного узла:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"Возможно Ñоздать новый Ñертификат X.509, заданный пользователем, или " +"импортировать ÑущеÑтвующий открытый и закрытый ключи из файла(ов) PEM Ð´Ð»Ñ " +"аутентификации Ñоединений IPsec." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" +"ЕÑли вы выберете Ñоздание нового Ñертификата X.509, то Ñначала вам будет " +"задано неÑколько вопроÑов, на которые нужно ответить до начала ÑозданиÑ. 
" +"Учтите, что еÑли вы хотите подпиÑать открытый ключ в дейÑтвующем центре " +"Ñертификации, то вам ненужно выбирать Ñоздание ÑамоподпиÑанного Ñертификата, " +"и вÑе ответы должны точно удовлетворÑÑ‚ÑŒ требованиÑм ЦС, иначе Ð·Ð°Ð¿Ñ€Ð¾Ñ " +"Ñертификата может быть отклонён." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"ЕÑли вы хотите импортировать ÑущеÑтвующий открытый и закрытый ключи, то вам " +"будет предложено указать имена файлов Ñ Ð½Ð¸Ð¼Ð¸ (которые могут быть одинаковы, " +"еÑли обе чаÑти хранÑÑ‚ÑÑ Ð² одном файле). Также вы можете указать Ð¸Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð°, " +"где хранитÑÑ Ð¾Ñ‚ÐºÑ€Ñ‹Ñ‚Ñ‹Ð¹ ключ(и) центра Ñертификации, но Ñтот файл не может " +"Ñовпадать Ñ Ð¿Ñ€ÐµÐ´Ñ‹Ð´ÑƒÑ‰Ð¸Ð¼Ð¸. Заметим, что формат Ñертификатов X.509 должен быть " +"PEM и что закрытый ключ не должен быть зашифрован, иначе процедура импорта " +"завершитÑÑ Ð½ÐµÑƒÐ´Ð°Ñ‡Ð½Ð¾." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Ð˜Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð° Ñертификата X.509 в формате PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "" +"Введите полный путь к файлу, Ñодержащему ваш Ñертификат X.509 в формате PEM." + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "Ð˜Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð° Ñертификата X.509 в формате PEM Ñ Ð·Ð°ÐºÑ€Ñ‹Ñ‚Ñ‹Ð¼ ключом:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." +msgstr "" +"Введите путь к файлу, Ñодержащему закрытый ключ RSA Ð´Ð»Ñ Ð²Ð°ÑˆÐµÐ³Ð¾ Ñертификата " +"X.509 в формате PEM. Ðто может быть тот же файл, что и Ð´Ð»Ñ Ñертификата X.509." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Ð˜Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð° Ñертификата X.509 в формате PEM Ð´Ð»Ñ RootCA:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Также вы можете ввеÑти раÑположение файла Ñ Ñертификатом корневого центра " +"Ñертификации X.509, иÑпользуемого Ð´Ð»Ñ Ð¿Ð¾Ð´Ð¿Ð¸Ñи вашего Ñертификата в формате " +"PEM. ЕÑли у Ð²Ð°Ñ ÐµÐ³Ð¾ нет или вы не хотите его иÑпользовать, то оÑтавьте поле " +"пуÑтым. Заметим, что невозможно хранить RootCA в одном файле Ñ Ð²Ð°ÑˆÐ¸Ð¼ " +"открытым или закрытым ключом Ñертификата X.509." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "Длина Ñоздаваемого ключа RSA:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Введите длину необходимую длину ключа RSA. Она должна быть не менее 1024 " +"бит, так как Ð¼ÐµÐ½ÑŒÑˆÐ°Ñ Ð½Ðµ ÑчитаетÑÑ Ð±ÐµÐ·Ð¾Ð¿Ð°Ñной, и вам, вероÑтно, не нужно " +"задавать значение более 4096, так как Ñто только замедлит процеÑÑ " +"аутентификации и, в наÑтоÑщее времÑ, не очень рационально." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "Создать ÑамоподпиÑанный Ñертификат X.509?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"ПроцеÑÑ ÑƒÑтановки умеет Ñоздавать автоматичеÑки только ÑамоподпиÑанные " +"Ñертификаты X.509, так как иначе требуетÑÑ Ñ€Ð°Ð±Ð¾Ñ‚Ð° центра Ñертификации Ð´Ð»Ñ " +"подпиÑи запроÑа Ñертификата. Созданный ÑамоподпиÑанный Ñертификат Ñразу " +"можно иÑпользовать Ð´Ð»Ñ Ð¿Ð¾Ð´ÐºÐ»ÑŽÑ‡ÐµÐ½Ð¸Ñ Ðº другим машинам Ñ IPSec, которые " +"поддерживают Ñертификаты X.509 Ð´Ð»Ñ Ð°ÑƒÑ‚ÐµÐ½Ñ‚Ð¸Ñ„Ð¸ÐºÐ°Ñ†Ð¸Ð¸ Ñоединений IPSec. 
Однако, " +"еÑли вы хотите воÑпользоватьÑÑ Ð½Ð¾Ð²Ñ‹Ð¼Ð¸ возможноÑÑ‚Ñми PKI из strongSwan, то " +"вÑе ваши Ñертификаты X.509 должны быть подпиÑаны единым Ñертификационным " +"центром Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ‚ÐµÐ»ÑŒÐ½Ð¾Ð³Ð¾ пути." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"ЕÑли вы ответите отрицательно, то будет Ñоздан только закрытый ключ RSA, а " +"также Ð·Ð°Ð¿Ñ€Ð¾Ñ Ð´Ð»Ñ Ñертификата, который вам нужно подпиÑать в центре " +"Ñертификации." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Код Ñтраны Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Введите двухбуквенный код Ñтраны, где раÑположен Ñервер (например, \"RU\" в " +"РоÑÑии)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"ЗдеÑÑŒ нужно ввеÑти правильный код Ñтраны ÑоглаÑно ISO-3166, так как OpenSSL " +"откажетÑÑ Ð³ÐµÐ½ÐµÑ€Ð¸Ñ€Ð¾Ð²Ð°Ñ‚ÑŒ Ñертификаты в противном Ñлучае. ПуÑтое значение " +"разрешено Ð´Ð»Ñ Ð»ÑŽÐ±Ð¾Ð³Ð¾ Ð¿Ð¾Ð»Ñ Ñертификата X.509 кроме Ñтого." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Ðазвание облаÑти или округа Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Укажите полное название облаÑти или округа, в котором находитÑÑ Ñервер " +"(например, \"Moscow region\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Ðазвание меÑта Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Укажите название меÑта, где раÑполагаетÑÑ Ñервер (например город, \"Sergiev " +"Posad\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Ðазвание организации Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Укажите название организации, которой принадлежит Ñервер (например, \"Debian" +"\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "" +"Ðазвание Ñтруктурной единицы организации Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Ðазвание Ñтруктурной единицы организации Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "ОбщеизвеÑтное название Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "" +"Укажите общеизвеÑтное название (например, Ð¸Ð¼Ñ Ð´Ð°Ð½Ð½Ð¾Ð³Ð¾ компьютера), например, " +"\"gateway.example.org\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "ÐÐ´Ñ€ÐµÑ Ñлектронной почты Ð´Ð»Ñ Ð·Ð°Ð¿Ñ€Ð¾Ñа Ñертификата X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Укажите Ð°Ð´Ñ€ÐµÑ Ñлектронной почты (человека или организации) Ð´Ð»Ñ Ð²ÐºÐ»ÑŽÑ‡ÐµÐ½Ð¸Ñ Ð² " +"Ð·Ð°Ð¿Ñ€Ð¾Ñ Ñертификата." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Включить поддержку гибкого шифрованиÑ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Ðта верÑÐ¸Ñ strongSwan поддерживает гибкое шифрование (opportunistic " +"encryption, OE), при котором Ð¸Ð½Ñ„Ð¾Ñ€Ð¼Ð°Ñ†Ð¸Ñ Ð¾Ð± аутентификации IPSec хранитÑÑ Ð² " +"запиÑÑÑ… DNS. Пока Ñто широко не Ñтанет раÑпроÑтранено, Ð´Ð°Ð½Ð½Ð°Ñ Ð¿Ð¾Ð´Ð´ÐµÑ€Ð¶ÐºÐ° " +"приведёт к значительной задержке при каждом новом иÑходÑщем Ñоединении." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Включайте гибкое шифрование, еÑли вам Ñто дейÑтвительно нужно. 
Ðто может " +"прервать Ñоединение Ñ Ð¸Ð½Ñ‚ÐµÑ€Ð½ÐµÑ‚Ð¾Ð¼ (маршрут по умолчанию) при запуÑке Ñлужбы " +"pluto." diff --git a/debian/po/sv.po b/debian/po/sv.po new file mode 100644 index 000000000..c93658ffd --- /dev/null +++ b/debian/po/sv.po 
@@ -0,0 +1,481 @@
+# translation of strongswan_sv.po to Swedish
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+# Martin Ågren <martin.agren@gmail.com>, 2008, 2009, 2010.
+msgid ""
+msgstr ""
+"Project-Id-Version: strongswan_sv\n"
+"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
+"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"PO-Revision-Date: 2010-06-26 16:51+0200\n"
+"Last-Translator: Martin Ågren <martin.agren@gmail.com>\n"
+"Language-Team: Swedish <debian-l10n-swedish@lists.debian.org>\n"
+"Language: sv\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: swe\n"
+"X-Poedit-Country: swe\n"
+"X-Generator: KBabel 1.11.4\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid "Old runlevel management superseded"
+msgstr "Gammal körnivåhantering har ersatts"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+"Tidigare versioner av paketet strongswan erbjöd ett val mellan tre olika "
+"start-/stoppnivåer. På grund av ändringar i systemuppstartproceduren är "
+"detta inte längre nödvändigt eller användbart. För alla nya installationer, "
+"såväl som gamla installationer som kör i något av de fördefinierade lägena, "
+"kommer rimliga standardvärden nu sättas. Om du uppgraderar från en tidigare "
+"version och ändrade dina uppstartsparametrar för strongSwan, bör du ta en "
+"titt på NEWS.Debian för instruktioner om hur du kan ändra din installation "
+"på motsvarande sätt."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid "Restart strongSwan now?"
+msgstr "Starta om strongSwan nu?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid ""
+"Restarting strongSwan is recommended, since if there is a security fix, it "
+"will not be applied until the daemon restarts. Most people expect the daemon "
+"to restart, so this is generally a good idea. However, this might take down "
+"existing connections and then bring them back up, so if you are using such "
+"a strongSwan tunnel to connect for this update, restarting is not "
+"recommended."
+msgstr ""
+"Att starta om strongSwan rekommenderas eftersom en eventuell "
+"säkerhetsrättning inte kommer användas förrän demonen startas om. De flesta "
+"förväntar att servern startas om, så detta är normalt en bra ide. Detta kan "
+"dock stänga existerande anslutningar och sedan ta upp dem igen, så om du "
+"använder en strongSwan-tunnel för att genomföra den här uppdateringen är en "
+"omstart inte rekommenderad."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid "Start strongSwan's IKEv1 daemon?"
+msgstr "Starta strongSwans IKEv1-demon?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid ""
+"The pluto daemon must be running to support version 1 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Pluto-demonen måste köras för att stödja version 1 av Internet Key Exchange-"
+"protokollet."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid "Start strongSwan's IKEv2 daemon?"
+msgstr "Starta strongSwans IKEv2-demon?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid ""
+"The charon daemon must be running to support version 2 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+"Charon-demonen måste köras för att stödja version 2 av Internet Key Exchange-"
+"protokollet."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid "Use an X.509 certificate for this host?"
+msgstr "Vill du använda ett X.509-certifikat för den här värden?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"An X.509 certificate for this host can be automatically created or imported. "
+"It can be used to authenticate IPsec connections to other hosts and is the "
+"preferred way of building up secure IPsec connections. The other possibility "
+"would be to use shared secrets (passwords that are the same on both sides of "
+"the tunnel) for authenticating a connection, but for a larger number of "
+"connections, key based authentication is easier to administer and more "
+"secure."
+msgstr ""
+"Ett X.509-certifikat för den här värden kan skapas eller importeras "
+"automatiskt. Det kan användas för att autentisera IPsec-anslutningar till "
+"andra värdar och är det rekommenderade sättet för att bygga upp säkra IPsec-"
+"anslutningar. Den andra möjligheten skulle vara att använda delade "
+"säkerheter (lösenord som är samma på båda sidor av tunneln) för "
+"autentisering av en anslutning, men för ett större antal anslutningar är "
+"nyckelbaserad autentisering lättare att administrera och säkrare."
+
+#. Type: boolean
+#. 
Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"Alternatively you can reject this option and later use the command \"dpkg-"
+"reconfigure strongswan\" to come back."
+msgstr ""
+"Alternativt kan du avfärda det här valet och använda kommandot \"dpkg-"
+"reconfigure strongswan\" för att komma tillbaka vid ett senare tillfälle."
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "create"
+msgstr "skapa"
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "import"
+msgstr "importera"
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid "Methods for using a X.509 certificate to authenticate this host:"
+msgstr ""
+"Metoder för användning av ett X.509-certifikat för autentisering av den här "
+"värden:"
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"It is possible to create a new X.509 certificate with user-defined settings "
+"or to import an existing public and private key stored in PEM file(s) for "
+"authenticating IPsec connections."
+msgstr ""
+"Det är möjligt att skapa ett nytt X.509-certifikat med användar-definierade "
+"inställningar eller att importera existerande publika och privata nycklar "
+"lagrade i PEM-fil(er) för autentisering av IPsec-anslutningar."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+"Om du väljer att skapa ett nytt X.509-certifikat kommer du först få svara på "
+"några frågor innan genereringen kan startas. Kom ihåg att du, om du vill att "
+"den publika nyckeln ska signeras av existerande certifikatsutställare (CA), "
+"inte ska välja att skapa ett självsignerat certifikat och att alla svar "
+"precis måste motsvara de krav CA:n ställer. Annars kan certifikatsförfrågan "
+"komma att avslås."
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr ""
+"Om du vill importera existerande publika och privata nycklar kommer du "
+"ombeds ange deras filnamn (som kan vara identiska om båda delarna sparas "
+"tillsammans i en fil). Du kan även ange ett filnamn där CA:n publika nyckel "
+"finns, men denna fil kan inte vara samma som de tidigare. Notera också att "
+"formatet för X.509-certifikaten måste vara PEM och att den privata nyckeln "
+"inte får vara krypterad för att den ska kunna importeras."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid "File name of your PEM format X.509 certificate:"
+msgstr "Namn på filen med ditt X.509-certifikat i PEM-format:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid ""
+"Please enter the location of the file containing your X.509 certificate in "
+"PEM format."
+msgstr ""
+"Ange platsen för den fil som innehåller ditt X.509-certifikat i PEM-format."
+
+#. Type: string
+#. 
Description
+#: ../strongswan-starter.templates:9001
+msgid "File name of your PEM format X.509 private key:"
+msgstr "Namn på filen med din privata X.509-nyckel i PEM-format:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+msgid ""
+"Please enter the location of the file containing the private RSA key "
+"matching your X.509 certificate in PEM format. This can be the same file "
+"that contains the X.509 certificate."
+msgstr ""
+"Ange platsen för den fil som innehåller den privata RSA-nyckel som matchar "
+"ditt X.509-certifikat i PEM-format. Detta kan vara samma fil som innehåller "
+"X.509-certifikatet."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid "File name of your PEM format X.509 RootCA:"
+msgstr "Namn på filen med rot-CA:ns X.509-certifikat i PEM-format:"
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid ""
+"Optionally you can now enter the location of the file containing the X.509 "
+"Certificate Authority root used to sign your certificate in PEM format. If "
+"you do not have one or do not want to use it please leave the field empty. "
+"Please note that it's not possible to store the RootCA in the same file as "
+"your X.509 certificate or private key."
+msgstr ""
+"Du kan nu, om du vill, ange platsen för den fil som innehåller ett X.509-"
+"certifikat för den rot-CA som använts för att signera ditt certifikat i PEM-"
+"format. Lämna fältet tomt om du inte har något sådant certifikat eller om du "
+"inte vill använda det. Observera att det inte är möjligt att lagra rot-CA:n "
+"i samma fil som ditt X.509-certifikat eller den privata nyckeln."
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid "Please enter which length the created RSA key should have:"
+msgstr "Ange vilken längd den skapade RSA-nyckeln ska ha:"
+
+#. Type: string
+#. 
Description
+#: ../strongswan-starter.templates:11001
+msgid ""
+"Please enter the length of the created RSA key. It should not be less than "
+"1024 bits because this should be considered unsecure and you will probably "
+"not need anything more than 4096 bits because it only slows the "
+"authentication process down and is not needed at the moment."
+msgstr ""
+"Ange längden på den skapade RSA-nyckeln. Den bör inte vara kortare än 1024 "
+"bitar eftersom det anses osäkert. Du behöver troligtvis inte mer än 4096 "
+"bitar eftersom det gör autentiseringen långsammare och anses innebära en "
+"onödigt stor säkerhetsmarginal för tillfället."
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid "Create a self-signed X.509 certificate?"
+msgstr "Vill du skapa ett självsignerat X.509-certifikat?"
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"Only self-signed X.509 certificates can be created automatically, because "
+"otherwise a Certificate Authority is needed to sign the certificate request. "
+"If you choose to create a self-signed certificate, you can use it "
+"immediately to connect to other IPsec hosts that support X.509 certificate "
+"for authentication of IPsec connections. However, using strongSwan's PKI "
+"features requires all certificates to be signed by a single Certificate "
+"Authority to create a trust path."
+msgstr ""
+"Endast självsignerade X.509-certifikat kan skapas automatiskt eftersom det "
+"annars krävs en CA för att signera certifikatsförfrågan. Om du väljer att "
+"skapa ett självsignerat certifikat, kan du genast använda det för att "
+"ansluta till andra IPsec-värdar som stödjer X.509-certifikat för "
+"autentisering av IPsec-anslutningar. Användning av strongSwans PKI-"
+"funktioner kräver dock att alla certifikat har signerats av en och samma CA "
+"för att skapa en tillitskedja."
+
+#. Type: boolean
+#. 
Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Om du inte väljer att skapa ett självsignerat certifikta, kommer endast den " +"privata RSA-nyckeln och certifikatsförfrågan att skapas. Du måste dåfå " +"certifikatsförfrån signerad av din certifikatsutställare." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Landskod för X.509-certifikatsförfrågan:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Ange den kod om två bokstäver som identifierar landet som servern står i " +"(exempelvis \"SE\" för Sverige)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"OpenSSL kommer vägra generera ett certifikat såvida det här värdet inte är " +"en giltig landskod enligt ISO-3166; ett tomt fält är giltigt på andra " +"ställen i X.509-certifikat, men inte här." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Region eller län för X.509-certifikatsförfrågan:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Ange namnet på den region eller den stat som servern står i (exempelvis " +"\"Skåne län\")." 
+ +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Lokaliteten för X.509-certifikatsförfrågan:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "Ange den lokalitet servern står i (ofta en stad, såsom \"Malmö\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Organisationsnamn för X.509-certifikatsförfrågan:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Ange namnet på den organisation servern tillhör (exempelvis \"Debian\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Organisationsenhet för X.509-certifikatsförfrågan:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Ange den organisationsenhet servern tillhör (exempelvis \"säkerhetsgruppen" +"\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "Namn på X.509-certifikatsförfrågan:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "Ange namnet på den här värden (exempelvis \"gateway.example.org\")." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "E-postadress för X.509-certifikatsförfrågan:" + +#. 
Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Ange e-postadressen till den person eller organisation som är ansvarig för " +"X.509-certifikatet." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Vill du aktivera opportunistisk kryptering?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Denna version av strongSwan stödjer opportunistisk kryptering (OE), som " +"lagrar IPSec-autentiseringsinformation i DNS-registret. Till dess detta " +"används i stor utsträckning, kommer aktivering av det att orsaka betydande " +"fördröjningar för varje ny utgående anslutning." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"Du ska bara aktivera opportunistisk kryptering om du är säker på att du vill " +"ha det. Det kan bryta internetanslutningen (standardvägen) när pluto-demonen " +"startas." diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 000000000..59fbb9d6c --- /dev/null +++ b/debian/po/templates.pot 
@@ -0,0 +1,381 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
+"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid "Old runlevel management superseded"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../strongswan-starter.templates:2001
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid "Restart strongSwan now?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:3001
+msgid ""
+"Restarting strongSwan is recommended, since if there is a security fix, it "
+"will not be applied until the daemon restarts. Most people expect the daemon "
+"to restart, so this is generally a good idea. However, this might take down "
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid "Start strongSwan's IKEv1 daemon?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:4001
+msgid ""
+"The pluto daemon must be running to support version 1 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid "Start strongSwan's IKEv2 daemon?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:5001
+msgid ""
+"The charon daemon must be running to support version 2 of the Internet Key "
+"Exchange protocol."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid "Use an X.509 certificate for this host?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"An X.509 certificate for this host can be automatically created or imported. "
+"It can be used to authenticate IPsec connections to other hosts and is the "
+"preferred way of building up secure IPsec connections. The other possibility "
+"would be to use shared secrets (passwords that are the same on both sides of "
+"the tunnel) for authenticating a connection, but for a larger number of "
+"connections, key based authentication is easier to administer and more "
+"secure."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:6001
+msgid ""
+"Alternatively you can reject this option and later use the command \"dpkg-"
+"reconfigure strongswan\" to come back."
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "create"
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../strongswan-starter.templates:7001
+msgid "import"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid "Methods for using a X.509 certificate to authenticate this host:"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"It is possible to create a new X.509 certificate with user-defined settings "
+"or to import an existing public and private key stored in PEM file(s) for "
+"authenticating IPsec connections."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../strongswan-starter.templates:7002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid "File name of your PEM format X.509 certificate:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:8001
+msgid ""
+"Please enter the location of the file containing your X.509 certificate in "
+"PEM format."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+msgid "File name of your PEM format X.509 private key:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:9001
+msgid ""
+"Please enter the location of the file containing the private RSA key "
+"matching your X.509 certificate in PEM format. This can be the same file "
+"that contains the X.509 certificate."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid "File name of your PEM format X.509 RootCA:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:10001
+msgid ""
+"Optionally you can now enter the location of the file containing the X.509 "
+"Certificate Authority root used to sign your certificate in PEM format. If "
+"you do not have one or do not want to use it please leave the field empty. "
+"Please note that it's not possible to store the RootCA in the same file as "
+"your X.509 certificate or private key."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid "Please enter which length the created RSA key should have:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:11001
+msgid ""
+"Please enter the length of the created RSA key. It should not be less than "
+"1024 bits because this should be considered unsecure and you will probably "
+"not need anything more than 4096 bits because it only slows the "
+"authentication process down and is not needed at the moment."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid "Create a self-signed X.509 certificate?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"Only self-signed X.509 certificates can be created automatically, because "
+"otherwise a Certificate Authority is needed to sign the certificate request. "
+"If you choose to create a self-signed certificate, you can use it "
+"immediately to connect to other IPsec hosts that support X.509 certificate "
+"for authentication of IPsec connections. However, using strongSwan's PKI "
+"features requires all certificates to be signed by a single Certificate "
+"Authority to create a trust path."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:12001
+msgid ""
+"If you do not choose to create a self-signed certificate, only the RSA "
+"private key and the certificate request will be created, and you will have "
+"to sign the certificate request with your Certificate Authority."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid "Country code for the X.509 certificate request:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"Please enter the two-letter code for the country the server resides in (such "
+"as \"AT\" for Austria)."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:13001
+msgid ""
+"OpenSSL will refuse to generate a certificate unless this is a valid "
+"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
+"certificate, but not here."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+msgid "State or province name for the X.509 certificate request:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:14001
+msgid ""
+"Please enter the full name of the state or province the server resides in "
+"(such as \"Upper Austria\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+msgid "Locality name for the X.509 certificate request:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:15001
+msgid ""
+"Please enter the locality the server resides in (often a city, such as "
+"\"Vienna\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+msgid "Organization name for the X.509 certificate request:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:16001
+msgid ""
+"Please enter the organization the server belongs to (such as \"Debian\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+msgid "Organizational unit for the X.509 certificate request:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:17001
+msgid ""
+"Please enter the organizational unit the server belongs to (such as "
+"\"security group\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+msgid "Common Name for the X.509 certificate request:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:18001
+msgid ""
+"Please enter the Common Name for this host (such as \"gateway.example.org\")."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+msgid "Email address for the X.509 certificate request:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../strongswan-starter.templates:19001
+msgid ""
+"Please enter the email address of the person or organization responsible for "
+"the X.509 certificate."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid "Enable opportunistic encryption?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"This version of strongSwan supports opportunistic encryption (OE), which "
+"stores IPSec authentication information in DNS records. Until this is widely "
+"deployed, activating it will cause a significant delay for every new "
+"outgoing connection."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../strongswan-starter.templates:20001
+msgid ""
+"You should only enable opportunistic encryption if you are sure you want it. "
+"It may break the Internet connection (default route) as the pluto daemon "
+"starts."
+msgstr ""
diff --git a/debian/po/vi.po b/debian/po/vi.po
new file mode 100644
index 000000000..180377b5f
--- /dev/null
+++ b/debian/po/vi.po
@@ -0,0 +1,458 @@ +# Vietnamese translation for StrongSwan. +# Copyright © 2010 Free Software Foundation, Inc. +# Clytie Siddall <clytie@riverland.net.au>, 2005-2010. +# +msgid "" +msgstr "" +"Project-Id-Version: strongswan 4.4.0-1\n" +"Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" +"POT-Creation-Date: 2010-08-16 14:23+0200\n" +"PO-Revision-Date: 2010-10-03 19:22+1030\n" +"Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n" +"Language-Team: Vietnamese <vi-VN@googlegroups.com>\n" +"Language: vi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Generator: LocFactoryEditor 1.8\n" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "Old runlevel management superseded" +msgstr "Quản lý cấp chạy cÅ© đã được thay thế" + +#. Type: note +#. Description +#: ../strongswan-starter.templates:2001 +msgid "" +"Previous versions of the strongSwan package gave a choice between three " +"different Start/Stop-Levels. Due to changes in the standard system startup " +"procedure, this is no longer necessary or useful. For all new installations " +"as well as old ones running in any of the predefined modes, sane default " +"levels will now be set. If you are upgrading from a previous version and " +"changed your strongSwan startup parameters, then please take a look at NEWS." +"Debian for instructions on how to modify your setup accordingly." +msgstr "" +"Các phiên bản trÆ°á»›c của gói strongSwan đã cho phép chá»n trong ba cấp Chạy/" +"Dừng. Do thay đổi trong thủ tục khởi chạy tiêu chuẩn, không còn có thể là m " +"nhÆ° thế, nó cÅ©ng không còn có Ãch. Cho má»i bản cà i đặt má»›i, cÅ©ng nhÆ° bản cà i " +"đặt cÅ© nà o Ä‘ang chạy trong má»™t của những chế Ä‘á»™ xác định sẵn nà y, má»™t cấp " +"mặc định thÃch hợp sắp được láºp. 
Nếu bạn Ä‘ang nâng cấp từ má»™t phiên bản " +"trÆ°á»›c và đã sá»a đổi tham số khởi chạy nà o của strongSwan, hãy xem táºp tin " +"tin tức « NEWS.Debian » để tìm hÆ°á»›ng dẫn vá» cách sá»a đổi thiết láºp cho phù " +"hợp." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "Restart strongSwan now?" +msgstr "Khởi chạy lại strongSwan ngay bây giá» ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:3001 +msgid "" +"Restarting strongSwan is recommended, since if there is a security fix, it " +"will not be applied until the daemon restarts. Most people expect the daemon " +"to restart, so this is generally a good idea. However, this might take down " +"existing connections and then bring them back up, so if you are using such a " +"strongSwan tunnel to connect for this update, restarting is not recommended." +msgstr "" +"Khuyên bạn khởi chạy lại strongSwan, vì sá»± sá»a chữa bảo máºt nà o không phải " +"được áp dụng đến khi trình ná»n khởi chạy. Phần lá»›n các ngÆ°á»i trông đợi trình " +"ná»n khởi chạy thì nói chung nó là má»™t ý kiến tốt. Tuy nhiên nó có thể tắt " +"rồi báºt lại kết nối đã có, vì thế nếu bạn Ä‘ang sá» dụng (v.d.) má»™t Ä‘Æ°á»ng hầm " +"strongSwan để kết nối đến bản cáºp nháºt nà y, không nên khởi chạy lại và o lúc " +"nà y." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "Start strongSwan's IKEv1 daemon?" +msgstr "Khởi chạy trình ná»n IKEv1 của strongSwan ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:4001 +msgid "" +"The pluto daemon must be running to support version 1 of the Internet Key " +"Exchange protocol." +msgstr "" +"Äồng thá»i cÅ©ng cần phải chạy trình ná»n pluto, để há»— trợ phiên bản 1 của giao " +"thức Trao Äổi Khoá Internet (IKE)." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "Start strongSwan's IKEv2 daemon?" +msgstr "Khởi chạy trình ná»n IKEv2 của strongSwan ?" + +#. 
Type: boolean +#. Description +#: ../strongswan-starter.templates:5001 +msgid "" +"The charon daemon must be running to support version 2 of the Internet Key " +"Exchange protocol." +msgstr "" +"Äồng thá»i cÅ©ng cần phải chạy trình ná»n charon, để há»— trợ phiên bản 2 của " +"giao thức Trao Äổi Khoá Internet (IKE)." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "Use an X.509 certificate for this host?" +msgstr "Dùng chứng nháºn X.509 cho máy nà y ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"An X.509 certificate for this host can be automatically created or imported. " +"It can be used to authenticate IPsec connections to other hosts and is the " +"preferred way of building up secure IPsec connections. The other possibility " +"would be to use shared secrets (passwords that are the same on both sides of " +"the tunnel) for authenticating a connection, but for a larger number of " +"connections, key based authentication is easier to administer and more " +"secure." +msgstr "" +"Má»™t chứng nháºn X.509 có thể được tá»± Ä‘á»™ng tạo hoặc nháºp cho máy nà y. Chứng " +"nháºn nà y có thể được sá» dụng để xác thá»±c kết nối IPsec đến máy khác: nó là " +"phÆ°Æ¡ng pháp Æ°a thÃch để xây dá»±ng kết nối IPsec bảo máºt. Tuỳ chá»n khác là sá» " +"dụng Ä‘iá»u bà máºt chia sẻ (cùng má»™t máºt khẩu ở hai bên Ä‘Æ°á»ng hầm) để xác thá»±c " +"kết nối, nhÆ°ng mà cho nhiá»u kết nối dá»… hÆ¡n quản lý sá»± xác thức dá»±a và o khoá, " +"và phÆ°Æ¡ng pháp nà y bảo máºt hÆ¡n." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:6001 +msgid "" +"Alternatively you can reject this option and later use the command \"dpkg-" +"reconfigure strongswan\" to come back." +msgstr "" +"Hoặc bạn có thể từ chối tuỳ chá»n nà y, và chạy câu lệnh « dpkg-reconfigure " +"strongswan » vá» sau để trở vá» tiến trình cấu hình nà y." + +#. Type: select +#. 
Choices +#: ../strongswan-starter.templates:7001 +msgid "create" +msgstr "tạo" + +#. Type: select +#. Choices +#: ../strongswan-starter.templates:7001 +msgid "import" +msgstr "nháºp" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "Methods for using a X.509 certificate to authenticate this host:" +msgstr "PhÆ°Æ¡ng pháp sá» dụng chứng nháºn X.509 để xác thá»±c máy nà y:" + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"It is possible to create a new X.509 certificate with user-defined settings " +"or to import an existing public and private key stored in PEM file(s) for " +"authenticating IPsec connections." +msgstr "" +"Có thể tạo má»™t chứng nháºn X.509 má»›i vá»›i thiết láºp được ngÆ°á»i dùng xác định, " +"hoặc có thể nháºp má»™t cặp khoá (công và riêng) đã có theo táºp tin PEM, để xác " +"thá»±c kết nối IPsec." + +#. Type: select +#. Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you choose to create a new X.509 certificate you will first be asked a " +"number of questions which must be answered before the creation can start. " +"Please keep in mind that if you want the public key to get signed by an " +"existing Certificate Authority you should not select to create a self-signed " +"certificate and all the answers given must match exactly the requirements of " +"the CA, otherwise the certificate request may be rejected." +msgstr "" +"Nếu bạn chá»n tạo má»™t chứng nháºn X.509 má»›i thì đầu tiên bạn được há»i má»™t số " +"câu bắt buá»™c phải trả lá»i trÆ°á»›c khi có thể bắt đầu tạo chứng nháºn. Ghi nhá»› " +"rằng nếu bạn muốn có khoá công được ký bởi má»™t CA (nhà cầm quyá»n cấp chứng " +"nháºn) đã tồn tại, bạn không nên chá»n tạo má»™t chứng nháºn tá»± ký, và tất cả các " +"đáp ứng bạn là m phải tÆ°Æ¡ng ứng chÃnh xác vá»›i yêu cầu của CA, không thì yêu " +"cầu chứng nháºn có thể bị từ chối." + +#. Type: select +#. 
Description +#: ../strongswan-starter.templates:7002 +msgid "" +"If you want to import an existing public and private key you will be " +"prompted for their filenames (which may be identical if both parts are " +"stored together in one file). Optionally you may also specify a filename " +"where the public key(s) of the Certificate Authority are kept, but this file " +"cannot be the same as the former ones. Please also be aware that the format " +"for the X.509 certificates has to be PEM and that the private key must not " +"be encrypted or the import procedure will fail." +msgstr "" +"Nếu bạn muốn nháºp má»™t cặp khoá công và riêng đã có, bạn sẽ được nhắc nháºp " +"(các) tên táºp tin (mà có thể là trùng nếu cả hai khoá được giữ trong cùng " +"má»™t táºp tin). Tuỳ chá»n bạn cÅ©ng có thể ghi rõ má»™t tên táºp tin chứa (các) " +"khoá công của CA, nhÆ°ng mà táºp tin nà y phải khác vá»›i táºp tin nháºp trÆ°á»›c. " +"CÅ©ng ghi nhá»› rằng định dạng của chứng nháºn X.509 phải là PEM, và khoá riêng " +"không thể được máºt mã, không thì tiến trình nháºp không thà nh công." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "File name of your PEM format X.509 certificate:" +msgstr "Tên táºp tin của chứng nháºn X.509 dạng PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:8001 +msgid "" +"Please enter the location of the file containing your X.509 certificate in " +"PEM format." +msgstr "Hãy nháºp vị trà của táºp tin chứa chứng nháºn X.509 dạng PEM của bạn." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "File name of your PEM format X.509 private key:" +msgstr "Tên táºp tin cỳa khoá riêng X.509 dạng PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:9001 +msgid "" +"Please enter the location of the file containing the private RSA key " +"matching your X.509 certificate in PEM format. This can be the same file " +"that contains the X.509 certificate." 
+msgstr "" +"Hãy nháºp vị trà của táºp tin chứa khoá RSA riêng tÆ°Æ¡ng ứng vá»›i chứng nháºn " +"X.509, cả hai theo định dạng PEM. (Äây có thể là cùng má»™t táºp tin vá»›i táºp " +"tin chứa chứng nháºn X.509.)" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "File name of your PEM format X.509 RootCA:" +msgstr "Tên táºp tin của RootCA X.509 dạng PEM:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:10001 +msgid "" +"Optionally you can now enter the location of the file containing the X.509 " +"Certificate Authority root used to sign your certificate in PEM format. If " +"you do not have one or do not want to use it please leave the field empty. " +"Please note that it's not possible to store the RootCA in the same file as " +"your X.509 certificate or private key." +msgstr "" +"Tuỳ chá»n bạn bây giá» có thể nháºp vị trà của táºp tin chứa gốc nhà cầm quyá»n " +"cấp chứng nháºn X.509 được dùng để ký chứng nháºn theo định dạng PEM của bạn. " +"Không có hoặc không muốn sá» dụng nó thì bá» trống trÆ°á»ng nà y. Ghi chú rằng " +"không thể giữ RootCA trong cùng má»™t táºp tin vá»›i chứng nháºn X.509 hoặc khoá " +"riêng của bạn." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "Please enter which length the created RSA key should have:" +msgstr "Gõ chiá»u dà i dá»± định của khoá RSA cần tạo :" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:11001 +msgid "" +"Please enter the length of the created RSA key. It should not be less than " +"1024 bits because this should be considered unsecure and you will probably " +"not need anything more than 4096 bits because it only slows the " +"authentication process down and is not needed at the moment." +msgstr "" +"Hãy nháºp chiá»u dà i của khoá RSA cần tạo. Ãt hÆ¡n 1024 bit được thấy là không " +"an toà n, và lá»›n hÆ¡n 4096 bit chỉ là m cháºm tiến trình xác thá»±c và chÆ°a cần " +"thiết." + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:12001 +msgid "Create a self-signed X.509 certificate?" +msgstr "Tạo má»™t chứng nháºn X.509 tá»± ký ?" + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"Only self-signed X.509 certificates can be created automatically, because " +"otherwise a Certificate Authority is needed to sign the certificate request. " +"If you choose to create a self-signed certificate, you can use it " +"immediately to connect to other IPsec hosts that support X.509 certificate " +"for authentication of IPsec connections. However, using strongSwan's PKI " +"features requires all certificates to be signed by a single Certificate " +"Authority to create a trust path." +msgstr "" +"Chỉ chứng nháºn X.509 tá»± ký có thể được tá»± Ä‘á»™ng tạo, vì bằng cách khác má»™t CA " +"cần thiết để ký yêu cầu chứng nháºn. Nếu bạn chá»n tạo má»™t chứng nháºn tá»± ký, " +"bạn có thể sá» dụng nó ngay láºp tức để kết nối tá»›i máy IPsec khác có há»— trợ " +"chứng nháºn X.509 để xác thá»±c kết nối IPsec. Tuy nhiên, tÃnh năng PKI của " +"strongSwan yêu cầu tất cả các chứng nháºn được ký bởi cùng má»™t CA, để tạo má»™t " +"Ä‘Æ°á»ng dẫn tin cáºy." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:12001 +msgid "" +"If you do not choose to create a self-signed certificate, only the RSA " +"private key and the certificate request will be created, and you will have " +"to sign the certificate request with your Certificate Authority." +msgstr "" +"Nếu bạn không chá»n tạo má»™t chứng nháºn tá»± ký thì chỉ khoá riêng RSA và yêu " +"cầu chứng nháºn sẽ được tạo, và bạn cần phải ký yêu cầu chứng nháºn bằng CA." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "Country code for the X.509 certificate request:" +msgstr "Mã quốc gia cho yêu cầu chứng nháºn X.509:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:13001 +msgid "" +"Please enter the two-letter code for the country the server resides in (such " +"as \"AT\" for Austria)." +msgstr "" +"Hãy nháºp mã hai chữ cho quốc gia chứa máy phục vụ (v.d. « VI » cho Việt Nam)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:13001 +msgid "" +"OpenSSL will refuse to generate a certificate unless this is a valid " +"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 " +"certificate, but not here." +msgstr "" +"Không có mã quốc gia ISO-3166 đúng thì OpenSSL từ chối tạo chứng nháºn. Có " +"thể bá» trống trÆ°á»ng ở má»™t số nÆ¡i khác trong chứng nháºn X.509 mà không phải ở " +"đây." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "State or province name for the X.509 certificate request:" +msgstr "Tên của bảng hay tỉnh cho yêu cầu chứng nháºn X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:14001 +msgid "" +"Please enter the full name of the state or province the server resides in " +"(such as \"Upper Austria\")." +msgstr "" +"Hãy nháºp tên đầy đủ của bang hay tỉnh chứa máy phục vụ (v.d. « Nghệ An »)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "Locality name for the X.509 certificate request:" +msgstr "Tên vùng cho yêu cầu chứng nháºn X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:15001 +msgid "" +"Please enter the locality the server resides in (often a city, such as " +"\"Vienna\")." +msgstr "" +"Hãy nháºp vùng chứa máy phục vụ (thÆ°á»ng là má»™t thà nh phố, v.d. « Nhà Trắng »)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:16001 +msgid "Organization name for the X.509 certificate request:" +msgstr "Tên tổ chức cho yêu cầu chứng nháºn X.509:" + +#. Type: string +#. 
Description +#: ../strongswan-starter.templates:16001 +msgid "" +"Please enter the organization the server belongs to (such as \"Debian\")." +msgstr "" +"Hãy nháºp tổ chức sở hữu máy phục vụ (v.d. « Debian » hoặc « Dá»± án MOST »)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "Organizational unit for the X.509 certificate request:" +msgstr "Tên Ä‘Æ¡n vị tổ chức cho yêu cầu chứng nháºn X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:17001 +msgid "" +"Please enter the organizational unit the server belongs to (such as " +"\"security group\")." +msgstr "" +"Hãy nháºp tên Ä‘Æ¡n vị của tổ chức sở hữu máy phục vụ (v.d. « nhóm địa phÆ°Æ¡ng " +"hoá »)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "Common Name for the X.509 certificate request:" +msgstr "Tên chung cho yêu cầu chứng nháºn X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:18001 +msgid "" +"Please enter the Common Name for this host (such as \"gateway.example.org\")." +msgstr "Hãy nháºp Tên Chung cho máy nà y (v.d. « cổng_ra.vị_dụ.org »)." + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "Email address for the X.509 certificate request:" +msgstr "Äịa chỉ thÆ° cho yêu cầu chứng nháºn X.509:" + +#. Type: string +#. Description +#: ../strongswan-starter.templates:19001 +msgid "" +"Please enter the email address of the person or organization responsible for " +"the X.509 certificate." +msgstr "" +"Hãy nháºp địa chỉ thÆ° Ä‘iện tá» của ngÆ°á»i hoặc tổ chức chịu trách nhiệm vá» yêu " +"cầu chứng nháºn nà y." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "Enable opportunistic encryption?" +msgstr "Báºt máºt mã cÆ¡ há»™i chủ nghÄ©a ?" + +#. Type: boolean +#. 
Description +#: ../strongswan-starter.templates:20001 +msgid "" +"This version of strongSwan supports opportunistic encryption (OE), which " +"stores IPSec authentication information in DNS records. Until this is widely " +"deployed, activating it will cause a significant delay for every new " +"outgoing connection." +msgstr "" +"Phiên bản strongSwan nà y há»— trợ máºt mã cÆ¡ há»™i chủ nghÄ©a (OE) mà cất giữ " +"thông tin xác thá»±c IPSec trong mục ghi DNS. Chức năng nà y chÆ°a phổ biến thì " +"vẫn còn là m trá»… má»—i kết nối má»›i gá»i Ä‘i." + +#. Type: boolean +#. Description +#: ../strongswan-starter.templates:20001 +msgid "" +"You should only enable opportunistic encryption if you are sure you want it. " +"It may break the Internet connection (default route) as the pluto daemon " +"starts." +msgstr "" +"ChÆ°a chắc thì không nên hiệu lá»±c chức năng máºt mã cÆ¡ há»™i chủ nghÄ©a. Nó cÅ©ng " +"có thể đóng kết nối Internet (Ä‘Æ°á»ng dẫn mặc định) do trình ná»n pluto khởi " +"chạy." diff --git a/debian/rules b/debian/rules new file mode 100755 index 000000000..e3eb7b5c8 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,182 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# GNU copyright 1997 to 1999 by Joey Hess. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +export DH_OPTIONS + +# this is a security-critical package, set all the options we can +export DEB_BUILD_HARDENING=1 + +CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ + --libexecdir=/usr/lib \ + --enable-ldap --enable-curl \ + --with-capabilities=libcap \ + --enable-smartcard --enable-pkcs11 \ + --with-default-pkcs11=/usr/lib/opensc-pkcs11.so \ + --enable-mediation --enable-medsrv --enable-medcli \ + --enable-openssl --enable-agent \ + --enable-ctr --enable-ccm --enable-gcm --enable-addrblock \ + --enable-eap-radius --enable-eap-identity --enable-eap-md5 \ + --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \ + --enable-eap-tls --enable-eap-ttls --enable-eap-tnc \ + --enable-sql --enable-integrity-test \ + --enable-ha --enable-dhcp --enable-farp \ + --enable-led \ + --enable-test-vectors --enable-nat-transport + # --with-user=strongswan --with-group=nogroup \ + # --enable-kernel-pfkey --enable-kernel-klips \ + # And for --enable-eap-sim we would need the library, which we don't + # have right now. + # Don't --enable-cisco-quirks, because some other IPsec implementations + # (most notably the Phion one) have problems connecting when pluto + # sends these Cisco options. 
+ +DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU) + +ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O2 +endif +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif +# the padlock plugin only makes sense on i386 +# but it actually doesn't do much, so maybe we don't need it +ifeq ($(DEB_BUILD_ARCH_CPU),i386) + CONFIGUREARGS += --enable-padlock +endif + +# And only enable network-manager building if the libraries are present +# (they will be when the build-deps are fulfilled, but this makes it easier +# to do backports where the network-manager libs can not be installed, and +# thus to just ignore build-deps). +ifeq ($(shell test -d /usr/include/libnm-glib/ && echo yes),yes) + CONFIGUREARS += --enable-nm +endif + +build: build-stamp +build-stamp: + dh_testdir + ./configure $(CONFIGUREARGS) + $(MAKE) CC="$(CC)" CFLAGS="$(CFLAGS)" + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + + [ ! -f Makefile ] || $(MAKE) distclean + #-$(MAKE) -C programs/fswcert/ clean + # after a make clean, no binaries _should_ be left, but .... 
+ -find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm + + # Really clean (#356716) + # This is a hack: should be better implemented + rm -f lib/libstrongswan/libstrongswan.a || true + rm -f lib/libstrongswan/liboswlog.a || true + + # just in case something went wrong + rm -f $(CURDIR)/debian/ipsec.secrets + + # and make sure that template are up-to-date + debconf-updatepo + + dh_clean + +install: build-stamp + dh_testdir + dh_testroot + dh_installdirs + $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp + + # install files from debian/tmp into proper package dirs + dh_install --list-missing + # special handling for padlock, as it is only built on i386 +ifeq ($(DEB_BUILD_ARCH_CPU),i386) + install $(CURDIR)/debian/tmp/usr/lib/ipsec/plugins/libstrongswan-padlock.so* $(CURDIR)/debian/libstrongswan/usr/lib/ipsec/plugins/ +endif + # and special handling for network-manager files - only install when build + install -d $(CURDIR)/debian/tmp/usr/lib/ipsec/plugins/libstrongswan-nm.so* $(CURDIR)/debian/strongswan-nm/usr/lib/ipsec/plugins/ + + # and additional files not covered by upstream makefile... 
+ install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets + # also "patch" ipsec.conf to include the debconf-managed file + echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf + echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf + # and to enable both IKEv1 and IKEv2 by default + sed -r 's/^[ \t]+# *plutostart=(yes|no) */\tplutostart=yes/;s/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp + mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf + # set permissions on ipsec.secrets + chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets + #chmod 644 $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf + chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/ + # don't know why they come with +x set by default... + #chmod 644 $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/policies/* + #chmod 644 $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/examples/* + + # this is handled by update-rc.d + rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d + + # delete var/lock/subsys and var/run to satisfy lintian + rm -rf $(CURDIR)/debian/openswan/var/lock + rm -rf $(CURDIR)/debian/openswan/var/run + + dh_installdocs -pstrongswan -n + # change the paths in the installed doc files (but only in regular + # files, not in links to the outside of the build tree !) + # TODO: check if we still need this + ( cd $(CURDIR)/debian/strongswan/; \ + for f in `grep "/usr/local/" --recursive --files-with-match *`; \ + do \ + if [ -f $$f -a ! 
-L $$f ]; then \ + cp $$f $$f.old; \ + sed 's/\/usr\/local\//\/usr\//' $$f.old > $$f; \ + rm $$f.old; \ + fi; \ + done ) + + # the logcheck ignore files + install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.paranoid $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.paranoid/strongswan + install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.server/strongswan + install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.workstation/strongswan + install -D --mode=0600 $(CURDIR)/debian/logcheck.violations.ignore $(CURDIR)/debian/libstrongswan/etc/logcheck/violations.ignore.d/strongswan + + # more lintian cleanups + find $(CURDIR)/debian/*strongswan*/ -name ".cvsignore" | xargs --no-run-if-empty rm -f + find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf + +binary-common: + dh_testdir + dh_testroot + dh_installdirs + dh_installinit --name=ipsec + dh_installdebconf + dh_installchangelogs NEWS + dh_installdocs README + dh_link + dh_strip --dbg-package=strongswan-dbg + dh_compress + dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d + dh_lintian + dh_makeshlibs + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary-indep: + $(MAKE) -f debian/rules binary-common DH_OPTIONS=-i + +binary-arch: install + $(MAKE) -f debian/rules binary-common DH_OPTIONS=-a + +binary-%: build-stamp install + make -f debian/rules binary-common DH_OPTIONS=-p$* + +binary: binary-indep binary-arch +.PHONY: clean binary-indep binary-arch diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 000000000..163aaf8d8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/strongswan-ikev1.install b/debian/strongswan-ikev1.install new file mode 100644 index 000000000..8d4a824ca --- /dev/null +++ b/debian/strongswan-ikev1.install 
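Review bot: The network-manager plugin is never built or installed because the conditional block appends to a misspelled variable, `CONFIGUREARS += --enable-nm`, which the later `./configure $(CONFIGUREARGS)` never reads, and the follow-up `install -d $(CURDIR)/debian/tmp/usr/lib/ipsec/plugins/libstrongswan-nm.so* ...` creates directories named after the glob instead of copying a shared object. Change it to `CONFIGUREARGS += --enable-nm` and use plain `install` (the same form as the padlock line above it), wrapped in the same `ifeq` so the copy only runs when the plugin was actually configured. The `rm -rf $(CURDIR)/debian/openswan/var/lock` and `rm -rf $(CURDIR)/debian/openswan/var/run` lines point at an openswan package directory this build does not create, so they are no-ops; if the intent is to drop those directories from strongswan-starter the path should say `debian/strongswan-starter`. The private-key directory is tightened with `chmod 700 -R` but nothing here restricts `/var/lib/strongswan`, which the generated `ipsec.conf` now includes via `include /var/lib/strongswan/ipsec.conf.inc`; consider a matching `chmod 700` there since the postinst writes secrets-related include files into it.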
@@ -0,0 +1,4 @@ +usr/lib/ipsec/pluto usr/lib/ipsec/ +usr/lib/ipsec/_pluto_adns usr/lib/ipsec/ +usr/lib/ipsec/whack usr/lib/ipsec/ +usr/share/man/man8/pluto.8 usr/share/man/man8/ diff --git a/debian/strongswan-ikev2.install b/debian/strongswan-ikev2.install new file mode 100644 index 000000000..5bf3cdd1b --- /dev/null +++ b/debian/strongswan-ikev2.install @@ -0,0 +1,11 @@ +usr/lib/libcharon.so* usr/lib/ +usr/lib/ipsec/charon usr/lib/ipsec/ +usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-socket*.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-eap*.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-agent.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-curl.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-ldap.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-medsrv.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-medcli.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/plugins/libstrongswan-attr*.so* usr/lib/ipsec/plugins/ diff --git a/debian/strongswan-starter.config b/debian/strongswan-starter.config new file mode 100644 index 000000000..cb9de0964 --- /dev/null +++ b/debian/strongswan-starter.config 
@@ -0,0 +1,46 @@ +#!/bin/sh -e + +. /usr/share/debconf/confmodule + +# disable for now, until we can deal with the don't-edit-conffiles situation +#db_input high strongswan/ikev1 || true +#db_input high strongswan/ikev2 || true + +db_input medium strongswan/restart || true + +db_input high strongswan/enable-oe || true + +db_get strongswan/install_x509_certificate +if [ "$RET" = "true" ]; then + db_input high strongswan/how_to_get_x509_certificate || true + db_go || true + + db_get strongswan/how_to_get_x509_certificate + if [ "$RET" = "create" ]; then + # create a new certificate + db_input medium strongswan/rsa_key_length || true + db_input high strongswan/x509_self_signed || true + # we can't allow the country code to be empty - openssl will + # refuse to create a certificate this way + countrycode="" + while [ -z "$countrycode" ]; do + db_input medium strongswan/x509_country_code || true + db_go || true + db_get strongswan/x509_country_code + countrycode="$RET" + done + db_input medium strongswan/x509_state_name || true + db_input medium strongswan/x509_locality_name || true + db_input medium strongswan/x509_organization_name || true + db_input medium strongswan/x509_organizational_unit || true + db_input medium strongswan/x509_common_name || true + db_input medium strongswan/x509_email_address || true + db_go || true + elif [ "$RET" = "import" ]; then + # existing certificate - use it + db_input critical strongswan/existing_x509_certificate_filename || true + db_input critical strongswan/existing_x509_key_filename || true + db_input critical strongswan/existing_x509_rootca_filename || true + db_go || true + fi +fi diff --git a/debian/strongswan-starter.dirs b/debian/strongswan-starter.dirs new file mode 100644 index 000000000..ca35d4a43 --- /dev/null +++ b/debian/strongswan-starter.dirs 
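Review bot: The `while [ -z "$countrycode" ]` loop in the create branch cannot terminate when the question goes unanswered: `db_input ... || true` swallows the non-zero status debconf returns for a noninteractive frontend or an already-seen question, so `db_get` keeps returning an empty string and the config script spins forever, hanging the package install. Bound the loop with `db_input medium strongswan/x509_country_code || break` and `db_go || break`, and reset the seen flag with `db_fset strongswan/x509_country_code seen false` before re-asking so an interactive user is actually prompted again rather than skipped. The postinst already substitutes `.` for an empty country code, which presumably leaves the subject field blank in the openssl req prompt sequence, so the premise that an empty value must be refused here may not hold; verify against the make_x509_cert invocation before keeping the loop at all.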
@@ -0,0 +1,10 @@ +/etc +/etc/ipsec.d +/etc/ipsec.d/cacerts +/etc/ipsec.d/ocspcerts +/etc/ipsec.d/crls +/etc/ipsec.d/private +/etc/ipsec.d/policies +/etc/init.d +/var/lock/subsys +/var/lib/strongswan diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install new file mode 100644 index 000000000..84bb69868 --- /dev/null +++ b/debian/strongswan-starter.install @@ -0,0 +1,27 @@ +# starter +usr/lib/ipsec/starter usr/lib/ipsec/ +usr/lib/ipsec/_copyright usr/lib/ipsec/ +usr/sbin/ipsec usr/sbin/ +etc/ipsec.d etc/ +etc/ipsec.conf etc/ +usr/share/man/man8/ipsec.8 usr/share/man/man8/ +usr/share/man/man8/_copyright.8 usr/share/man/man8/ +usr/share/man/man8/starter.8 usr/share/man/man8/ +usr/share/man/man5/ipsec.conf.5 usr/share/man/man5/ +usr/share/man/man5/ipsec.secrets.5 usr/share/man/man5/ +# updown +usr/lib/ipsec/plugins/libstrongswan-updown.so* usr/lib/ipsec/plugins/ +usr/lib/ipsec/_updown usr/lib/ipsec/ +usr/lib/ipsec/_updown_espmark usr/lib/ipsec/ +usr/share/man/man8/_updown.8 usr/share/man/man8/ +usr/share/man/man8/_updown_espmark.8 usr/share/man/man8/ +# tools +usr/lib/ipsec/scepclient usr/lib/ipsec/ +usr/lib/ipsec/openac usr/lib/ipsec/ +usr/lib/ipsec/pki usr/lib/ipsec/ +usr/lib/ipsec/pool usr/lib/ipsec/ +usr/share/man/man8/scepclient.8 usr/share/man/man8/ +usr/share/man/man8/openac.8 usr/share/man/man8/ +# stroke +usr/lib/ipsec/stroke usr/lib/ipsec/ +usr/lib/ipsec/plugins/libstrongswan-stroke.so* usr/lib/ipsec/plugins/ diff --git a/debian/strongswan-starter.ipsec.init b/debian/strongswan-starter.ipsec.init new file mode 100644 index 000000000..484a4e0b3 --- /dev/null +++ b/debian/strongswan-starter.ipsec.init 
@@ -0,0 +1,164 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: vpn +# Required-Start: $network $local_fs +# Required-Stop: $network $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Strongswan IPsec services +### END INIT INFO + +# Author: Rene Mayrhofer <rene@mayrhofer.eu.org> + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="strongswan IPsec services" +NAME=ipsec +STARTER=/usr/sbin/$NAME +PIDFILE1=/var/run/pluto.pid +PIDFILE2=/var/run/charon.pid +PLUTO=/usr/lib/ipsec/pluto +CHARON=/usr/lib/ipsec/charon +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$STARTER" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + + # test if either charon or pluto are currently running (PIDFILE1 or PIDFILE2) + if [ -e $PLUTO ]; then + start-stop-daemon --start --quiet --pidfile $PIDFILE1 --exec $STARTER --test > /dev/null \ + || return 1 + fi + if [ -e $CHARON ]; then + start-stop-daemon --start --quiet --pidfile $PIDFILE2 --exec $STARTER --test > /dev/null \ + || return 1 + fi + + $STARTER start || return 2 +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + # give the proper signal to stop + $STARTER stop || return 2 + + RETVAL=0 + # but kill if that didn't work + if [ -e $PIDFILE1 ]; then + start-stop-daemon --stop --quiet 
--retry=TERM/30/KILL/5 --pidfile $PIDFILE1 --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + fi + if [ -e $PIDFILE2 ]; then + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE2 --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + fi + + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + if [ -e $PLUTO ]; then + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $PLUTO + [ "$?" = 2 ] && return 2 + fi + if [ -e $CHARON ]; then + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $CHARON + [ "$?" = 2 ] && return 2 + fi + + # strongswan is known to leave PID files behind when something goes wrong, cleanup here + rm -f $PIDFILE1 $PIDFILE2 + # and just to make sure they are really really dead at this point... + killall -9 $PLUTO 2>/dev/null + killall -9 $CHARON 2>/dev/null + + return "$RETVAL" +} + +do_reload() { + $STARTER reload + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + $STARTER status || exit $? + ;; + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" 
in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/debian/strongswan-starter.lintian-overrides b/debian/strongswan-starter.lintian-overrides new file mode 100644 index 000000000..02731f348 --- /dev/null +++ b/debian/strongswan-starter.lintian-overrides @@ -0,0 +1,4 @@ +# as here private data is stored we need tighter perms here +strongswan-starter: non-standard-dir-perm etc/ipsec.d/private/ 0700 != 0755 +strongswan-starter: non-standard-file-perm etc/ipsec.secrets 0600 != 0644 +strongswan-starter: non-standard-dir-perm var/lib/openswan/ 0700 != 0755 diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst new file mode 100644 index 000000000..32bf86ffc --- /dev/null +++ b/debian/strongswan-starter.postinst 
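Review bot: The pidfile-based stop in do_stop never matches the daemons: `start-stop-daemon --stop --pidfile $PIDFILE1 --name $NAME` requires the process to be named `ipsec`, but the PIDs in pluto.pid and charon.pid belong to `pluto` and `charon`, so the graceful `TERM/30/KILL/5` schedule is skipped and shutdown falls through to the `--exec` calls whose `--retry=0/30/KILL/5` sends signal 0 (a no-op) and then SIGKILL, followed by an unconditional `killall -9`. A hard kill stops the IKE daemons from sending DELETE notifications for their SAs, so peers keep stale tunnels until they time out, and the `killall` also hits any pluto/charon instance not started by this script. Use `--name pluto` / `--name charon` with the respective pidfiles, and change the fallback schedule to `--retry=TERM/30/KILL/5`. The `--exec $STARTER --test` probes in do_start compare the pidfile PID against `/usr/sbin/ipsec`, which is the wrapper rather than the daemon, so the "already running" check likely never fires; confirm against the starter's own pidfile handling.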
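Review bot: The third override targets `var/lib/openswan/`, a path this package does not create; the dirs file makes `/var/lib/strongswan`, and nothing in debian/rules tightens its permissions even though the postinst writes `ipsec.conf.inc` and `ipsec.secrets.inc` there and the shipped ipsec.conf includes the former. Either the override is a leftover from the openswan packaging and should be dropped, or the intent was `strongswan-starter: non-standard-dir-perm var/lib/strongswan/ 0700 != 0755` together with a matching `chmod 700` in the install target so the secrets include file is not world-readable. Since dh_fixperms is only excluded for `etc/ipsec.secrets` and `etc/ipsec.d`, any tightening of `/var/lib/strongswan` also needs an `-X var/lib/strongswan` on that call or it will be reset to 0755.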
@@ -0,0 +1,327 @@ +#! /bin/bash +# postinst script for strongswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the `postinst' is called with `abort-upgrade', +# `abort-remove' or `abort-deconfigure'. + +CONF_FILE=/var/lib/strongswan/ipsec.conf.inc +SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc + +Warn () +{ + echo "$*" >&2 +} + +Error () +{ + Warn "Error: $*" +} + +insert_private_key_filename() { + if ! 
( [ -e $SECRETS_INC_FILE ] && egrep -q ": RSA $1" $SECRETS_INC_FILE ); then + echo ": RSA $1" >> $SECRETS_INC_FILE + fi +} + +make_x509_cert() { + if [ $# -ne 12 ]; then + echo "Error in creating X.509 certificate" + exit 1 + fi + + case $5 in + false) + certreq=$4.req + selfsigned="" + ;; + true) + certreq=$4 + selfsigned="-x509" + ;; + *) + echo "Error in creating X.509 certificate" + exit 1 + ;; + esac + + echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \ + /usr/bin/openssl req -new -outform PEM -out $certreq \ + -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \ + -days $2 $selfsigned >/dev/null +} + +enable_daemon_start() { + daemon=$1 + protocol=$2 + + echo -n "Enabling ${protocol} support by pluto ... " + if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then + echo "already enabled" + elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then + sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp + cp $CONF_FILE.tmp $CONF_FILE + rm $CONF_FILE.tmp + echo "done" + elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then + sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp + cp $CONF_FILE.tmp $CONF_FILE + rm $CONF_FILE.tmp + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo -e "\t${daemon}start=yes" > $CONF_FILE + else + echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" + fi +} + +disable_daemon_start() { + daemon=$1 + protocol=$2 + + echo -n "Disabling ${protocol} support by pluto ... 
" + if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE || + egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then + echo "already disabled" + elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then + sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp + cp $CONF_FILE.tmp $CONF_FILE + rm $CONF_FILE.tmp + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo -e "\t${daemon}start=yes" > $CONF_FILE + else + echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" + fi +} + +setup_strongswan_user() { + if ! getent passwd strongswan >/dev/null; then + adduser --quiet --system --no-create-home --home /var/lib/strongswan --shell /usr/sbin/nologin strongswan + fi +} + +. /usr/share/debconf/confmodule + +case "$1" in + configure) + db_get strongswan/install_x509_certificate + if [ "$RET" = "true" ]; then + db_get strongswan/how_to_get_x509_certificate + if [ "$RET" = "create" ]; then + # extract the key from a (newly created) x509 certificate + host=`hostname` + newkeyfile="/etc/ipsec.d/private/${host}Key.pem" + newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" + if [ -e $newcertfile -o -e $newkeyfile ]; then + Error "$newcertfile or $newkeyfile already exists." + Error "Please remove them first an then re-run dpkg-reconfigure to create a new keypair." 
+ else + # create a new certificate + db_get strongswan/rsa_key_length + keylength=$RET + db_get strongswan/x509_self_signed + selfsigned=$RET + db_get strongswan/x509_country_code + countrycode=$RET + if [ -z "$countrycode" ]; then countrycode="."; fi + db_get strongswan/x509_state_name + statename=$RET + if [ -z "$statename" ]; then statename="."; fi + db_get strongswan/x509_locality_name + localityname=$RET + if [ -z "$localityname" ]; then localityname="."; fi + db_get strongswan/x509_organization_name + orgname=$RET + if [ -z "$orgname" ]; then orgname="."; fi + db_get strongswan/x509_organizational_unit + orgunit=$RET + if [ -z "$orgunit" ]; then orgunit="."; fi + db_get strongswan/x509_common_name + commonname=$RET + if [ -z "$commonname" ]; then commonname="."; fi + db_get strongswan/x509_email_address + email=$RET + if [ -z "$email" ]; then email="."; fi + make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" + chmod 0600 "$newkeyfile" + umask 077 + insert_private_key_filename "$newkeyfile" + echo "Successfully created x509 certificate." + fi + elif [ "$RET" = "import" ]; then + # existing certificate - use it + db_get strongswan/existing_x509_certificate_filename + certfile=$RET + db_get strongswan/existing_x509_key_filename + keyfile=$RET + db_get strongswan/existing_x509_rootca_filename + cafile=$RET + + if [ ! "$certfile" ] || [ ! "$keyfile" ]; then + Error "Either the certificate or the key filename is not specified." + elif ! ( ( [ -f "$certfile" ] || [ -L "$certfile" ] ) && ( [ -f "$keyfile" ] || [ -L "$keyfile" ] ) && ( [ "$cafile" = "" ] || ( [ -f "$cafile" ] || [ -L "$cafile" ] ) ) ); then + Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a regular file or symbolic link." + elif [ ! "`grep 'BEGIN CERTIFICATE' $certfile`" ] || [ ! "`grep 'BEGIN RSA PRIVATE KEY' $keyfile`" ] || ( [ "$cafile" != "" ] && [ ! 
"`grep 'BEGIN CERTIFICATE' $cafile`" ] ); then + Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a valid PEM type file." + elif [ "$cafile" ] && ( [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]); then + Error "The certificate or the key file contains the rootca - unable to import automatically." + elif [ "`grep 'BEGIN CERTIFICATE' $certfile | wc -l`" -gt 1 ]; then + Error "The certificate file contains more than one certificate - unable to import automatically." + elif [ "`grep 'ENCRYPTED' $keyfile`" ]; then + Error "The key file contains an encrypted key - unable to import automatically." + else + newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")" + newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")" + if [ "$cafile" ]; then + newcafile="/etc/ipsec.d/private/$(basename "$cafile")" + else + newcafile="" + fi + + if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || ( [ "$newcafile" != "" ] && [ -e "$newcafile" ] ); then + Error "$newcertfile or $newkeyfile"${newcafile:+ or $newcafile}" already exists." + Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair"${newcafile:+ and a rootca}"." + else + openssl x509 -in $certfile -out $newcertfile 2>/dev/null + umask 077 + openssl rsa -passin pass:"" -in $keyfile -out $newkeyfile 2>/dev/null + chmod 0600 "$newkeyfile" + insert_private_key_filename "$newkeyfile" + cp "$cafile" /etc/ipsec.d/cacerts + echo "Successfully integrated existing x509 certificate." + fi + fi + fi + db_set strongswan/install_x509_certificate false + fi + + # lets see if we are already using dependency based booting or the correct runlevel parameters + if ! 
( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then + db_fset strongswan/runlevel_changes seen false + db_input high strongswan/runlevel_changes || true + db_go + + # if the admin did not change the runlevels which got installed by older packages we can modify them + if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then + update-rc.d -f ipsec remove + fi + + update-rc.d ipsec defaults 16 84 > /dev/null + fi + + db_get strongswan/enable-oe + if [ "$RET" != "true" ]; then + echo -n "Disabling opportunistic encryption (OE) in config file ... " + if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then + # also update to new-style config + sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo -n "converted old config line to new format" + fi + if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then + sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE + else + echo "already disabled" + fi + else + echo -n "Enabling opportunistic encryption (OE) in config file ... 
" + if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then + # also update to new-style config + sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo -n "converted old config line to new format" + fi + if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then + echo "already enabled" + elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then + sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE + else + cat <<EOF >> $CONF_FILE +#Enable Opportunistic Encryption +include /etc/ipsec.d/examples/oe.conf +EOF + echo "done" + fi + fi + + # disabled for now, until we can solve the don't-edit-conffiles issue + #db_get strongswan/ikev1 + #if [ "$RET" != "true" ]; then + # enable_daemon_start "pluto" "IKEv1" + #else + # disable_daemon_start "pluto" "IKEv1" + #fi + #db_get strongswan/ikev2 + #if [ "$RET" != "true" ]; then + # enable_daemon_start "charon" "IKEv2" + #else + # disable_daemon_start "charon" "IKEv2" + #fi + + # create user for strongswan to change its uid into + # disabled until this can be kept in sync with build-time uid + #setup_strongswan_user + + if [ -z "$2" ]; then + # no old configured version - start strongswan now + invoke-rc.d ipsec start || true + else + # does the user wish strongswan to restart? 
+ db_get strongswan/restart + if [ "$RET" = "true" ]; then + invoke-rc.d ipsec restart || true # sure, we'll restart it for you + fi + fi + + db_stop + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument '$1'" >&2 + exit 0 + ;; +esac + +# dh_installdeb will replace this with shell code automatically + +#DEBHELPER# + +exit 0 diff --git a/debian/strongswan-starter.postrm b/debian/strongswan-starter.postrm new file mode 100644 index 000000000..455687a3c --- /dev/null +++ b/debian/strongswan-starter.postrm @@ -0,0 +1,48 @@ +#! /bin/sh +# postrm script for strongswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postrm> `remove' +# * <postrm> `purge' +# * <old-postrm> `upgrade' <new-version> +# * <new-postrm> `failed-upgrade' <old-version> +# * <new-postrm> `abort-install' +# * <new-postrm> `abort-install' <old-version> +# * <new-postrm> `abort-upgrade' <old-version> +# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version> +# for details, see /usr/share/doc/packaging-manual/ + +case "$1" in + purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + + # update the menu system +# if [ -x /usr/bin/update-menus ]; then update-menus; fi + + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 0 + +esac + +if [ "$1" = "purge" ] ; then + update-rc.d ipsec remove >/dev/null + #if which deluser >/dev/null 2>&1; then + # deluser --quiet strongswan > /dev/null || true + #fi + + rm -rf /etc/ipsec.d/ + rm -rf /var/run/pluto/ +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + + diff --git a/debian/strongswan-starter.prerm b/debian/strongswan-starter.prerm new file mode 100644 index 000000000..c1ba063d6 --- /dev/null +++ b/debian/strongswan-starter.prerm 
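Review bot: `insert_private_key_filename` references `$SECRETS_INC_FILE`, which is never assigned (the script defines `SECRETS_FILE`), so under `set -e` the `echo ": RSA $1" >> $SECRETS_INC_FILE` line fails with an ambiguous redirect and the postinst aborts right after the key has been written, leaving a key on disk that is registered nowhere. Rename it to `SECRETS_FILE` (or add `SECRETS_INC_FILE=$SECRETS_FILE`) and quote the path in the `[ -e ... ]` test and the grep. In the create branch `umask 077` is set only after `make_x509_cert` has written the key via `-nodes -keyout`, so the key is created under the default umask and relies on the later `chmod 0600` and the 0700 directory; move `umask 077` above the `make_x509_cert` call, as the import branch already does before `openssl rsa`. In the import branch the unconditional `cp "$cafile" /etc/ipsec.d/cacerts` runs with an empty `$cafile` when no root CA was supplied and errors out under `set -e`; guard it with `[ -n "$cafile" ] && cp "$cafile" /etc/ipsec.d/cacerts`. The `$runlevels` variable compared in the runlevel-migration block is never set anywhere in this script, so those comparisons are always false and the `update-rc.d -f ipsec remove` path is dead.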
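Review bot: On purge this script removes `/etc/ipsec.d/` but leaves `/var/lib/strongswan`, where the postinst writes `ipsec.conf.inc` and, by intent, `ipsec.secrets.inc` containing `: RSA <keyfile>` lines; those include files outlive the package and still name key paths. Add `rm -rf /var/lib/strongswan` to the purge branch next to the existing removals, and keep the `#DEBHELPER#` marker so dh_installdebconf's purge of the debconf answers (which hold certificate subject data and imported-file paths) is still inserted. `rm -rf /etc/ipsec.d/` also destroys admin-imported private keys and CA certificates, not only what this package generated; that is consistent with purge semantics but deserves a comment such as `# purge removes every key and certificate under /etc/ipsec.d, including imported ones`.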
@@ -0,0 +1,40 @@
+#! /bin/sh
+# prerm script for strongswan
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ upgrade)
+ ;;
+ remove|deconfigure)
+ invoke-rc.d ipsec stop || true
+# install-info --quiet --remove /usr/info/strongswan.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
diff --git a/debian/strongswan-starter.templates b/debian/strongswan-starter.templates
new file mode 100644
index 000000000..f36a76388
--- /dev/null
+++ b/debian/strongswan-starter.templates
@@ -0,0 +1,194 @@ +# These templates have been reviewed by the debian-l10n-english +# team +# +# If modifications/additions/rewording are needed, please ask +# debian-l10n-english@lists.debian.org for advice. +# +# Even minor modifications require translation updates and such +# changes should be coordinated with translators and reviewers. + +Template: strongswan/runlevel_changes +Type: note +_Description: Old runlevel management superseded + Previous versions of the strongSwan package gave a choice between + three different Start/Stop-Levels. Due to changes in the standard system + startup procedure, this is no longer necessary or useful. For all new + installations as well as old ones running in any of the predefined modes, + sane default levels will now be set. If you are upgrading from a previous + version and changed your strongSwan startup parameters, then please take a + look at NEWS.Debian for instructions on how to modify your setup accordingly. + +Template: strongswan/restart +Type: boolean +Default: true +_Description: Restart strongSwan now? + Restarting strongSwan is recommended, since if there is a security fix, it + will not be applied until the daemon restarts. Most people expect the daemon + to restart, so this is generally a good idea. However, this might take down + existing connections and then bring them back up, so if you are using such + a strongSwan tunnel to connect for this update, restarting is not recommended. + +Template: strongswan/ikev1 +Type: boolean +Default: true +_Description: Start strongSwan's IKEv1 daemon? + The pluto daemon must be running to support version 1 of the Internet Key + Exchange protocol. + +Template: strongswan/ikev2 +Type: boolean +Default: true +_Description: Start strongSwan's IKEv2 daemon? + The charon daemon must be running to support version 2 of the Internet Key + Exchange protocol. 
+ +Template: strongswan/install_x509_certificate +Type: boolean +Default: false +_Description: Use an X.509 certificate for this host? + An X.509 certificate for this host can be automatically created or imported. + It can be used to authenticate IPsec connections to other hosts + and is the preferred way of building up secure IPsec connections. The other + possibility would be to use shared secrets (passwords that are the same on + both sides of the tunnel) for authenticating a connection, but for a larger + number of connections, key based authentication is easier to administer and + more secure. + . + Alternatively you can reject this option and later use the command + "dpkg-reconfigure strongswan" to come back. + +Template: strongswan/how_to_get_x509_certificate +Type: select +__Choices: create, import +Default: create +_Description: Methods for using a X.509 certificate to authenticate this host: + It is possible to create a new X.509 certificate with user-defined settings + or to import an existing public and private key stored in PEM file(s) for + authenticating IPsec connections. + . + If you choose to create a new X.509 certificate you will first be asked + a number of questions which must be answered before the creation can start. + Please keep in mind that if you want the public key to get signed by + an existing Certificate Authority you should not select to create a + self-signed certificate and all the answers given must match exactly the + requirements of the CA, otherwise the certificate request may be rejected. + . + If you want to import an existing public and private key you will be + prompted for their filenames (which may be identical if both parts are stored + together in one file). Optionally you may also specify a filename where the + public key(s) of the Certificate Authority are kept, but this file cannot + be the same as the former ones. 
Please also be aware that the format for the + X.509 certificates has to be PEM and that the private key must not be encrypted + or the import procedure will fail. + +Template: strongswan/existing_x509_certificate_filename +Type: string +_Description: File name of your PEM format X.509 certificate: + Please enter the location of the file containing your X.509 certificate in + PEM format. + +Template: strongswan/existing_x509_key_filename +Type: string +_Description: File name of your PEM format X.509 private key: + Please enter the location of the file containing the private RSA key + matching your X.509 certificate in PEM format. This can be the same file + that contains the X.509 certificate. + +Template: strongswan/existing_x509_rootca_filename +Type: string +_Description: File name of your PEM format X.509 RootCA: + Optionally you can now enter the location of the file containing the X.509 + Certificate Authority root used to sign your certificate in PEM format. If you + do not have one or do not want to use it please leave the field empty. Please + note that it's not possible to store the RootCA in the same file as your X.509 + certificate or private key. + +Template: strongswan/rsa_key_length +Type: string +Default: 2048 +_Description: Please enter which length the created RSA key should have: + Please enter the length of the created RSA key. It should not be less than + 1024 bits because this should be considered unsecure and you will probably + not need anything more than 4096 bits because it only slows the + authentication process down and is not needed at the moment. + +Template: strongswan/x509_self_signed +Type: boolean +Default: true +_Description: Create a self-signed X.509 certificate? + Only self-signed X.509 certificates can be created + automatically, because otherwise a Certificate Authority is needed to sign + the certificate request. 
If you choose to create a self-signed certificate, + you can use it immediately to connect to other IPsec hosts that support + X.509 certificate for authentication of IPsec connections. However, using + strongSwan's PKI features requires all certificates to be signed by a single + Certificate Authority to create a trust path. + . + If you do not choose to create a self-signed certificate, only the RSA + private key and the certificate request will be created, and you will + have to sign the certificate request with your Certificate Authority. + +Template: strongswan/x509_country_code +Type: string +Default: AT +_Description: Country code for the X.509 certificate request: + Please enter the two-letter code for the country the server resides in + (such as "AT" for Austria). + . + OpenSSL will refuse to generate a certificate unless this is a valid + ISO-3166 country code; an empty field is allowed elsewhere in the X.509 + certificate, but not here. + +Template: strongswan/x509_state_name +Type: string +Default: +_Description: State or province name for the X.509 certificate request: + Please enter the full name of the state or province the server resides in + (such as "Upper Austria"). + +Template: strongswan/x509_locality_name +Type: string +Default: +_Description: Locality name for the X.509 certificate request: + Please enter the locality the server resides in (often a city, such + as "Vienna"). + +Template: strongswan/x509_organization_name +Type: string +Default: +_Description: Organization name for the X.509 certificate request: + Please enter the organization the server belongs to (such as "Debian"). + +Template: strongswan/x509_organizational_unit +Type: string +Default: +_Description: Organizational unit for the X.509 certificate request: + Please enter the organizational unit the server belongs to (such as + "security group"). 
+ +Template: strongswan/x509_common_name +Type: string +Default: +_Description: Common Name for the X.509 certificate request: + Please enter the Common Name for this host (such as + "gateway.example.org"). + +Template: strongswan/x509_email_address +Type: string +Default: +_Description: Email address for the X.509 certificate request: + Please enter the email address of the person or organization + responsible for the X.509 certificate. + +Template: strongswan/enable-oe +Type: boolean +Default: false +_Description: Enable opportunistic encryption? + This version of strongSwan supports opportunistic encryption (OE), which stores + IPSec authentication information in + DNS records. Until this is widely deployed, activating it will + cause a significant delay for every new outgoing connection. + . + You should only enable opportunistic encryption if you are sure you want it. + It may break the Internet connection (default route) as the pluto daemon + starts. diff --git a/debian/strongswan.docs b/debian/strongswan.docs new file mode 100644 index 000000000..297170db8 --- /dev/null +++ b/debian/strongswan.docs @@ -0,0 +1,2 @@ +README +CREDITS diff --git a/debian/svn-deblayout b/debian/svn-deblayout new file mode 100644 index 000000000..51fb3b726 --- /dev/null +++ b/debian/svn-deblayout @@ -0,0 +1,8 @@ +buildArea=/home/rene/amw/src/packages/build-area +origDir=/home/rene/amw/src/packages/tarballs +origUrl=svn+ssh://svn.gibraltar.at/srv/svn/debian-packages/trunk/debian/tarballs +tagsUrl=svn+ssh://svn.gibraltar.at/srv/svn/debian-packages/tags/strongswan +trunkDir=/home/rene/amw/src/packages/strongswan +trunkUrl=svn+ssh://svn.gibraltar.at/srv/svn/debian-packages/trunk/debian/strongswan +upsCurrentUrl=svn+ssh://svn.gibraltar.at/srv/svn/debian-packages/branches/source-dist/debian/strongswan +upsTagUrl=svn+ssh://svn.gibraltar.at/srv/svn/debian-packages/tags/strongswan diff --git a/debian/use-bash1.diff b/debian/use-bash1.diff new file mode 100644 index 000000000..6d0c922df 
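Review bot: `strongswan/rsa_key_length` is a free-form `Type: string` with `Default: 2048`, and nothing in the templates constrains the answer to a number or to the 1024–4096 range its description recommends, so the postinst (outside this chunk) has to validate the value before it reaches the key-generation command; if only a few lengths are acceptable, a `Type: select` with explicit `__Choices:` would remove the need for that validation. The description text also says "unsecure" where "insecure" is meant, `strongswan/how_to_get_x509_certificate` says "a X.509 certificate" for "an X.509 certificate", and `strongswan/enable-oe` writes "IPSec" while every other template uses "IPsec". As the header notes, wording changes here need to be coordinated with translators.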
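Review bot: `debian/svn-deblayout` ships one developer's home-directory paths (`/home/rene/amw/...`) and svn+ssh URLs for an internal repository host, which is per-developer svn-buildpackage configuration rather than part of the package. It should be dropped from the source tree (and kept in the developer's local svn-buildpackage configuration instead) so that internal hostnames and paths are not published with every upload.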
--- /dev/null
+++ b/debian/use-bash1.diff
@@ -0,0 +1,4 @@
+1c1
+< #! /bin/sh
+---
+> #!/bin/bash
diff --git a/debian/use-bash2.diff b/debian/use-bash2.diff
new file mode 100644
index 000000000..ccee7f27e
--- /dev/null
+++ b/debian/use-bash2.diff
@@ -0,0 +1,4 @@
+1c1
+< #!/bin/sh
+---
+> #!/bin/bash
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 000000000..812049178
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://download.strongswan.org/strongswan-([\d.]+)\.tar\.bz2
diff --git a/ltmain.sh b/ltmain.sh
index 7ed280bc9..7ed280bc9 100755..100644
--- a/ltmain.sh
+++ b/ltmain.sh
diff --git a/man/Makefile.in b/man/Makefile.in
index f0d8cde7d..9eb5e3330 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -198,7 +198,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -237,8 +243,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 1b74fab08..c422b50ec 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,8 @@
+<<<<<<< HEAD
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan"
+=======
 .TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan"
+>>>>>>> upstream/4.5.1
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
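Review bot: The watch file fetches the upstream tarball over plain http with nothing that lets uscan check the integrity of what it downloads. If upstream publishes detached signatures for the release tarballs, adding `opts=pgpsigurlmangle=s/$/.sig/` and shipping the upstream signing key as `debian/upstream/signing-key.asc` lets uscan verify each new tarball before it is imported; otherwise the import step should at least compare the download against upstream's published checksums.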
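Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> upstream/4.5.1`) are committed here in man/Makefile.in, so the generated Makefile cannot be parsed as written. The same markers appear in every later hunk of this chunk: man/ipsec.conf.5 and ipsec.conf.5.in, man/ipsec.secrets.5, man/strongswan.conf.5 and strongswan.conf.5.in, scripts/Makefile.am and Makefile.in, src/Makefile.am and Makefile.in, and src/_copyright/Makefile.am and Makefile.in. Each conflict has to be resolved to one side before the commit is usable; for the Makefile.in files and the rendered man pages, resolving the Makefile.am and .5.in sources and regenerating with the autotools would be less error-prone than hand-editing the generated output. Please also confirm whether the `ipsecuid`/`ipsecgid` substitutions kept on the HEAD side are still produced by configure, since the upstream side of the same hunk has dropped them.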
@@ -544,6 +548,10 @@ for public key authentication (RSA/ECDSA), .B psk for pre-shared key authentication and .B eap +<<<<<<< HEAD +to (require the) use of the Extensible Authentication Protocol. In the case +of +======= to (require the) use of the Extensible Authentication Protocol. To require a trustchain public key strength for the remote side, specify the key type followed by the strength in bits (for example @@ -551,6 +559,7 @@ key type followed by the strength in bits (for example or .BR ecdsa-256 ). For +>>>>>>> upstream/4.5.1 .B eap, an optional EAP method can be appended. Currently defined methods are .BR eap-aka , @@ -594,7 +603,11 @@ sets to the distinguished name of the certificate's subject and .B leftca to the distinguished name of the certificate's issuer. +<<<<<<< HEAD +The left participant's ID can be overriden by specifying a +======= The left participant's ID can be overridden by specifying a +>>>>>>> upstream/4.5.1 .B leftid value which must be certified by the certificate, though. .TP @@ -603,10 +616,13 @@ Same as .B leftcert, but for the second authentication round (IKEv2 only). .TP +<<<<<<< HEAD +======= .BR leftcertpolicy " = <OIDs>" Comma separated list of certificate policy OIDs the peers certificate must have. OIDs are specified using the numerical dotted representation (IKEv2 only). .TP +>>>>>>> upstream/4.5.1 .BR leftfirewall " = yes | " no whether the left participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from \fIleftsubnet\fR, @@ -962,6 +978,8 @@ synonym for .BR reqid " = <number>" sets the reqid for a given connection to a pre-configured fixed value. .TP +<<<<<<< HEAD +======= .BR tfc " = <value>" number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The 
@@ -969,6 +987,7 @@ special value .BR %mtu fills up ESP packets with padding to have the size of the MTU. .TP +>>>>>>> upstream/4.5.1 .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop" the type of the connection; currently the accepted values are diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 9a789acef..8b36d0f32 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -544,6 +544,10 @@ for public key authentication (RSA/ECDSA), .B psk for pre-shared key authentication and .B eap +<<<<<<< HEAD +to (require the) use of the Extensible Authentication Protocol. In the case +of +======= to (require the) use of the Extensible Authentication Protocol. To require a trustchain public key strength for the remote side, specify the key type followed by the strength in bits (for example @@ -551,6 +555,7 @@ key type followed by the strength in bits (for example or .BR ecdsa-256 ). For +>>>>>>> upstream/4.5.1 .B eap, an optional EAP method can be appended. Currently defined methods are .BR eap-aka , @@ -594,7 +599,11 @@ sets to the distinguished name of the certificate's subject and .B leftca to the distinguished name of the certificate's issuer. +<<<<<<< HEAD +The left participant's ID can be overriden by specifying a +======= The left participant's ID can be overridden by specifying a +>>>>>>> upstream/4.5.1 .B leftid value which must be certified by the certificate, though. .TP @@ -603,10 +612,13 @@ Same as .B leftcert, but for the second authentication round (IKEv2 only). .TP +<<<<<<< HEAD +======= .BR leftcertpolicy " = <OIDs>" Comma separated list of certificate policy OIDs the peers certificate must have. OIDs are specified using the numerical dotted representation (IKEv2 only). .TP +>>>>>>> upstream/4.5.1 .BR leftfirewall " = yes | " no whether the left participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from \fIleftsubnet\fR, 
@@ -962,6 +974,8 @@ synonym for .BR reqid " = <number>" sets the reqid for a given connection to a pre-configured fixed value. .TP +<<<<<<< HEAD +======= .BR tfc " = <value>" number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The @@ -969,6 +983,7 @@ special value .BR %mtu fills up ESP packets with padding to have the size of the MTU. .TP +>>>>>>> upstream/4.5.1 .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop" the type of the connection; currently the accepted values are diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5 index 3eb60afcf..cdefee24d 100644 --- a/man/ipsec.secrets.5 +++ b/man/ipsec.secrets.5 @@ -1,4 +1,8 @@ +<<<<<<< HEAD +.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan" +======= .TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan" +>>>>>>> upstream/4.5.1 .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 2e58a87d0..04e29c245 100644 --- a/man/strongswan.conf.5 +++ b/man/strongswan.conf.5 @@ -1,4 +1,8 @@ +<<<<<<< HEAD +.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan" +======= .TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan" +>>>>>>> upstream/4.5.1 .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -60,6 +64,8 @@ An example file in this format might look like this: .PP Indentation is optional, you may use tabs or spaces. +<<<<<<< HEAD +======= .SH INCLUDING FILES Using the .B include @@ -115,6 +121,7 @@ other.conf: } .EE +>>>>>>> upstream/4.5.1 .SH READING VALUES Values are accessed using a dot-separated section list and a key. With reference to the example above, accessing 
@@ -460,9 +467,12 @@ Check daemon, libstrongswan and plugin integrity at startup .TP .BR libstrongswan.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output +<<<<<<< HEAD +======= .TP .BR libstrongswan.x509.enforce_critical " [yes]" Discard certificates with unsupported or unknown critical extensions +>>>>>>> upstream/4.5.1 .SS libstrongswan.plugins subsection .TP .BR libstrongswan.plugins.attr-sql.database @@ -478,8 +488,18 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! ENGINE ID to use in the OpenSSL plugin .TP .BR libstrongswan.plugins.pkcs11.modules +<<<<<<< HEAD + +.TP +.BR libstrongswan.plugins.pkcs11.use_hasher " [no]" + +.TP +.BR libstrongswan.plugins.x509.enforce_critical " [no]" +Discard certificates with unsupported or unknown critical extensions +======= .TP .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" +>>>>>>> upstream/4.5.1 .SS libtls section .TP .BR libtls.cipher diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 47aa6d552..7d3cf8388 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -60,6 +60,8 @@ An example file in this format might look like this: .PP Indentation is optional, you may use tabs or spaces. +<<<<<<< HEAD +======= .SH INCLUDING FILES Using the .B include @@ -115,6 +117,7 @@ other.conf: } .EE +>>>>>>> upstream/4.5.1 .SH READING VALUES Values are accessed using a dot-separated section list and a key. With reference to the example above, accessing @@ -460,9 +463,12 @@ Check daemon, libstrongswan and plugin integrity at startup .TP .BR libstrongswan.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output +<<<<<<< HEAD +======= .TP .BR libstrongswan.x509.enforce_critical " [yes]" Discard certificates with unsupported or unknown critical extensions +>>>>>>> upstream/4.5.1 .SS libstrongswan.plugins subsection .TP .BR libstrongswan.plugins.attr-sql.database 
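Review bot: The two sides of this conflict document different keys and, more importantly, different defaults for the same check: the HEAD side adds `.BR libstrongswan.plugins.x509.enforce_critical " [no]"` while the upstream side (the `@@ -460,9 +467,12 @@` hunk above, and again in man/strongswan.conf.5.in in the next file) documents `.BR libstrongswan.x509.enforce_critical " [yes]"`. Whichever resolution is kept must match the key the library actually reads, because a reader who sets the HEAD-side key against a 4.5.1 library will believe certificates with unknown critical extensions are rejected when they are not, and a documented default of "no" describes accepting such certificates, which RFC 5280 §4.2 forbids. The HEAD side also leaves `libstrongswan.plugins.pkcs11.use_hasher` with an empty description paragraph.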
@@ -478,8 +484,18 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! ENGINE ID to use in the OpenSSL plugin .TP .BR libstrongswan.plugins.pkcs11.modules +<<<<<<< HEAD + +.TP +.BR libstrongswan.plugins.pkcs11.use_hasher " [no]" + +.TP +.BR libstrongswan.plugins.x509.enforce_critical " [no]" +Discard certificates with unsupported or unknown critical extensions +======= .TP .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" +>>>>>>> upstream/4.5.1 .SS libtls section .TP .BR libtls.cipher diff --git a/scripts/Makefile.am b/scripts/Makefile.am index 2cd8b499b..74c7ce93b 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -2,8 +2,13 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls AM_CFLAGS = \ -DPLUGINS="\"${scripts_plugins}\"" +<<<<<<< HEAD +noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \ + thread_analysis dh_speed pubkey_speed crypt_burn +======= noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \ thread_analysis dh_speed pubkey_speed crypt_burn fetch +>>>>>>> upstream/4.5.1 if USE_TLS noinst_PROGRAMS += tls_test 
@@ -17,11 +22,22 @@ bin2sql_SOURCES = bin2sql.c id2sql_SOURCES = id2sql.c key2keyid_SOURCES = key2keyid.c keyid2sql_SOURCES = keyid2sql.c +<<<<<<< HEAD +======= oid2der_SOURCES = oid2der.c +>>>>>>> upstream/4.5.1 thread_analysis_SOURCES = thread_analysis.c dh_speed_SOURCES = dh_speed.c pubkey_speed_SOURCES = pubkey_speed.c crypt_burn_SOURCES = crypt_burn.c +<<<<<<< HEAD +id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt +pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt +crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +======= fetch_SOURCES = fetch.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -31,6 +47,7 @@ dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +>>>>>>> upstream/4.5.1 key2keyid.o : $(top_builddir)/config.status diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 891555dcd..0c0c59f09 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in 
@@ -35,9 +35,14 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \ +<<<<<<< HEAD + key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT) \ + dh_speed$(EXEEXT) pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) +======= key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \ thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \ pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) fetch$(EXEEXT) +>>>>>>> upstream/4.5.1 subdir = scripts DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -70,10 +75,13 @@ am_dh_speed_OBJECTS = dh_speed.$(OBJEXT) dh_speed_OBJECTS = $(am_dh_speed_OBJECTS) dh_speed_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +<<<<<<< HEAD +======= am_fetch_OBJECTS = fetch.$(OBJEXT) fetch_OBJECTS = $(am_fetch_OBJECTS) fetch_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +>>>>>>> upstream/4.5.1 am_id2sql_OBJECTS = id2sql.$(OBJEXT) id2sql_OBJECTS = $(am_id2sql_OBJECTS) id2sql_DEPENDENCIES = \ @@ -86,10 +94,13 @@ am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT) keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS) keyid2sql_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +<<<<<<< HEAD +======= am_oid2der_OBJECTS = oid2der.$(OBJEXT) oid2der_OBJECTS = $(am_oid2der_OBJECTS) oid2der_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +>>>>>>> upstream/4.5.1 am_pubkey_speed_OBJECTS = pubkey_speed.$(OBJEXT) pubkey_speed_OBJECTS = $(am_pubkey_speed_OBJECTS) pubkey_speed_DEPENDENCIES = \ 
@@ -111,6 +122,15 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \ +<<<<<<< HEAD + $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \ + $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ + $(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) +DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \ + $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \ + $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ + $(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) +======= $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \ $(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ $(oid2der_SOURCES) $(pubkey_speed_SOURCES) \ @@ -120,6 +140,7 @@ DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \ $(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ $(oid2der_SOURCES) $(pubkey_speed_SOURCES) \ $(thread_analysis_SOURCES) +>>>>>>> upstream/4.5.1 ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -242,7 +263,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -281,8 +308,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -302,11 +332,22 @@ bin2sql_SOURCES = bin2sql.c id2sql_SOURCES = id2sql.c key2keyid_SOURCES = key2keyid.c keyid2sql_SOURCES = keyid2sql.c +<<<<<<< HEAD +======= oid2der_SOURCES = oid2der.c +>>>>>>> upstream/4.5.1 thread_analysis_SOURCES = thread_analysis.c dh_speed_SOURCES = dh_speed.c pubkey_speed_SOURCES = pubkey_speed.c crypt_burn_SOURCES = crypt_burn.c +<<<<<<< HEAD +id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt +pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt +crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +======= fetch_SOURCES = fetch.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -316,6 +357,7 @@ dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +>>>>>>> upstream/4.5.1 all: all-am .SUFFIXES: @@ -371,9 +413,12 @@ crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) @rm -f dh_speed$(EXEEXT) $(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS) +<<<<<<< HEAD +======= fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) @rm -f fetch$(EXEEXT) $(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS) +>>>>>>> upstream/4.5.1 id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) @rm -f id2sql$(EXEEXT) $(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS) 
@@ -383,9 +428,12 @@ key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) @rm -f keyid2sql$(EXEEXT) $(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS) +<<<<<<< HEAD +======= oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) @rm -f oid2der$(EXEEXT) $(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS) +>>>>>>> upstream/4.5.1 pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) @rm -f pubkey_speed$(EXEEXT) $(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS) @@ -403,11 +451,17 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@ +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@ +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid2der.Po@am__quote@ +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@ diff --git a/src/Makefile.am b/src/Makefile.am index cd75de5e9..c631adff2 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -16,6 +16,10 @@ if USE_TLS SUBDIRS += libtls endif +<<<<<<< HEAD +if USE_FILE_CONFIG + SUBDIRS += libfreeswan starter ipsec _copyright +======= if USE_LIBCHARON SUBDIRS += libcharon endif 
@@ -26,6 +30,7 @@ endif if USE_IPSEC_SCRIPT SUBDIRS += ipsec _copyright +>>>>>>> upstream/4.5.1 endif if USE_PLUTO @@ -33,7 +38,11 @@ if USE_PLUTO endif if USE_CHARON +<<<<<<< HEAD + SUBDIRS += libcharon charon +======= SUBDIRS += charon +>>>>>>> upstream/4.5.1 endif if USE_STROKE @@ -48,10 +57,13 @@ if USE_TOOLS SUBDIRS += libfreeswan openac scepclient pki endif +<<<<<<< HEAD +======= if USE_CONFTEST SUBDIRS += conftest endif +>>>>>>> upstream/4.5.1 if USE_DUMM SUBDIRS += dumm endif @@ -76,4 +88,8 @@ EXTRA_DIST = strongswan.conf install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" +<<<<<<< HEAD + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true +======= test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true +>>>>>>> upstream/4.5.1 diff --git a/src/Makefile.in b/src/Makefile.in index 63d29b694..efa3a0913 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
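Review bot: The conflicting `install-exec-local` lines differ in file ownership, not just in markers: the HEAD side installs strongswan.conf with `-o ${ipsecuid} -g ${ipsecgid} -m 640` while the upstream side installs it `-m 640` under the installing user's (normally root's) ownership. With mode 640 and root ownership a daemon that drops to an unprivileged ipsec user would presumably be unable to read its own configuration, so if the Debian build does drop privileges the resolution should keep the ownership flags rather than widen the mode; the same conflict is in src/Makefile.in at `@@ -640,7 +673,11 @@`. On both sides the trailing `|| true` hides a failed install of the configuration file.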
@@ -37,6 +37,19 @@ host_triplet = @host@ @USE_LIBHYDRA_TRUE@am__append_2 = libhydra @USE_SIMAKA_TRUE@am__append_3 = libsimaka @USE_TLS_TRUE@am__append_4 = libtls +<<<<<<< HEAD +@USE_FILE_CONFIG_TRUE@am__append_5 = libfreeswan starter ipsec _copyright +@USE_PLUTO_TRUE@am__append_6 = pluto whack +@USE_CHARON_TRUE@am__append_7 = libcharon charon +@USE_STROKE_TRUE@am__append_8 = stroke +@USE_UPDOWN_TRUE@am__append_9 = _updown _updown_espmark +@USE_TOOLS_TRUE@am__append_10 = libfreeswan openac scepclient pki +@USE_DUMM_TRUE@am__append_11 = dumm +@USE_FAST_TRUE@am__append_12 = libfast +@USE_MANAGER_TRUE@am__append_13 = manager +@USE_MEDSRV_TRUE@am__append_14 = medsrv +@USE_INTEGRITY_TEST_TRUE@am__append_15 = checksum +======= @USE_LIBCHARON_TRUE@am__append_5 = libcharon @USE_FILE_CONFIG_TRUE@am__append_6 = libfreeswan starter @USE_IPSEC_SCRIPT_TRUE@am__append_7 = ipsec _copyright @@ -51,6 +64,7 @@ host_triplet = @host@ @USE_MANAGER_TRUE@am__append_16 = manager @USE_MEDSRV_TRUE@am__append_17 = medsrv @USE_INTEGRITY_TEST_TRUE@am__append_18 = checksum +>>>>>>> upstream/4.5.1 subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -85,9 +99,15 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \ +<<<<<<< HEAD + libfreeswan starter ipsec _copyright pluto whack libcharon \ + charon stroke _updown _updown_espmark openac scepclient pki \ + dumm libfast manager medsrv checksum +======= libcharon libfreeswan starter ipsec _copyright pluto whack \ charon stroke _updown _updown_espmark openac scepclient pki \ conftest dumm libfast manager medsrv checksum +>>>>>>> upstream/4.5.1 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ 
@@ -233,7 +253,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -272,8 +298,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -288,8 +317,12 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) \ $(am__append_7) $(am__append_8) $(am__append_9) \ $(am__append_10) $(am__append_11) $(am__append_12) \ +<<<<<<< HEAD + $(am__append_13) $(am__append_14) $(am__append_15) +======= $(am__append_13) $(am__append_14) $(am__append_15) \ $(am__append_16) $(am__append_17) $(am__append_18) +>>>>>>> upstream/4.5.1 EXTRA_DIST = strongswan.conf all: all-recursive @@ -640,7 +673,11 @@ uninstall-am: install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" +<<<<<<< HEAD + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true +======= test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true +>>>>>>> upstream/4.5.1 # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am index 405e08b3d..edffcfc25 100644 --- a/src/_copyright/Makefile.am +++ b/src/_copyright/Makefile.am 
@@ -1,5 +1,9 @@ ipsec_PROGRAMS = _copyright _copyright_SOURCES = _copyright.c +<<<<<<< HEAD +dist_man8_MANS = _copyright.8 +======= +>>>>>>> upstream/4.5.1 INCLUDES = \ -I$(top_srcdir)/src/libfreeswan \ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 8d4ef733e..321eeadea 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -36,7 +36,12 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = _copyright$(EXEEXT) subdir = src/_copyright +<<<<<<< HEAD +DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +======= DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +>>>>>>> upstream/4.5.1 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -52,7 +57,11 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +<<<<<<< HEAD +am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +======= am__installdirs = "$(DESTDIR)$(ipsecdir)" +>>>>>>> upstream/4.5.1 PROGRAMS = $(ipsec_PROGRAMS) am__copyright_OBJECTS = _copyright.$(OBJEXT) _copyright_OBJECTS = $(am__copyright_OBJECTS) 
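Review bot: The HEAD side of this conflict declares `dist_man8_MANS = _copyright.8` and the commit also adds src/_copyright/_copyright.8, so a resolution that takes the upstream side (which has no such line) leaves the new man page in the tree but never installed or distributed; either keep `dist_man8_MANS = _copyright.8` or drop the added file together with it. The generated Makefile.in in the same directory should then be regenerated rather than resolved by hand, since its HEAD side carries the matching man8dir, install-man8 and uninstall-man8 rules.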
@@ -74,6 +83,33 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(_copyright_SOURCES) DIST_SOURCES = $(_copyright_SOURCES) +<<<<<<< HEAD +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man8_MANS) +======= +>>>>>>> upstream/4.5.1 ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -196,7 +232,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -235,8 +277,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -248,6 +293,10 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ _copyright_SOURCES = _copyright.c +<<<<<<< HEAD +dist_man8_MANS = _copyright.8 +======= +>>>>>>> upstream/4.5.1 INCLUDES = \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libstrongswan 
@@ -368,6 +417,43 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs +<<<<<<< HEAD +install-man8: $(dist_man8_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } +======= +>>>>>>> upstream/4.5.1 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ 
@@ -422,6 +508,22 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) +<<<<<<< HEAD + @list='$(MANS)'; if test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically \`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi +======= +>>>>>>> upstream/4.5.1 @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -453,9 +555,15 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am +<<<<<<< HEAD +all-am: Makefile $(PROGRAMS) $(MANS) +installdirs: + for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ +======= all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(ipsecdir)"; do \ +>>>>>>> upstream/4.5.1 test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -506,7 +614,11 @@ info: info-am info-am: +<<<<<<< HEAD +install-data-am: install-ipsecPROGRAMS install-man +======= install-data-am: install-ipsecPROGRAMS +>>>>>>> upstream/4.5.1 install-dvi: install-dvi-am @@ -522,7 +634,11 @@ install-info: install-info-am install-info-am: +<<<<<<< HEAD +install-man: install-man8 +======= install-man: +>>>>>>> upstream/4.5.1 install-pdf: install-pdf-am 
@@ -552,7 +668,13 @@ ps: ps-am ps-am: +<<<<<<< HEAD +uninstall-am: uninstall-ipsecPROGRAMS uninstall-man + +uninstall-man: uninstall-man8 +======= uninstall-am: uninstall-ipsecPROGRAMS +>>>>>>> upstream/4.5.1 .MAKE: install-am install-strip @@ -563,12 +685,22 @@ uninstall-am: uninstall-ipsecPROGRAMS install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am \ +<<<<<<< HEAD + install-ipsecPROGRAMS install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ + uninstall-man uninstall-man8 +======= install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags uninstall uninstall-am uninstall-ipsecPROGRAMS +>>>>>>> upstream/4.5.1 # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/_copyright/_copyright.8 b/src/_copyright/_copyright.8 new file mode 100644 index 000000000..99386254b --- /dev/null +++ b/src/_copyright/_copyright.8 
@@ -0,0 +1,29 @@ +.TH _COPYRIGHT 8 "25 Apr 2002" +.SH NAME +ipsec _copyright \- prints FreeSWAN copyright +.SH DESCRIPTION +.I _copyright +outputs the FreeSWAN copyright, and version numbers for "ipsec --copyright" +.SH "SEE ALSO" +ipsec(8) +.SH HISTORY +Man page written for the Linux FreeS/WAN project +<http://www.freeswan.org/> +by Michael Richardson. Program written by Henry Spencer. +.\" +.\" $Log: _copyright.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.2 2002/04/29 22:39:31 mcr +.\" added basic man page for all internal commands. +.\" +.\" Revision 1.1 2002/04/26 01:21:43 mcr +.\" while tracking down a missing (not installed) /etc/ipsec.conf, +.\" MCR has decided that it is not okay for each program subdir to have +.\" some subset (determined with -f) of possible files. +.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. +.\" Optional PROGRAM.5 files have been added to the makefiles. +.\" +.\" +.\" diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index fa33bb570..f6f6d5f48 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -200,7 +200,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -239,8 +245,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index a428db4e2..55c5ce2c1 100644 
--- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -200,7 +200,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -239,8 +245,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index f502b0f25..7192e9e96 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -199,7 +199,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -238,8 +244,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/charon/charon.c b/src/charon/charon.c index d1fff5bd9..9e2d02b83 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -26,8 +26,11 @@ #include <pthread.h> #include <sys/stat.h> #include <sys/types.h> +<<<<<<< HEAD +======= #include <syslog.h> #include <errno.h> +>>>>>>> upstream/4.5.1 #include <unistd.h> #include <getopt.h> #include <pwd.h> 
@@ -44,9 +47,12 @@ #include <private/android_filesystem_config.h> #endif +<<<<<<< HEAD +======= #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ #define LOG_AUTHPRIV LOG_AUTH #endif +>>>>>>> upstream/4.5.1 /** * PID file, in which charon stores its process id @@ -273,6 +279,8 @@ static void unlink_pidfile() unlink(PID_FILE); } +<<<<<<< HEAD +======= /** * Initialize logging */ @@ -401,6 +409,7 @@ static void initialize_loggers(bool use_stderr, level_t levels[]) sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT); } } +>>>>>>> upstream/4.5.1 /** * print command line usage and exit @@ -528,10 +537,15 @@ int main(int argc, char *argv[]) goto deinit; } +<<<<<<< HEAD + /* initialize daemon */ + if (!charon->initialize(charon, use_syslog, levels)) +======= initialize_loggers(!use_syslog, levels); /* initialize daemon */ if (!charon->initialize(charon)) +>>>>>>> upstream/4.5.1 { DBG1(DBG_DMN, "initialization failed - aborting charon"); goto deinit; diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 65aa91422..0e68ed938 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -237,7 +237,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -276,8 +282,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 79961b916..9b19f605e 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in 
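Review bot: The conflict in main() leaves two incompatible initialisation paths: HEAD calls `charon->initialize(charon, use_syslog, levels)`, upstream calls `initialize_loggers(!use_syslog, levels)` followed by `charon->initialize(charon)`, and only one of them matches the `initialize` signature of whichever src/libcharon tree survives this merge (that directory is in conflict in the same commit). If the HEAD side is kept, the upstream-only pieces in this file — the `<syslog.h>`/`<errno.h>` includes and the `LOG_AUTHPRIV` fallback in the `@@ -26,8 +29,11 @@` and `@@ -44,9 +47,12 @@` hunks, and the whole `initialize_loggers()` block — become dead or go missing, and with them the `sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT)` call that routes audit events to syslog; whichever side is chosen, verify that audit logging still reaches syslog. main() starts and ends outside the hunk.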
@@ -226,7 +226,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,8 +271,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index b9b758193..b02da80c0 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -172,7 +172,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -211,8 +217,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h index 930fdd2de..92d9258df 100644 --- a/src/include/linux/xfrm.h +++ b/src/include/linux/xfrm.h @@ -283,7 +283,10 @@ enum xfrm_attr_type_t { XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */ XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ XFRMA_MARK, /* struct xfrm_mark */ +<<<<<<< HEAD +======= XFRMA_TFCPAD, /* __u32 */ +>>>>>>> upstream/4.5.1 __XFRMA_MAX #define XFRMA_MAX (__XFRMA_MAX - 1) 
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 0b4870e94..bf74828be 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -200,7 +200,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -239,8 +245,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8 index 6f4117be7..d0bd9ce70 100644 --- a/src/ipsec/ipsec.8 +++ b/src/ipsec/ipsec.8 @@ -1,4 +1,8 @@ +<<<<<<< HEAD +.TH IPSEC 8 "2010-05-30" "4.5.0rc1" "strongSwan" +======= .TH IPSEC 8 "2010-05-30" "4.5.1" "strongSwan" +>>>>>>> upstream/4.5.1 .SH NAME ipsec \- invoke IPsec utilities .SH SYNOPSIS diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in index 2ea0ef798..0f619d087 100755 --- a/src/ipsec/ipsec.in +++ b/src/ipsec/ipsec.in @@ -65,7 +65,11 @@ case "$1" in echo " rereadsecrets|rereadgroups" echo " rereadcacerts|rereadaacerts|rereadocspcerts" echo " rereadacerts|rereadcrls|rereadall" +<<<<<<< HEAD + echo " purgeocsp|purgeike" +======= echo " purgeocsp|purgecrls|purgecerts|purgeike" +>>>>>>> upstream/4.5.1 echo " scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]" echo " openac" echo " pluto" 
@@ -191,11 +195,19 @@ rereadall|purgeocsp) fi exit "$rc" ;; +<<<<<<< HEAD +purgeike) + rc=7 + if [ -e $IPSEC_CHARON_PID ] + then + $IPSEC_STROKE purgeike +======= purgeike|purgecrls|purgecerts) rc=7 if [ -e $IPSEC_CHARON_PID ] then $IPSEC_STROKE "$1" +>>>>>>> upstream/4.5.1 rc="$?" fi exit "$rc" diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 1e78c9d79..e90fa1d0e 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -53,7 +53,10 @@ processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \ processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \ +<<<<<<< HEAD +======= processing/jobs/start_action_job.c processing/jobs/start_action_job.h \ +>>>>>>> upstream/4.5.1 processing/jobs/roam_job.c processing/jobs/roam_job.h \ processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \ @@ -88,12 +91,17 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ sa/tasks/task.c sa/tasks/task.h \ +<<<<<<< HEAD +tnccs/tnccs.c tnccs/tnccs.h \ +tnccs/tnccs_manager.h tnccs/tnccs_manager.c +======= tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ tnc/imc/imc.h tnc/imc/imc_manager.h \ tnc/imv/imv.h tnc/imv/imv_manager.h \ tnc/imv/imv_recommendations.c tnc/imv/imv_recommendations.h \ tnc/tnccs/tnccs.c tnc/tnccs/tnccs.h \ tnc/tnccs/tnccs_manager.c tnc/tnccs/tnccs_manager.h +>>>>>>> upstream/4.5.1 daemon.lo : $(top_builddir)/config.status 
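Review bot: The markers in the `purgeike|purgecrls|purgecerts)` case sit inside a shell script, where `<<<<<<< HEAD` is parsed as a here-document operator and the script fails at that line; the usage hunk at `@@ -65,7 +65,11 @@` carries the same conflict and must be resolved the same way, otherwise the help text advertises `purgecrls|purgecerts` that the case label does not accept (or vice versa). Passing `"$1"` to `$IPSEC_STROKE` on the upstream side is safe here because `$1` has already been matched against the fixed case pattern. The unquoted test `[ -e $IPSEC_CHARON_PID ]` on both sides should read `[ -e "$IPSEC_CHARON_PID" ]`.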
@@ -322,14 +330,22 @@ endif if USE_TNC_IMC SUBDIRS += plugins/tnc_imc if MONOLITHIC +<<<<<<< HEAD + libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la +======= libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc-imc.la +>>>>>>> upstream/4.5.1 endif endif if USE_TNC_IMV SUBDIRS += plugins/tnc_imv if MONOLITHIC +<<<<<<< HEAD + libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la +======= libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la +>>>>>>> upstream/4.5.1 endif endif @@ -347,6 +363,8 @@ if MONOLITHIC endif endif +<<<<<<< HEAD +======= if USE_TNCCS_DYNAMIC SUBDIRS += plugins/tnccs_dynamic if MONOLITHIC @@ -354,6 +372,7 @@ if MONOLITHIC endif endif +>>>>>>> upstream/4.5.1 if USE_MEDSRV SUBDIRS += plugins/medsrv if MONOLITHIC diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 6ec4c6ca5..ab3f3b670 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in 
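Review bot: The two sides of the tnc_imc/tnc_imv conflict name different libtool archives (`libstrongswan-tnc_imc.la` vs `libstrongswan-tnc-imc.la`), and the MONOLITHIC LIBADD only links if the name matches what plugins/tnc_imc and plugins/tnc_imv actually build, which is not in this chunk — confirm there before resolving. The `USE_TNCCS_DYNAMIC` block is opened by markers in the `@@ -347,6 +363,8 @@` hunk and closed in the `@@ -354,6 +372,7 @@` hunk, so that conflict spans two hunks and the lines between them must be resolved together. The source-list conflict at `@@ -88,12 +91,17 @@` (`tnccs/` vs `tnc/tnccs/` paths, plus `tnc/tncifimv.c` and `tnc/imv/imv_recommendations.c`) has to agree with the directory layout present after the merge, and the generated Makefile.in for this directory should be regenerated from the resolved Makefile.am rather than resolved by hand.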
@@ -96,13 +96,43 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la @MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la @USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc +<<<<<<< HEAD +@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc_imc.la +@USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv +@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc_imv.la +======= @MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc-imc.la @USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv @MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc-imv.la +>>>>>>> upstream/4.5.1 @USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11 @MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la @USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20 @MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la +<<<<<<< HEAD +@USE_MEDSRV_TRUE@am__append_61 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_62 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_63 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_64 = plugins/medcli/libstrongswan-medcli.la +@USE_NM_TRUE@am__append_65 = plugins/nm +@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_66 = plugins/nm/libstrongswan-nm.la +@USE_DHCP_TRUE@am__append_67 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_68 = plugins/dhcp/libstrongswan-dhcp.la +@USE_ANDROID_TRUE@am__append_69 = plugins/android +@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_70 = plugins/android/libstrongswan-android.la +@USE_MAEMO_TRUE@am__append_71 = plugins/maemo +@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_72 = plugins/maemo/libstrongswan-maemo.la +@USE_HA_TRUE@am__append_73 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_74 = 
plugins/ha/libstrongswan-ha.la +@USE_LED_TRUE@am__append_75 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_76 = plugins/led/libstrongswan-led.la +@USE_UCI_TRUE@am__append_77 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_78 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_79 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_80 = plugins/uci/libstrongswan-addrblock.la +@USE_UNIT_TESTS_TRUE@am__append_81 = plugins/unit_tester +@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_82 = plugins/unit_tester/libstrongswan-unit-tester.la +======= @USE_TNCCS_DYNAMIC_TRUE@am__append_61 = plugins/tnccs_dynamic @MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_62 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la @USE_MEDSRV_TRUE@am__append_63 = plugins/medsrv @@ -127,6 +157,7 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_82 = plugins/uci/libstrongswan-addrblock.la @USE_UNIT_TESTS_TRUE@am__append_83 = plugins/unit_tester @MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_84 = plugins/unit_tester/libstrongswan-unit-tester.la +>>>>>>> upstream/4.5.1 subdir = src/libcharon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -183,8 +214,12 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ +<<<<<<< HEAD + $(am__append_78) $(am__append_80) $(am__append_82) +======= $(am__append_78) $(am__append_80) $(am__append_82) \ $(am__append_84) +>>>>>>> upstream/4.5.1 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ bus/listeners/listener.h bus/listeners/file_logger.c \ bus/listeners/file_logger.h bus/listeners/sys_logger.c \ 
@@ -254,9 +289,14 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c \ processing/jobs/send_keepalive_job.h \ +<<<<<<< HEAD + processing/jobs/roam_job.c processing/jobs/roam_job.h \ + processing/jobs/update_sa_job.c \ +======= processing/jobs/start_action_job.c \ processing/jobs/start_action_job.h processing/jobs/roam_job.c \ processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ +>>>>>>> upstream/4.5.1 processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ processing/jobs/inactivity_job.h \ @@ -292,12 +332,17 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ +<<<<<<< HEAD + tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ + tnccs/tnccs_manager.c encoding/payloads/endpoint_notify.c \ +======= tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \ tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \ tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \ tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \ tnc/tnccs/tnccs_manager.h encoding/payloads/endpoint_notify.c \ +>>>>>>> upstream/4.5.1 encoding/payloads/endpoint_notify.h \ processing/jobs/initiate_mediation_job.c \ processing/jobs/initiate_mediation_job.h \ 
@@ -323,6 +368,18 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \ acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \ migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \ rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \ +<<<<<<< HEAD + send_keepalive_job.lo roam_job.lo update_sa_job.lo \ + inactivity_job.lo authenticator.lo eap_authenticator.lo \ + eap_method.lo eap_manager.lo sim_manager.lo \ + psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \ + ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \ + keymat.lo trap_manager.lo child_create.lo child_delete.lo \ + child_rekey.lo ike_auth.lo ike_cert_pre.lo ike_cert_post.lo \ + ike_config.lo ike_delete.lo ike_dpd.lo ike_init.lo ike_natd.lo \ + ike_mobike.lo ike_rekey.lo ike_reauth.lo ike_auth_lifetime.lo \ + ike_vendor.lo task.lo tnccs.lo tnccs_manager.lo \ +======= send_keepalive_job.lo start_action_job.lo roam_job.lo \ update_sa_job.lo inactivity_job.lo authenticator.lo \ eap_authenticator.lo eap_method.lo eap_manager.lo \ @@ -334,6 +391,7 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \ ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \ tncifimv.lo imv_recommendations.lo tnccs.lo tnccs_manager.lo \ +>>>>>>> upstream/4.5.1 $(am__objects_1) libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ 
@@ -375,9 +433,15 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \ plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \ plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \ +<<<<<<< HEAD + plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \ + plugins/android plugins/maemo plugins/ha plugins/led \ + plugins/uci plugins/addrblock plugins/unit_tester +======= plugins/tnccs_dynamic plugins/medsrv plugins/medcli plugins/nm \ plugins/dhcp plugins/android plugins/maemo plugins/ha \ plugins/led plugins/uci plugins/addrblock plugins/unit_tester +>>>>>>> upstream/4.5.1 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -523,7 +587,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -562,8 +632,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -644,9 +717,14 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c \ processing/jobs/send_keepalive_job.h \ +<<<<<<< HEAD + processing/jobs/roam_job.c processing/jobs/roam_job.h \ + processing/jobs/update_sa_job.c \ +======= processing/jobs/start_action_job.c \ processing/jobs/start_action_job.h processing/jobs/roam_job.c \ processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ +>>>>>>> upstream/4.5.1 processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ processing/jobs/inactivity_job.h \ @@ -682,12 +760,17 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ +<<<<<<< HEAD + tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ + tnccs/tnccs_manager.c $(am__append_1) +======= tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \ tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \ tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \ tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \ tnc/tnccs/tnccs_manager.h $(am__append_1) +>>>>>>> upstream/4.5.1 INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ @@ -713,8 +796,12 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ +<<<<<<< HEAD + $(am__append_78) $(am__append_80) $(am__append_82) +======= $(am__append_78) $(am__append_80) $(am__append_82) \ $(am__append_84) +>>>>>>> upstream/4.5.1 EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \ @MONOLITHIC_FALSE@ $(am__append_7) $(am__append_9) \ 
@@ -735,7 +822,11 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_69) $(am__append_71) \ @MONOLITHIC_FALSE@ $(am__append_73) $(am__append_75) \ @MONOLITHIC_FALSE@ $(am__append_77) $(am__append_79) \ +<<<<<<< HEAD +@MONOLITHIC_FALSE@ $(am__append_81) +======= @MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) +>>>>>>> upstream/4.5.1 # build optional plugins ######################## @@ -758,7 +849,11 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_69) $(am__append_71) \ @MONOLITHIC_TRUE@ $(am__append_73) $(am__append_75) \ @MONOLITHIC_TRUE@ $(am__append_77) $(am__append_79) \ +<<<<<<< HEAD +@MONOLITHIC_TRUE@ $(am__append_81) +======= @MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) +>>>>>>> upstream/4.5.1 all: all-recursive .SUFFIXES: @@ -882,7 +977,10 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Plo@am__quote@ +<<<<<<< HEAD +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_recommendations.Plo@am__quote@ +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@ 
@@ -914,13 +1012,19 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sim_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_manager.Plo@am__quote@ +<<<<<<< HEAD +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/start_action_job.Plo@am__quote@ +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@ +<<<<<<< HEAD +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncifimv.Plo@am__quote@ +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@ 
@@ -1301,6 +1405,8 @@ send_keepalive_job.lo: processing/jobs/send_keepalive_job.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c +<<<<<<< HEAD +======= start_action_job.lo: processing/jobs/start_action_job.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo 
@@ -1308,6 +1414,7 @@ start_action_job.lo: processing/jobs/start_action_job.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c +>>>>>>> upstream/4.5.1 roam_job.lo: processing/jobs/roam_job.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo 
@@ -1546,6 +1653,21 @@ task.lo: sa/tasks/task.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c +<<<<<<< HEAD +tnccs.lo: tnccs/tnccs.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c + +tnccs_manager.lo: tnccs/tnccs_manager.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c +======= tncifimv.lo: tnc/tncifimv.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tncifimv.lo -MD -MP -MF $(DEPDIR)/tncifimv.Tpo -c -o tncifimv.lo `test -f 'tnc/tncifimv.c' || echo '$(srcdir)/'`tnc/tncifimv.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tncifimv.Tpo $(DEPDIR)/tncifimv.Plo @@ -1573,6 +1695,7 @@ tnccs_manager.lo: tnc/tnccs/tnccs_manager.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c +>>>>>>> upstream/4.5.1 endpoint_notify.lo: encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index 23931c47d..9abc07598 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c 
@@ -227,13 +227,20 @@ static bool log_cb(entry_t *entry, log_data_t *data) { entry->blocker = FALSE; entry->condvar->signal(entry->condvar); +<<<<<<< HEAD +======= entry->calling--; +>>>>>>> upstream/4.5.1 } else { entry_destroy(entry); } va_end(args); +<<<<<<< HEAD + entry->calling--; +======= +>>>>>>> upstream/4.5.1 return TRUE; } va_end(args); diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c index e78cb702d..93635ca15 100644 --- a/src/libcharon/config/backend_manager.c +++ b/src/libcharon/config/backend_manager.c @@ -96,11 +96,14 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { match += MATCH_ANY; } +<<<<<<< HEAD +======= else { me_cand->destroy(me_cand); return MATCH_NONE; } +>>>>>>> upstream/4.5.1 me_cand->destroy(me_cand); } else @@ -124,11 +127,14 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { match += MATCH_ANY; } +<<<<<<< HEAD +======= else { other_cand->destroy(other_cand); return MATCH_NONE; } +>>>>>>> upstream/4.5.1 other_cand->destroy(other_cand); } else @@ -138,8 +144,16 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) return match; } +<<<<<<< HEAD +/** + * implements backend_manager_t.get_ike_cfg. + */ +static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, + host_t *me, host_t *other) +======= METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, private_backend_manager_t *this, host_t *me, host_t *other) +>>>>>>> upstream/4.5.1 { ike_cfg_t *current, *found = NULL; enumerator_t *enumerator; 
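Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> upstream/4.5.1`) are committed into log_cb, so bus.c cannot compile; the same markers appear in every hunk of this commit, including backend_manager.c, child_cfg.c, child_cfg.h, peer_cfg.c, proposal.c, daemon.c and the generated Makefile.in, and each conflict needs one side chosen before this can merge. In this hunk the two sides are not equivalent: the HEAD side runs `entry->calling--;` after `va_end(args);`, which on the else path is after `entry_destroy(entry);` and therefore writes to freed memory, whereas the upstream side decrements inside the signalled branch before the entry can be destroyed. Resolve toward the upstream placement and drop the trailing decrement. log_cb begins and ends outside the hunk, so the surrounding lock and enumeration state is not visible here.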
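Review bot: The two sides of the conflicts in get_ike_match differ in behaviour, not just formatting: the upstream side adds `else { me_cand->destroy(me_cand); return MATCH_NONE; }` (and the same for `other_cand`), so a candidate that satisfies neither comparison is rejected, while the HEAD side falls through, destroys the candidate and keeps the match score accumulated so far. Keeping the HEAD side would reinstate the laxer matching that the upstream side tightens; resolve toward upstream and keep both early returns, each of which frees the candidate before returning. The comparisons that precede these `else` branches are outside the hunk, so what "neither comparison" covers is inferred from the structure rather than visible. The METHOD-macro conversions in the remaining backend_manager.c hunks are mechanical and should simply take the upstream side.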
@@ -315,9 +329,18 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list, } } +<<<<<<< HEAD +/** + * Implements backend_manager_t.create_peer_cfg_enumerator. + */ +static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, + host_t *me, host_t *other, identification_t *my_id, + identification_t *other_id) +======= METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*, private_backend_manager_t *this, host_t *me, host_t *other, identification_t *my_id, identification_t *other_id) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; peer_data_t *data; @@ -376,8 +399,15 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*, (void*)peer_enum_filter_destroy); } +<<<<<<< HEAD +/** + * implements backend_manager_t.get_peer_cfg_by_name. + */ +static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name) +======= METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*, private_backend_manager_t *this, char *name) +>>>>>>> upstream/4.5.1 { backend_t *backend; peer_cfg_t *config = NULL; 
@@ -394,24 +424,45 @@ METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*, return config; } +<<<<<<< HEAD +/** + * Implementation of backend_manager_t.remove_backend. + */ +static void remove_backend(private_backend_manager_t *this, backend_t *backend) +======= METHOD(backend_manager_t, remove_backend, void, private_backend_manager_t *this, backend_t *backend) +>>>>>>> upstream/4.5.1 { this->lock->write_lock(this->lock); this->backends->remove(this->backends, backend, NULL); this->lock->unlock(this->lock); } +<<<<<<< HEAD +/** + * Implementation of backend_manager_t.add_backend. + */ +static void add_backend(private_backend_manager_t *this, backend_t *backend) +======= METHOD(backend_manager_t, add_backend, void, private_backend_manager_t *this, backend_t *backend) +>>>>>>> upstream/4.5.1 { this->lock->write_lock(this->lock); this->backends->insert_last(this->backends, backend); this->lock->unlock(this->lock); } +<<<<<<< HEAD +/** + * Implementation of backend_manager_t.destroy. + */ +static void destroy(private_backend_manager_t *this) +======= METHOD(backend_manager_t, destroy, void, private_backend_manager_t *this) +>>>>>>> upstream/4.5.1 { this->backends->destroy(this->backends); this->lock->destroy(this->lock); 
@@ -420,6 +471,22 @@ METHOD(backend_manager_t, destroy, void, /* * Described in header-file +<<<<<<< HEAD + */ +backend_manager_t *backend_manager_create() +{ + private_backend_manager_t *this = malloc_thing(private_backend_manager_t); + + this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; + this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name; + this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator; + this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend; + this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend; + this->public.destroy = (void (*)(backend_manager_t*))destroy; + + this->backends = linked_list_create(); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); +======= */ backend_manager_t *backend_manager_create() @@ -438,6 +505,7 @@ backend_manager_t *backend_manager_create() .backends = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 74949be3c..6edceffd6 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -80,11 +80,14 @@ struct private_child_cfg_t { ipsec_mode_t mode; /** +<<<<<<< HEAD +======= * action to take to start CHILD_SA */ action_t start_action; /** +>>>>>>> upstream/4.5.1 * action to take on DPD */ action_t dpd_action; @@ -123,12 +126,15 @@ struct private_child_cfg_t { * Optional mark to install outbound CHILD_SA with */ mark_t mark_out; +<<<<<<< HEAD +======= /** * Traffic Flow Confidentiality padding, if enabled */ u_int32_t tfc; +>>>>>>> upstream/4.5.1 /** * set up IPsec transport SA in MIPv6 proxy mode */ 
@@ -140,20 +146,41 @@ struct private_child_cfg_t { bool install_policy; }; +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_name. + */ +static char *get_name(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_name, char*, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->name; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.add_proposal. + */ +static void add_proposal(private_child_cfg_t *this, proposal_t *proposal) +======= METHOD(child_cfg_t, add_proposal, void, private_child_cfg_t *this, proposal_t *proposal) +>>>>>>> upstream/4.5.1 { this->proposals->insert_last(this->proposals, proposal); } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_proposals. + */ +static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh) +======= METHOD(child_cfg_t, get_proposals, linked_list_t*, private_child_cfg_t *this, bool strip_dh) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; proposal_t *current; @@ -174,9 +201,18 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*, return proposals; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.select_proposal. + */ +static proposal_t* select_proposal(private_child_cfg_t*this, + linked_list_t *proposals, bool strip_dh, + bool private) +======= METHOD(child_cfg_t, select_proposal, proposal_t*, private_child_cfg_t*this, linked_list_t *proposals, bool strip_dh, bool private) +>>>>>>> upstream/4.5.1 { enumerator_t *stored_enum, *supplied_enum; proposal_t *stored, *supplied, *selected = NULL; @@ -221,8 +257,16 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, return selected; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.add_traffic_selector. + */ +static void add_traffic_selector(private_child_cfg_t *this, bool local, + traffic_selector_t *ts) +======= METHOD(child_cfg_t, add_traffic_selector, void, private_child_cfg_t *this, bool local, traffic_selector_t *ts) +>>>>>>> upstream/4.5.1 { if (local) { 
@@ -234,8 +278,17 @@ METHOD(child_cfg_t, add_traffic_selector, void, } } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_traffic_selectors. + */ +static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local, + linked_list_t *supplied, + host_t *host) +======= METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, private_child_cfg_t *this, bool local, linked_list_t *supplied, host_t *host) +>>>>>>> upstream/4.5.1 { enumerator_t *e1, *e2; traffic_selector_t *ts1, *ts2, *selected; @@ -341,14 +394,28 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, return result; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_updown. + */ +static char* get_updown(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_updown, char*, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->updown; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_hostaccess. + */ +static bool get_hostaccess(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_hostaccess, bool, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->hostaccess; } @@ -369,8 +436,15 @@ static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter) } #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter) +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_lifetime. + */ +static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t); memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t)); 
@@ -380,12 +454,25 @@ METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*, return lft; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_mode. + */ +static ipsec_mode_t get_mode(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_mode, ipsec_mode_t, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->mode; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_dpd_action. + */ +static action_t get_dpd_action(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_start_action, action_t, private_child_cfg_t *this) { @@ -394,18 +481,33 @@ METHOD(child_cfg_t, get_start_action, action_t, METHOD(child_cfg_t, get_dpd_action, action_t, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->dpd_action; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_close_action. + */ +static action_t get_close_action(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_close_action, action_t, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->close_action; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_dh_group. + */ +static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; proposal_t *proposal; 
@@ -423,30 +525,65 @@ METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t, return dh_group; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.use_ipcomp. + */ +static bool use_ipcomp(private_child_cfg_t *this) +======= METHOD(child_cfg_t, use_ipcomp, bool, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->use_ipcomp; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_inactivity. + */ +static u_int32_t get_inactivity(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_inactivity, u_int32_t, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->inactivity; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_reqid. + */ +static u_int32_t get_reqid(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_reqid, u_int32_t, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->reqid; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_mark. + */ +static mark_t get_mark(private_child_cfg_t *this, bool inbound) +======= METHOD(child_cfg_t, get_mark, mark_t, private_child_cfg_t *this, bool inbound) +>>>>>>> upstream/4.5.1 { return inbound ? this->mark_in : this->mark_out; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.set_mipv6_options. + */ +static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode, + bool install_policy) +======= METHOD(child_cfg_t, get_tfc, u_int32_t, private_child_cfg_t *this) { 
@@ -455,32 +592,61 @@ METHOD(child_cfg_t, get_tfc, u_int32_t, METHOD(child_cfg_t, set_mipv6_options, void, private_child_cfg_t *this, bool proxy_mode, bool install_policy) +>>>>>>> upstream/4.5.1 { this->proxy_mode = proxy_mode; this->install_policy = install_policy; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.use_proxy_mode. + */ +static bool use_proxy_mode(private_child_cfg_t *this) +======= METHOD(child_cfg_t, use_proxy_mode, bool, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->proxy_mode; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.install_policy. + */ +static bool install_policy(private_child_cfg_t *this) +======= METHOD(child_cfg_t, install_policy, bool, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { return this->install_policy; } +<<<<<<< HEAD +/** + * Implementation of child_cfg_t.get_ref. + */ +static child_cfg_t* get_ref(private_child_cfg_t *this) +======= METHOD(child_cfg_t, get_ref, child_cfg_t*, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { ref_get(&this->refcount); return &this->public; } +<<<<<<< HEAD +/** + * Implements child_cfg_t.destroy. + */ +static void destroy(private_child_cfg_t *this) +======= METHOD(child_cfg_t, destroy, void, private_child_cfg_t *this) +>>>>>>> upstream/4.5.1 { if (ref_put(&this->refcount)) { 
@@ -501,6 +667,47 @@ METHOD(child_cfg_t, destroy, void, */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, +<<<<<<< HEAD + ipsec_mode_t mode, action_t dpd_action, + action_t close_action, bool ipcomp, + u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out) +{ + private_child_cfg_t *this = malloc_thing(private_child_cfg_t); + + this->public.get_name = (char* (*) (child_cfg_t*))get_name; + this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector; + this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors; + this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal; + this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals; + this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal; + this->public.get_updown = (char* (*) (child_cfg_t*))get_updown; + this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess; + this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode; + this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action; + this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action; + this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime; + this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group; + this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options; + this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp; + this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity; + this->public.get_reqid = (u_int32_t (*) (child_cfg_t *))get_reqid; + this->public.get_mark = (mark_t (*) (child_cfg_t *,bool))get_mark; + this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode; + this->public.install_policy = (bool (*) 
(child_cfg_t *))install_policy; + this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref; + this->public.destroy = (void (*) (child_cfg_t*))destroy; + + this->name = strdup(name); + this->updown = updown ? strdup(updown) : NULL; + this->hostaccess = hostaccess; + this->mode = mode; + this->dpd_action = dpd_action; + this->close_action = close_action; + this->use_ipcomp = ipcomp; + this->inactivity = inactivity; + this->reqid = reqid; +======= ipsec_mode_t mode, action_t start_action, action_t dpd_action, action_t close_action, bool ipcomp, u_int32_t inactivity, u_int32_t reqid, @@ -553,15 +760,39 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, .other_ts = linked_list_create(), .tfc = tfc, ); +>>>>>>> upstream/4.5.1 if (mark_in) { this->mark_in = *mark_in; } +<<<<<<< HEAD + else + { + this->mark_in.value = 0; + this->mark_in.mask = 0; + } +======= +>>>>>>> upstream/4.5.1 if (mark_out) { this->mark_out = *mark_out; } +<<<<<<< HEAD + else + { + this->mark_out.value = 0; + this->mark_out.mask = 0; + } + + this->proxy_mode = FALSE; + this->install_policy = TRUE; + this->refcount = 1; + this->proposals = linked_list_create(); + this->my_ts = linked_list_create(); + this->other_ts = linked_list_create(); +======= +>>>>>>> upstream/4.5.1 memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t)); return &this->public; diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 175ced76c..d933b2a04 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h 
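Review bot: The HEAD and upstream sides of child_cfg_create have different signatures (HEAD has no `start_action` and no `tfc` parameter), and child_cfg.h in the next file section carries the same conflict; whichever side is chosen for the definition must be chosen for the declaration and for every caller, otherwise the build fails or, worse, compiles against a mismatched prototype. The HEAD side also assigns the vtable by hand and never sets `get_start_action` or `get_tfc`, so if it were kept alongside the upstream-side METHOD definitions from the earlier hunks those public function pointers would be left uninitialised by `malloc_thing`; the upstream side's INIT form zero-fills the struct, which is also why its removal of the explicit `mark_in`/`mark_out` zeroing is safe. Resolve the whole file toward the upstream side rather than mixing per-conflict.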
@@ -32,15 +32,25 @@ typedef struct child_cfg_t child_cfg_t; #include <kernel/kernel_ipsec.h> /** +<<<<<<< HEAD + * Action to take when DPD detected/connection gets closed by peer. +======= * Action to take when connection is loaded, DPD is detected or * connection gets closed by peer. +>>>>>>> upstream/4.5.1 */ enum action_t { /** No action */ ACTION_NONE, +<<<<<<< HEAD + /** Route config to reestablish on demand */ + ACTION_ROUTE, + /** Restart config immediately */ +======= /** Route config to establish or reestablish on demand */ ACTION_ROUTE, /** Start or restart config immediately */ +>>>>>>> upstream/4.5.1 ACTION_RESTART, }; @@ -170,6 +180,8 @@ struct child_cfg_t { ipsec_mode_t (*get_mode) (child_cfg_t *this); /** +<<<<<<< HEAD +======= * Action to take to start CHILD_SA. * * @return start action @@ -177,6 +189,7 @@ struct child_cfg_t { action_t (*get_start_action) (child_cfg_t *this); /** +>>>>>>> upstream/4.5.1 * Action to take on DPD. * * @return DPD action @@ -228,6 +241,8 @@ struct child_cfg_t { mark_t (*get_mark)(child_cfg_t *this, bool inbound); /** +<<<<<<< HEAD +======= * Get the TFC padding value to use for CHILD_SA. * * @return TFC padding, 0 to disable, -1 for MTU @@ -235,6 +250,7 @@ struct child_cfg_t { u_int32_t (*get_tfc)(child_cfg_t *this); /** +>>>>>>> upstream/4.5.1 * Sets two options needed for Mobile IPv6 interoperability * * @param proxy_mode use IPsec transport proxy mode (default FALSE) @@ -291,7 +307,10 @@ struct child_cfg_t { * @param updown updown script to execute on up/down event * @param hostaccess TRUE to allow access to the local host * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET +<<<<<<< HEAD +======= * @param start_action start action +>>>>>>> upstream/4.5.1 * @param dpd_action DPD action * @param close_action close action * @param ipcomp use IPComp, if peer supports it 
@@ -299,14 +318,24 @@ struct child_cfg_t { * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign * @param mark_in optional inbound mark (can be NULL) * @param mark_out optional outbound mark (can be NULL) +<<<<<<< HEAD +======= * @param tfc TFC padding size, 0 to disable, -1 to pad to PMTU +>>>>>>> upstream/4.5.1 * @return child_cfg_t object */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, +<<<<<<< HEAD + ipsec_mode_t mode, action_t dpd_action, + action_t close_action, bool ipcomp, + u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out); +======= ipsec_mode_t mode, action_t start_action, action_t dpd_action, action_t close_action, bool ipcomp, u_int32_t inactivity, u_int32_t reqid, mark_t *mark_in, mark_t *mark_out, u_int32_t tfc); +>>>>>>> upstream/4.5.1 #endif /** CHILD_CFG_H_ @}*/ diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index 6f0c87279..2b31eca04 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -682,7 +682,11 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->use_mobike = mobike; this->dpd = dpd; this->virtual_ip = virtual_ip; +<<<<<<< HEAD + this->pool = pool ? strdup(pool) : NULL; +======= this->pool = strdupnull(pool); +>>>>>>> upstream/4.5.1 this->local_auth = linked_list_create(); this->remote_auth = linked_list_create(); this->refcount = 1; diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 86a59bc1b..aba7feede 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -560,7 +560,10 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) if (token == NULL) { +<<<<<<< HEAD +======= DBG1(DBG_CFG, "algorithm '%.*s' not recognized", alg.len, alg.ptr); +>>>>>>> upstream/4.5.1 return FAILED; } 
@@ -741,10 +744,16 @@ static void proposal_add_supported_ike(private_proposal_t *this) integrity_algorithm_t integrity; pseudo_random_function_t prf; diffie_hellman_group_t group; +<<<<<<< HEAD + + enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption)) +======= const char *plugin_name; enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) +>>>>>>> upstream/4.5.1 { switch (encryption) { @@ -779,7 +788,11 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_signer_enumerator(lib->crypto); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &integrity)) +======= while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) +>>>>>>> upstream/4.5.1 { switch (integrity) { @@ -798,7 +811,11 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_prf_enumerator(lib->crypto); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &prf)) +======= while (enumerator->enumerate(enumerator, &prf, &plugin_name)) +>>>>>>> upstream/4.5.1 { switch (prf) { @@ -817,7 +834,11 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_dh_enumerator(lib->crypto); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &group)) +======= while (enumerator->enumerate(enumerator, &group, &plugin_name)) +>>>>>>> upstream/4.5.1 { switch (group) { diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 4f2831e42..4223d5a8d 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c 
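Review bot: The four conflicts in proposal_add_supported_ike change the arity of the enumerator callback — the upstream side passes a third out-argument, `enumerator->enumerate(enumerator, &encryption, &plugin_name)`, for the crypter, signer, prf and dh enumerators, the HEAD side only two. These enumerators are created by libstrongswan, which is not in this chunk, so the choice has to match the library's enumerator implementation: a two-argument call against an enumerator that writes a plugin-name out-parameter would dereference an argument that was never passed. Pick the side that matches the libstrongswan version being merged (the upstream side for 4.5.1) and keep the `const char *plugin_name;` declaration with it. In the preceding add_string_algo hunk the upstream side's `DBG1(DBG_CFG, "algorithm '%.*s' not recognized", ...)` is the only feedback a user gets for a typo in a proposal string and should be kept.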
@@ -19,6 +19,16 @@ #include <stdio.h> #include <sys/types.h> #include <unistd.h> +<<<<<<< HEAD +#include <syslog.h> +#include <time.h> +#include <errno.h> + +#ifdef CAPABILITIES +#ifdef HAVE_SYS_CAPABILITY_H +#include <sys/capability.h> +#endif /* HAVE_SYS_CAPABILITY_H */ +======= #include <time.h> #ifdef CAPABILITIES @@ -27,6 +37,7 @@ # elif defined(CAPABILITIES_NATIVE) # include <linux/capability.h> # endif /* CAPABILITIES_NATIVE */ +>>>>>>> upstream/4.5.1 #endif /* CAPABILITIES */ #include "daemon.h" @@ -34,7 +45,14 @@ #include <library.h> #include <config/proposal.h> #include <kernel/kernel_handler.h> +<<<<<<< HEAD + +#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ +#define LOG_AUTHPRIV LOG_AUTH +#endif +======= #include <processing/jobs/start_action_job.h> +>>>>>>> upstream/4.5.1 typedef struct private_daemon_t private_daemon_t; @@ -59,7 +77,11 @@ struct private_daemon_t { cap_t caps; #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE +<<<<<<< HEAD + struct __user_cap_data_struct caps; +======= struct __user_cap_data_struct caps[2]; +>>>>>>> upstream/4.5.1 #endif /* CAPABILITIES_NATIVE */ }; @@ -144,6 +166,11 @@ METHOD(daemon_t, keep_cap, void, cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET); #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE +<<<<<<< HEAD + this->caps.effective |= 1 << cap; + this->caps.permitted |= 1 << cap; + this->caps.inheritable |= 1 << cap; +======= int i = 0; if (cap >= 32) @@ -154,6 +181,7 @@ METHOD(daemon_t, keep_cap, void, this->caps[i].effective |= 1 << cap; this->caps[i].permitted |= 1 << cap; this->caps[i].inheritable |= 1 << cap; +>>>>>>> upstream/4.5.1 #endif /* CAPABILITIES_NATIVE */ } 
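Review bot: The HEAD side of keep_cap sets `this->caps.effective |= 1 << cap;` on a single `__user_cap_data_struct`, while the upstream side declares `caps[2]` and branches on `if (cap >= 32)`; shifting an int by 32 or more is undefined behaviour in C, so with the single-struct form any capability numbered 32 or higher would be silently mis-set rather than kept, which matters because this mask decides what the daemon retains after privilege drop. The three daemon.c conflicts (the `caps[2]` field, keep_cap here, and `capset(&header, this->caps)` with the `_LINUX_CAPABILITY_VERSION_3` header in the drop_capabilities hunk that follows) must all be resolved to the same side, since a v3 header with a single data struct or a v1 header with an array passes the wrong buffer size to capset. The HEAD include block also re-adds `<syslog.h>`, `<errno.h>` and the `LOG_AUTHPRIV` fallback that the upstream side lacks; the HEAD-side initialize_loggers in a later hunk still references `LOG_AUTHPRIV` and `sys_logger_create`, so drop those includes only if that logger setup is dropped with them. keep_cap and drop_capabilities both start outside their hunks.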
@@ -168,6 +196,11 @@ METHOD(daemon_t, drop_capabilities, bool,
#endif /* CAPABILITIES_LIBCAP */
#ifdef CAPABILITIES_NATIVE
struct __user_cap_header_struct header = {
+<<<<<<< HEAD
+ .version = _LINUX_CAPABILITY_VERSION,
+ };
+ if (capset(&header, &this->caps) != 0)
+=======
#if defined(_LINUX_CAPABILITY_VERSION_3)
.version = _LINUX_CAPABILITY_VERSION_3,
#elif defined(_LINUX_CAPABILITY_VERSION_2)
@@ -177,6 +210,7 @@ METHOD(daemon_t, drop_capabilities, bool,
#endif
};
if (capset(&header, this->caps) != 0)
+>>>>>>> upstream/4.5.1
{
return FALSE;
}
@@ -212,9 +246,161 @@ static void print_plugins() DBG1(DBG_DMN, "loaded plugins: %s", buf); } +<<<<<<< HEAD +/** + * Initialize logging + */ +static void initialize_loggers(private_daemon_t *this, bool use_stderr, + level_t levels[]) +{ + sys_logger_t *sys_logger; + file_logger_t *file_logger; + enumerator_t *enumerator; + char *facility, *filename; + int loggers_defined = 0; + debug_t group; + level_t def; + bool append, ike_name; + FILE *file; + + /* setup sysloggers */ + enumerator = lib->settings->create_section_enumerator(lib->settings, + "charon.syslog"); + while (enumerator->enumerate(enumerator, &facility)) + { + loggers_defined++; + + ike_name = lib->settings->get_bool(lib->settings, + "charon.syslog.%s.ike_name", FALSE, facility); + if (streq(facility, "daemon")) + { + sys_logger = sys_logger_create(LOG_DAEMON, ike_name); + } + else if (streq(facility, "auth")) + { + sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name); + } + else + { + continue; + } + def = lib->settings->get_int(lib->settings, + "charon.syslog.%s.default", 1, facility); + for (group = 0; group < DBG_MAX; group++) + { + sys_logger->set_level(sys_logger, group, + lib->settings->get_int(lib->settings, + "charon.syslog.%s.%N", def, + facility, debug_lower_names, group)); + } + this->public.sys_loggers->insert_last(this->public.sys_loggers, + sys_logger); + this->public.bus->add_listener(this->public.bus, &sys_logger->listener); + } + enumerator->destroy(enumerator); + + /* and file loggers */ + enumerator = lib->settings->create_section_enumerator(lib->settings, + "charon.filelog"); + while (enumerator->enumerate(enumerator, &filename)) + { + loggers_defined++; + if (streq(filename, "stderr")) + { + file = stderr; + } + else if (streq(filename, "stdout")) + { + file = stdout; + } + else + { + append = lib->settings->get_bool(lib->settings, + "charon.filelog.%s.append", TRUE, filename); + file = fopen(filename, append ? 
"a" : "w"); + if (file == NULL) + { + DBG1(DBG_DMN, "opening file %s for logging failed: %s", + filename, strerror(errno)); + continue; + } + if (lib->settings->get_bool(lib->settings, + "charon.filelog.%s.flush_line", FALSE, filename)) + { + setlinebuf(file); + } + } + file_logger = file_logger_create(file, + lib->settings->get_str(lib->settings, + "charon.filelog.%s.time_format", NULL, filename), + lib->settings->get_bool(lib->settings, + "charon.filelog.%s.ike_name", FALSE, filename)); + def = lib->settings->get_int(lib->settings, + "charon.filelog.%s.default", 1, filename); + for (group = 0; group < DBG_MAX; group++) + { + file_logger->set_level(file_logger, group, + lib->settings->get_int(lib->settings, + "charon.filelog.%s.%N", def, + filename, debug_lower_names, group)); + } + this->public.file_loggers->insert_last(this->public.file_loggers, + file_logger); + this->public.bus->add_listener(this->public.bus, &file_logger->listener); + + } + enumerator->destroy(enumerator); + + /* set up legacy style default loggers provided via command-line */ + if (!loggers_defined) + { + /* set up default stdout file_logger */ + file_logger = file_logger_create(stdout, NULL, FALSE); + this->public.bus->add_listener(this->public.bus, &file_logger->listener); + this->public.file_loggers->insert_last(this->public.file_loggers, + file_logger); + /* set up default daemon sys_logger */ + sys_logger = sys_logger_create(LOG_DAEMON, FALSE); + this->public.bus->add_listener(this->public.bus, &sys_logger->listener); + this->public.sys_loggers->insert_last(this->public.sys_loggers, + sys_logger); + for (group = 0; group < DBG_MAX; group++) + { + sys_logger->set_level(sys_logger, group, levels[group]); + if (use_stderr) + { + file_logger->set_level(file_logger, group, levels[group]); + } + } + + /* set up default auth sys_logger */ + sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE); + this->public.bus->add_listener(this->public.bus, &sys_logger->listener); + 
this->public.sys_loggers->insert_last(this->public.sys_loggers, + sys_logger); + sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT); + } +} + +METHOD(daemon_t, initialize, bool, + private_daemon_t *this, bool syslog, level_t levels[]) +{ + /* for uncritical pseudo random numbers */ + srandom(time(NULL) + getpid()); + + /* setup bus and it's listeners first to enable log output */ + this->public.bus = bus_create(); + /* set up hook to log dbg message in library via charons message bus */ + dbg_old = dbg; + dbg = dbg_bus; + + initialize_loggers(this, !syslog, levels); + +======= METHOD(daemon_t, initialize, bool, private_daemon_t *this) { +>>>>>>> upstream/4.5.1 DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")"); if (lib->integrity) @@ -226,6 +412,19 @@ METHOD(daemon_t, initialize, bool, DBG1(DBG_DMN, "daemon 'charon': passed file integrity test"); } +<<<<<<< HEAD + /* load secrets, ca certificates and crls */ + this->public.controller = controller_create(); + this->public.eap = eap_manager_create(); + this->public.sim = sim_manager_create(); + this->public.tnccs = tnccs_manager_create(); + this->public.backends = backend_manager_create(); + this->public.socket = socket_manager_create(); + this->public.traps = trap_manager_create(); + this->kernel_handler = kernel_handler_create(); + +======= +>>>>>>> upstream/4.5.1 /* load plugins, further infrastructure may need it */ if (!lib->plugins->load(lib->plugins, NULL, lib->settings->get_str(lib->settings, "charon.load", PLUGINS))) @@ -247,9 +446,12 @@ METHOD(daemon_t, initialize, bool, return FALSE; } +<<<<<<< HEAD +======= /* Queue start_action job */ lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create()); +>>>>>>> upstream/4.5.1 #ifdef ME this->public.connect_manager = connect_manager_create(); if (this->public.connect_manager == NULL) 
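Review bot: The HEAD side of the initialize conflict creates the bus inside initialize() (`this->public.bus = bus_create();`) and registers all loggers there, while the upstream side already creates it in daemon_create() (`.bus = bus_create()` in the next hunk) so that listeners can be registered before initialize(), as the daemon.h comment in this chunk says; keeping both would overwrite an already populated bus and leak the first one. The `srandom(time(NULL) + getpid())` seeding likewise appears in both HEAD's initialize() and upstream's libcharon_init() and should exist once. In HEAD's initialize_loggers the `fopen(filename, append ? "a" : "w")` failure path logs and `continue`s, so a log file that cannot be opened is silently skipped rather than fatal; if that side is kept, a comment such as `/* an unopenable log file is skipped, not treated as fatal */` would make the intent explicit. The hunk's upstream side of initialize continues outside the hunk.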
@@ -275,11 +477,16 @@ private_daemon_t *daemon_create() .drop_capabilities = _drop_capabilities, .initialize = _initialize, .start = _start, +<<<<<<< HEAD +======= .bus = bus_create(), +>>>>>>> upstream/4.5.1 .file_loggers = linked_list_create(), .sys_loggers = linked_list_create(), }, ); +<<<<<<< HEAD +======= charon = &this->public; this->public.controller = controller_create(); this->public.eap = eap_manager_create(); @@ -289,6 +496,7 @@ private_daemon_t *daemon_create() this->public.socket = socket_manager_create(); this->public.traps = trap_manager_create(); this->kernel_handler = kernel_handler_create(); +>>>>>>> upstream/4.5.1 #ifdef CAPABILITIES #ifdef CAPABILITIES_LIBCAP @@ -309,6 +517,10 @@ private_daemon_t *daemon_create() */ void libcharon_deinit() { +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 destroy((private_daemon_t*)charon); charon = NULL; } @@ -321,6 +533,9 @@ bool libcharon_init() private_daemon_t *this; this = daemon_create(); +<<<<<<< HEAD + charon = &this->public; +======= /* for uncritical pseudo random numbers */ srandom(time(NULL) + getpid()); @@ -328,6 +543,7 @@ bool libcharon_init() /* set up hook to log dbg message in library via charons message bus */ dbg_old = dbg; dbg = dbg_bus; +>>>>>>> upstream/4.5.1 lib->printf_hook->add_handler(lib->printf_hook, 'P', proposal_printf_hook, diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h index 04f1fc249..ae590601f 100644 --- a/src/libcharon/daemon.h +++ b/src/libcharon/daemon.h @@ -149,9 +149,13 @@ typedef struct daemon_t daemon_t; #include <config/backend_manager.h> #include <sa/authenticators/eap/eap_manager.h> #include <sa/authenticators/eap/sim_manager.h> +<<<<<<< HEAD +#include <tnccs/tnccs_manager.h> +======= #include <tnc/imc/imc_manager.h> #include <tnc/imv/imv_manager.h> #include <tnc/tnccs/tnccs_manager.h> +>>>>>>> upstream/4.5.1 #ifdef ME #include <sa/connect_manager.h> 
@@ -239,6 +243,8 @@ struct daemon_t { sim_manager_t *sim; /** +<<<<<<< HEAD +======= * TNC IMC manager controlling Integrity Measurement Collectors */ imc_manager_t *imcs; @@ -249,6 +255,7 @@ struct daemon_t { imv_manager_t *imvs; /** +>>>>>>> upstream/4.5.1 * TNCCS manager to maintain registered TNCCS protocols */ tnccs_manager_t *tnccs; @@ -298,7 +305,11 @@ struct daemon_t { /** * Initialize the daemon. */ +<<<<<<< HEAD + bool (*initialize)(daemon_t *this, bool syslog, level_t levels[]); +======= bool (*initialize)(daemon_t *this); +>>>>>>> upstream/4.5.1 /** * Starts the daemon, i.e. spawns the threads of the thread pool. @@ -317,9 +328,12 @@ extern daemon_t *charon; /** * Initialize libcharon and create the "charon" instance of daemon_t. * +<<<<<<< HEAD +======= * This function initializes the bus, listeners can be registered before * calling initialize(). * +>>>>>>> upstream/4.5.1 * @return FALSE if integrity check failed */ bool libcharon_init(); diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c index ce3844361..785f1430a 100644 --- a/src/libcharon/encoding/generator.c +++ b/src/libcharon/encoding/generator.c @@ -41,7 +41,10 @@ #include <encoding/payloads/cp_payload.h> #include <encoding/payloads/configuration_attribute.h> #include <encoding/payloads/eap_payload.h> +<<<<<<< HEAD +======= #include <encoding/payloads/unknown_payload.h> +>>>>>>> upstream/4.5.1 /** * Generating is done in a data buffer. 
@@ -90,10 +93,27 @@ struct private_generator_t { */ void *data_struct; +<<<<<<< HEAD + /* + * Last payload length position offset in the buffer. + */ + u_int32_t last_payload_length_position_offset; + + /** + * Offset of the header length field in the buffer. + */ + u_int32_t header_length_position_offset; + + /** + * Last SPI size. + */ + u_int8_t last_spi_size; +======= /** * Offset of the header length field in the buffer. */ u_int32_t header_length_offset; +>>>>>>> upstream/4.5.1 /** * Attribute format of the last generated transform attribute. @@ -184,6 +204,36 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes, } /** +<<<<<<< HEAD + * Writes a specific amount of byte into the buffer at a specific offset. + */ +static void write_bytes_to_buffer_at_offset(private_generator_t *this, + void *bytes, int number_of_bytes, u_int32_t offset) +{ + int i; + u_int8_t *read_position = (u_int8_t *)bytes; + u_int8_t *write_position; + u_int32_t free_space_after_offset = get_size(this) - offset; + + /* check first if enough space for new data is available */ + if (number_of_bytes > free_space_after_offset) + { + make_space_available(this, + (number_of_bytes - free_space_after_offset) * 8); + } + + write_position = this->buffer + offset; + for (i = 0; i < number_of_bytes; i++) + { + *write_position = *read_position; + read_position++; + write_position++; + } +} + +/** +======= +>>>>>>> upstream/4.5.1 * Generates a U_INT-Field type and writes it to buffer. */ static void generate_u_int_type(private_generator_t *this, @@ -198,13 +248,19 @@ static void generate_u_int_type(private_generator_t *this, number_of_bits = 4; break; case TS_TYPE: +<<<<<<< HEAD +======= case RESERVED_BYTE: case SPI_SIZE: +>>>>>>> upstream/4.5.1 case U_INT_8: number_of_bits = 8; break; case U_INT_16: +<<<<<<< HEAD +======= case PAYLOAD_LENGTH: +>>>>>>> upstream/4.5.1 case CONFIGURATION_ATTRIBUTE_LENGTH: number_of_bits = 16; break; 
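Review bot: The HEAD side of the `@@ -184,6 +204,36 @@` hunk reinstates write_bytes_to_buffer_at_offset, whose guard `if (number_of_bytes > free_space_after_offset)` compares an `int` against a `u_int32_t` computed as `get_size(this) - offset`; should offset ever exceed the buffer size the subtraction wraps and the guard passes, so the routine is only safe for callers that pass an offset previously recorded from this same buffer, which is how the generate_payload hunks below use it. It also brings back the three-field bookkeeping (`last_payload_length_position_offset`, `header_length_position_offset`, `last_spi_size`) that upstream collapsed into `header_length_offset`, so resolving towards upstream drops the hand-rolled byte loop as well; if the HEAD side is kept, `memcpy(this->buffer + offset, bytes, number_of_bytes);` replaces the loop.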
@@ -268,8 +324,11 @@ static void generate_u_int_type(private_generator_t *this, break; } case TS_TYPE: +<<<<<<< HEAD +======= case RESERVED_BYTE: case SPI_SIZE: +>>>>>>> upstream/4.5.1 case U_INT_8: { /* 8 bit values are written as they are */ @@ -307,7 +366,10 @@ static void generate_u_int_type(private_generator_t *this, } case U_INT_16: +<<<<<<< HEAD +======= case PAYLOAD_LENGTH: +>>>>>>> upstream/4.5.1 case CONFIGURATION_ATTRIBUTE_LENGTH: { u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset))); @@ -341,6 +403,52 @@ static void generate_u_int_type(private_generator_t *this, } /** +<<<<<<< HEAD + * Generate a reserved bit or byte + */ +static void generate_reserved_field(private_generator_t *this, int bits) +{ + /* only one bit or 8 bit fields are supported */ + if (bits != 1 && bits != 8) + { + DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits); + return ; + } + make_space_available(this, bits); + + if (bits == 1) + { + u_int8_t reserved_bit = ~(1 << (7 - this->current_bit)); + + *(this->out_position) = *(this->out_position) & reserved_bit; + if (this->current_bit == 0) + { + /* memory must be zero */ + *(this->out_position) = 0x00; + } + this->current_bit++; + if (this->current_bit >= 8) + { + this->current_bit = this->current_bit % 8; + this->out_position++; + } + } + else + { + if (this->current_bit > 0) + { + DBG1(DBG_ENC, "reserved field cannot be written cause " + "alignement of current bit is %d", this->current_bit); + return; + } + *(this->out_position) = 0x00; + this->out_position++; + } +} + +/** +======= +>>>>>>> upstream/4.5.1 * Generate a FLAG filed */ static void generate_flag(private_generator_t *this, u_int32_t offset) 
@@ -395,7 +503,11 @@ METHOD(generator_t, get_chunk, chunk_t, { chunk_t data; +<<<<<<< HEAD + *lenpos = (u_int32_t*)(this->buffer + this->header_length_position_offset); +======= *lenpos = (u_int32_t*)(this->buffer + this->header_length_offset); +>>>>>>> upstream/4.5.1 data = chunk_create(this->buffer, get_length(this)); DBG3(DBG_ENC, "generated data of this generator %B", &data); return data; @@ -411,6 +523,11 @@ METHOD(generator_t, generate_payload, void, this->data_struct = payload; payload_type = payload->get_type(payload); +<<<<<<< HEAD + /* spi size has to get reseted */ + this->last_spi_size = 0; +======= +>>>>>>> upstream/4.5.1 offset_start = this->out_position - this->buffer; @@ -430,6 +547,58 @@ METHOD(generator_t, generate_payload, void, case U_INT_8: case U_INT_16: case U_INT_32: +<<<<<<< HEAD + case IKE_SPI: + case TS_TYPE: + case ATTRIBUTE_TYPE: + case CONFIGURATION_ATTRIBUTE_LENGTH: + { + generate_u_int_type(this, rules[i].type, rules[i].offset); + break; + } + case RESERVED_BIT: + { + generate_reserved_field(this, 1); + break; + } + case RESERVED_BYTE: + { + generate_reserved_field(this, 8); + break; + } + case FLAG: + { + generate_flag(this, rules[i].offset); + break; + } + case PAYLOAD_LENGTH: + { + this->last_payload_length_position_offset = get_offset(this); + generate_u_int_type(this, U_INT_16,rules[i].offset); + break; + } + case HEADER_LENGTH: + { + this->header_length_position_offset = get_offset(this); + generate_u_int_type(this ,U_INT_32, rules[i].offset); + break; + } + case SPI_SIZE: + generate_u_int_type(this, U_INT_8, rules[i].offset); + this->last_spi_size = *((u_int8_t *)(this->data_struct + + rules[i].offset)); + break; + case ADDRESS: + { + generate_from_chunk(this, rules[i].offset); + break; + } + case SPI: + { + generate_from_chunk(this, rules[i].offset); + break; + } +======= case PAYLOAD_LENGTH: case IKE_SPI: case RESERVED_BYTE: 
@@ -449,6 +618,7 @@ METHOD(generator_t, generate_payload, void,
break;
case ADDRESS:
case SPI:
+>>>>>>> upstream/4.5.1
case KEY_EXCHANGE_DATA:
case NOTIFICATION_DATA:
case NONCE_DATA:
@@ -460,6 +630,198 @@ METHOD(generator_t, generate_payload, void, case CONFIGURATION_ATTRIBUTE_VALUE: case VID_DATA: case EAP_DATA: +<<<<<<< HEAD + { + u_int32_t payload_length_position_offset; + u_int16_t length_of_payload; + u_int16_t header_length = 0; + u_int16_t length_in_network_order; + + switch(rules[i].type) + { + case KEY_EXCHANGE_DATA: + header_length = KE_PAYLOAD_HEADER_LENGTH; + break; + case NOTIFICATION_DATA: + header_length = NOTIFY_PAYLOAD_HEADER_LENGTH + + this->last_spi_size; + break; + case NONCE_DATA: + header_length = NONCE_PAYLOAD_HEADER_LENGTH; + break; + case ID_DATA: + header_length = ID_PAYLOAD_HEADER_LENGTH; + break; + case AUTH_DATA: + header_length = AUTH_PAYLOAD_HEADER_LENGTH; + break; + case CERT_DATA: + header_length = CERT_PAYLOAD_HEADER_LENGTH; + break; + case CERTREQ_DATA: + header_length = CERTREQ_PAYLOAD_HEADER_LENGTH; + break; + case SPIS: + header_length = DELETE_PAYLOAD_HEADER_LENGTH; + break; + case VID_DATA: + header_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH; + break; + case CONFIGURATION_ATTRIBUTE_VALUE: + header_length = CONFIGURATION_ATTRIBUTE_HEADER_LENGTH; + break; + case EAP_DATA: + header_length = EAP_PAYLOAD_HEADER_LENGTH; + break; + default: + break; + } + generate_from_chunk(this, rules[i].offset); + + payload_length_position_offset = + this->last_payload_length_position_offset; + + length_of_payload = header_length + + ((chunk_t *)(this->data_struct + rules[i].offset))->len; + + length_in_network_order = htons(length_of_payload); + write_bytes_to_buffer_at_offset(this, &length_in_network_order, + sizeof(u_int16_t), payload_length_position_offset); + break; + } + case PROPOSALS: + { + u_int32_t payload_length_position_offset = + this->last_payload_length_position_offset; + /* Length of SA_PAYLOAD is calculated */ + u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH; + u_int16_t int16_val; + linked_list_t *proposals = *((linked_list_t **) + (this->data_struct + rules[i].offset)); + iterator_t *iterator; + 
payload_t *current_proposal; + + iterator = proposals->create_iterator(proposals,TRUE); + while (iterator->iterate(iterator, (void**)¤t_proposal)) + { + u_int32_t before_generate_position_offset; + u_int32_t after_generate_position_offset; + + before_generate_position_offset = get_offset(this); + generate_payload(this, current_proposal); + after_generate_position_offset = get_offset(this); + length_of_sa_payload += (after_generate_position_offset - + before_generate_position_offset); + } + iterator->destroy(iterator); + + int16_val = htons(length_of_sa_payload); + write_bytes_to_buffer_at_offset(this, &int16_val, + sizeof(u_int16_t),payload_length_position_offset); + break; + } + case TRANSFORMS: + { + u_int32_t payload_length_position_offset = + this->last_payload_length_position_offset; + u_int16_t length_of_proposal = + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size; + u_int16_t int16_val; + linked_list_t *transforms = *((linked_list_t **) + (this->data_struct + rules[i].offset)); + iterator_t *iterator; + payload_t *current_transform; + + iterator = transforms->create_iterator(transforms,TRUE); + while (iterator->iterate(iterator, (void**)¤t_transform)) + { + u_int32_t before_generate_position_offset; + u_int32_t after_generate_position_offset; + + before_generate_position_offset = get_offset(this); + generate_payload(this, current_transform); + after_generate_position_offset = get_offset(this); + + length_of_proposal += (after_generate_position_offset - + before_generate_position_offset); + } + iterator->destroy(iterator); + + int16_val = htons(length_of_proposal); + write_bytes_to_buffer_at_offset(this, &int16_val, + sizeof(u_int16_t), payload_length_position_offset); + break; + } + case TRANSFORM_ATTRIBUTES: + { + u_int32_t transform_length_position_offset = + this->last_payload_length_position_offset; + u_int16_t length_of_transform = + TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; + u_int16_t int16_val; + linked_list_t *transform_attributes 
=*((linked_list_t **) + (this->data_struct + rules[i].offset)); + iterator_t *iterator; + payload_t *current_attribute; + + iterator = transform_attributes->create_iterator( + transform_attributes, TRUE); + while (iterator->iterate(iterator, (void**)¤t_attribute)) + { + u_int32_t before_generate_position_offset; + u_int32_t after_generate_position_offset; + + before_generate_position_offset = get_offset(this); + generate_payload(this, current_attribute); + after_generate_position_offset = get_offset(this); + + length_of_transform += (after_generate_position_offset - + before_generate_position_offset); + } + + iterator->destroy(iterator); + + int16_val = htons(length_of_transform); + write_bytes_to_buffer_at_offset(this, &int16_val, + sizeof(u_int16_t),transform_length_position_offset); + break; + } + case CONFIGURATION_ATTRIBUTES: + { + u_int32_t configurations_length_position_offset = + this->last_payload_length_position_offset; + u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH; + u_int16_t int16_val; + linked_list_t *configuration_attributes = *((linked_list_t **) + (this->data_struct + rules[i].offset)); + iterator_t *iterator; + payload_t *current_attribute; + + iterator = configuration_attributes->create_iterator( + configuration_attributes,TRUE); + while (iterator->iterate(iterator, (void**)¤t_attribute)) + { + u_int32_t before_generate_position_offset; + u_int32_t after_generate_position_offset; + + before_generate_position_offset = get_offset(this); + generate_payload(this, current_attribute); + after_generate_position_offset = get_offset(this); + + length_of_configurations += after_generate_position_offset - + before_generate_position_offset; + } + + iterator->destroy(iterator); + + int16_val = htons(length_of_configurations); + write_bytes_to_buffer_at_offset(this, &int16_val, + sizeof(u_int16_t),configurations_length_position_offset); + break; + } + case ATTRIBUTE_FORMAT: + { +======= case ENCRYPTED_DATA: case UNKNOWN_DATA: 
generate_from_chunk(this, rules[i].offset); @@ -485,19 +847,41 @@ METHOD(generator_t, generate_payload, void, break; } case ATTRIBUTE_FORMAT: +>>>>>>> upstream/4.5.1 generate_flag(this, rules[i].offset); /* Attribute format is a flag which is stored in context*/ this->attribute_format = *((bool *)(this->data_struct + rules[i].offset)); break; +<<<<<<< HEAD + } + + case ATTRIBUTE_LENGTH_OR_VALUE: + { + if (this->attribute_format == FALSE) + { + generate_u_int_type(this, U_INT_16, rules[i].offset); + /* this field hold the length of the attribute */ + this->attribute_length = + *((u_int16_t *)(this->data_struct + rules[i].offset)); +======= case ATTRIBUTE_LENGTH_OR_VALUE: if (this->attribute_format) { generate_u_int_type(this, U_INT_16, rules[i].offset); +>>>>>>> upstream/4.5.1 } else { generate_u_int_type(this, U_INT_16, rules[i].offset); +<<<<<<< HEAD + } + break; + } + case ATTRIBUTE_VALUE: + { + if (this->attribute_format == FALSE) +======= /* this field hold the length of the attribute */ this->attribute_length = *((u_int16_t *)(this->data_struct + rules[i].offset)); @@ -506,6 +890,7 @@ METHOD(generator_t, generate_payload, void, case ATTRIBUTE_VALUE: { if (!this->attribute_format) +>>>>>>> upstream/4.5.1 { DBG2(DBG_ENC, "attribute value has not fixed size"); /* the attribute value is generated */ 
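Review bot: On the HEAD side of the `@@ -460,6 +630,198 @@` hunk the per-payload length is computed as `length_of_payload = header_length + ((chunk_t *)(this->data_struct + rules[i].offset))->len;` into a `u_int16_t` and written back over the 16-bit length field without checking that the chunk fits; a chunk longer than 65535 minus the header length wraps silently and the generated payload then carries a length that does not match its data, and the same unchecked `u_int16_t` accumulation recurs for PROPOSALS, TRANSFORMS, TRANSFORM_ATTRIBUTES and CONFIGURATION_ATTRIBUTES here and for TRAFFIC_SELECTORS in the `@@ -513,6 +898,47 @@` hunk. Whether oversized chunks can reach this code depends on the callers, which are outside the diff, but the upstream side (ending in `generate_from_chunk(this, rules[i].offset);`, its length handling not visible in this chunk) is the one to keep, since it does not duplicate the length bookkeeping per case. generate_payload's body starts and ends outside this hunk.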
@@ -513,6 +898,47 @@ METHOD(generator_t, generate_payload, void, } break; } +<<<<<<< HEAD + case TRAFFIC_SELECTORS: + { + u_int32_t payload_length_position_offset = + this->last_payload_length_position_offset; + u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH; + u_int16_t int16_val; + linked_list_t *traffic_selectors = *((linked_list_t **) + (this->data_struct + rules[i].offset)); + iterator_t *iterator; + payload_t *current_tss; + + iterator = traffic_selectors->create_iterator( + traffic_selectors,TRUE); + while (iterator->iterate(iterator, (void **)¤t_tss)) + { + u_int32_t before_generate_position_offset; + u_int32_t after_generate_position_offset; + + before_generate_position_offset = get_offset(this); + generate_payload(this, current_tss); + after_generate_position_offset = get_offset(this); + + length_of_ts_payload += (after_generate_position_offset - + before_generate_position_offset); + } + iterator->destroy(iterator); + + int16_val = htons(length_of_ts_payload); + write_bytes_to_buffer_at_offset(this, &int16_val, + sizeof(u_int16_t),payload_length_position_offset); + break; + } + + case ENCRYPTED_DATA: + { + generate_from_chunk(this, rules[i].offset); + break; + } +======= +>>>>>>> upstream/4.5.1 default: DBG1(DBG_ENC, "field type %N is not supported", encoding_type_names, rules[i].type); diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index dbef340ab..071424812 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -131,7 +131,10 @@ static payload_rule_t ike_sa_init_r_rules[] = { {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE}, {KEY_EXCHANGE, 1, 1, FALSE, FALSE}, {NONCE, 1, 1, FALSE, FALSE}, +<<<<<<< HEAD +======= {CERTIFICATE_REQUEST, 1, 1, FALSE, FALSE}, +>>>>>>> upstream/4.5.1 {VENDOR_ID, 0, 10, FALSE, FALSE}, }; @@ -491,6 +494,8 @@ struct private_message_t { bool is_request; /** +<<<<<<< HEAD +======= * Higher version supported? */ bool version_flag; 
@@ -506,6 +511,7 @@ struct private_message_t { bool sort_disabled; /** +>>>>>>> upstream/4.5.1 * Message ID of this message. */ u_int32_t message_id; @@ -663,6 +669,20 @@ METHOD(message_t, get_request, bool, return this->is_request; } +<<<<<<< HEAD +/** + * Is this message in an encoded form? + */ +static bool is_encoded(private_message_t *this) +{ + chunk_t data = this->packet->get_data(this->packet); + + if (data.ptr == NULL) + { + return FALSE; + } + return TRUE; +======= METHOD(message_t, set_version_flag, void, private_message_t *this) { @@ -692,6 +712,7 @@ METHOD(message_t, is_encoded, bool, private_message_t *this) { return this->packet->get_data(this->packet).ptr != NULL; +>>>>>>> upstream/4.5.1 } METHOD(message_t, add_payload, void, @@ -765,12 +786,15 @@ METHOD(message_t, create_payload_enumerator, enumerator_t*, return this->payloads->create_enumerator(this->payloads); } +<<<<<<< HEAD +======= METHOD(message_t, remove_payload_at, void, private_message_t *this, enumerator_t *enumerator) { this->payloads->remove_at(this->payloads, enumerator); } +>>>>>>> upstream/4.5.1 METHOD(message_t, get_payload, payload_t*, private_message_t *this, payload_type_t type) { @@ -1040,12 +1064,15 @@ static encryption_payload_t* wrap_payloads(private_message_t *this) return encryption; } +<<<<<<< HEAD +======= METHOD(message_t, disable_sort, void, private_message_t *this) { this->sort_disabled = TRUE; } +>>>>>>> upstream/4.5.1 METHOD(message_t, generate, status_t, private_message_t *this, aead_t *aead, packet_t **packet) { @@ -1057,8 +1084,17 @@ METHOD(message_t, generate, status_t, chunk_t chunk; char str[256]; u_int32_t *lenpos; +<<<<<<< HEAD + + if (is_encoded(this)) + { /* already generated, return a new packet clone */ + *packet = this->packet->clone(this->packet); + return SUCCESS; + } +======= bool *reserved; int i; +>>>>>>> upstream/4.5.1 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED) { 
@@ -1080,10 +1116,14 @@ METHOD(message_t, generate, status_t, return NOT_SUPPORTED; } +<<<<<<< HEAD + order_payloads(this); +======= if (!this->sort_disabled) { order_payloads(this); } +>>>>>>> upstream/4.5.1 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str))); @@ -1097,12 +1137,18 @@ METHOD(message_t, generate, status_t, } ike_header = ike_header_create(); +<<<<<<< HEAD + ike_header->set_exchange_type(ike_header, this->exchange_type); + ike_header->set_message_id(ike_header, this->message_id); + ike_header->set_response_flag(ike_header, !this->is_request); +======= ike_header->set_maj_version(ike_header, this->major_version); ike_header->set_min_version(ike_header, this->minor_version); ike_header->set_exchange_type(ike_header, this->exchange_type); ike_header->set_message_id(ike_header, this->message_id); ike_header->set_response_flag(ike_header, !this->is_request); ike_header->set_version_flag(ike_header, this->version_flag); +>>>>>>> upstream/4.5.1 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id)); ike_header->set_initiator_spi(ike_header, @@ -1110,6 +1156,8 @@ METHOD(message_t, generate, status_t, ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id)); +<<<<<<< HEAD +======= for (i = 0; i < countof(this->reserved); i++) { reserved = payload_get_field(&ike_header->payload_interface, @@ -1120,6 +1168,7 @@ METHOD(message_t, generate, status_t, } } +>>>>>>> upstream/4.5.1 generator = generator_create(); /* generate all payloads with proper next type */ @@ -1188,8 +1237,11 @@ METHOD(message_t, parse_header, status_t, { ike_header_t *ike_header; status_t status; +<<<<<<< HEAD +======= bool *reserved; int i; +>>>>>>> upstream/4.5.1 DBG2(DBG_ENC, "parsing header of message"); 
@@ -1224,6 +1276,9 @@ METHOD(message_t, parse_header, status_t, this->minor_version = ike_header->get_min_version(ike_header); this->first_payload = ike_header->payload_interface.get_next_type( &ike_header->payload_interface); +<<<<<<< HEAD + +======= for (i = 0; i < countof(this->reserved); i++) { reserved = payload_get_field(&ike_header->payload_interface, @@ -1233,6 +1288,7 @@ METHOD(message_t, parse_header, status_t, this->reserved[i] = *reserved; } } +>>>>>>> upstream/4.5.1 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type, this->is_request ? "request" : "response"); @@ -1249,6 +1305,8 @@ METHOD(message_t, parse_header, status_t, } /** +<<<<<<< HEAD +======= * Check if a payload is for a mediation extension connectivity check */ static bool is_connectivity_check(private_message_t *this, payload_t *payload) @@ -1274,6 +1332,7 @@ static bool is_connectivity_check(private_message_t *this, payload_t *payload) } /** +>>>>>>> upstream/4.5.1 * Decrypt payload from the encryption payload */ static status_t decrypt_payloads(private_message_t *this, aead_t *aead) @@ -1344,15 +1403,23 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead) } encryption->destroy(encryption); } +<<<<<<< HEAD + if (type != UNKNOWN_PAYLOAD && !was_encrypted) +======= if (payload_is_known(type) && !was_encrypted && !is_connectivity_check(this, payload)) +>>>>>>> upstream/4.5.1 { rule = get_payload_rule(this, type); if (!rule || rule->encrypted) { DBG1(DBG_ENC, "payload type %N was not encrypted", payload_type_names, type); +<<<<<<< HEAD + status = VERIFY_ERROR; +======= status = FAILED; +>>>>>>> upstream/4.5.1 break; } } @@ -1367,7 +1434,10 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead) */ static status_t verify(private_message_t *this) { +<<<<<<< HEAD +======= bool complete = FALSE; +>>>>>>> upstream/4.5.1 int i; DBG2(DBG_ENC, "verifying message structure"); 
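Review bot: In the decrypt_payloads hunk (`@@ -1344,15 +1403,23 @@`) the two sides return different statuses when a payload that the rule table marks `encrypted` arrives in the clear: HEAD returns `VERIFY_ERROR`, upstream `FAILED`. message.h in this chunk documents VERIFY_ERROR as bad syntax and FAILED as an integrity failure, and parse_body on the next lines maps PARSE/VERIFY errors to FAILED for every exchange except IKE_SA_INIT, so keeping HEAD's value would classify a missing encryption wrapper on an established SA as a syntax problem; the upstream `FAILED` is the consistent choice. HEAD's condition `type != UNKNOWN_PAYLOAD` also drops upstream's `is_connectivity_check()` exemption, so under ME builds the connectivity-check payloads would presumably start failing this check.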
@@ -1385,9 +1455,28 @@ static status_t verify(private_message_t *this) while (enumerator->enumerate(enumerator, &payload)) { payload_type_t type; +<<<<<<< HEAD + unknown_payload_t *unknown; + + type = payload->get_type(payload); + if (type == UNKNOWN_PAYLOAD) + { + /* unknown payloads are ignored if they are not critical */ + unknown = (unknown_payload_t*)payload; + if (unknown->is_critical(unknown)) + { + DBG1(DBG_ENC, "%N is not supported, but its critical!", + payload_type_names, type); + enumerator->destroy(enumerator); + return NOT_SUPPORTED; + } + } + else if (type == rule->type) +======= type = payload->get_type(payload); if (type == rule->type) +>>>>>>> upstream/4.5.1 { found++; DBG2(DBG_ENC, "found payload of type %N", @@ -1404,15 +1493,25 @@ static status_t verify(private_message_t *this) } enumerator->destroy(enumerator); +<<<<<<< HEAD + if (found < rule->min_occurence) +======= if (!complete && found < rule->min_occurence) +>>>>>>> upstream/4.5.1 { DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)", payload_type_names, rule->type, rule->min_occurence, found); return VERIFY_ERROR; } +<<<<<<< HEAD + if (rule->sufficient) + { + return SUCCESS; +======= if (found && rule->sufficient) { complete = TRUE; +>>>>>>> upstream/4.5.1 } } return SUCCESS; @@ -1441,7 +1540,11 @@ METHOD(message_t, parse_body, status_t, { DBG1(DBG_ENC, "payload type %N could not be parsed", payload_type_names, type); +<<<<<<< HEAD + return PARSE_ERROR; +======= return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED; +>>>>>>> upstream/4.5.1 } DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type); 
@@ -1451,7 +1554,11 @@ METHOD(message_t, parse_body, status_t, DBG1(DBG_ENC, "%N payload verification failed", payload_type_names, type); payload->destroy(payload); +<<<<<<< HEAD + return VERIFY_ERROR; +======= return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED; +>>>>>>> upstream/4.5.1 } DBG2(DBG_ENC, "%N payload verified. Adding to payload list", @@ -1469,11 +1576,22 @@ METHOD(message_t, parse_body, status_t, type = payload->get_next_type(payload); } +<<<<<<< HEAD + if (type == ENCRYPTED) + { + status = decrypt_payloads(this, aead); + if (status != SUCCESS) + { + DBG1(DBG_ENC, "could not decrypt payloads"); + return status; + } +======= status = decrypt_payloads(this, aead); if (status != SUCCESS) { DBG1(DBG_ENC, "could not decrypt payloads"); return status; +>>>>>>> upstream/4.5.1 } status = verify(this); @@ -1521,6 +1639,11 @@ message_t *message_create_from_packet(packet_t *packet) .get_first_payload_type = _get_first_payload_type, .set_request = _set_request, .get_request = _get_request, +<<<<<<< HEAD + .add_payload = _add_payload, + .add_notify = _add_notify, + .generate = _generate, +======= .set_version_flag = _set_version_flag, .get_reserved_header_bit = _get_reserved_header_bit, .set_reserved_header_bit = _set_reserved_header_bit, @@ -1529,12 +1652,16 @@ message_t *message_create_from_packet(packet_t *packet) .disable_sort = _disable_sort, .generate = _generate, .is_encoded = _is_encoded, +>>>>>>> upstream/4.5.1 .set_source = _set_source, .get_source = _get_source, .set_destination = _set_destination, .get_destination = _get_destination, .create_payload_enumerator = _create_payload_enumerator, +<<<<<<< HEAD +======= .remove_payload_at = _remove_payload_at, +>>>>>>> upstream/4.5.1 .get_payload = _get_payload, .get_notify = _get_notify, .parse_header = _parse_header, 
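Review bot: The HEAD side of the `@@ -1469,11 +1576,22 @@` hunk only calls decrypt_payloads when the parse loop stopped on `ENCRYPTED` (`if (type == ENCRYPTED)`), whereas upstream calls it unconditionally. If decrypt_payloads is the only place the `rule->encrypted` check from the earlier hunk runs, then with the HEAD variant a message that omits the encrypted payload altogether never reaches that check and goes straight to verify(), which in the visible hunks does not look at encryption at all; the unconditional upstream call should be kept. The verify() hunks on the previous line have the same split, where HEAD's `if (rule->sufficient) return SUCCESS;` stops checking the remaining rules as soon as one sufficient rule is met while upstream's `complete = TRUE` only relaxes the min-occurrence check and keeps iterating. The loop header of parse_body is outside the hunk.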
@@ -1543,8 +1670,11 @@ message_t *message_create_from_packet(packet_t *packet) .get_packet_data = _get_packet_data, .destroy = _destroy, }, +<<<<<<< HEAD +======= .major_version = IKE_MAJOR_VERSION, .minor_version = IKE_MINOR_VERSION, +>>>>>>> upstream/4.5.1 .exchange_type = EXCHANGE_TYPE_UNDEFINED, .is_request = TRUE, .first_payload = NO_PAYLOAD, diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h index 51197308c..dcc9b0577 100644 --- a/src/libcharon/encoding/message.h +++ b/src/libcharon/encoding/message.h @@ -154,6 +154,8 @@ struct message_t { bool (*get_request) (message_t *this); /** +<<<<<<< HEAD +======= * Set the version flag in the IKE header. */ void (*set_version_flag)(message_t *this); @@ -174,6 +176,7 @@ struct message_t { void (*set_reserved_header_bit)(message_t *this, u_int nr); /** +>>>>>>> upstream/4.5.1 * Append a payload to the message. * * If the payload must be encrypted is not specified here. Encryption @@ -201,11 +204,14 @@ struct message_t { chunk_t data); /** +<<<<<<< HEAD +======= * Disable automatic payload sorting for this message. */ void (*disable_sort)(message_t *this); /** +>>>>>>> upstream/4.5.1 * Parses header of message. * * Begins parisng of a message created via message_create_from_packet(). @@ -231,6 +237,11 @@ struct message_t { * @param aead aead transform to verify/decrypt message * @return * - SUCCESS if parsing successful +<<<<<<< HEAD + * - NOT_SUPPORTED if ciritcal unknown payloads found + * - NOT_SUPPORTED if message type is not supported! +======= +>>>>>>> upstream/4.5.1 * - PARSE_ERROR if message parsing failed * - VERIFY_ERROR if message verification failed (bad syntax) * - FAILED if integrity check failed @@ -258,6 +269,8 @@ struct message_t { status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet); /** +<<<<<<< HEAD +======= * Check if the message has already been encoded using generate(). * * @return TRUE if message has been encoded 
@@ -265,6 +278,7 @@ struct message_t { bool (*is_encoded)(message_t *this); /** +>>>>>>> upstream/4.5.1 * Gets the source host informations. * * @warning Returned host_t object is not getting cloned, @@ -312,6 +326,8 @@ struct message_t { enumerator_t * (*create_payload_enumerator) (message_t *this); /** +<<<<<<< HEAD +======= * Remove the payload at the current enumerator position. * * @param enumerator enumerator created by create_payload_enumerator() @@ -319,6 +335,7 @@ struct message_t { void (*remove_payload_at)(message_t *this, enumerator_t *enumerator); /** +>>>>>>> upstream/4.5.1 * Find a payload of a specific type. * * Returns the first occurance. diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c index 32cefb9e7..7a5ec8495 100644 --- a/src/libcharon/encoding/parser.c +++ b/src/libcharon/encoding/parser.c @@ -387,6 +387,15 @@ static status_t parse_payload(private_parser_t *this, DBG3(DBG_ENC, "parsing payload from %b", this->byte_pos, this->input_roof - this->byte_pos); +<<<<<<< HEAD + if (pld->get_type(pld) == UNKNOWN_PAYLOAD) + { + DBG1(DBG_ENC, " payload type %d is unknown, handling as %N", + payload_type, payload_type_names, UNKNOWN_PAYLOAD); + } + +======= +>>>>>>> upstream/4.5.1 /* base pointer for output, avoids casting in every rule */ output = pld; @@ -409,7 +418,10 @@ static status_t parse_payload(private_parser_t *this, break; } case U_INT_8: +<<<<<<< HEAD +======= case RESERVED_BYTE: +>>>>>>> upstream/4.5.1 { if (!parse_uint8(this, rule_number, output + rule->offset)) { @@ -428,7 +440,10 @@ static status_t parse_payload(private_parser_t *this, break; } case U_INT_32: +<<<<<<< HEAD +======= case HEADER_LENGTH: +>>>>>>> upstream/4.5.1 { if (!parse_uint32(this, rule_number, output + rule->offset)) { 
@@ -447,6 +462,26 @@ static status_t parse_payload(private_parser_t *this, break; } case RESERVED_BIT: +<<<<<<< HEAD + { + if (!parse_bit(this, rule_number, NULL)) + { + pld->destroy(pld); + return PARSE_ERROR; + } + break; + } + case RESERVED_BYTE: + { + if (!parse_uint8(this, rule_number, NULL)) + { + pld->destroy(pld); + return PARSE_ERROR; + } + break; + } +======= +>>>>>>> upstream/4.5.1 case FLAG: { if (!parse_bit(this, rule_number, output + rule->offset)) @@ -472,6 +507,18 @@ static status_t parse_payload(private_parser_t *this, } break; } +<<<<<<< HEAD + case HEADER_LENGTH: + { + if (!parse_uint32(this, rule_number, output + rule->offset)) + { + pld->destroy(pld); + return PARSE_ERROR; + } + break; + } +======= +>>>>>>> upstream/4.5.1 case SPI_SIZE: { if (!parse_uint8(this, rule_number, output + rule->offset)) diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c index cb44a997c..25a57511a 100644 --- a/src/libcharon/encoding/payloads/auth_payload.c +++ b/src/libcharon/encoding/payloads/auth_payload.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -19,6 +23,10 @@ #include <encoding/payloads/encodings.h> +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 typedef struct private_auth_payload_t private_auth_payload_t; /** @@ -43,6 +51,8 @@ struct private_auth_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved_bit[7]; @@ -53,6 +63,7 @@ struct private_auth_payload_t { u_int8_t reserved_byte[3]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; 
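Review bot: parser.c and the payload encoding tables must be resolved to the same side, otherwise reserved fields from the wire are written to offset 0 of the payload object: on the upstream side of this hunk `case RESERVED_BIT:` falls through into `case FLAG:`, which stores via `output + rule->offset`, and the `@@ -409` hunk likewise folds `RESERVED_BYTE` into the `U_INT_8` store, while the HEAD-side tables in auth_payload.c, cert_payload.c, certreq_payload.c and configuration_attribute.c declare `{ RESERVED_BIT, 0 }` / `{ RESERVED_BYTE, 0 }` — offset 0 is the `public` interface struct, so a mixed resolution would let network-supplied reserved bits overwrite its first bytes. Keeping both sides is not an option either: `case RESERVED_BYTE:` would appear twice (here and under `U_INT_8`) and `case HEADER_LENGTH:` twice (the `@@ -472` hunk and under `U_INT_32`), which are duplicate case labels. The HEAD side passes `NULL` as the destination, presumably meaning parse-but-do-not-store; if the upstream side is chosen, every payload struct needs the `reserved[]` / `reserved_byte[]` members and the matching offsets that the upstream tables use. parse_payload starts and ends outside the hunk.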
@@ -76,6 +87,29 @@ struct private_auth_payload_t { */ encoding_rule_t auth_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ +<<<<<<< HEAD + { U_INT_8, offsetof(private_auth_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_auth_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole payload*/ + { PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length)}, + /* 1 Byte AUTH type*/ + { U_INT_8, offsetof(private_auth_payload_t, auth_method) }, + /* 3 reserved bytes */ + { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, + /* some auth data bytes, length is defined in PAYLOAD_LENGTH */ + { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) } +======= { U_INT_8, offsetof(private_auth_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_auth_payload_t, critical) }, @@ -97,6 +131,7 @@ encoding_rule_t auth_payload_encodings[] = { { RESERVED_BYTE, offsetof(private_auth_payload_t, reserved_byte[2]) }, /* some auth data bytes, length is defined in PAYLOAD_LENGTH */ { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) } +>>>>>>> upstream/4.5.1 }; /* 
@@ -113,6 +148,36 @@ encoding_rule_t auth_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_auth_payload_t *this) +{ + if (this->auth_method == 0 || + (this->auth_method >= 4 && this->auth_method <= 8) || + (this->auth_method >= 12 && this->auth_method <= 200)) + { + /* reserved IDs */ + return FAILED; + } + return SUCCESS; +} + +/** + * Implementation of auth_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = auth_payload_encodings; + *rule_count = sizeof(auth_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_auth_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_auth_payload_t *this) { @@ -128,10 +193,25 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_auth_payload_t *this) +>>>>>>> upstream/4.5.1 { return AUTHENTICATION; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_auth_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_auth_payload_t *this,payload_type_t type) +======= METHOD(payload_t, get_next_type, payload_type_t, private_auth_payload_t *this) { 
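Review bot: The HEAD side of verify() in auth_payload.c hard-codes the rejected auth_method ranges (`0`, `4..8`, `12..200`) as bare numbers with only `/* reserved IDs */` to explain them; if this side is kept, document the source of the ranges, e.g. `/* IANA-reserved IKEv2 auth method values; 201-255 are private use and pass */`, so that a later assignment inside 12..200 is easy to find and revisit. The upstream `METHOD(payload_t, verify, ...)` body lies outside this hunk, so the two cannot be compared here.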
@@ -140,22 +220,94 @@ METHOD(payload_t, get_next_type, payload_type_t, METHOD(payload_t, set_next_type, void, private_auth_payload_t *this, payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_auth_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_auth_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of auth_payload_t.set_auth_method. + */ +static void set_auth_method (private_auth_payload_t *this, auth_method_t method) +======= METHOD(auth_payload_t, set_auth_method, void, private_auth_payload_t *this, auth_method_t method) +>>>>>>> upstream/4.5.1 { this->auth_method = method; } +<<<<<<< HEAD +/** + * Implementation of auth_payload_t.get_auth_method. + */ +static auth_method_t get_auth_method (private_auth_payload_t *this) +{ + return (this->auth_method); +} + +/** + * Implementation of auth_payload_t.set_data. + */ +static void set_data (private_auth_payload_t *this, chunk_t data) +{ + if (this->auth_data.ptr != NULL) + { + chunk_free(&(this->auth_data)); + } + this->auth_data.ptr = clalloc(data.ptr,data.len); + this->auth_data.len = data.len; + this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len; +} + +/** + * Implementation of auth_payload_t.get_data. + */ +static chunk_t get_data (private_auth_payload_t *this) +{ + return (this->auth_data); +} + +/** + * Implementation of auth_payload_t.get_data_clone. + */ +static chunk_t get_data_clone (private_auth_payload_t *this) +{ + chunk_t cloned_data; + if (this->auth_data.ptr == NULL) + { + return (this->auth_data); + } + cloned_data.ptr = clalloc(this->auth_data.ptr,this->auth_data.len); + cloned_data.len = this->auth_data.len; + return cloned_data; +} + +/** + * Implementation of payload_t.destroy and auth_payload_t.destroy. 
+ */ +static void destroy(private_auth_payload_t *this) +{ + if (this->auth_data.ptr != NULL) + { + chunk_free(&(this->auth_data)); + } + +======= METHOD(auth_payload_t, get_auth_method, auth_method_t, private_auth_payload_t *this) { @@ -180,6 +332,7 @@ METHOD2(payload_t, auth_payload_t, destroy, void, private_auth_payload_t *this) { free(this->auth_data.ptr); +>>>>>>> upstream/4.5.1 free(this); } 
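Review bot: The HEAD side of the last conflict region in this hunk ends without closing destroy(): its body stops after `chunk_free(&(this->auth_data));` and a blank line, and the closing `free(this); }` only arrives after the `>>>>>>> upstream/4.5.1` marker that sits in the next hunk (`@@ -180,6 +332,7 @@`), so one conflict region spans two hunks with unchanged upstream lines (get_auth_method through the upstream destroy) in between and must be resolved on the full file, not per hunk. The HEAD side also adds `get_data_clone` and a cloning `set_data` built on `clalloc`, which the upstream interface in auth_payload.h does not declare, so header and implementation have to be resolved to the same side. The hunk begins inside set_next_type.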
@@ -188,6 +341,34 @@ METHOD2(payload_t, auth_payload_t, destroy, void, */ auth_payload_t *auth_payload_create() { +<<<<<<< HEAD + private_auth_payload_t *this = malloc_thing(private_auth_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.destroy = (void (*) (auth_payload_t *)) destroy; + this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method; + this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method; + this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data; + this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone; + this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data; + + /* private variables */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length =AUTH_PAYLOAD_HEADER_LENGTH; + this->auth_data = chunk_empty; + + return (&(this->public)); +======= private_auth_payload_t *this; INIT(this, @@ -211,4 +392,5 @@ auth_payload_t *auth_payload_create() .payload_length = AUTH_PAYLOAD_HEADER_LENGTH, ); return &this->public; +>>>>>>> upstream/4.5.1 } diff --git a/src/libcharon/encoding/payloads/auth_payload.h b/src/libcharon/encoding/payloads/auth_payload.h index e4c4e6ae3..c28fc1e06 100644 
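Review bot: On the HEAD side of auth_payload_create the object comes from `malloc_thing` and `auth_method` is never assigned (only `critical`, `next_payload`, `payload_length` and `auth_data` are set), so unless `malloc_thing` zero-fills, the value later read by verify() and get_auth_method() is indeterminate; if HEAD is kept, add `this->auth_method = 0;` next to the other private variables. The upstream side uses `INIT(this, ...)`, which presumably zeroes unnamed members — confirm against INIT's definition. The HEAD side's function-pointer casts such as `(status_t (*) (payload_t *))verify` also silence prototype mismatches that the upstream `METHOD()` form reports at compile time, which is a reason to prefer the upstream side when resolving. The upstream `INIT` body is mostly outside the hunk.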
--- a/src/libcharon/encoding/payloads/auth_payload.h +++ b/src/libcharon/encoding/payloads/auth_payload.h @@ -62,13 +62,35 @@ struct auth_payload_t { /** * Set the AUTH data. * +<<<<<<< HEAD + * Data gets cloned. + * + * @param data AUTH data as chunk_t +======= * @param data AUTH data as chunk_t, gets cloned +>>>>>>> upstream/4.5.1 */ void (*set_data) (auth_payload_t *this, chunk_t data); /** * Get the AUTH data. * +<<<<<<< HEAD + * Returned data are a copy of the internal one. + * + * @return AUTH data as chunk_t + */ + chunk_t (*get_data_clone) (auth_payload_t *this); + + /** + * Get the AUTH data. + * + * Returned data are NOT copied + * + * @return AUTH data as chunk_t + */ + chunk_t (*get_data) (auth_payload_t *this); +======= * @return AUTH data as chunk_t, internal data */ chunk_t (*get_data) (auth_payload_t *this); @@ -87,6 +109,7 @@ struct auth_payload_t { * @param nr number of the reserved bit, 0-6 */ void (*set_reserved_bit)(auth_payload_t *this, u_int nr); +>>>>>>> upstream/4.5.1 /** * Destroys an auth_payload_t object. diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c index c42cec680..6a28cd658 100644 --- a/src/libcharon/encoding/payloads/cert_payload.c +++ b/src/libcharon/encoding/payloads/cert_payload.c @@ -1,7 +1,11 @@ /* * Copyright (C) 2008 Tobias Brunner +<<<<<<< HEAD + * Copyright (C) 2005-2007 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -44,9 +48,15 @@ typedef struct private_cert_payload_t private_cert_payload_t; /** * Private data of an cert_payload_t object. +<<<<<<< HEAD + * + */ +struct private_cert_payload_t { +======= */ struct private_cert_payload_t { +>>>>>>> upstream/4.5.1 /** * Public cert_payload_t interface. */ 
@@ -63,11 +73,14 @@ struct private_cert_payload_t { bool critical; /** +<<<<<<< HEAD +======= * reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -97,6 +110,19 @@ struct private_cert_payload_t { */ encoding_rule_t cert_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ +<<<<<<< HEAD + { U_INT_8, offsetof(private_cert_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_cert_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, +======= { U_INT_8, offsetof(private_cert_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_cert_payload_t, critical) }, @@ -108,12 +134,17 @@ encoding_rule_t cert_payload_encodings[] = { { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[4]) }, { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[5]) }, { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[6]) }, +>>>>>>> upstream/4.5.1 /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)}, /* 1 Byte CERT type*/ { U_INT_8, offsetof(private_cert_payload_t, encoding) }, /* some cert data bytes, length is defined in PAYLOAD_LENGTH */ +<<<<<<< HEAD + { CERT_DATA, offsetof(private_cert_payload_t, data) } +======= { CERT_DATA, offsetof(private_cert_payload_t, data) } +>>>>>>> upstream/4.5.1 }; /* 
@@ -129,23 +160,43 @@ encoding_rule_t cert_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_cert_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_cert_payload_t *this) +>>>>>>> upstream/4.5.1 { if (this->encoding == ENC_X509_HASH_AND_URL || this->encoding == ENC_X509_HASH_AND_URL_BUNDLE) { +<<<<<<< HEAD +======= int i; +>>>>>>> upstream/4.5.1 /* coarse verification of "Hash and URL" encoded certificates */ if (this->data.len <= 20) { DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore", +<<<<<<< HEAD + this->data.len); + this->invalid_hash_and_url = TRUE; + return SUCCESS; + } + + int i = 20; /* skipping the hash */ + for (; i < this->data.len; ++i) +======= this->data.len); this->invalid_hash_and_url = TRUE; return SUCCESS; } for (i = 20; i < this->data.len; ++i) +>>>>>>> upstream/4.5.1 { if (this->data.ptr[i] == '\0') { 
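Review bot: Keeping both sides of the conflict in cert_payload.c's verify() would declare `i` twice — `int i;` at the top of the block on the upstream side and `int i = 20;` mid-block on the HEAD side — so the resolution must choose one; the loops are otherwise equivalent (both skip the 20-byte hash and scan up to `this->data.len`). On both sides `i < this->data.len` compares a signed `int` with the chunk length; `size_t i` would avoid the sign-compare warning, and since `data.len` is presumably bounded by the parsed payload length this is a style rather than a correctness issue. verify() continues outside the hunk.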
@@ -155,17 +206,47 @@ METHOD(payload_t, verify, status_t, else if (!isprint(this->data.ptr[i])) { DBG1(DBG_ENC, "non printable characters in url of hash-and-url" +<<<<<<< HEAD + " encoded certificate payload, ignore"); +======= " encoded certificate payload, ignore"); +>>>>>>> upstream/4.5.1 this->invalid_hash_and_url = TRUE; return SUCCESS; } } +<<<<<<< HEAD + + /* URL is not null terminated, correct that */ + chunk_t data = chunk_alloc(this->data.len + 1); + memcpy(data.ptr, this->data.ptr, this->data.len); + data.ptr[this->data.len] = '\0'; + chunk_free(&this->data); + this->data = data; +======= /* URL is not null terminated, correct that */ this->data = chunk_cat("mc", this->data, chunk_from_chars(0)); +>>>>>>> upstream/4.5.1 } return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of cert_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_cert_payload_t *this, + encoding_rule_t **rules, size_t *rule_count) +{ + *rules = cert_payload_encodings; + *rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_cert_payload_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { 
@@ -175,34 +256,87 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_cert_payload_t *this) +>>>>>>> upstream/4.5.1 { return CERTIFICATE; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_cert_payload_t *this) +======= METHOD(payload_t, get_next_type, payload_type_t, private_cert_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->next_payload; } +<<<<<<< HEAD +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_cert_payload_t *this,payload_type_t type) +======= METHOD(payload_t, set_next_type, void, private_cert_payload_t *this, payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_cert_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_cert_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of cert_payload_t.get_cert_encoding. + */ +static cert_encoding_t get_cert_encoding(private_cert_payload_t *this) +======= METHOD(cert_payload_t, get_cert_encoding, cert_encoding_t, private_cert_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->encoding; } +<<<<<<< HEAD +/** + * Implementation of cert_payload_t.get_cert. + */ +static certificate_t *get_cert(private_cert_payload_t *this) +{ + if (this->encoding != ENC_X509_SIGNATURE) + { + return NULL; + } + return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, this->data, + BUILD_END); +} + +/** + * Implementation of cert_payload_t.get_hash. + */ +static chunk_t get_hash(private_cert_payload_t *this) +{ + chunk_t hash = chunk_empty; + if ((this->encoding != ENC_X509_HASH_AND_URL && + this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || +======= METHOD(cert_payload_t, get_cert, certificate_t*, private_cert_payload_t *this) { 
@@ -230,6 +364,7 @@ METHOD(cert_payload_t, get_hash, chunk_t, if ((this->encoding != ENC_X509_HASH_AND_URL && this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || +>>>>>>> upstream/4.5.1 this->invalid_hash_and_url) { return hash; @@ -239,11 +374,21 @@ METHOD(cert_payload_t, get_hash, chunk_t, return hash; } +<<<<<<< HEAD +/** + * Implementation of cert_payload_t.get_url. + */ +static char *get_url(private_cert_payload_t *this) +{ + if ((this->encoding != ENC_X509_HASH_AND_URL && + this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || +======= METHOD(cert_payload_t, get_url, char*, private_cert_payload_t *this) { if ((this->encoding != ENC_X509_HASH_AND_URL && this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || +>>>>>>> upstream/4.5.1 this->invalid_hash_and_url) { return NULL; @@ -251,10 +396,19 @@ METHOD(cert_payload_t, get_url, char*, return (char*)this->data.ptr + 20; } +<<<<<<< HEAD +/** + * Implementation of payload_t.destroy and cert_payload_t.destroy. + */ +static void destroy(private_cert_payload_t *this) +{ + chunk_free(&this->data); +======= METHOD2(payload_t, cert_payload_t, destroy, void, private_cert_payload_t *this) { free(this->data.ptr); +>>>>>>> upstream/4.5.1 free(this); } 
@@ -263,6 +417,31 @@ METHOD2(payload_t, cert_payload_t, destroy, void, */ cert_payload_t *cert_payload_create() { +<<<<<<< HEAD + private_cert_payload_t *this = malloc_thing(private_cert_payload_t); + + this->public.payload_interface.verify = (status_t (*) (payload_t*))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t*))destroy; + + this->public.destroy = (void (*) (cert_payload_t*))destroy; + this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert; + this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding; + this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash; + this->public.get_url = (char* (*) (cert_payload_t*))get_url; + + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = CERT_PAYLOAD_HEADER_LENGTH; + this->data = chunk_empty; + this->encoding = 0; + this->invalid_hash_and_url = FALSE; + +======= private_cert_payload_t *this; INIT(this, @@ -285,6 +464,7 @@ cert_payload_t *cert_payload_create() .next_payload = NO_PAYLOAD, .payload_length = CERT_PAYLOAD_HEADER_LENGTH, ); +>>>>>>> upstream/4.5.1 return &this->public; } @@ -329,6 +509,8 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url) return &this->public; } +<<<<<<< HEAD +======= /* * Described in header */ 
@@ -341,3 +523,4 @@ cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data) this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len; return &this->public; } +>>>>>>> upstream/4.5.1 diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h index 21b503a40..74d2b3cd2 100644 --- a/src/libcharon/encoding/payloads/cert_payload.h +++ b/src/libcharon/encoding/payloads/cert_payload.h @@ -134,6 +134,8 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert); */ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url); +<<<<<<< HEAD +======= /** * Creates a custom certificate payload using type and associated data. * @@ -143,4 +145,5 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url); */ cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data); +>>>>>>> upstream/4.5.1 #endif /** CERT_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c index 8e0836f0e..0c59fd66d 100644 --- a/src/libcharon/encoding/payloads/certreq_payload.c +++ b/src/libcharon/encoding/payloads/certreq_payload.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -23,13 +27,23 @@ #include "certreq_payload.h" +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 typedef struct private_certreq_payload_t private_certreq_payload_t; /** * Private data of an certreq_payload_t object. +<<<<<<< HEAD + * + */ +struct private_certreq_payload_t { +======= */ struct private_certreq_payload_t { +>>>>>>> upstream/4.5.1 /** * Public certreq_payload_t interface. */ 
@@ -46,11 +60,14 @@ struct private_certreq_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -71,6 +88,23 @@ struct private_certreq_payload_t { * * The defined offsets are the positions in a object of type * private_certreq_payload_t. +<<<<<<< HEAD + * + */ +encoding_rule_t certreq_payload_encodings[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_certreq_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_certreq_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, +======= */ encoding_rule_t certreq_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ @@ -85,6 +119,7 @@ encoding_rule_t certreq_payload_encodings[] = { { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[4]) }, { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[5]) }, { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[6]) }, +>>>>>>> upstream/4.5.1 /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_certreq_payload_t, payload_length) }, /* 1 Byte CERTREQ type*/ @@ -106,8 +141,15 @@ encoding_rule_t certreq_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_certreq_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_certreq_payload_t *this) +>>>>>>> upstream/4.5.1 { if (this->encoding == ENC_X509_SIGNATURE) { 
@@ -122,6 +164,21 @@ METHOD(payload_t, verify, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of certreq_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = certreq_payload_encodings; + *rule_count = sizeof(certreq_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_certreq_payload_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { @@ -131,10 +188,25 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_certreq_payload_t *this) +>>>>>>> upstream/4.5.1 { return CERTIFICATE_REQUEST; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_certreq_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_certreq_payload_t *this,payload_type_t type) +======= METHOD(payload_t, get_next_type, payload_type_t, private_certreq_payload_t *this) { 
@@ -143,18 +215,33 @@ METHOD(payload_t, get_next_type, payload_type_t, METHOD(payload_t, set_next_type, void, private_certreq_payload_t *this, payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_certreq_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_certreq_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of certreq_payload_t.add_keyid. + */ +static void add_keyid(private_certreq_payload_t *this, chunk_t keyid) +======= METHOD(certreq_payload_t, add_keyid, void, private_certreq_payload_t *this, chunk_t keyid) +>>>>>>> upstream/4.5.1 { this->data = chunk_cat("mc", this->data, keyid); this->payload_length += keyid.len; @@ -171,8 +258,15 @@ struct keyid_enumerator_t { u_char *pos; }; +<<<<<<< HEAD +/** + * enumerate function for keyid_enumerator + */ +static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk) +======= METHOD(enumerator_t, keyid_enumerate, bool, keyid_enumerator_t *this, chunk_t *chunk) +>>>>>>> upstream/4.5.1 { if (this->pos == NULL) { @@ -195,6 +289,25 @@ METHOD(enumerator_t, keyid_enumerate, bool, return FALSE; } +<<<<<<< HEAD +/** + * Implementation of certreq_payload_t.create_keyid_enumerator. + */ +static enumerator_t* create_keyid_enumerator(private_certreq_payload_t *this) +{ + keyid_enumerator_t *enumerator = malloc_thing(keyid_enumerator_t); + enumerator->public.enumerate = (void*)keyid_enumerate; + enumerator->public.destroy = (void*)free; + enumerator->full = this->data; + enumerator->pos = NULL; + return &enumerator->public; +} + +/** + * Implementation of certreq_payload_t.get_cert_type. + */ +static certificate_type_t get_cert_type(private_certreq_payload_t *this) +======= METHOD(certreq_payload_t, create_keyid_enumerator, enumerator_t*, private_certreq_payload_t *this) { 
@@ -212,6 +325,7 @@ METHOD(certreq_payload_t, create_keyid_enumerator, enumerator_t*, METHOD(certreq_payload_t, get_cert_type, certificate_type_t, private_certreq_payload_t *this) +>>>>>>> upstream/4.5.1 { switch (this->encoding) { @@ -222,8 +336,15 @@ METHOD(certreq_payload_t, get_cert_type, certificate_type_t, } } +<<<<<<< HEAD +/** + * Implementation of payload_t.destroy and certreq_payload_t.destroy. + */ +static void destroy(private_certreq_payload_t *this) +======= METHOD2(payload_t, certreq_payload_t, destroy, void, private_certreq_payload_t *this) +>>>>>>> upstream/4.5.1 { chunk_free(&this->data); free(this); 
@@ -234,6 +355,32 @@ METHOD2(payload_t, certreq_payload_t, destroy, void, */ certreq_payload_t *certreq_payload_create() { +<<<<<<< HEAD + private_certreq_payload_t *this = malloc_thing(private_certreq_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t*))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**,size_t*))get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t*))destroy; + + /* public functions */ + this->public.destroy = (void (*) (certreq_payload_t*)) destroy; + this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator; + this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type; + this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid; + + /* private variables */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH; + this->data = chunk_empty; + this->encoding = 0; + +======= private_certreq_payload_t *this; INIT(this, @@ -255,6 +402,7 @@ certreq_payload_t *certreq_payload_create() .next_payload = NO_PAYLOAD, .payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c index e608497bd..1ef8be800 100644 --- a/src/libcharon/encoding/payloads/configuration_attribute.c +++ b/src/libcharon/encoding/payloads/configuration_attribute.c 
@@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2009 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -23,24 +27,37 @@ #include <library.h> #include <daemon.h> +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 typedef struct private_configuration_attribute_t private_configuration_attribute_t; /** * Private data of an configuration_attribute_t object. +<<<<<<< HEAD + * + */ +struct private_configuration_attribute_t { +======= */ struct private_configuration_attribute_t { +>>>>>>> upstream/4.5.1 /** * Public configuration_attribute_t interface. */ configuration_attribute_t public; /** +<<<<<<< HEAD +======= * Reserved bit */ bool reserved; /** +>>>>>>> upstream/4.5.1 * Type of the attribute. */ u_int16_t type; @@ -63,8 +80,13 @@ struct private_configuration_attribute_t { * private_configuration_attribute_t. */ encoding_rule_t configuration_attribute_encodings[] = { +<<<<<<< HEAD + + { RESERVED_BIT, 0 }, +======= /* 1 reserved bit */ { RESERVED_BIT, offsetof(private_configuration_attribute_t, reserved)}, +>>>>>>> upstream/4.5.1 /* type of the attribute as 15 bit unsigned integer */ { ATTRIBUTE_TYPE, offsetof(private_configuration_attribute_t, type) }, /* Length of attribute value */ @@ -85,8 +107,15 @@ encoding_rule_t configuration_attribute_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_configuration_attribute_t *this) +======= METHOD(payload_t, verify, status_t, private_configuration_attribute_t *this) +>>>>>>> upstream/4.5.1 { bool failed = FALSE; 
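Review bot: In the third hunk of configuration_attribute.c the encoding rule and the struct member it points at must be taken from the same side: the upstream rule `{ RESERVED_BIT, offsetof(private_configuration_attribute_t, reserved)}` does not compile against the HEAD struct, which has no `reserved` member, and the HEAD rule `{ RESERVED_BIT, 0 }` paired with the upstream struct leaves an offset of 0, which — if the 4.5.1 parser now stores reserved bits at the offset given, as the added `bool reserved` field suggests but this hunk does not show — would write into the `public` member at the start of the struct. The same struct/rule pairing constraint applies to the reserved-bit and reserved-byte conflicts in cp_payload.c, delete_payload.c, eap_payload.c, id_payload.c and ike_header.c. The body of `verify()` in the last hunk continues outside the hunk.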
@@ -154,6 +183,22 @@ METHOD(payload_t, verify, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_configuration_attribute_t *this, + encoding_rule_t **rules, size_t *rule_count) +{ + *rules = configuration_attribute_encodings; + *rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(private_configuration_attribute_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_configuration_attribute_t *this, encoding_rule_t **rules, size_t *rule_count) @@ -164,16 +209,38 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_configuration_attribute_t *this) +>>>>>>> upstream/4.5.1 { return CONFIGURATION_ATTRIBUTE; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_configuration_attribute_t *this) +======= METHOD(payload_t, get_next_type, payload_type_t, private_configuration_attribute_t *this) +>>>>>>> upstream/4.5.1 { return NO_PAYLOAD; } +<<<<<<< HEAD +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_configuration_attribute_t *this, + payload_type_t type) +{ +} + +/** + * Implementation of configuration_attribute_t.get_length. + */ +static size_t get_length(private_configuration_attribute_t *this) +======= METHOD(payload_t, set_next_type, void, private_configuration_attribute_t *this, payload_type_t type) { 
@@ -181,24 +248,47 @@ METHOD(payload_t, set_next_type, void, METHOD(payload_t, get_length, size_t, private_configuration_attribute_t *this) +>>>>>>> upstream/4.5.1 { return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH; } +<<<<<<< HEAD +/** + * Implementation of configuration_attribute_t.get_type. + */ +static configuration_attribute_type_t get_configuration_attribute_type( + private_configuration_attribute_t *this) +======= METHOD(configuration_attribute_t, get_cattr_type, configuration_attribute_type_t, private_configuration_attribute_t *this) +>>>>>>> upstream/4.5.1 { return this->type; } +<<<<<<< HEAD +/** + * Implementation of configuration_attribute_t.get_value. + */ +static chunk_t get_value(private_configuration_attribute_t *this) +======= METHOD(configuration_attribute_t, get_value, chunk_t, private_configuration_attribute_t *this) +>>>>>>> upstream/4.5.1 { return this->value; } +<<<<<<< HEAD +/** + * Implementation of configuration_attribute_t.destroy and payload_t.destroy. + */ +static void destroy(private_configuration_attribute_t *this) +======= METHOD2(payload_t, configuration_attribute_t, destroy, void, private_configuration_attribute_t *this) +>>>>>>> upstream/4.5.1 { free(this->value.ptr); free(this); 
@@ -211,6 +301,25 @@ configuration_attribute_t *configuration_attribute_create() { private_configuration_attribute_t *this; +<<<<<<< HEAD + this = malloc_thing(private_configuration_attribute_t); + this->public.payload_interface.verify = (status_t(*)(payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void(*)(payload_t *, encoding_rule_t **, size_t *) )get_encoding_rules; + this->public.payload_interface.get_length = (size_t(*)(payload_t *))get_length; + this->public.payload_interface.get_next_type = (payload_type_t(*)(payload_t *))get_next_type; + this->public.payload_interface.set_next_type = (void(*)(payload_t *,payload_type_t))set_next_type; + this->public.payload_interface.get_type = (payload_type_t(*)(payload_t *))get_type; + this->public.payload_interface.destroy = (void(*)(payload_t*))destroy; + + this->public.get_value = (chunk_t(*)(configuration_attribute_t *))get_value; + this->public.get_type = (configuration_attribute_type_t(*)(configuration_attribute_t *))get_configuration_attribute_type; + this->public.destroy = (void (*)(configuration_attribute_t*))destroy; + + this->type = 0; + this->value = chunk_empty; + this->length = 0; + +======= INIT(this, .public = { .payload_interface = { @@ -227,6 +336,7 @@ configuration_attribute_t *configuration_attribute_create() .destroy = _destroy, }, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c index 82e9e51b7..d8779d27f 100644 --- a/src/libcharon/encoding/payloads/cp_payload.c +++ b/src/libcharon/encoding/payloads/cp_payload.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2009 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * 
@@ -33,9 +37,15 @@ typedef struct private_cp_payload_t private_cp_payload_t; /** * Private data of an cp_payload_t object. +<<<<<<< HEAD + * + */ +struct private_cp_payload_t { +======= */ struct private_cp_payload_t { +>>>>>>> upstream/4.5.1 /** * Public cp_payload_t interface. */ @@ -52,6 +62,8 @@ struct private_cp_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved_bit[7]; @@ -62,6 +74,7 @@ struct private_cp_payload_t { u_int8_t reserved_byte[3]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -82,6 +95,32 @@ struct private_cp_payload_t { * * The defined offsets are the positions in a object of type * private_cp_payload_t. +<<<<<<< HEAD + * + */ +encoding_rule_t cp_payload_encodings[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_cp_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_cp_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole CP payload*/ + { PAYLOAD_LENGTH, offsetof(private_cp_payload_t, payload_length) }, + /* Proposals are stored in a proposal substructure, + offset points to a linked_list_t pointer */ + { U_INT_8, offsetof(private_cp_payload_t, type) }, + { RESERVED_BYTE,0 }, + { RESERVED_BYTE,0 }, + { RESERVED_BYTE,0 }, + { CONFIGURATION_ATTRIBUTES, offsetof(private_cp_payload_t, attributes) } +======= */ encoding_rule_t cp_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ 
@@ -106,6 +145,7 @@ encoding_rule_t cp_payload_encodings[] = { { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[1])}, { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[2])}, { CONFIGURATION_ATTRIBUTES, offsetof(private_cp_payload_t, attributes) } +>>>>>>> upstream/4.5.1 }; /* @@ -122,8 +162,15 @@ encoding_rule_t cp_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_cp_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_cp_payload_t *this) +>>>>>>> upstream/4.5.1 { status_t status = SUCCESS; enumerator_t *enumerator; @@ -142,6 +189,22 @@ METHOD(payload_t, verify, status_t, return status; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_cp_payload_t *this, + encoding_rule_t **rules, size_t *rule_count) +{ + *rules = cp_payload_encodings; + *rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(private_cp_payload_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_cp_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { 
@@ -151,18 +214,33 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_cp_payload_t *this) +>>>>>>> upstream/4.5.1 { return CONFIGURATION; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_cp_payload_t *this) +======= METHOD(payload_t, get_next_type, payload_type_t, private_cp_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->next_payload; } +<<<<<<< HEAD +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_cp_payload_t *this,payload_type_t type) +======= METHOD(payload_t, set_next_type, void, private_cp_payload_t *this,payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } 
@@ -185,33 +263,69 @@ static void compute_length(private_cp_payload_t *this) enumerator->destroy(enumerator); } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_cp_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_cp_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of cp_payload_t.create_attribute_enumerator. + */ +static enumerator_t *create_attribute_enumerator(private_cp_payload_t *this) +======= METHOD(cp_payload_t, create_attribute_enumerator, enumerator_t*, private_cp_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->attributes->create_enumerator(this->attributes); } +<<<<<<< HEAD +/** + * Implementation of cp_payload_t.add_attribute. + */ +static void add_attribute(private_cp_payload_t *this, + configuration_attribute_t *attribute) +======= METHOD(cp_payload_t, add_attribute, void, private_cp_payload_t *this, configuration_attribute_t *attribute) +>>>>>>> upstream/4.5.1 { this->attributes->insert_last(this->attributes, attribute); compute_length(this); } +<<<<<<< HEAD +/** + * Implementation of cp_payload_t.get_type. + */ +static config_type_t get_config_type(private_cp_payload_t *this) +======= METHOD(cp_payload_t, get_config_type, config_type_t, private_cp_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.destroy and cp_payload_t.destroy. + */ +static void destroy(private_cp_payload_t *this) +======= METHOD2(payload_t, cp_payload_t, destroy, void, private_cp_payload_t *this) +>>>>>>> upstream/4.5.1 { this->attributes->destroy_offset(this->attributes, offsetof(configuration_attribute_t, destroy)); 
@@ -221,6 +335,32 @@ METHOD2(payload_t, cp_payload_t, destroy, void, /* * Described in header. */ +<<<<<<< HEAD +cp_payload_t *cp_payload_create() +{ + private_cp_payload_t *this = malloc_thing(private_cp_payload_t); + + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + this->public.create_attribute_enumerator = (enumerator_t*(*)(cp_payload_t *))create_attribute_enumerator; + this->public.add_attribute = (void (*) (cp_payload_t *,configuration_attribute_t*))add_attribute; + this->public.get_type = (config_type_t (*) (cp_payload_t *))get_config_type; + this->public.destroy = (void (*)(cp_payload_t *))destroy; + + /* set default values of the fields */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = CP_PAYLOAD_HEADER_LENGTH; + this->attributes = linked_list_create(); + this->type = CFG_REQUEST; + +======= cp_payload_t *cp_payload_create_type(config_type_t type) { private_cp_payload_t *this; 
@@ -246,13 +386,26 @@ cp_payload_t *cp_payload_create_type(config_type_t type) .attributes = linked_list_create(), .type = type, ); +>>>>>>> upstream/4.5.1 return &this->public; } /* * Described in header. */ +<<<<<<< HEAD +cp_payload_t *cp_payload_create_type(config_type_t type) +{ + private_cp_payload_t *this = (private_cp_payload_t*)cp_payload_create(); + + this->type = type; + + return &this->public; +} + +======= cp_payload_t *cp_payload_create() { return cp_payload_create_type(CFG_REQUEST); } +>>>>>>> upstream/4.5.1 diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c index e6ee07d39..4e94ff417 100644 --- a/src/libcharon/encoding/payloads/delete_payload.c +++ b/src/libcharon/encoding/payloads/delete_payload.c @@ -43,11 +43,14 @@ struct private_delete_payload_t { bool critical; /** +<<<<<<< HEAD +======= * reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -84,6 +87,16 @@ encoding_rule_t delete_payload_encodings[] = { { U_INT_8, offsetof(private_delete_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_delete_payload_t, critical) }, +<<<<<<< HEAD + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, +======= /* 7 Bit reserved bits */ { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[0]) }, { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[1]) }, 
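Review bot: The two sides of the last conflict in cp_payload.c invert the delegation between the constructors — HEAD's `cp_payload_create_type()` calls `cp_payload_create()` and then sets `this->type`, while upstream's `cp_payload_create()` calls `cp_payload_create_type(CFG_REQUEST)` — so resolving by taking one constructor from each side produces unbounded mutual recursion, and keeping both sides produces duplicate definitions. Take both constructors from the same side; in the upstream layout `cp_payload_create_type()` is the one that initialises the object, and its `INIT` block starts outside this hunk.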
@@ -92,6 +105,7 @@ encoding_rule_t delete_payload_encodings[] = { { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[4]) }, { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[5]) }, { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[6]) }, +>>>>>>> upstream/4.5.1 /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_delete_payload_t, payload_length) }, { U_INT_8, offsetof(private_delete_payload_t, protocol_id) }, diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c index eafb668b6..8f5c8700a 100644 --- a/src/libcharon/encoding/payloads/eap_payload.c +++ b/src/libcharon/encoding/payloads/eap_payload.c @@ -43,11 +43,14 @@ struct private_eap_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -71,6 +74,15 @@ static encoding_rule_t eap_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_eap_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ +<<<<<<< HEAD + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, +======= { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[0]) }, { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[1]) }, { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[2]) }, @@ -78,6 +90,7 @@ static encoding_rule_t eap_payload_encodings[] = { { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[4]) }, { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[5]) }, { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[6]) }, +>>>>>>> upstream/4.5.1 /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_eap_payload_t, payload_length) }, /* chunt to data, starting at "code" */ 
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c index 3befadfe2..58250e766 100644 --- a/src/libcharon/encoding/payloads/id_payload.c +++ b/src/libcharon/encoding/payloads/id_payload.c @@ -1,7 +1,12 @@ /* +<<<<<<< HEAD + * Copyright (C) 2007 Tobias Brunner + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG * Copyright (C) 2007 Tobias Brunner +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * * Hochschule fuer Technik Rapperswil @@ -52,6 +57,8 @@ struct private_id_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved_bit[7]; @@ -62,6 +69,7 @@ struct private_id_payload_t { u_int8_t reserved_byte[3]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -82,12 +90,26 @@ struct private_id_payload_t { * * The defined offsets are the positions in a object of type * private_id_payload_t. +<<<<<<< HEAD + * +======= +>>>>>>> upstream/4.5.1 */ encoding_rule_t id_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_id_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_id_payload_t, critical) }, +<<<<<<< HEAD + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, +======= /* 7 Bit reserved bits */ { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[0]) }, { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[1]) }, 
@@ -96,16 +118,25 @@ encoding_rule_t id_payload_encodings[] = { { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[4]) }, { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[5]) }, { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[6]) }, +>>>>>>> upstream/4.5.1 /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_id_payload_t, payload_length) }, /* 1 Byte ID type*/ { U_INT_8, offsetof(private_id_payload_t, id_type) }, /* 3 reserved bytes */ +<<<<<<< HEAD + { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, + /* some id data bytes, length is defined in PAYLOAD_LENGTH */ + { ID_DATA, offsetof(private_id_payload_t, id_data) } +======= { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[0])}, { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[1])}, { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[2])}, /* some id data bytes, length is defined in PAYLOAD_LENGTH */ { ID_DATA, offsetof(private_id_payload_t, id_data) } +>>>>>>> upstream/4.5.1 }; /* 
@@ -122,15 +153,46 @@ encoding_rule_t id_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_id_payload_t *this) +{ + if ((this->id_type == 0) || + (this->id_type == 4) || + ((this->id_type >= 6) && (this->id_type <= 8)) || + ((this->id_type >= 12) && (this->id_type <= 200))) +======= METHOD(payload_t, verify, status_t, private_id_payload_t *this) { if (this->id_type == 0 || this->id_type == 4) +>>>>>>> upstream/4.5.1 { /* reserved IDs */ DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type); return FAILED; } +<<<<<<< HEAD + + return SUCCESS; +} + +/** + * Implementation of id_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = id_payload_encodings; + *rule_count = sizeof(id_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_id_payload_t *this) +======= return SUCCESS; } 
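Review bot: Beyond the markers, the two sides of `verify()` in id_payload.c disagree on input validation: HEAD rejects `id_type` 0, 4, 6–8 and 12–200, while upstream rejects only 0 and 4, so whichever side is kept decides which ID types a peer can get past the payload check. That is a protocol-validation decision and should be recorded in the resolution rather than fall out of picking a side; the upstream `/* reserved IDs */` comment also no longer describes the narrower check. If the upstream check is kept, `get_identification()`, which hands `id_type` to `identification_create_from_encoding()`, must tolerate the formerly rejected values — that function is outside this hunk, as is the upstream `get_encoding_rules()` body.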
@@ -143,28 +205,123 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_id_payload_t *this) +======= METHOD(payload_t, get_next_type, payload_type_t, private_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->next_payload; } +<<<<<<< HEAD +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_id_payload_t *this,payload_type_t type) +======= METHOD(payload_t, set_next_type, void, private_id_payload_t *this, payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_id_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of id_payload_t.set_type. + */ +static void set_id_type (private_id_payload_t *this, id_type_t type) +{ + this->id_type = type; +} + +/** + * Implementation of id_payload_t.get_id_type. + */ +static id_type_t get_id_type (private_id_payload_t *this) +{ + return (this->id_type); +} + +/** + * Implementation of id_payload_t.set_data. + */ +static void set_data (private_id_payload_t *this, chunk_t data) +{ + if (this->id_data.ptr != NULL) + { + chunk_free(&(this->id_data)); + } + this->id_data.ptr = clalloc(data.ptr,data.len); + this->id_data.len = data.len; + this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len; +} + + +/** + * Implementation of id_payload_t.get_data_clone. + */ +static chunk_t get_data (private_id_payload_t *this) +{ + return (this->id_data); +} + +/** + * Implementation of id_payload_t.get_data_clone. 
+ */ +static chunk_t get_data_clone (private_id_payload_t *this) +{ + chunk_t cloned_data; + if (this->id_data.ptr == NULL) + { + return (this->id_data); + } + cloned_data.ptr = clalloc(this->id_data.ptr,this->id_data.len); + cloned_data.len = this->id_data.len; + return cloned_data; +} + +/** + * Implementation of id_payload_t.get_identification. + */ +static identification_t *get_identification (private_id_payload_t *this) +{ + return identification_create_from_encoding(this->id_type,this->id_data); +} + +/** + * Implementation of payload_t.destroy and id_payload_t.destroy. + */ +static void destroy(private_id_payload_t *this) +{ + if (this->id_data.ptr != NULL) + { + chunk_free(&(this->id_data)); + } +======= METHOD(id_payload_t, get_identification, identification_t*, private_id_payload_t *this) { @@ -175,6 +332,7 @@ METHOD2(payload_t, id_payload_t, destroy, void, private_id_payload_t *this) { free(this->id_data.ptr); +>>>>>>> upstream/4.5.1 free(this); } 
@@ -183,6 +341,37 @@ METHOD2(payload_t, id_payload_t, destroy, void, */ id_payload_t *id_payload_create(payload_type_t payload_type) { +<<<<<<< HEAD + private_id_payload_t *this = malloc_thing(private_id_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.destroy = (void (*) (id_payload_t *)) destroy; + this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type; + this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type; + this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data; + this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data; + this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone; + + this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification; + + /* private variables */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length =ID_PAYLOAD_HEADER_LENGTH; + this->id_data = chunk_empty; + this->payload_type = payload_type; + + return (&(this->public)); +======= private_id_payload_t *this; INIT(this, 
@@ -204,11 +393,20 @@ id_payload_t *id_payload_create(payload_type_t payload_type) .payload_type = payload_type, ); return &this->public; +>>>>>>> upstream/4.5.1 } /* * Described in header. */ +<<<<<<< HEAD +id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, identification_t *identification) +{ + id_payload_t *this= id_payload_create(payload_type); + this->set_data(this,identification->get_encoding(identification)); + this->set_id_type(this,identification->get_type(identification)); + return this; +======= id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, identification_t *id) { @@ -220,4 +418,5 @@ id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, this->payload_length += this->id_data.len; return &this->public; +>>>>>>> upstream/4.5.1 } diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h index 99831f85f..b5b9c5907 100644 --- a/src/libcharon/encoding/payloads/id_payload.h +++ b/src/libcharon/encoding/payloads/id_payload.h 
@@ -40,15 +40,66 @@ typedef struct id_payload_t id_payload_t; * The ID payload format is described in RFC section 3.5. */ struct id_payload_t { +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 /** * The payload_t interface. */ payload_t payload_interface; /** +<<<<<<< HEAD + * Set the ID type. + * + * @param type Type of ID + */ + void (*set_id_type) (id_payload_t *this, id_type_t type); + + /** + * Get the ID type. + * + * @return type of the ID + */ + id_type_t (*get_id_type) (id_payload_t *this); + + /** + * Set the ID data. + * + * Data are getting cloned. + * + * @param data ID data as chunk_t + */ + void (*set_data) (id_payload_t *this, chunk_t data); + + /** + * Get the ID data. + * + * Returned data are a copy of the internal one + * + * @return ID data as chunk_t + */ + chunk_t (*get_data_clone) (id_payload_t *this); + + /** + * Get the ID data. + * + * Returned data are NOT copied. + * + * @return ID data as chunk_t + */ + chunk_t (*get_data) (id_payload_t *this); + + /** + * Creates an identification object of this id payload. + * + * Returned object has to get destroyed by the caller. + * +======= * Creates an identification object of this id payload. * +>>>>>>> upstream/4.5.1 * @return identification_t object */ identification_t *(*get_identification) (id_payload_t *this); diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c index 80dcee0cb..1462b346b 100644 --- a/src/libcharon/encoding/payloads/ike_header.c +++ b/src/libcharon/encoding/payloads/ike_header.c @@ -84,11 +84,14 @@ struct private_ike_header_t { } flags; /** +<<<<<<< HEAD +======= * Reserved bits of IKE header */ bool reserved[5]; /** +>>>>>>> upstream/4.5.1 * Associated Message-ID. */ u_int32_t message_id; 
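Review bot: The id_payload.h conflict has to be resolved the same way as id_payload.c: HEAD's `id_payload_t` keeps the `set_id_type`, `get_id_type`, `set_data`, `get_data_clone` and `get_data` function pointers, which the upstream id_payload.c in this chunk neither implements nor assigns in `id_payload_create()`. Keeping the HEAD header with the upstream implementation leaves those members unset (presumably zeroed by `INIT`, which is not shown here), so any remaining caller dereferences a null function pointer; keeping the upstream header with the HEAD implementation fails to compile at the `this->public.set_id_type = ...` assignments. `struct id_payload_t` continues outside the hunk.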
@@ -124,6 +127,32 @@ encoding_rule_t ike_header_encodings[] = { /* 8 Byte SPI, stored in the field initiator_spi */ { IKE_SPI, offsetof(private_ike_header_t, initiator_spi) }, /* 8 Byte SPI, stored in the field responder_spi */ +<<<<<<< HEAD + { IKE_SPI, offsetof(private_ike_header_t, responder_spi) }, + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_ike_header_t, next_payload) }, + /* 4 Bit major version, stored in the field maj_version */ + { U_INT_4, offsetof(private_ike_header_t, maj_version) }, + /* 4 Bit minor version, stored in the field min_version */ + { U_INT_4, offsetof(private_ike_header_t, min_version) }, + /* 8 Bit for the exchange type */ + { U_INT_8, offsetof(private_ike_header_t, exchange_type) }, + /* 2 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* 3 Bit flags, stored in the fields response, version and initiator */ + { FLAG, offsetof(private_ike_header_t, flags.response) }, + { FLAG, offsetof(private_ike_header_t, flags.version) }, + { FLAG, offsetof(private_ike_header_t, flags.initiator) }, + /* 3 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* 4 Byte message id, stored in the field message_id */ + { U_INT_32, offsetof(private_ike_header_t, message_id) }, + /* 4 Byte length fied, stored in the field length */ + { HEADER_LENGTH, offsetof(private_ike_header_t, length) } +======= { IKE_SPI, offsetof(private_ike_header_t, responder_spi) }, /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_ike_header_t, next_payload) }, @@ -148,6 +177,7 @@ encoding_rule_t ike_header_encodings[] = { { U_INT_32, offsetof(private_ike_header_t, message_id) }, /* 4 Byte length fied, stored in the field length */ { HEADER_LENGTH,offsetof(private_ike_header_t, length) }, +>>>>>>> upstream/4.5.1 }; 
@@ -168,8 +198,16 @@ encoding_rule_t ike_header_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD + +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_ike_header_t *this) +======= METHOD(payload_t, verify, status_t, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { if ((this->exchange_type < IKE_SA_INIT) || ((this->exchange_type > INFORMATIONAL) @@ -181,6 +219,10 @@ METHOD(payload_t, verify, status_t, /* unsupported exchange type */ return FAILED; } +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 if (this->initiator_spi == 0 #ifdef ME /* we allow zero spi for INFORMATIONAL exchanges, @@ -192,6 +234,25 @@ METHOD(payload_t, verify, status_t, /* initiator spi not set */ return FAILED; } +<<<<<<< HEAD + + /* verification of version is not done in here */ + + return SUCCESS; +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(payload_t *this,payload_type_t type) +{ + ((private_ike_header_t *)this)->next_payload = type; +} +/** + * Implementation of ike_header_t.get_initiator_spi. + */ +static u_int64_t get_initiator_spi(private_ike_header_t *this) +======= return SUCCESS; } 
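Review bot: If the HEAD side of the last hunk in ike_header.c is kept, `static void set_next_type(payload_t *this,payload_type_t type)` is the only method in the file that takes `payload_t *` and casts to `private_ike_header_t *` inside the body; every other accessor on both sides takes `private_ike_header_t *this` directly, so it should be written as `static void set_next_type(private_ike_header_t *this, payload_type_t type)` with `this->next_payload = type;`. HEAD also leaves the note `/* verification of version is not done in here */` without saying where it is done; a pointer to the responsible code would help the next reader. `verify()` on both sides starts inside the hunk but the upstream continuation runs past it.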
@@ -228,34 +289,69 @@ METHOD(payload_t, get_length, size_t, METHOD(ike_header_t, get_initiator_spi, u_int64_t, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->initiator_spi; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.set_initiator_spi. + */ +static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_spi) +======= METHOD(ike_header_t, set_initiator_spi, void, private_ike_header_t *this, u_int64_t initiator_spi) +>>>>>>> upstream/4.5.1 { this->initiator_spi = initiator_spi; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.get_responder_spi. + */ +static u_int64_t get_responder_spi(private_ike_header_t *this) +======= METHOD(ike_header_t, get_responder_spi, u_int64_t, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->responder_spi; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.set_responder_spi. + */ +static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_spi) +======= METHOD(ike_header_t, set_responder_spi, void, private_ike_header_t *this, u_int64_t responder_spi) +>>>>>>> upstream/4.5.1 { this->responder_spi = responder_spi; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.get_maj_version. + */ +static u_int8_t get_maj_version(private_ike_header_t *this) +======= METHOD(ike_header_t, get_maj_version, u_int8_t, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->maj_version; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.get_min_version. + */ +static u_int8_t get_min_version(private_ike_header_t *this) +======= METHOD(ike_header_t, set_maj_version, void, private_ike_header_t *this, u_int8_t major) { 
@@ -264,10 +360,17 @@ METHOD(ike_header_t, set_maj_version, void, METHOD(ike_header_t, get_min_version, u_int8_t, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->min_version; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.get_response_flag. + */ +static bool get_response_flag(private_ike_header_t *this) +======= METHOD(ike_header_t, set_min_version, void, private_ike_header_t *this, u_int8_t minor) { @@ -276,22 +379,43 @@ METHOD(ike_header_t, set_min_version, void, METHOD(ike_header_t, get_response_flag, bool, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->flags.response; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.set_response_flag. + */ +static void set_response_flag(private_ike_header_t *this, bool response) +======= METHOD(ike_header_t, set_response_flag, void, private_ike_header_t *this, bool response) +>>>>>>> upstream/4.5.1 { this->flags.response = response; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.get_version_flag. + */ +static bool get_version_flag(private_ike_header_t *this) +======= METHOD(ike_header_t, get_version_flag, bool, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->flags.version; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.get_initiator_flag. + */ +static bool get_initiator_flag(private_ike_header_t *this) +======= METHOD(ike_header_t, set_version_flag, void, private_ike_header_t *this, bool version) { 
@@ -300,51 +424,174 @@ METHOD(ike_header_t, set_version_flag, void, METHOD(ike_header_t, get_initiator_flag, bool, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->flags.initiator; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.set_initiator_flag. + */ +static void set_initiator_flag(private_ike_header_t *this, bool initiator) +======= METHOD(ike_header_t, set_initiator_flag, void, private_ike_header_t *this, bool initiator) +>>>>>>> upstream/4.5.1 { this->flags.initiator = initiator; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.get_exchange_type. + */ +static u_int8_t get_exchange_type(private_ike_header_t *this) +======= METHOD(ike_header_t, get_exchange_type, u_int8_t, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->exchange_type; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.set_exchange_type. + */ +static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type) +======= METHOD(ike_header_t, set_exchange_type, void, private_ike_header_t *this, u_int8_t exchange_type) +>>>>>>> upstream/4.5.1 { this->exchange_type = exchange_type; } +<<<<<<< HEAD +/** + * Implements ike_header_t's get_message_id function. + * See #ike_header_t.get_message_id for description. + */ +static u_int32_t get_message_id(private_ike_header_t *this) +======= METHOD(ike_header_t, get_message_id, u_int32_t, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { return this->message_id; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.set_message_id. + */ +static void set_message_id(private_ike_header_t *this, u_int32_t message_id) +======= METHOD(ike_header_t, set_message_id, void, private_ike_header_t *this, u_int32_t message_id) +>>>>>>> upstream/4.5.1 { this->message_id = message_id; } +<<<<<<< HEAD +/** + * Implementation of ike_header_t.destroy and payload_t.destroy. 
+ */ +static void destroy(ike_header_t *this) +======= METHOD2(payload_t, ike_header_t, destroy, void, private_ike_header_t *this) +>>>>>>> upstream/4.5.1 { free(this); } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = ike_header_encodings; + *rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(payload_t *this) +{ + return HEADER; +} + +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(payload_t *this) +{ + return (((private_ike_header_t*)this)->next_payload); +} + +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(payload_t *this) +{ + return (((private_ike_header_t*)this)->length); +} + +======= +>>>>>>> upstream/4.5.1 /* * Described in header. */ ike_header_t *ike_header_create() { +<<<<<<< HEAD + private_ike_header_t *this = malloc_thing(private_ike_header_t); + + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = get_encoding_rules; + this->public.payload_interface.get_length = get_length; + this->public.payload_interface.get_next_type = get_next_type; + this->public.payload_interface.set_next_type = set_next_type; + this->public.payload_interface.get_type = get_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + this->public.destroy = destroy; + + this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi; + this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi; + this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi; + this->public.set_responder_spi = (void (*) (ike_header_t *,u_int64_t))set_responder_spi; + this->public.get_maj_version = (u_int8_t (*) 
(ike_header_t*))get_maj_version; + this->public.get_min_version = (u_int8_t (*) (ike_header_t*))get_min_version; + this->public.get_response_flag = (bool (*) (ike_header_t*))get_response_flag; + this->public.set_response_flag = (void (*) (ike_header_t*,bool))set_response_flag; + this->public.get_version_flag = (bool (*) (ike_header_t*))get_version_flag; + this->public.get_initiator_flag = (bool (*) (ike_header_t*))get_initiator_flag; + this->public.set_initiator_flag = (void (*) (ike_header_t*,bool))set_initiator_flag; + this->public.get_exchange_type = (u_int8_t (*) (ike_header_t*))get_exchange_type; + this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type; + this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id; + this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id; + + /* set default values of the fields */ + this->initiator_spi = 0; + this->responder_spi = 0; + this->next_payload = 0; + this->maj_version = IKE_MAJOR_VERSION; + this->min_version = IKE_MINOR_VERSION; + this->exchange_type = EXCHANGE_TYPE_UNDEFINED; + this->flags.initiator = TRUE; + this->flags.version = HIGHER_VERSION_SUPPORTED_FLAG; + this->flags.response = FALSE; + this->message_id = 0; + this->length = IKE_HEADER_LENGTH; + + return (ike_header_t*)this; +======= private_ike_header_t *this; INIT(this, @@ -389,4 +636,5 @@ ike_header_t *ike_header_create() ); return &this->public; +>>>>>>> upstream/4.5.1 } diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h index f52c852c5..77e23efb7 100644 --- a/src/libcharon/encoding/payloads/ike_header.h +++ b/src/libcharon/encoding/payloads/ike_header.h @@ -143,6 +143,8 @@ struct ike_header_t { u_int8_t (*get_maj_version) (ike_header_t *this); /** +<<<<<<< HEAD +======= * Set the major version. * * @param major major version 
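Review bot: The `ike_header_create` hunk keeps two constructors under conflict markers, and the HEAD side is the one to drop: it wires every accessor through a cast such as `(u_int8_t (*) (ike_header_t*))get_maj_version` and never assigns `set_maj_version`, `set_min_version` or `set_version_flag`, which the upstream side of this same file defines with `METHOD(...)` earlier in the diff. Resolving to the HEAD constructor while keeping those upstream methods would leave them defined but unreachable, and calling through a function pointer cast to a different signature is undefined behaviour that the upstream `METHOD`/`INIT(this, ...)` pattern exists to avoid. Keep the upstream `INIT(this,` block; its initializer is elided by the hunk, so confirm it carries the defaults the HEAD side sets by hand (`IKE_MAJOR_VERSION`, `IKE_MINOR_VERSION`, `EXCHANGE_TYPE_UNDEFINED`, `HIGHER_VERSION_SUPPORTED_FLAG`, `IKE_HEADER_LENGTH`). The ike_header.h hunk that follows must be resolved to the same side, since its HEAD side deletes the three setter declarations.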
@@ -150,6 +152,7 @@ struct ike_header_t { void (*set_maj_version) (ike_header_t *this, u_int8_t major); /** +>>>>>>> upstream/4.5.1 * Get the minor version. * * @return minor version @@ -157,6 +160,8 @@ struct ike_header_t { u_int8_t (*get_min_version) (ike_header_t *this); /** +<<<<<<< HEAD +======= * Set the minor version. * * @param minor minor version @@ -164,6 +169,7 @@ struct ike_header_t { void (*set_min_version) (ike_header_t *this, u_int8_t minor); /** +>>>>>>> upstream/4.5.1 * Get the response flag. * * @return response flag @@ -176,7 +182,10 @@ struct ike_header_t { * @param response response flag */ void (*set_response_flag) (ike_header_t *this, bool response); +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 /** * Get "higher version supported"-flag. * @@ -185,6 +194,8 @@ struct ike_header_t { bool (*get_version_flag) (ike_header_t *this); /** +<<<<<<< HEAD +======= * Set the "higher version supported"-flag. * * @param version flag value @@ -192,6 +203,7 @@ struct ike_header_t { void (*set_version_flag)(ike_header_t *this, bool version); /** +>>>>>>> upstream/4.5.1 * Get the initiator flag. * * @return initiator flag diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c index 999d73192..dd239b212 100644 --- a/src/libcharon/encoding/payloads/ke_payload.c +++ b/src/libcharon/encoding/payloads/ke_payload.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * 
@@ -21,13 +25,23 @@ #include <encoding/payloads/encodings.h> +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 typedef struct private_ke_payload_t private_ke_payload_t; /** * Private data of an ke_payload_t object. +<<<<<<< HEAD + * + */ +struct private_ke_payload_t { +======= */ struct private_ke_payload_t { +>>>>>>> upstream/4.5.1 /** * Public ke_payload_t interface. */ @@ -44,6 +58,8 @@ struct private_ke_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved_bit[7]; @@ -54,6 +70,7 @@ struct private_ke_payload_t { u_int8_t reserved_byte[2]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -74,6 +91,29 @@ struct private_ke_payload_t { * * The defined offsets are the positions in a object of type * private_ke_payload_t. +<<<<<<< HEAD + * + */ +encoding_rule_t ke_payload_encodings[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_ke_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_ke_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole payload*/ + { PAYLOAD_LENGTH, offsetof(private_ke_payload_t, payload_length) }, + /* DH Group number as 16 bit field*/ + { U_INT_16, offsetof(private_ke_payload_t, dh_group_number) }, + { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, +======= */ encoding_rule_t ke_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ 
@@ -95,6 +135,7 @@ encoding_rule_t ke_payload_encodings[] = { /* 2 reserved bytes */ { RESERVED_BYTE, offsetof(private_ke_payload_t, reserved_byte[0])}, { RESERVED_BYTE, offsetof(private_ke_payload_t, reserved_byte[1])}, +>>>>>>> upstream/4.5.1 /* Key Exchange Data is from variable size */ { KEY_EXCHANGE_DATA, offsetof(private_ke_payload_t, key_exchange_data)} }; @@ -113,6 +154,42 @@ encoding_rule_t ke_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_ke_payload_t *this) +{ + /* dh group is not verified in here */ + return SUCCESS; +} + +/** + * Implementation of payload_t.destroy. + */ +static void destroy(private_ke_payload_t *this) +{ + if (this->key_exchange_data.ptr != NULL) + { + free(this->key_exchange_data.ptr); + } + free(this); +} + +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = ke_payload_encodings; + *rule_count = sizeof(ke_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(private_ke_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_ke_payload_t *this) { @@ -128,10 +205,25 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_ke_payload_t *this) +>>>>>>> upstream/4.5.1 { return KEY_EXCHANGE; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_ke_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_ke_payload_t *this,payload_type_t type) +======= METHOD(payload_t, get_next_type, payload_type_t, private_ke_payload_t *this) { 
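Review bot: The HEAD-side `verify` in the ke_payload.c hunk returns `SUCCESS` unconditionally (`/* dh group is not verified in here */`), so key-exchange data of any length, including zero, passes payload verification, while the upstream body of `METHOD(payload_t, verify, status_t, private_ke_payload_t *this)` is cut by the hunk boundary and cannot be compared here. Whichever side survives the conflict markers, a reviewer would expect at least `if (this->key_exchange_data.len == 0) { return FAILED; }` here, unless the DH group and public-value length are checked where the payload is consumed — in which case a comment naming that place (`/* group and value length are checked by the consumer of this payload */`) documents the contract. Separately, the HEAD-side encoding rules encode reserved bits and bytes with offset 0 (`{ RESERVED_BYTE, 0 }`) while the upstream rules store them in `reserved_bit[]`/`reserved_byte[]`; the table must match whichever `private_ke_payload_t` definition is kept.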
@@ -140,10 +232,66 @@ METHOD(payload_t, get_next_type, payload_type_t, METHOD(payload_t, set_next_type, void, private_ke_payload_t *this,payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * recompute the length of the payload. + */ +static void compute_length(private_ke_payload_t *this) +{ + size_t length = KE_PAYLOAD_HEADER_LENGTH; + if (this->key_exchange_data.ptr != NULL) + { + length += this->key_exchange_data.len; + } + this->payload_length = length; +} + +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_ke_payload_t *this) +{ + compute_length(this); + return this->payload_length; +} + +/** + * Implementation of ke_payload_t.get_key_exchange_data. + */ +static chunk_t get_key_exchange_data(private_ke_payload_t *this) +{ + return (this->key_exchange_data); +} + +/** + * Implementation of ke_payload_t.set_key_exchange_data. + */ +static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchange_data) +{ + /* destroy existing data first */ + if (this->key_exchange_data.ptr != NULL) + { + /* free existing value */ + free(this->key_exchange_data.ptr); + this->key_exchange_data.ptr = NULL; + this->key_exchange_data.len = 0; + + } + + this->key_exchange_data = chunk_clone(key_exchange_data); + compute_length(this); +} + +/** + * Implementation of ke_payload_t.get_dh_group_number. + */ +static diffie_hellman_group_t get_dh_group_number(private_ke_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_ke_payload_t *this) { 
@@ -158,15 +306,25 @@ METHOD(ke_payload_t, get_key_exchange_data, chunk_t, METHOD(ke_payload_t, get_dh_group_number, diffie_hellman_group_t, private_ke_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->dh_group_number; } +<<<<<<< HEAD +/** + * Implementation of ke_payload_t.set_dh_group_number. + */ +static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group_t dh_group_number) +{ + this->dh_group_number = dh_group_number; +======= METHOD2(payload_t, ke_payload_t, destroy, void, private_ke_payload_t *this) { free(this->key_exchange_data.ptr); free(this); +>>>>>>> upstream/4.5.1 } /* 
@@ -174,6 +332,33 @@ METHOD2(payload_t, ke_payload_t, destroy, void, */ ke_payload_t *ke_payload_create() { +<<<<<<< HEAD + private_ke_payload_t *this = malloc_thing(private_ke_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.get_key_exchange_data = (chunk_t (*) (ke_payload_t *)) get_key_exchange_data; + this->public.set_key_exchange_data = (void (*) (ke_payload_t *,chunk_t)) set_key_exchange_data; + this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number; + this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number; + this->public.destroy = (void (*) (ke_payload_t *)) destroy; + + /* set default values of the fields */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = KE_PAYLOAD_HEADER_LENGTH; + this->key_exchange_data = chunk_empty; + this->dh_group_number = MODP_NONE; + +======= private_ke_payload_t *this; INIT(this, @@ -195,6 +380,7 @@ ke_payload_t *ke_payload_create() .payload_length = KE_PAYLOAD_HEADER_LENGTH, .dh_group_number = MODP_NONE, ); +>>>>>>> upstream/4.5.1 return &this->public; } 
@@ -207,7 +393,11 @@ ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh) dh->get_my_public_value(dh, &this->key_exchange_data); this->dh_group_number = dh->get_dh_group(dh); +<<<<<<< HEAD + compute_length(this); +======= this->payload_length = this->key_exchange_data.len + KE_PAYLOAD_HEADER_LENGTH; +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h index 65cc11883..edf271add 100644 --- a/src/libcharon/encoding/payloads/ke_payload.h +++ b/src/libcharon/encoding/payloads/ke_payload.h @@ -47,13 +47,33 @@ struct ke_payload_t { payload_t payload_interface; /** +<<<<<<< HEAD + * Returns the currently set key exchange data of this KE payload. + * + * @warning Returned data are not copied. + * + * @return chunk_t pointing to the value +======= * Returns the key exchange data of this KE payload. * * @return chunk_t pointing to internal data +>>>>>>> upstream/4.5.1 */ chunk_t (*get_key_exchange_data) (ke_payload_t *this); /** +<<<<<<< HEAD + * Sets the key exchange data of this KE payload. + * + * Value is getting copied. + * + * @param key_exchange_data chunk_t pointing to the value to set + */ + void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data); + + /** +======= +>>>>>>> upstream/4.5.1 * Gets the Diffie-Hellman Group Number of this KE payload. * * @return DH Group Number of this payload @@ -61,6 +81,17 @@ struct ke_payload_t { diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this); /** +<<<<<<< HEAD + * Sets the Diffie-Hellman Group Number of this KE payload. + * + * @param dh_group_number DH Group to set + */ + void (*set_dh_group_number) (ke_payload_t *this, + diffie_hellman_group_t dh_group_number); + + /** +======= +>>>>>>> upstream/4.5.1 * Destroys an ke_payload_t object. */ void (*destroy) (ke_payload_t *this); 
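Review bot: The ke_payload.h hunk re-adds, on the HEAD side of the conflict, the `set_key_exchange_data` and `set_dh_group_number` members that upstream removed from `ke_payload_t`, so the header and ke_payload.c have to be resolved to the same side: the upstream `ke_payload_create` earlier in this diff uses `INIT(this, ...)` and does not mention either setter, so a HEAD header paired with the upstream implementation would leave two interface function pointers unset (presumably NULL given the initializer style — confirm in the `INIT` macro) and any caller of `set_dh_group_number` would crash. Take the upstream header, and if a HEAD caller still uses the setters, port it to `ke_payload_create_from_diffie_hellman`, which already fills `dh_group_number` and the public value from the `diffie_hellman_t`. The HEAD-side `@warning Returned data are not copied.` on `get_key_exchange_data` states the same contract as upstream's `chunk_t pointing to internal data`, so nothing is lost by dropping it.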
diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c index 78000b8c6..ccaf60c09 100644 --- a/src/libcharon/encoding/payloads/nonce_payload.c +++ b/src/libcharon/encoding/payloads/nonce_payload.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -15,19 +19,33 @@ * for more details. */ +<<<<<<< HEAD +/* offsetof macro */ +======= +>>>>>>> upstream/4.5.1 #include <stddef.h> #include "nonce_payload.h" #include <encoding/payloads/encodings.h> +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 typedef struct private_nonce_payload_t private_nonce_payload_t; /** * Private data of an nonce_payload_t object. +<<<<<<< HEAD + * + */ +struct private_nonce_payload_t { +======= */ struct private_nonce_payload_t { +>>>>>>> upstream/4.5.1 /** * Public nonce_payload_t interface. */ @@ -44,11 +62,14 @@ struct private_nonce_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; 
@@ -64,6 +85,27 @@ struct private_nonce_payload_t { * * The defined offsets are the positions in a object of type * private_nonce_payload_t. +<<<<<<< HEAD + * + */ +encoding_rule_t nonce_payload_encodings[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_nonce_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_nonce_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole nonce payload*/ + { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, + /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */ + { NONCE_DATA, offsetof(private_nonce_payload_t, nonce) } +======= */ encoding_rule_t nonce_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ @@ -82,6 +124,7 @@ encoding_rule_t nonce_payload_encodings[] = { { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */ { NONCE_DATA, offsetof(private_nonce_payload_t, nonce) }, +>>>>>>> upstream/4.5.1 }; /* 1 2 3 
@@ -95,6 +138,57 @@ encoding_rule_t nonce_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_nonce_payload_t *this) +{ + if ((this->nonce.len < 16) || ((this->nonce.len > 256))) + { + /* nonce length is wrong */ + return FAILED; + } + + return SUCCESS; +} + +/** + * Implementation of nonce_payload_t.set_nonce. + */ +static status_t set_nonce(private_nonce_payload_t *this, chunk_t nonce) +{ + this->nonce.ptr = clalloc(nonce.ptr, nonce.len); + this->nonce.len = nonce.len; + this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len; + return SUCCESS; +} + +/** + * Implementation of nonce_payload_t.get_nonce. + */ +static chunk_t get_nonce(private_nonce_payload_t *this) +{ + chunk_t nonce; + nonce.ptr = clalloc(this->nonce.ptr,this->nonce.len); + nonce.len = this->nonce.len; + return nonce; +} + +/** + * Implementation of nonce_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = nonce_payload_encodings; + *rule_count = sizeof(nonce_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(private_nonce_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_nonce_payload_t *this) { 
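Review bot: The HEAD-side `set_nonce` in this nonce_payload.c hunk overwrites `this->nonce.ptr` with a fresh `clalloc` copy without freeing the previous buffer, so a second call leaks the first nonce, and `get_nonce` hands back a `clalloc` copy the caller must free — an ownership rule the HEAD code documents nowhere and that the upstream `get_nonce` (not visible in this hunk) may not share. If the HEAD side is kept, change the setter to `free(this->nonce.ptr); this->nonce = chunk_clone(nonce);` and put `/* returns a copy; the caller owns and frees it */` on `get_nonce`; better, resolve the conflict to the upstream `METHOD(...)` side and delete the HEAD block, since the markers as committed do not compile. The 16–256 byte bound in the HEAD `verify` is the one check worth confirming survives in the upstream `verify`, whose body is cut off at the end of this hunk.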
@@ -114,10 +208,25 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_nonce_payload_t *this) +>>>>>>> upstream/4.5.1 { return NONCE; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_nonce_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_nonce_payload_t *this,payload_type_t type) +======= METHOD(payload_t, get_next_type, payload_type_t, private_nonce_payload_t *this) { @@ -126,10 +235,40 @@ METHOD(payload_t, get_next_type, payload_type_t, METHOD(payload_t, set_next_type, void, private_nonce_payload_t *this, payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * recompute the length of the payload. + */ +static void compute_length(private_nonce_payload_t *this) +{ + this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + this->nonce.len; +} + +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_nonce_payload_t *this) +{ + compute_length(this); + return this->payload_length; +} + +/** + * Implementation of payload_t.destroy and nonce_payload_t.destroy. + */ +static void destroy(private_nonce_payload_t *this) +{ + if (this->nonce.ptr != NULL) + { + free(this->nonce.ptr); + } + +======= METHOD(payload_t, get_length, size_t, private_nonce_payload_t *this) { @@ -153,6 +292,7 @@ METHOD2(payload_t, nonce_payload_t, destroy, void, private_nonce_payload_t *this) { free(this->nonce.ptr); +>>>>>>> upstream/4.5.1 free(this); } 
@@ -161,6 +301,35 @@ METHOD2(payload_t, nonce_payload_t, destroy, void, */ nonce_payload_t *nonce_payload_create() { +<<<<<<< HEAD + private_nonce_payload_t *this = malloc_thing(private_nonce_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.destroy = (void (*) (nonce_payload_t *)) destroy; + this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce; + this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce; + + /* private variables */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH; + this->nonce.ptr = NULL; + this->nonce.len = 0; + + return (&(this->public)); +} + + +======= private_nonce_payload_t *this; INIT(this, @@ -183,3 +352,4 @@ nonce_payload_t *nonce_payload_create() ); return &this->public; } +>>>>>>> upstream/4.5.1 diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index 77f15ec6d..59668bb9d 100644 --- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c 
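Review bot: The HEAD-side `nonce_payload_create` in this hunk installs `set_nonce`, declared `static status_t set_nonce(...)`, through the cast `(void (*) (nonce_payload_t *,chunk_t)) set_nonce`, and likewise casts `destroy` to `(void (*) (payload_t *))` although it takes `private_nonce_payload_t *`; calling a function through a pointer of a different type is undefined behaviour in C, and it is exactly what the upstream `METHOD`/`METHOD2` wrappers and `INIT(this, ...)` replace. Drop the HEAD block and keep the upstream constructor when removing the conflict markers; if HEAD must stay, make `set_nonce` return `void` and route the slots through the `METHOD` wrappers so the vtable types match. The upstream `INIT` initializer is elided in the hunk, so verify it sets `.payload_length = NONCE_PAYLOAD_HEADER_LENGTH` and `.next_payload = NO_PAYLOAD` as the HEAD side does by hand.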
@@ -1,8 +1,14 @@ /* +<<<<<<< HEAD + * Copyright (C) 2006-2008 Tobias Brunner + * Copyright (C) 2006 Daniel Roethlisberger + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG * Copyright (C) 2006-2008 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -187,9 +193,15 @@ typedef struct private_notify_payload_t private_notify_payload_t; /** * Private data of an notify_payload_t object. +<<<<<<< HEAD + * + */ +struct private_notify_payload_t { +======= */ struct private_notify_payload_t { +>>>>>>> upstream/4.5.1 /** * Public notify_payload_t interface. */ @@ -206,11 +218,14 @@ struct private_notify_payload_t { bool critical; /** +<<<<<<< HEAD +======= * reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -246,6 +261,10 @@ struct private_notify_payload_t { * * The defined offsets are the positions in a object of type * private_notify_payload_t. +<<<<<<< HEAD + * +======= +>>>>>>> upstream/4.5.1 */ encoding_rule_t notify_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ @@ -253,6 +272,15 @@ encoding_rule_t notify_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_notify_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ +<<<<<<< HEAD + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, +======= { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[0]) }, { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[1]) }, { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[2]) }, 
@@ -260,6 +288,7 @@ encoding_rule_t notify_payload_encodings[] = { { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[4]) }, { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[5]) }, { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[6]) }, +>>>>>>> upstream/4.5.1 /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_notify_payload_t, payload_length) }, /* Protocol ID as 8 bit field*/ @@ -267,11 +296,19 @@ encoding_rule_t notify_payload_encodings[] = { /* SPI Size as 8 bit field*/ { SPI_SIZE, offsetof(private_notify_payload_t, spi_size) }, /* Notify message type as 16 bit field*/ +<<<<<<< HEAD + { U_INT_16, offsetof(private_notify_payload_t, notify_type) }, + /* SPI as variable length field*/ + { SPI, offsetof(private_notify_payload_t, spi) }, + /* Key Exchange Data is from variable size */ + { NOTIFICATION_DATA, offsetof(private_notify_payload_t, notification_data) } +======= { U_INT_16, offsetof(private_notify_payload_t, notify_type) }, /* SPI as variable length field*/ { SPI, offsetof(private_notify_payload_t, spi) }, /* Key Exchange Data is from variable size */ { NOTIFICATION_DATA,offsetof(private_notify_payload_t, notification_data) } +>>>>>>> upstream/4.5.1 }; /* @@ -292,8 +329,15 @@ encoding_rule_t notify_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_notify_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_notify_payload_t *this) +>>>>>>> upstream/4.5.1 { bool bad_length = FALSE; 
@@ -407,6 +451,21 @@ METHOD(payload_t, verify, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = notify_payload_encodings; + *rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(private_notify_payload_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { @@ -416,10 +475,25 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_notify_payload_t *this) +>>>>>>> upstream/4.5.1 { return NOTIFY; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_notify_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_notify_payload_t *this,payload_type_t type) +======= METHOD(payload_t, get_next_type, payload_type_t, private_notify_payload_t *this) { @@ -428,6 +502,7 @@ METHOD(payload_t, get_next_type, payload_type_t, METHOD(payload_t, set_next_type, void, private_notify_payload_t *this, payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } @@ -438,7 +513,10 @@ METHOD(payload_t, set_next_type, void, static void compute_length (private_notify_payload_t *this) { size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH; +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 if (this->notification_data.ptr != NULL) { length += this->notification_data.len; 
@@ -450,6 +528,21 @@ static void compute_length (private_notify_payload_t *this) this->payload_length = length; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_notify_payload_t *this) +{ + compute_length(this); + return this->payload_length; +} + +/** + * Implementation of notify_payload_t.get_protocol_id. + */ +static u_int8_t get_protocol_id(private_notify_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_notify_payload_t *this) { @@ -458,30 +551,59 @@ METHOD(payload_t, get_length, size_t, METHOD(notify_payload_t, get_protocol_id, u_int8_t, private_notify_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->protocol_id; } +<<<<<<< HEAD +/** + * Implementation of notify_payload_t.set_protocol_id. + */ +static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id) +======= METHOD(notify_payload_t, set_protocol_id, void, private_notify_payload_t *this, u_int8_t protocol_id) +>>>>>>> upstream/4.5.1 { this->protocol_id = protocol_id; } +<<<<<<< HEAD +/** + * Implementation of notify_payload_t.get_notify_type. + */ +static notify_type_t get_notify_type(private_notify_payload_t *this) +======= METHOD(notify_payload_t, get_notify_type, notify_type_t, private_notify_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->notify_type; } +<<<<<<< HEAD +/** + * Implementation of notify_payload_t.set_notify_type. + */ +static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type) +======= METHOD(notify_payload_t, set_notify_type, void, private_notify_payload_t *this, notify_type_t notify_type) +>>>>>>> upstream/4.5.1 { this->notify_type = notify_type; } +<<<<<<< HEAD +/** + * Implementation of notify_payload_t.get_spi. + */ +static u_int32_t get_spi(private_notify_payload_t *this) +======= METHOD(notify_payload_t, get_spi, u_int32_t, private_notify_payload_t *this) +>>>>>>> upstream/4.5.1 { switch (this->protocol_id) { 
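Review bot: In the `set_notify_type` part of this notify_payload.c hunk the HEAD side takes `u_int16_t notify_type` while the upstream side uses `notify_type_t`, and the HEAD `notify_payload_create` later in the diff casts the slot as `(void (*) (notify_payload_t *,notify_type_t))`, so resolving to HEAD leaves the stored pointer and the callee disagreeing on the parameter type. Use `static void set_notify_type(private_notify_payload_t *this, notify_type_t notify_type)` if HEAD is kept, or simply take the upstream `METHOD(notify_payload_t, set_notify_type, void, ...)` form. The field itself is encoded as `U_INT_16` in the rule table, so the wire format is unaffected either way.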
@@ -497,8 +619,15 @@ METHOD(notify_payload_t, get_spi, u_int32_t, return 0; } +<<<<<<< HEAD +/** + * Implementation of notify_payload_t.set_spi. + */ +static void set_spi(private_notify_payload_t *this, u_int32_t spi) +======= METHOD(notify_payload_t, set_spi, void, private_notify_payload_t *this, u_int32_t spi) +>>>>>>> upstream/4.5.1 { chunk_free(&this->spi); switch (this->protocol_id) @@ -515,6 +644,39 @@ METHOD(notify_payload_t, set_spi, void, compute_length(this); } +<<<<<<< HEAD +/** + * Implementation of notify_payload_t.get_notification_data. + */ +static chunk_t get_notification_data(private_notify_payload_t *this) +{ + return (this->notification_data); +} + +/** + * Implementation of notify_payload_t.set_notification_data. + */ +static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data) +{ + chunk_free(&this->notification_data); + if (notification_data.len > 0) + { + this->notification_data = chunk_clone(notification_data); + } + compute_length(this); + return SUCCESS; +} + +/** + * Implementation of notify_payload_t.destroy and notify_payload_t.destroy. + */ +static status_t destroy(private_notify_payload_t *this) +{ + chunk_free(&this->notification_data); + chunk_free(&this->spi); + free(this); + return SUCCESS; +======= METHOD(notify_payload_t, get_notification_data, chunk_t, private_notify_payload_t *this) { @@ -535,6 +697,7 @@ METHOD2(payload_t, notify_payload_t, destroy, void, free(this->notification_data.ptr); free(this->spi.ptr); free(this); +>>>>>>> upstream/4.5.1 } /* 
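Review bot: The HEAD side of the destroy conflict declares `static status_t destroy(private_notify_payload_t *this)` and `static status_t set_notification_data(...)`, but the create function in the next hunk installs them through casts to `void (*)(payload_t *)` and `void (*)(notify_payload_t *, chunk_t)`; calling a function through a pointer whose return type differs from the definition is undefined behaviour in C. The upstream side (`METHOD2(payload_t, notify_payload_t, destroy, void, ...)`) returns void and needs no cast, so resolve this conflict to upstream. As committed, the `<<<<<<<`/`=======`/`>>>>>>>` lines themselves prevent the file from compiling.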
@@ -542,6 +705,42 @@ METHOD2(payload_t, notify_payload_t, destroy, void, */ notify_payload_t *notify_payload_create() { +<<<<<<< HEAD + private_notify_payload_t *this = malloc_thing(private_notify_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id; + this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id; + this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type; + this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type; + this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi; + this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi; + this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data; + this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data; + this->public.destroy = (void (*) (notify_payload_t *)) destroy; + + /* set default values of the fields */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH; + this->protocol_id = 0; + this->notify_type = 0; + this->spi.ptr = NULL; + this->spi.len = 0; + this->spi_size = 0; + 
this->notification_data.ptr = NULL; + this->notification_data.len = 0; + +======= private_notify_payload_t *this; INIT(this, @@ -568,12 +767,21 @@ notify_payload_t *notify_payload_create() .next_payload = NO_PAYLOAD, .payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH, ); +>>>>>>> upstream/4.5.1 return &this->public; } /* * Described in header. */ +<<<<<<< HEAD +notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type) +{ + notify_payload_t *notify = notify_payload_create(); + + notify->set_notify_type(notify,notify_type); + notify->set_protocol_id(notify,protocol_id); +======= notify_payload_t *notify_payload_create_from_protocol_and_type( protocol_id_t protocol_id, notify_type_t notify_type) { @@ -581,6 +789,7 @@ notify_payload_t *notify_payload_create_from_protocol_and_type( notify->set_notify_type(notify, notify_type); notify->set_protocol_id(notify, protocol_id); +>>>>>>> upstream/4.5.1 return notify; } diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c index d1e677db7..35d073240 100644 --- a/src/libcharon/encoding/payloads/payload.c +++ b/src/libcharon/encoding/payloads/payload.c 
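Review bot: notify_payload_create is committed with both conflict sides, so the function contains two bodies separated by `<<<<<<< HEAD`/`=======`/`>>>>>>> upstream/4.5.1` and will not compile; keep the upstream `INIT(this, ...)` body. The HEAD body wires every interface slot through an explicit function-pointer cast (for example `(void (*) (payload_t *))destroy`, where the HEAD destroy returns status_t), which silences the signature mismatches instead of fixing them. The two `notify_payload_create_from_protocol_and_type` hunks that follow differ only in line breaking; take upstream there as well.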
@@ -59,23 +59,41 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, N #ifdef ME ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION, "ID_PEER"); +<<<<<<< HEAD +ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER, +======= ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER, +>>>>>>> upstream/4.5.1 "HEADER", "PROPOSAL_SUBSTRUCTURE", "TRANSFORM_SUBSTRUCTURE", "TRANSFORM_ATTRIBUTE", "TRAFFIC_SELECTOR_SUBSTRUCTURE", +<<<<<<< HEAD + "CONFIGURATION_ATTRIBUTE", + "UNKNOWN_PAYLOAD"); +#else +ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION, +======= "CONFIGURATION_ATTRIBUTE"); #else ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION, +>>>>>>> upstream/4.5.1 "HEADER", "PROPOSAL_SUBSTRUCTURE", "TRANSFORM_SUBSTRUCTURE", "TRANSFORM_ATTRIBUTE", "TRAFFIC_SELECTOR_SUBSTRUCTURE", +<<<<<<< HEAD + "CONFIGURATION_ATTRIBUTE", + "UNKNOWN_PAYLOAD"); +#endif /* ME */ +ENUM_END(payload_type_names, UNKNOWN_PAYLOAD); +======= "CONFIGURATION_ATTRIBUTE"); #endif /* ME */ ENUM_END(payload_type_names, CONFIGURATION_ATTRIBUTE); +>>>>>>> upstream/4.5.1 /* short forms of payload names */ ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD, 
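Review bot: The payload_type_names tables are committed with conflict markers in the middle of the ENUM_NEXT argument lists, so payload.c does not compile, and beyond that the two sides describe different enum layouts that must not be mixed with the other side's payload.h. HEAD ends each range at UNKNOWN_PAYLOAD (`ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ...)`) and adds an `UNKNOWN_PAYLOAD` string, while upstream ends at CONFIGURATION_ATTRIBUTE and has no such entry; ENUM_NEXT appears to take a value range, so a names table from one side paired with a header from the other would misalign names and values. Resolve this file and payload.h together, both to upstream.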
@@ -100,23 +118,41 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICAT #ifdef ME ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION, "IDp"); +<<<<<<< HEAD +ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER, +======= ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER, +>>>>>>> upstream/4.5.1 "HDR", "PROP", "TRANS", "TRANSATTR", "TSSUB", +<<<<<<< HEAD + "CPATTR", + "??"); +#else +ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION, +======= "CPATTR"); #else ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION, +>>>>>>> upstream/4.5.1 "HDR", "PROP", "TRANS", "TRANSATTR", "TSSUB", +<<<<<<< HEAD + "CPATTR", + "??"); +#endif /* ME */ +ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD); +======= "CPATTR"); #endif /* ME */ ENUM_END(payload_type_short_names, CONFIGURATION_ATTRIBUTE); +>>>>>>> upstream/4.5.1 /* * see header @@ -174,6 +210,12 @@ payload_t *payload_create(payload_type_t type) case ENCRYPTED: return (payload_t*)encryption_payload_create(); default: +<<<<<<< HEAD + return (payload_t*)unknown_payload_create(); + } +} + +======= return (payload_t*)unknown_payload_create(type); } } @@ -216,3 +258,4 @@ void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip) } return NULL; } +>>>>>>> upstream/4.5.1 diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h index 0f407ff42..68fbb01c0 100644 --- a/src/libcharon/encoding/payloads/payload.h +++ b/src/libcharon/encoding/payloads/payload.h @@ -137,7 +137,11 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle IKEv2-Header like a payload. */ +<<<<<<< HEAD + HEADER = 140, +======= HEADER = 256, +>>>>>>> upstream/4.5.1 /** * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space. 
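Review bot: In payload_create the HEAD side calls `unknown_payload_create()` with no argument while upstream calls `unknown_payload_create(type)`, so with HEAD the received payload type is discarded and an unknown payload cannot report which type it actually carried. The `payload_is_known()` and `payload_get_field()` definitions exist only on the upstream side of this file, so keeping HEAD here while keeping upstream elsewhere leaves them undefined. The `HEADER = 140` vs `HEADER = 256` hunk in payload.h must be resolved to the same side, since payload_create dispatches on these values; keep upstream in both files and strip the conflict markers.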
@@ -145,7 +149,11 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a proposal substructure like a payload. */ +<<<<<<< HEAD + PROPOSAL_SUBSTRUCTURE = 141, +======= PROPOSAL_SUBSTRUCTURE = 257, +>>>>>>> upstream/4.5.1 /** * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -153,7 +161,11 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform substructure like a payload. */ +<<<<<<< HEAD + TRANSFORM_SUBSTRUCTURE = 142, +======= TRANSFORM_SUBSTRUCTURE = 258, +>>>>>>> upstream/4.5.1 /** * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space. @@ -161,7 +173,11 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform attribute like a payload. */ +<<<<<<< HEAD + TRANSFORM_ATTRIBUTE = 143, +======= TRANSFORM_ATTRIBUTE = 259, +>>>>>>> upstream/4.5.1 /** * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -169,7 +185,11 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform selector like a payload. */ +<<<<<<< HEAD + TRAFFIC_SELECTOR_SUBSTRUCTURE = 144, +======= TRAFFIC_SELECTOR_SUBSTRUCTURE = 260, +>>>>>>> upstream/4.5.1 /** * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space. @@ -177,9 +197,24 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform attribute like a payload. */ +<<<<<<< HEAD + CONFIGURATION_ATTRIBUTE = 145, + + /** + * A unknown payload has a value of PRIVATE USE space. + * + * This payload type is not sent over wire and just + * used internally to handle a unknown payload. + */ + UNKNOWN_PAYLOAD = 146, +}; + + +======= CONFIGURATION_ATTRIBUTE = 261, }; +>>>>>>> upstream/4.5.1 /** * enum names for payload_type_t. */ 
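Review bot: The HEAD side keeps the internal-only payload types at 141–146 (`PROPOSAL_SUBSTRUCTURE = 141` … `UNKNOWN_PAYLOAD = 146`), values that fit in the one-byte Next Payload field of an IKEv2 message, whereas upstream moves them to 257–261, outside anything a peer can put on the wire. Each entry's comment says the type is `not sent over wire and just used internally`, but only the upstream values guarantee that: with HEAD's values a received next-payload byte handed to payload_create() could name HEADER or a substructure type (how the parser maps that byte is not visible here, so treat this as the likely failure mode rather than a confirmed one). The conflict markers also make the enum unparsable as committed. Resolve to upstream and drop UNKNOWN_PAYLOAD, which upstream no longer defines.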
@@ -260,6 +295,8 @@ struct payload_t { */ payload_t *payload_create(payload_type_t type); +<<<<<<< HEAD +======= /** * Check if a specific payload is implemented, or handled as unknown payload. * @@ -278,4 +315,5 @@ bool payload_is_known(payload_type_t type); */ void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip); +>>>>>>> upstream/4.5.1 #endif /** PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index f39c3b0e6..9272d1b63 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -47,11 +47,14 @@ struct private_proposal_substructure_t { u_int8_t next_payload; /** +<<<<<<< HEAD +======= * reserved byte */ u_int8_t reserved; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t proposal_length; @@ -96,8 +99,13 @@ struct private_proposal_substructure_t { encoding_rule_t proposal_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, +<<<<<<< HEAD + /* Reserved Byte is skipped */ + { RESERVED_BYTE, 0 }, +======= /* 1 Reserved Byte */ { RESERVED_BYTE, offsetof(private_proposal_substructure_t, reserved) }, +>>>>>>> upstream/4.5.1 /* Length of the whole proposal substructure payload*/ { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, /* proposal number is a number of 8 bit */ 
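Review bot: The HEAD side of the payload.h hunks omits the declarations of `payload_is_known()` and `payload_get_field()`, which the upstream side of payload.c (earlier in this diff) defines; keeping HEAD in the header and upstream in the source would leave those functions without prototypes. In proposal_substructure.c, HEAD encodes the reserved byte as `{ RESERVED_BYTE, 0 }` while upstream adds a `reserved` field and uses its offsetof; whether an offset of 0 is ignored for RESERVED_BYTE rules is not visible here, so prefer the upstream rule that points at real storage. Both files still contain the raw conflict markers and will not compile until one side is removed.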
@@ -218,6 +226,24 @@ METHOD(payload_t, set_next_type, void, */ static void compute_length(private_proposal_substructure_t *this) { +<<<<<<< HEAD + iterator_t *iterator; + payload_t *current_transform; + size_t transforms_count = 0; + size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH; + + iterator = this->transforms->create_iterator(this->transforms,TRUE); + while (iterator->iterate(iterator, (void**)¤t_transform)) + { + length += current_transform->get_length(current_transform); + transforms_count++; + } + iterator->destroy(iterator); + + length += this->spi.len; + this->transforms_count = transforms_count; + this->proposal_length = length; +======= enumerator_t *enumerator; payload_t *transform; @@ -230,11 +256,16 @@ static void compute_length(private_proposal_substructure_t *this) this->transforms_count++; } enumerator->destroy(enumerator); +>>>>>>> upstream/4.5.1 } METHOD(payload_t, get_length, size_t, private_proposal_substructure_t *this) { +<<<<<<< HEAD + compute_length(this); +======= +>>>>>>> upstream/4.5.1 return this->proposal_length; } 
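Review bot: The two sides of compute_length/get_length assign ownership of the length field differently and must be resolved consistently with the later proposal_substructure_create_from_proposal hunk: HEAD recomputes in get_length (`compute_length(this); return this->proposal_length;`), upstream returns the stored value and instead calls `compute_length(this)` at the end of create_from_proposal. Taking upstream's get_length together with HEAD's create_from_proposal (which has no compute_length call) would leave proposal_length at PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH and truncate the encoded proposal. HEAD also uses the iterator_t API (`create_iterator`/`iterate`) where upstream uses enumerator_t; keep upstream for both hunks. The conflict markers themselves currently break the build.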
@@ -342,10 +373,39 @@ METHOD(proposal_substructure_t, get_proposal, proposal_t*, return proposal; } +<<<<<<< HEAD +METHOD(proposal_substructure_t, clone_, proposal_substructure_t*, + private_proposal_substructure_t *this) +{ + private_proposal_substructure_t *clone; + enumerator_t *enumerator; + transform_substructure_t *current; + + clone = (private_proposal_substructure_t*)proposal_substructure_create(); + clone->next_payload = this->next_payload; + clone->proposal_number = this->proposal_number; + clone->protocol_id = this->protocol_id; + clone->spi_size = this->spi_size; + if (this->spi.ptr != NULL) + { + clone->spi.ptr = clalloc(this->spi.ptr, this->spi.len); + clone->spi.len = this->spi.len; + } + enumerator = this->transforms->create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, ¤t)) + { + current = current->clone(current); + add_transform_substructure(clone, current); + } + enumerator->destroy(enumerator); + + return &clone->public; +======= METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*, private_proposal_substructure_t *this) { return this->transforms->create_enumerator(this->transforms); +>>>>>>> upstream/4.5.1 } METHOD2(payload_t, proposal_substructure_t, destroy, void, @@ -381,6 +441,14 @@ proposal_substructure_t *proposal_substructure_create() .get_protocol_id = _get_protocol_id, .set_is_last_proposal = _set_is_last_proposal, .get_proposal = _get_proposal, +<<<<<<< HEAD + .set_spi = _set_spi, + .get_spi = _get_spi, + .clone = _clone_, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, +======= .create_substructure_enumerator = _create_substructure_enumerator, .set_spi = _set_spi, .get_spi = _get_spi, @@ -388,6 +456,7 @@ proposal_substructure_t *proposal_substructure_create() }, .next_payload = NO_PAYLOAD, .proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH, +>>>>>>> upstream/4.5.1 .transforms = linked_list_create(), ); 
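Review bot: The proposal_substructure_t interface differs between sides — HEAD adds `clone` (implemented with `clalloc`) and upstream adds `create_substructure_enumerator` — and the designated initializer in proposal_substructure_create (`.clone = _clone_` vs `.create_substructure_enumerator = _create_substructure_enumerator`) must match whichever member the header keeps. The HEAD initializer also drops `.proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH`, which only works because HEAD's get_length recomputes the length on every call. Resolve the .c and .h hunks to upstream as a unit; as committed the conflict markers sit inside a function body and an initializer list and the file cannot compile.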
@@ -479,7 +548,10 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( } this->proposal_number = proposal->get_number(proposal); this->protocol_id = proposal->get_protocol(proposal); +<<<<<<< HEAD +======= compute_length(this); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h index d0ba1fd2a..a7ad97e1c 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.h +++ b/src/libcharon/encoding/payloads/proposal_substructure.h @@ -111,11 +111,19 @@ struct proposal_substructure_t { proposal_t * (*get_proposal) (proposal_substructure_t *this); /** +<<<<<<< HEAD + * Clones an proposal_substructure_t object. + * + * @return cloned object + */ + proposal_substructure_t* (*clone) (proposal_substructure_t *this); +======= * Create an enumerator over transform substructures. * * @return enumerator over transform_substructure_t */ enumerator_t* (*create_substructure_enumerator)(proposal_substructure_t *this); +>>>>>>> upstream/4.5.1 /** * Destroys an proposal_substructure_t object. diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c index db20d052f..faa19b614 100644 --- a/src/libcharon/encoding/payloads/sa_payload.c +++ b/src/libcharon/encoding/payloads/sa_payload.c @@ -46,11 +46,14 @@ struct private_sa_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; 
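Review bot: Upstream adds `compute_length(this);` at the end of proposal_substructure_create_from_proposal and HEAD does not; because upstream's get_length (earlier hunk) no longer recomputes, that call is load-bearing and must be kept whenever the upstream get_length is taken. The sa_payload.c hunk here adds a `bool reserved[7]` field on the upstream side only, which the encoding-rule hunk that follows relies on (`offsetof(private_sa_payload_t, reserved[0])`), so the struct and the rule table must come from the same side. The conflict markers in proposal_substructure.h and sa_payload.c leave both files uncompilable.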
@@ -73,6 +76,15 @@ encoding_rule_t sa_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_sa_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ +<<<<<<< HEAD + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, +======= { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[0]) }, { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[1]) }, { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[2]) }, @@ -80,6 +92,7 @@ encoding_rule_t sa_payload_encodings[] = { { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[4]) }, { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[5]) }, { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[6]) }, +>>>>>>> upstream/4.5.1 /* Length of the whole SA payload*/ { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) }, /* Proposals are stored in a proposal substructure, @@ -190,6 +203,10 @@ static void compute_length(private_sa_payload_t *this) METHOD(payload_t, get_length, size_t, private_sa_payload_t *this) { +<<<<<<< HEAD + compute_length(this); +======= +>>>>>>> upstream/4.5.1 return this->payload_length; } @@ -262,12 +279,15 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*, return list; } +<<<<<<< HEAD +======= METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*, private_sa_payload_t *this) { return this->proposals->create_enumerator(this->proposals); } +>>>>>>> upstream/4.5.1 METHOD2(payload_t, sa_payload_t, destroy, void, private_sa_payload_t *this) { @@ -296,7 +316,10 @@ sa_payload_t *sa_payload_create() }, .add_proposal = _add_proposal, .get_proposals = _get_proposals, +<<<<<<< HEAD +======= .create_substructure_enumerator = _create_substructure_enumerator, +>>>>>>> upstream/4.5.1 .destroy = _destroy, }, .next_payload = NO_PAYLOAD, 
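Review bot: The seven `{ RESERVED_BIT, 0 }` rules on the HEAD side versus upstream's `offsetof(private_sa_payload_t, reserved[i])` rules must be resolved together with the `bool reserved[7]` struct field from the previous hunk, or the offsetof expressions will not compile. The get_length hunk has the same split as proposal_substructure.c — HEAD calls `compute_length(this)` on each call, upstream returns the stored `payload_length` — so whichever side is taken must match where compute_length is invoked (add_proposal is outside this diff and should be checked). `create_substructure_enumerator` exists only on the upstream side of both sa_payload.c and sa_payload.h; keep upstream throughout and strip the conflict markers.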
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h index cc8c481c8..fb0227016 100644 --- a/src/libcharon/encoding/payloads/sa_payload.h +++ b/src/libcharon/encoding/payloads/sa_payload.h @@ -61,6 +61,8 @@ struct sa_payload_t { void (*add_proposal) (sa_payload_t *this, proposal_t *proposal); /** +<<<<<<< HEAD +======= * Create an enumerator over all proposal substructures. * * @return enumerator over proposal_substructure_t @@ -68,6 +70,7 @@ struct sa_payload_t { enumerator_t* (*create_substructure_enumerator)(sa_payload_t *this); /** +>>>>>>> upstream/4.5.1 * Destroys an sa_payload_t object. */ void (*destroy) (sa_payload_t *this); diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c index df36e4383..f631714a2 100644 --- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c +++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -20,13 +24,23 @@ #include <encoding/payloads/encodings.h> #include <utils/linked_list.h> +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t; /** * Private data of an traffic_selector_substructure_t object. +<<<<<<< HEAD + * + */ +struct private_traffic_selector_substructure_t { +======= */ struct private_traffic_selector_substructure_t { +>>>>>>> upstream/4.5.1 /** * Public traffic_selector_substructure_t interface. */ 
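Review bot: These traffic_selector_substructure.c hunks are conflicts only in comments and whitespace — the copyright header (`2005-2006` vs `2005-2010` plus the revosec line) and blank lines around the struct comment — yet the committed `<<<<<<< HEAD`/`=======`/`>>>>>>> upstream/4.5.1` lines land inside a block comment and before the struct definition, so the file still fails to parse. Take the upstream text for all three hunks; there is no functional difference to choose between. The sa_payload.h hunk likewise only needs the upstream `create_substructure_enumerator` declaration kept.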
@@ -73,6 +87,26 @@ struct private_traffic_selector_substructure_t { * * The defined offsets are the positions in a object of type * private_traffic_selector_substructure_t. +<<<<<<< HEAD + * + */ +encoding_rule_t traffic_selector_substructure_encodings[] = { + /* 1 Byte next ts type*/ + { TS_TYPE, offsetof(private_traffic_selector_substructure_t, ts_type) }, + /* 1 Byte IP protocol id*/ + { U_INT_8, offsetof(private_traffic_selector_substructure_t, ip_protocol_id) }, + /* Length of the whole payload*/ + { PAYLOAD_LENGTH, offsetof(private_traffic_selector_substructure_t, payload_length) }, + /* 2 Byte start port*/ + { U_INT_16, offsetof(private_traffic_selector_substructure_t, start_port) }, + /* 2 Byte end port*/ + { U_INT_16, offsetof(private_traffic_selector_substructure_t, end_port) }, + /* starting address is either 4 or 16 byte */ + { ADDRESS, offsetof(private_traffic_selector_substructure_t, starting_address) }, + /* ending address is either 4 or 16 byte */ + { ADDRESS, offsetof(private_traffic_selector_substructure_t, ending_address) } + +======= */ encoding_rule_t traffic_selector_substructure_encodings[] = { /* 1 Byte next ts type*/ @@ -89,6 +123,7 @@ encoding_rule_t traffic_selector_substructure_encodings[] = { { ADDRESS, offsetof(private_traffic_selector_substructure_t, starting_address) }, /* ending address is either 4 or 16 byte */ { ADDRESS, offsetof(private_traffic_selector_substructure_t, ending_address) } +>>>>>>> upstream/4.5.1 }; /* @@ -109,8 +144,15 @@ encoding_rule_t traffic_selector_substructure_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_traffic_selector_substructure_t *this) +======= METHOD(payload_t, verify, status_t, private_traffic_selector_substructure_t *this) +>>>>>>> upstream/4.5.1 { if (this->start_port > this->end_port) { 
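Review bot: The traffic_selector_substructure_encodings initializer is committed with both sides, so the array literal contains the conflict markers and a duplicated set of seven rules; the two sides are identical apart from a trailing blank line, so keep upstream. The verify hunk likewise only changes the function header (static function vs METHOD macro) and should resolve to the upstream `METHOD(payload_t, verify, status_t, ...)` form. The verify body (`if (this->start_port > this->end_port)`) continues past the hunk and is unchanged.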
@@ -148,6 +190,21 @@ METHOD(payload_t, verify, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of traffic_selector_substructure_t.get_encoding_rules. + */ +static void get_encoding_rules(private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = traffic_selector_substructure_encodings; + *rule_count = sizeof(traffic_selector_substructure_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_traffic_selector_substructure_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) @@ -158,10 +215,33 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_traffic_selector_substructure_t *this) +>>>>>>> upstream/4.5.1 { return TRAFFIC_SELECTOR_SUBSTRUCTURE; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_traffic_selector_substructure_t *this) +{ + return 0; +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type) +{ + +} + +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_traffic_selector_substructure_t *this) +======= METHOD(payload_t, get_next_type, payload_type_t, private_traffic_selector_substructure_t *this) { 
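Review bot: On the HEAD side the payload_t.get_type slot is implemented by a function named `get_payload_type`, while upstream and the other payload files in this diff use `get_type`; the HEAD create function compensates with a cast, which is exactly the pattern upstream's METHOD macro removes. HEAD's `get_next_type` returns a bare `0` rather than a named value such as `NO_PAYLOAD`; upstream's body is outside the hunk so the two cannot be compared here. The hunk also leaves the conflict markers in place, so the file does not compile; resolve to upstream.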
@@ -175,10 +255,38 @@ METHOD(payload_t, set_next_type, void, METHOD(payload_t, get_length, size_t, private_traffic_selector_substructure_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of traffic_selector_substructure_t.get_traffic_selector. + */ +static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this) +{ + traffic_selector_t *ts; + ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type, + this->starting_address, this->start_port, + this->ending_address, this->end_port); + return ts; +} + +/** + * recompute length field of the payload + */ +void compute_length(private_traffic_selector_substructure_t *this) +{ + this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH + + this->ending_address.len + this->starting_address.len; +} + +/** + * Implementation of payload_t.destroy and traffic_selector_substructure_t.destroy. + */ +static void destroy(private_traffic_selector_substructure_t *this) +======= METHOD(traffic_selector_substructure_t, get_traffic_selector, traffic_selector_t*, private_traffic_selector_substructure_t *this) { @@ -190,6 +298,7 @@ METHOD(traffic_selector_substructure_t, get_traffic_selector, traffic_selector_t METHOD2(payload_t, traffic_selector_substructure_t, destroy, void, private_traffic_selector_substructure_t *this) +>>>>>>> upstream/4.5.1 { free(this->starting_address.ptr); free(this->ending_address.ptr); 
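Review bot: The HEAD side defines `void compute_length(private_traffic_selector_substructure_t *this)` without `static`, unlike the `static void compute_length(...)` helpers in notify_payload.c and proposal_substructure.c in this same diff; a non-static definition exports a global `compute_length` symbol from this translation unit, which collides at link time with any other non-static definition of that name and exposes an internal helper in the library's symbol table. Upstream removes the helper and computes the length inline in create_from_traffic_selector (`this->ending_address.len + this->starting_address.len`), so resolving to upstream fixes this. If the HEAD helper were kept for any reason it must at least become `static void compute_length(...)`. The committed conflict markers break the build regardless.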
@@ -201,6 +310,34 @@ METHOD2(payload_t, traffic_selector_substructure_t, destroy, void, */ traffic_selector_substructure_t *traffic_selector_substructure_create() { +<<<<<<< HEAD + private_traffic_selector_substructure_t *this = malloc_thing(private_traffic_selector_substructure_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector; + this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy; + + /* private variables */ + this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH; + this->start_port = 0; + this->end_port = 0; + this->starting_address = chunk_empty; + this->ending_address = chunk_empty; + this->ip_protocol_id = 0; + /* must be set to be valid */ + this->ts_type = TS_IPV4_ADDR_RANGE; + + return (&(this->public)); +======= private_traffic_selector_substructure_t *this; INIT(this, 
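Review bot: traffic_selector_substructure_create carries both bodies with conflict markers, so it cannot compile; keep the upstream `INIT(this, ...)` form. The HEAD body assigns every interface slot through a function-pointer cast such as `(payload_type_t (*) (payload_t *)) get_payload_type`, which defeats the signature checking that the upstream METHOD/INIT pattern gives the compiler. The HEAD body sets `this->ts_type = TS_IPV4_ADDR_RANGE` under the comment `must be set to be valid`; the upstream side keeps the same default (`.ts_type = TS_IPV4_ADDR_RANGE`, visible in the next hunk), so nothing is lost by dropping HEAD.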
@@ -222,11 +359,27 @@ traffic_selector_substructure_t *traffic_selector_substructure_create() .ts_type = TS_IPV4_ADDR_RANGE, ); return &this->public; +>>>>>>> upstream/4.5.1 } /* * Described in header */ +<<<<<<< HEAD +traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector) +{ + private_traffic_selector_substructure_t *this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create(); + this->ts_type = traffic_selector->get_type(traffic_selector); + this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector); + this->start_port = traffic_selector->get_from_port(traffic_selector); + this->end_port = traffic_selector->get_to_port(traffic_selector); + this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector)); + this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector)); + + compute_length(this); + + return &(this->public); +======= traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector( traffic_selector_t *ts) { @@ -243,4 +396,5 @@ traffic_selector_substructure_t *traffic_selector_substructure_create_from_traff this->ending_address.len + this->starting_address.len; return &this->public; +>>>>>>> upstream/4.5.1 } diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c index 7d21258b1..7332b939b 100644 --- a/src/libcharon/encoding/payloads/transform_attribute.c +++ b/src/libcharon/encoding/payloads/transform_attribute.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * 
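Review bot: The create_from_traffic_selector conflict pairs with the compute_length helper from the previous hunk — HEAD calls `compute_length(this)`, upstream computes `payload_length` inline — so the two hunks must be resolved to the same side or the HEAD call will reference a function upstream removed. Keep upstream. The transform_attribute.c copyright-header hunk is a comment-only conflict, but the markers sit inside the `/* ... */` block and still break the file; take upstream there as well.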
@@ -27,9 +31,15 @@ typedef struct private_transform_attribute_t private_transform_attribute_t; /** * Private data of an transform_attribute_t object. +<<<<<<< HEAD + * + */ +struct private_transform_attribute_t { +======= */ struct private_transform_attribute_t { +>>>>>>> upstream/4.5.1 /** * Public transform_attribute_t interface. */ @@ -71,6 +81,10 @@ ENUM_END(transform_attribute_type_name, KEY_LENGTH); * * The defined offsets are the positions in a object of type * private_transform_attribute_t. +<<<<<<< HEAD + * +======= +>>>>>>> upstream/4.5.1 */ encoding_rule_t transform_attribute_encodings[] = { /* Flag defining the format of this payload */ @@ -78,7 +92,11 @@ encoding_rule_t transform_attribute_encodings[] = { /* type of the attribute as 15 bit unsigned integer */ { ATTRIBUTE_TYPE, offsetof(private_transform_attribute_t, attribute_type) }, /* Length or value, depending on the attribute format flag */ +<<<<<<< HEAD + { ATTRIBUTE_LENGTH_OR_VALUE, offsetof(private_transform_attribute_t, attribute_length_or_value) }, +======= { ATTRIBUTE_LENGTH_OR_VALUE,offsetof(private_transform_attribute_t, attribute_length_or_value) }, +>>>>>>> upstream/4.5.1 /* Value of attribute if attribute format flag is zero */ { ATTRIBUTE_VALUE, offsetof(private_transform_attribute_t, attribute_value) } }; 
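Review bot: These three transform_attribute.c hunks differ only in whitespace (a blank comment line in the struct and encoding-rule headers, and a space after `ATTRIBUTE_LENGTH_OR_VALUE,`), yet the committed conflict markers land inside a block comment and inside the `transform_attribute_encodings[]` initializer, so the file fails to compile. Resolve all three to upstream; no behaviour is at stake.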
@@ -95,6 +113,34 @@ encoding_rule_t transform_attribute_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_transform_attribute_t *this) +{ + if (this->attribute_type != KEY_LENGTH) + { + return FAILED; + } + + return SUCCESS; +} + +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_transform_attribute_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = transform_attribute_encodings; + *rule_count = sizeof(transform_attribute_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(private_transform_attribute_t *this) +======= METHOD(payload_t, verify, status_t, private_transform_attribute_t *this) { 
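Review bot: This hunk commits a HEAD-side definition of verify, get_encoding_rules and get_type next to the upstream METHOD ones, separated by conflict markers, so transform_attribute.c has duplicate definitions and stray `<<<<<<<` tokens; resolve to upstream. Only the HEAD verify body is visible here (`if (this->attribute_type != KEY_LENGTH) return FAILED;`); the upstream verify body continues past the hunk, so confirm after resolution that KEY_LENGTH remains the only accepted attribute type if that restriction is intended.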
@@ -111,10 +157,61 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_transform_attribute_t *this) +>>>>>>> upstream/4.5.1 { return TRANSFORM_ATTRIBUTE; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_transform_attribute_t *this) +{ + return (NO_PAYLOAD); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_transform_attribute_t *this,payload_type_t type) +{ +} + +/** + * Implementation of transform_attribute_t.get_length. + */ +static size_t get_length(private_transform_attribute_t *this) +{ + if (this->attribute_format == TRUE) + { + /*Attribute size is only 4 byte */ + return 4; + } + return (this->attribute_length_or_value + 4); +} + +/** + * Implementation of transform_attribute_t.set_value_chunk. + */ +static void set_value_chunk(private_transform_attribute_t *this, chunk_t value) +{ + if (this->attribute_value.ptr != NULL) + { + /* free existing value */ + free(this->attribute_value.ptr); + this->attribute_value.ptr = NULL; + this->attribute_value.len = 0; + + } + + if (value.len > 2) + { + this->attribute_value.ptr = clalloc(value.ptr,value.len); + this->attribute_value.len = value.len; + this->attribute_length_or_value = value.len; + /* attribute has not a fixed length */ +======= METHOD(payload_t, get_next_type, payload_type_t, private_transform_attribute_t *this) { 
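Review bot: This hunk commits a second, HEAD-side definition of get_next_type, set_next_type, get_length and set_value_chunk alongside the upstream METHOD ones, separated by conflict markers, so the file has duplicate symbols and does not compile; resolve to upstream. HEAD's get_length returns 4 for the TV form and `this->attribute_length_or_value + 4` otherwise, but upstream's get_length body lies outside this hunk and cannot be compared here. HEAD's set_value_chunk is cut off at the end of the hunk; the visible part frees the old value and, for `value.len > 2`, copies with `clalloc` and sets `attribute_length_or_value = value.len`, with the short-value branch continuing in the next hunk.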
@@ -145,10 +242,58 @@ METHOD(transform_attribute_t, set_value_chunk, void, { this->attribute_value = chunk_clone(value); this->attribute_length_or_value = value.len; +>>>>>>> upstream/4.5.1 this->attribute_format = FALSE; } else { +<<<<<<< HEAD + memcpy(&(this->attribute_length_or_value),value.ptr,value.len); + } +} + +/** + * Implementation of transform_attribute_t.set_value. + */ +static void set_value(private_transform_attribute_t *this, u_int16_t value) +{ + if (this->attribute_value.ptr != NULL) + { + /* free existing value */ + free(this->attribute_value.ptr); + this->attribute_value.ptr = NULL; + this->attribute_value.len = 0; + + } + this->attribute_length_or_value = value; +} + +/** + * Implementation of transform_attribute_t.get_value_chunk. + */ +static chunk_t get_value_chunk (private_transform_attribute_t *this) +{ + chunk_t value; + + if (this->attribute_format == FALSE) + { + value.ptr = this->attribute_value.ptr; + value.len = this->attribute_value.len; + } + else + { + value.ptr = (void *) &(this->attribute_length_or_value); + value.len = 2; + } + + return value; +} + +/** + * Implementation of transform_attribute_t.get_value. + */ +static u_int16_t get_value (private_transform_attribute_t *this) +======= memcpy(&this->attribute_length_or_value, value.ptr, value.len); } } 
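Review bot: In set_value_chunk the short-value branch (`memcpy(&(this->attribute_length_or_value), value.ptr, value.len)`, present on both sides) copies 0–2 bytes into a u_int16_t without clearing it first and without setting the format flag, so a value shorter than two bytes keeps a stale high byte and `attribute_format` stays at whatever it was, even though the TLV value has just been freed; add `this->attribute_length_or_value = 0;` before the memcpy and `this->attribute_format = TRUE;` after it. HEAD's set_value has the same omission: it frees `attribute_value` but never switches the format flag. The byte order of the two copied bytes relative to the ATTRIBUTE_LENGTH_OR_VALUE encoding rule is not visible here and should be checked. The conflict markers in this hunk still need resolving to upstream.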
@@ -173,28 +318,55 @@ METHOD(transform_attribute_t, get_value_chunk, chunk_t, METHOD(transform_attribute_t, get_value, u_int16_t, private_transform_attribute_t *this) +>>>>>>> upstream/4.5.1 { return this->attribute_length_or_value; } +<<<<<<< HEAD + +/** + * Implementation of transform_attribute_t.set_attribute_type. + */ +static void set_attribute_type (private_transform_attribute_t *this, u_int16_t type) +======= METHOD(transform_attribute_t, set_attribute_type, void, private_transform_attribute_t *this, u_int16_t type) +>>>>>>> upstream/4.5.1 { this->attribute_type = type & 0x7FFF; } +<<<<<<< HEAD +/** + * Implementation of transform_attribute_t.get_attribute_type. + */ +static u_int16_t get_attribute_type (private_transform_attribute_t *this) +======= METHOD(transform_attribute_t, get_attribute_type, u_int16_t, private_transform_attribute_t *this) +>>>>>>> upstream/4.5.1 { return this->attribute_type; } +<<<<<<< HEAD +/** + * Implementation of transform_attribute_t.clone. + */ +static transform_attribute_t * _clone(private_transform_attribute_t *this) +{ + private_transform_attribute_t *new_clone; + + new_clone = (private_transform_attribute_t *) transform_attribute_create(); +======= METHOD(transform_attribute_t, clone_, transform_attribute_t*, private_transform_attribute_t *this) { private_transform_attribute_t *new_clone; new_clone = (private_transform_attribute_t *)transform_attribute_create(); +>>>>>>> upstream/4.5.1 new_clone->attribute_format = this->attribute_format; new_clone->attribute_type = this->attribute_type; 
@@ -202,6 +374,24 @@ METHOD(transform_attribute_t, clone_, transform_attribute_t*, if (!new_clone->attribute_format) { +<<<<<<< HEAD + new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len); + new_clone->attribute_value.len = this->attribute_value.len; + } + + return (transform_attribute_t *) new_clone; +} + +/** + * Implementation of transform_attribute_t.destroy and payload_t.destroy. + */ +static void destroy(private_transform_attribute_t *this) +{ + if (this->attribute_value.ptr != NULL) + { + free(this->attribute_value.ptr); + } +======= new_clone->attribute_value = chunk_clone(this->attribute_value); } return &new_clone->public; @@ -211,6 +401,7 @@ METHOD2(payload_t, transform_attribute_t, destroy, void, private_transform_attribute_t *this) { free(this->attribute_value.ptr); +>>>>>>> upstream/4.5.1 free(this); } 
@@ -219,6 +410,37 @@ METHOD2(payload_t, transform_attribute_t, destroy, void, */ transform_attribute_t *transform_attribute_create() { +<<<<<<< HEAD + private_transform_attribute_t *this = malloc_thing(private_transform_attribute_t); + + /* payload interface */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk; + this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value; + this->public.get_value_chunk = (chunk_t (*) (transform_attribute_t *)) get_value_chunk; + this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value; + this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type; + this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type; + this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone; + this->public.destroy = (void (*) (transform_attribute_t *)) destroy; + + /* set default values of the fields */ + this->attribute_format = TRUE; + this->attribute_type = 0; + this->attribute_length_or_value = 0; + this->attribute_value.ptr = NULL; + this->attribute_value.len = 0; + + return (&(this->public)); +======= private_transform_attribute_t *this; INIT(this, 
@@ -244,6 +466,7 @@ transform_attribute_t *transform_attribute_create() .attribute_format = TRUE, ); return &this->public; +>>>>>>> upstream/4.5.1 } /* @@ -252,7 +475,12 @@ transform_attribute_t *transform_attribute_create() transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length) { transform_attribute_t *attribute = transform_attribute_create(); +<<<<<<< HEAD + attribute->set_attribute_type(attribute,KEY_LENGTH); + attribute->set_value(attribute,key_length); +======= attribute->set_attribute_type(attribute, KEY_LENGTH); attribute->set_value(attribute, key_length); +>>>>>>> upstream/4.5.1 return attribute; } diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c index 0428da726..fa711a7b5 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.c +++ b/src/libcharon/encoding/payloads/transform_substructure.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -25,13 +29,23 @@ #include <utils/linked_list.h> #include <daemon.h> +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 typedef struct private_transform_substructure_t private_transform_substructure_t; /** * Private data of an transform_substructure_t object. +<<<<<<< HEAD + * + */ +struct private_transform_substructure_t { +======= */ struct private_transform_substructure_t { +>>>>>>> upstream/4.5.1 /** * Public transform_substructure_t interface. */ @@ -41,16 +55,24 @@ struct private_transform_substructure_t { * Next payload type. */ u_int8_t next_payload; +<<<<<<< HEAD + +======= /** * Reserved bytes */ u_int8_t reserved[2]; +>>>>>>> upstream/4.5.1 /** * Length of this payload. */ u_int16_t transform_length; +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 /** * Type of the transform. */ 
@@ -67,11 +89,35 @@ struct private_transform_substructure_t { linked_list_t *attributes; }; +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 /** * Encoding rules to parse or generate a Transform substructure. * * The defined offsets are the positions in a object of type * private_transform_substructure_t. +<<<<<<< HEAD + * + */ +encoding_rule_t transform_substructure_encodings[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_transform_substructure_t, next_payload) }, + /* Reserved Byte is skipped */ + { RESERVED_BYTE, 0 }, + /* Length of the whole transform substructure*/ + { PAYLOAD_LENGTH, offsetof(private_transform_substructure_t, transform_length) }, + /* transform type is a number of 8 bit */ + { U_INT_8, offsetof(private_transform_substructure_t, transform_type) }, + /* Reserved Byte is skipped */ + { RESERVED_BYTE, 0 }, + /* tranform ID is a number of 8 bit */ + { U_INT_16, offsetof(private_transform_substructure_t, transform_id) }, + /* Attributes are stored in a transform attribute, + offset points to a linked_list_t pointer */ + { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes) } +======= */ encoding_rule_t transform_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ @@ -89,6 +135,7 @@ encoding_rule_t transform_substructure_encodings[] = { /* Attributes are stored in a transform attribute, offset points to a linked_list_t pointer */ { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes) } +>>>>>>> upstream/4.5.1 }; /* 
@@ -105,6 +152,21 @@ encoding_rule_t transform_substructure_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD + +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_transform_substructure_t *this) +{ + status_t status = SUCCESS; + iterator_t *iterator; + payload_t *current_attributes; + + if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3)) + { + /* must be 0 or 3 */ +======= METHOD(payload_t, verify, status_t, private_transform_substructure_t *this) { @@ -114,6 +176,7 @@ METHOD(payload_t, verify, status_t, if (this->next_payload != NO_PAYLOAD && this->next_payload != 3) { +>>>>>>> upstream/4.5.1 DBG1(DBG_ENC, "inconsistent next payload"); return FAILED; } @@ -134,6 +197,19 @@ METHOD(payload_t, verify, status_t, return FAILED; } } +<<<<<<< HEAD + iterator = this->attributes->create_iterator(this->attributes,TRUE); + + while(iterator->iterate(iterator, (void**)¤t_attributes)) + { + status = current_attributes->verify(current_attributes); + if (status != SUCCESS) + { + DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed"); + } + } + iterator->destroy(iterator); +======= enumerator = this->attributes->create_enumerator(this->attributes); while (enumerator->enumerate(enumerator, &attribute)) 
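Review bot: On the HEAD side of the `@@ -134,6 +197,19 @@` hunk, the attribute-verification loop in `verify` logs a failed `current_attributes->verify(current_attributes)` but neither breaks nor records the failure, so `status` is overwritten on the next iteration and a malformed TRANSFORM_ATTRIBUTE followed by a well-formed one makes the substructure verify as SUCCESS. If that side is what conflict resolution keeps, the `if (status != SUCCESS)` block should leave the loop, e.g. `DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed"); break;`, matching the `break` the ts_payload `verify` loop uses later in this series. The upstream side's loop body lies outside this hunk, so whether it already does this cannot be confirmed from here; `¤t_attributes` in the HEAD side looks like a rendering artefact of `&current_attributes` rather than source text.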
@@ -146,11 +222,27 @@ METHOD(payload_t, verify, status_t, } } enumerator->destroy(enumerator); +>>>>>>> upstream/4.5.1 /* proposal number is checked in SA payload */ return status; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = transform_substructure_encodings; + *rule_count = sizeof(transform_substructure_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_type(private_transform_substructure_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) @@ -161,14 +253,24 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_transform_substructure_t *this) +>>>>>>> upstream/4.5.1 { return TRANSFORM_SUBSTRUCTURE; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_transform_substructure_t *this) +{ + return (this->next_payload); +======= METHOD(payload_t, get_next_type, payload_type_t, private_transform_substructure_t *this) { return this->next_payload; +>>>>>>> upstream/4.5.1 } /** 
@@ -176,6 +278,83 @@ METHOD(payload_t, get_next_type, payload_type_t, */ static void compute_length (private_transform_substructure_t *this) { +<<<<<<< HEAD + iterator_t *iterator; + payload_t *current_attribute; + size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; + + iterator = this->attributes->create_iterator(this->attributes,TRUE); + while (iterator->iterate(iterator, (void**)¤t_attribute)) + { + length += current_attribute->get_length(current_attribute); + } + iterator->destroy(iterator); + + this->transform_length = length; +} + +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_transform_substructure_t *this) +{ + compute_length(this); + return this->transform_length; +} + +/** + * Implementation of transform_substructure_t.create_transform_attribute_iterator. + */ +static iterator_t *create_transform_attribute_iterator (private_transform_substructure_t *this,bool forward) +{ + return this->attributes->create_iterator(this->attributes,forward); +} + +/** + * Implementation of transform_substructure_t.add_transform_attribute. + */ +static void add_transform_attribute (private_transform_substructure_t *this,transform_attribute_t *attribute) +{ + this->attributes->insert_last(this->attributes,(void *) attribute); + compute_length(this); +} + +/** + * Implementation of transform_substructure_t.set_is_last_transform. + */ +static void set_is_last_transform (private_transform_substructure_t *this, bool is_last) +{ + this->next_payload = (is_last) ? 0: TRANSFORM_TYPE_VALUE; +} + +/** + * Implementation of transform_substructure_t.get_is_last_transform. + */ +static bool get_is_last_transform (private_transform_substructure_t *this) +{ + return ((this->next_payload == TRANSFORM_TYPE_VALUE) ? FALSE : TRUE); +} + +/** + * Implementation of payload_t.set_next_type. 
+ */ +static void set_next_type(private_transform_substructure_t *this,payload_type_t type) +{ +} + +/** + * Implementation of transform_substructure_t.set_transform_type. + */ +static void set_transform_type (private_transform_substructure_t *this,u_int8_t type) +{ + this->transform_type = type; +} + +/** + * Implementation of transform_substructure_t.get_transform_type. + */ +static u_int8_t get_transform_type (private_transform_substructure_t *this) +======= enumerator_t *enumerator; payload_t *attribute; 
@@ -207,16 +386,87 @@ METHOD(payload_t, set_next_type, void, METHOD(transform_substructure_t, get_transform_type, u_int8_t, private_transform_substructure_t *this) +>>>>>>> upstream/4.5.1 { return this->transform_type; } +<<<<<<< HEAD +/** + * Implementation of transform_substructure_t.set_transform_id. + */ +static void set_transform_id (private_transform_substructure_t *this,u_int16_t id) +{ + this->transform_id = id; +} + +/** + * Implementation of transform_substructure_t.get_transform_id. + */ +static u_int16_t get_transform_id (private_transform_substructure_t *this) +======= METHOD(transform_substructure_t, get_transform_id, u_int16_t, private_transform_substructure_t *this) +>>>>>>> upstream/4.5.1 { return this->transform_id; } +<<<<<<< HEAD +/** + * Implementation of transform_substructure_t.clone. + */ +static transform_substructure_t *clone_(private_transform_substructure_t *this) +{ + private_transform_substructure_t *clone; + iterator_t *attributes; + transform_attribute_t *current_attribute; + + clone = (private_transform_substructure_t *) transform_substructure_create(); + clone->next_payload = this->next_payload; + clone->transform_type = this->transform_type; + clone->transform_id = this->transform_id; + + attributes = this->attributes->create_iterator(this->attributes, FALSE); + while (attributes->iterate(attributes, (void**)¤t_attribute)) + { + current_attribute = current_attribute->clone(current_attribute); + clone->public.add_transform_attribute(&clone->public, current_attribute); + } + attributes->destroy(attributes); + + return &clone->public; +} + + +/** + * Implementation of transform_substructure_t.get_key_length. 
+ */ +static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length) +{ + iterator_t *attributes; + transform_attribute_t *current_attribute; + + attributes = this->attributes->create_iterator(this->attributes, TRUE); + while (attributes->iterate(attributes, (void**)¤t_attribute)) + { + if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH) + { + *key_length = current_attribute->get_value(current_attribute); + attributes->destroy(attributes); + return SUCCESS; + } + } + attributes->destroy(attributes); + return FAILED; +} + + +/** + * Implementation of transform_substructure_t.destroy and payload_t.destroy. + */ +static void destroy(private_transform_substructure_t *this) +======= METHOD(transform_substructure_t, get_key_length, status_t, private_transform_substructure_t *this, u_int16_t *key_length) { @@ -239,6 +489,7 @@ METHOD(transform_substructure_t, get_key_length, status_t, METHOD2(payload_t, transform_substructure_t, destroy, void, private_transform_substructure_t *this) +>>>>>>> upstream/4.5.1 { this->attributes->destroy_offset(this->attributes, offsetof(transform_attribute_t, destroy)); 
@@ -250,6 +501,40 @@ METHOD2(payload_t, transform_substructure_t, destroy, void, */ transform_substructure_t *transform_substructure_create() { +<<<<<<< HEAD + private_transform_substructure_t *this = malloc_thing(private_transform_substructure_t); + + /* payload interface */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator; + this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute; + this->public.set_is_last_transform = (void (*) (transform_substructure_t *,bool)) set_is_last_transform; + this->public.get_is_last_transform = (bool (*) (transform_substructure_t *)) get_is_last_transform; + this->public.set_transform_type = (void (*) (transform_substructure_t *,u_int8_t)) set_transform_type; + this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type; + this->public.set_transform_id = (void (*) (transform_substructure_t *,u_int16_t)) set_transform_id; + this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id; + this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length; + this->public.clone = 
(transform_substructure_t* (*) (transform_substructure_t *)) clone_; + this->public.destroy = (void (*) (transform_substructure_t *)) destroy; + + /* set default values of the fields */ + this->next_payload = NO_PAYLOAD; + this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; + this->transform_id = 0; + this->transform_type = 0; + this->attributes = linked_list_create(); + + return (&(this->public)); +======= private_transform_substructure_t *this; INIT(this, @@ -274,12 +559,32 @@ transform_substructure_t *transform_substructure_create() .attributes = linked_list_create(), ); return &this->public; +>>>>>>> upstream/4.5.1 } /* * Described in header */ transform_substructure_t *transform_substructure_create_type( +<<<<<<< HEAD + transform_type_t transform_type, + u_int16_t transform_id, u_int16_t key_length) +{ + transform_substructure_t *transform = transform_substructure_create(); + + transform->set_transform_type(transform,transform_type); + transform->set_transform_id(transform,transform_id); + + if (key_length) + { + transform_attribute_t *attribute; + + attribute = transform_attribute_create_key_length(key_length); + transform->add_transform_attribute(transform, attribute); + + } + return transform; +======= transform_type_t type, u_int16_t id, u_int16_t key_length) { private_transform_substructure_t *this; @@ -295,5 +600,6 @@ transform_substructure_t *transform_substructure_create_type( compute_length(this); } return &this->public; +>>>>>>> upstream/4.5.1 } diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index c961700a4..2a60b65ba 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h 
@@ -34,6 +34,10 @@ typedef struct transform_substructure_t transform_substructure_t; #include <crypto/crypters/crypter.h> #include <config/proposal.h> +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 /** * IKEv1 Value for a transform payload. */ @@ -44,19 +48,42 @@ typedef struct transform_substructure_t transform_substructure_t; */ #define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8 +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 /** * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE. * * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2. */ struct transform_substructure_t { +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 /** * The payload_t interface. */ payload_t payload_interface; /** +<<<<<<< HEAD + * Creates an iterator of stored transform_attribute_t objects. + * + * When deleting an transform attribute using this iterator, + * the length of this transform substructure has to be refreshed + * by calling get_length(). + * + * @param forward iterator direction (TRUE: front to end) + * @return created iterator_t object. + */ + iterator_t * (*create_transform_attribute_iterator) ( + transform_substructure_t *this, bool forward); + + /** +======= +>>>>>>> upstream/4.5.1 * Adds a transform_attribute_t object to this object. * * @param proposal transform_attribute_t object to add @@ -75,6 +102,23 @@ struct transform_substructure_t { void (*set_is_last_transform) (transform_substructure_t *this, bool is_last); /** +<<<<<<< HEAD + * Checks if this is the last transform. + * + * @return TRUE if this is the last Transform, FALSE otherwise + */ + bool (*get_is_last_transform) (transform_substructure_t *this); + + /** + * Sets transform type of the current transform substructure. + * + * @param type type value to set + */ + void (*set_transform_type) (transform_substructure_t *this, u_int8_t type); + + /** +======= +>>>>>>> upstream/4.5.1 * get transform type of the current transform. * * @return Transform type of current transform substructure. 
@@ -82,14 +126,29 @@ struct transform_substructure_t { u_int8_t (*get_transform_type) (transform_substructure_t *this); /** +<<<<<<< HEAD + * Sets transform id of the current transform substructure. + * + * @param id transform id to set + */ + void (*set_transform_id) (transform_substructure_t *this, u_int16_t id); + + /** + * get transform id of the current transform. +======= * Get transform id of the current transform. +>>>>>>> upstream/4.5.1 * * @return Transform id of current transform substructure. */ u_int16_t (*get_transform_id) (transform_substructure_t *this); /** +<<<<<<< HEAD + * get transform id of the current transform. +======= * Get transform id of the current transform. +>>>>>>> upstream/4.5.1 * * @param key_length The key length is written to this location * @return @@ -101,6 +160,16 @@ struct transform_substructure_t { u_int16_t *key_length); /** +<<<<<<< HEAD + * Clones an transform_substructure_t object. + * + * @return cloned transform_substructure_t object + */ + transform_substructure_t* (*clone) (transform_substructure_t *this); + + /** +======= +>>>>>>> upstream/4.5.1 * Destroys an transform_substructure_t object. */ void (*destroy) (transform_substructure_t *this); 
@@ -109,13 +178,31 @@ struct transform_substructure_t { /** * Creates an empty transform_substructure_t object. * +<<<<<<< HEAD + * @return created transform_substructure_t object +======= * @return created transform_substructure_t object +>>>>>>> upstream/4.5.1 */ transform_substructure_t *transform_substructure_create(void); /** * Creates an empty transform_substructure_t object. * +<<<<<<< HEAD + * The key length is used for the transport types ENCRYPTION_ALGORITHM, + * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all + * other transport types the key_length parameter is not used + * + * @param transform_type type of transform to create + * @param transform_id transform id specifying the specific algorithm of a transform type + * @param key_length Key length for key lenght attribute + * @return transform_substructure_t object + */ +transform_substructure_t *transform_substructure_create_type( + transform_type_t transform_type, u_int16_t transform_id, + u_int16_t key_length); +======= * @param type type of transform to create * @param id transform id specifc for the transform type * @param key_length key length for key lenght attribute, 0 to omit @@ -123,5 +210,6 @@ transform_substructure_t *transform_substructure_create(void); */ transform_substructure_t *transform_substructure_create_type( transform_type_t type, u_int16_t id, u_int16_t key_length); +>>>>>>> upstream/4.5.1 #endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c index 28f760e40..db01b433f 100644 --- a/src/libcharon/encoding/payloads/ts_payload.c +++ b/src/libcharon/encoding/payloads/ts_payload.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2006 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * 
@@ -26,9 +30,15 @@ typedef struct private_ts_payload_t private_ts_payload_t; /** * Private data of an ts_payload_t object. +<<<<<<< HEAD + * + */ +struct private_ts_payload_t { +======= */ struct private_ts_payload_t { +>>>>>>> upstream/4.5.1 /** * Public ts_payload_t interface. */ @@ -50,6 +60,8 @@ struct private_ts_payload_t { bool critical; /** +<<<<<<< HEAD +======= * reserved bits */ bool reserved_bit[7]; @@ -60,6 +72,7 @@ struct private_ts_payload_t { bool reserved_byte[3]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; @@ -67,12 +80,20 @@ struct private_ts_payload_t { /** * Number of traffic selectors */ +<<<<<<< HEAD + u_int8_t number_of_traffic_selectors; +======= u_int8_t ts_num; +>>>>>>> upstream/4.5.1 /** * Contains the traffic selectors of type traffic_selector_substructure_t. */ +<<<<<<< HEAD + linked_list_t *traffic_selectors; +======= linked_list_t *substrs; +>>>>>>> upstream/4.5.1 }; /** 
@@ -80,6 +101,33 @@ struct private_ts_payload_t { * * The defined offsets are the positions in a object of type * private_ts_payload_t. +<<<<<<< HEAD + * + */ +encoding_rule_t ts_payload_encodings[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_ts_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_ts_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole payload*/ + { PAYLOAD_LENGTH, offsetof(private_ts_payload_t, payload_length)}, + /* 1 Byte TS type*/ + { U_INT_8, offsetof(private_ts_payload_t, number_of_traffic_selectors) }, + /* 3 reserved bytes */ + { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, + /* some ts data bytes, length is defined in PAYLOAD_LENGTH */ + { TRAFFIC_SELECTORS, offsetof(private_ts_payload_t, traffic_selectors) } +======= */ encoding_rule_t ts_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ @@ -104,6 +152,7 @@ encoding_rule_t ts_payload_encodings[] = { { RESERVED_BYTE, offsetof(private_ts_payload_t, reserved_byte[2])}, /* some ts data bytes, length is defined in PAYLOAD_LENGTH */ { TRAFFIC_SELECTORS,offsetof(private_ts_payload_t, substrs) } +>>>>>>> upstream/4.5.1 }; /* 
@@ -120,6 +169,27 @@ encoding_rule_t ts_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_ts_payload_t *this) +{ + iterator_t *iterator; + payload_t *current_traffic_selector; + status_t status = SUCCESS; + + if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors))) + { + /* must be the same */ + return FAILED; + } + + iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE); + while(iterator->iterate(iterator, (void**)¤t_traffic_selector)) + { + status = current_traffic_selector->verify(current_traffic_selector); +======= METHOD(payload_t, verify, status_t, private_ts_payload_t *this) { @@ -135,16 +205,36 @@ METHOD(payload_t, verify, status_t, while (enumerator->enumerate(enumerator, &substr)) { status = substr->verify(substr); +>>>>>>> upstream/4.5.1 if (status != SUCCESS) { break; } } +<<<<<<< HEAD + iterator->destroy(iterator); +======= enumerator->destroy(enumerator); +>>>>>>> upstream/4.5.1 return status; } +<<<<<<< HEAD +/** + * Implementation of ts_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = ts_payload_encodings; + *rule_count = sizeof(ts_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_ts_payload_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { 
@@ -154,11 +244,32 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_ts_payload_t *this) +>>>>>>> upstream/4.5.1 { if (this->is_initiator) { return TRAFFIC_SELECTOR_INITIATOR; } +<<<<<<< HEAD + else + { + return TRAFFIC_SELECTOR_RESPONDER; + } +} + +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_ts_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_ts_payload_t *this,payload_type_t type) +======= return TRAFFIC_SELECTOR_RESPONDER; } @@ -170,6 +281,7 @@ METHOD(payload_t, get_next_type, payload_type_t, METHOD(payload_t, set_next_type, void, private_ts_payload_t *this,payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } 
@@ -177,6 +289,48 @@ METHOD(payload_t, set_next_type, void, /** * recompute the length of the payload. */ +<<<<<<< HEAD +static void compute_length (private_ts_payload_t *this) +{ + iterator_t *iterator; + size_t ts_count = 0; + size_t length = TS_PAYLOAD_HEADER_LENGTH; + payload_t *current_traffic_selector; + + iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE); + while (iterator->iterate(iterator, (void**)¤t_traffic_selector)) + { + length += current_traffic_selector->get_length(current_traffic_selector); + ts_count++; + } + iterator->destroy(iterator); + + this->number_of_traffic_selectors= ts_count; + this->payload_length = length; +} + +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_ts_payload_t *this) +{ + compute_length(this); + return this->payload_length; +} + +/** + * Implementation of ts_payload_t.get_initiator. + */ +static bool get_initiator (private_ts_payload_t *this) +{ + return (this->is_initiator); +} + +/** + * Implementation of ts_payload_t.set_initiator. + */ +static void set_initiator (private_ts_payload_t *this,bool is_initiator) +======= static void compute_length(private_ts_payload_t *this) { enumerator_t *enumerator; 
@@ -207,10 +361,58 @@ METHOD(ts_payload_t, get_initiator, bool, METHOD(ts_payload_t, set_initiator, void, private_ts_payload_t *this,bool is_initiator) +>>>>>>> upstream/4.5.1 { this->is_initiator = is_initiator; } +<<<<<<< HEAD +/** + * Implementation of ts_payload_t.add_traffic_selector_substructure. + */ +static void add_traffic_selector_substructure (private_ts_payload_t *this,traffic_selector_substructure_t *traffic_selector) +{ + this->traffic_selectors->insert_last(this->traffic_selectors,traffic_selector); + this->number_of_traffic_selectors = this->traffic_selectors->get_count(this->traffic_selectors); +} + +/** + * Implementation of ts_payload_t.create_traffic_selector_substructure_iterator. + */ +static iterator_t * create_traffic_selector_substructure_iterator (private_ts_payload_t *this, bool forward) +{ + return this->traffic_selectors->create_iterator(this->traffic_selectors,forward); +} + +/** + * Implementation of ts_payload_t.get_traffic_selectors. + */ +static linked_list_t *get_traffic_selectors(private_ts_payload_t *this) +{ + traffic_selector_t *ts; + iterator_t *iterator; + traffic_selector_substructure_t *ts_substructure; + linked_list_t *ts_list = linked_list_create(); + + iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE); + while (iterator->iterate(iterator, (void**)&ts_substructure)) + { + ts = ts_substructure->get_traffic_selector(ts_substructure); + ts_list->insert_last(ts_list, (void*)ts); + } + iterator->destroy(iterator); + + return ts_list; +} + +/** + * Implementation of payload_t.destroy and ts_payload_t.destroy. + */ +static void destroy(private_ts_payload_t *this) +{ + this->traffic_selectors->destroy_offset(this->traffic_selectors, + offsetof(payload_t, destroy)); +======= METHOD(ts_payload_t, get_traffic_selectors, linked_list_t*, private_ts_payload_t *this) { 
@@ -235,6 +437,7 @@ METHOD2(payload_t, ts_payload_t, destroy, void, private_ts_payload_t *this) { this->substrs->destroy_offset(this->substrs, offsetof(payload_t, destroy)); +>>>>>>> upstream/4.5.1 free(this); } 
@@ -243,6 +446,36 @@ METHOD2(payload_t, ts_payload_t, destroy, void, */ ts_payload_t *ts_payload_create(bool is_initiator) { +<<<<<<< HEAD + private_ts_payload_t *this = malloc_thing(private_ts_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.destroy = (void (*) (ts_payload_t *)) destroy; + this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator; + this->public.set_initiator = (void (*) (ts_payload_t *,bool)) set_initiator; + this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure; + this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator; + this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors; + + /* private variables */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length =TS_PAYLOAD_HEADER_LENGTH; + this->is_initiator = is_initiator; + this->number_of_traffic_selectors = 0; + this->traffic_selectors = linked_list_create(); + + return &(this->public); +======= private_ts_payload_t *this; INIT(this, 
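Review bot: Both constructors for `ts_payload_t` are left in place between the conflict markers — the HEAD `malloc_thing` version with hand-written function-pointer casts and the upstream `INIT(this, …)` version — and neither is selected. Resolving to upstream is the safer choice: the HEAD side installs callbacks through casts such as `(status_t (*) (payload_t *))verify`, which hides any drift between the interface prototype and the implementation from the compiler, whereas the `METHOD()` helpers used by the upstream side keep the prototypes checkable. The HEAD constructor also wires `add_traffic_selector_substructure` and `create_traffic_selector_substructure_iterator`, members that only exist in the HEAD version of ts_payload.h, so header and source must be resolved to the same side. The upstream `INIT` body continues outside the hunk.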
@@ -267,21 +500,43 @@ ts_payload_t *ts_payload_create(bool is_initiator) .substrs = linked_list_create(), ); return &this->public; +>>>>>>> upstream/4.5.1 } /* * Described in header */ +<<<<<<< HEAD +ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors) +{ + iterator_t *iterator; + traffic_selector_t *ts; + traffic_selector_substructure_t *ts_substructure; +======= ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors) { enumerator_t *enumerator; traffic_selector_t *ts; traffic_selector_substructure_t *subst; +>>>>>>> upstream/4.5.1 private_ts_payload_t *this; this = (private_ts_payload_t*)ts_payload_create(is_initiator); +<<<<<<< HEAD + iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE); + while (iterator->iterate(iterator, (void**)&ts)) + { + ts_substructure = traffic_selector_substructure_create_from_traffic_selector(ts); + this->public.add_traffic_selector_substructure(&(this->public), ts_substructure); + } + iterator->destroy(iterator); + + return &(this->public); +} + +======= enumerator = traffic_selectors->create_enumerator(traffic_selectors); while (enumerator->enumerate(enumerator, &ts)) { @@ -293,3 +548,4 @@ ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, return &this->public; } +>>>>>>> upstream/4.5.1 diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h index 88ca00bc9..eb39a5c1d 100644 --- a/src/libcharon/encoding/payloads/ts_payload.h +++ b/src/libcharon/encoding/payloads/ts_payload.h @@ -19,6 +19,10 @@ * @{ @ingroup payloads */ +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 #ifndef TS_PAYLOAD_H_ #define TS_PAYLOAD_H_ 
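Review bot: If both sides of this conflict are kept, `ts_payload_create_from_traffic_selectors` is defined twice with the same signature (once over `iterator_t`, once over `enumerator_t`), a hard compile error, and the lone `+>>>>>>> upstream/4.5.1` in the following `@@ -293,3 +548,4 @@` hunk shows the conflict runs to end of file. The upstream body is the one to keep, as it uses the `enumerator_t` API the rest of 4.5.1 is written against. Neither variant says whether `traffic_selector_substructure_create_from_traffic_selector` copies or takes over each `traffic_selector_t`; the function comment should state which, since that decides whether the caller may destroy its input list afterwards. The ts_payload.h hunk at the end of this line is a whitespace-only conflict and only needs its markers removed.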
@@ -35,13 +39,20 @@ typedef struct ts_payload_t ts_payload_t; */ #define TS_PAYLOAD_HEADER_LENGTH 8 +<<<<<<< HEAD + +======= +>>>>>>> upstream/4.5.1 /** * Class representing an IKEv2 TS payload. * * The TS payload format is described in RFC section 3.13. */ struct ts_payload_t { +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 /** * The payload_t interface. */ @@ -66,6 +77,30 @@ struct ts_payload_t { void (*set_initiator) (ts_payload_t *this,bool is_initiator); /** +<<<<<<< HEAD + * Adds a traffic_selector_substructure_t object to this object. + * + * @param traffic_selector traffic_selector_substructure_t object to add + */ + void (*add_traffic_selector_substructure) (ts_payload_t *this, + traffic_selector_substructure_t *traffic_selector); + + /** + * Creates an iterator of stored traffic_selector_substructure_t objects. + * + * When removing an traffic_selector_substructure_t object + * using this iterator, the length of this payload + * has to get refreshed by calling payload_t.get_length! + * + * @param forward iterator direction (TRUE: front to end) + * @return created iterator_t object + */ + iterator_t *(*create_traffic_selector_substructure_iterator) ( + ts_payload_t *this, bool forward); + + /** +======= +>>>>>>> upstream/4.5.1 * Get a list of nested traffic selectors as traffic_selector_t. * * Resulting list and its traffic selectors must be destroyed after usage 
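Review bot: The conflicted ts_payload.h hunk keeps, under HEAD, `add_traffic_selector_substructure` and `create_traffic_selector_substructure_iterator`, whose own comment admits that removing an entry through the iterator leaves `payload_length` stale until `payload_t.get_length` is called — an invariant every caller must remember. Upstream 4.5.1 drops both methods and exposes only `get_traffic_selectors`, which removes that footgun; the header should be resolved to the upstream side together with ts_payload.c. The remaining conflicts in this hunk (around the blank lines after `TS_PAYLOAD_HEADER_LENGTH` and inside `struct ts_payload_t`) are whitespace-only and just need the markers removed.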
@@ -83,15 +118,28 @@ struct ts_payload_t { /** * Creates an empty ts_payload_t object. * +<<<<<<< HEAD + * @param is_initiator + * - TRUE if this payload is of type TSi + * - FALSE if this payload is of type TSr + * @return ts_payload_t object +======= * @param is_initiator TRUE for TSi, FALSE for TSr payload type * @return ts_payload_t object +>>>>>>> upstream/4.5.1 */ ts_payload_t *ts_payload_create(bool is_initiator); /** * Creates ts_payload with a list of traffic_selector_t * +<<<<<<< HEAD + * @param is_initiator + * - TRUE if this payload is of type TSi + * - FALSE if this payload is of type TSr +======= * @param is_initiator TRUE for TSi, FALSE for TSr payload type +>>>>>>> upstream/4.5.1 * @param traffic_selectors list of traffic selectors to include * @return ts_payload_t object */ diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c index 27af338b3..2f428ed06 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.c +++ b/src/libcharon/encoding/payloads/unknown_payload.c @@ -18,6 +18,11 @@ #include "unknown_payload.h" +<<<<<<< HEAD + + +======= +>>>>>>> upstream/4.5.1 typedef struct private_unknown_payload_t private_unknown_payload_t; /** @@ -31,11 +36,14 @@ struct private_unknown_payload_t { unknown_payload_t public; /** +<<<<<<< HEAD +======= * Type of this payload */ payload_type_t type; /** +>>>>>>> upstream/4.5.1 * Next payload type. */ u_int8_t next_payload; @@ -46,11 +54,14 @@ struct private_unknown_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; 
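Review bot: In the unknown_payload.c portion of this line `private_unknown_payload_t` is conflicted: the upstream side adds a `type` field and `bool reserved[7]`, the HEAD side has neither. The upstream constructor later in this diff takes a `payload_type_t type`, so it presumably stores it in `this->type`; resolving this struct to HEAD while keeping upstream code elsewhere would therefore not compile — pick the upstream side here. The ts_payload.h hunk at the start of this line is a documentation-only conflict (`@param is_initiator` wording) and only needs its markers dropped.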
@@ -70,6 +81,23 @@ struct private_unknown_payload_t { */ encoding_rule_t unknown_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ +<<<<<<< HEAD + { U_INT_8, offsetof(private_unknown_payload_t, next_payload)}, + /* the critical bit */ + { FLAG, offsetof(private_unknown_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole payload*/ + { PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length)}, + /* some unknown data bytes, length is defined in PAYLOAD_LENGTH */ + { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) } +======= { U_INT_8, offsetof(private_unknown_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_unknown_payload_t, critical) }, @@ -85,6 +113,7 @@ encoding_rule_t unknown_payload_encodings[] = { { PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length) }, /* some unknown data bytes, length is defined in PAYLOAD_LENGTH */ { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) }, +>>>>>>> upstream/4.5.1 }; /* @@ -99,6 +128,21 @@ encoding_rule_t unknown_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_unknown_payload_t *this) +{ + /* can't do any checks, so we assume its good */ + return SUCCESS; +} + +/** + * Implementation of payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +======= METHOD(payload_t, verify, status_t, private_unknown_payload_t *this) { 
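Review bot: `verify` for the unknown payload returns `SUCCESS` unconditionally on both sides (`/* can't do any checks, so we assume its good */`), which is fine for the payload itself but means the one check that matters — rejecting a message that carries an unrecognised payload with the critical bit set, as RFC 4306 §2.5 requires — has to happen in the caller, and that code is not in this diff; confirm the message parser still does it after the merge. The encoding-rules table is also conflicted: HEAD uses seven `{ RESERVED_BIT, 0 }` entries with no backing field, upstream (per the struct hunk earlier) has a `reserved[7]` array, so the table must be resolved to the same side as the struct. Once confirmed, a line above `verify` such as `/* critical-bit handling is enforced by the message parser, not here */` would save the next reader the same question.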
@@ -111,11 +155,34 @@ METHOD(payload_t, verify, status_t, METHOD(payload_t, get_encoding_rules, void, private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +>>>>>>> upstream/4.5.1 { *rules = unknown_payload_encodings; *rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t); } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_unknown_payload_t *this) +{ + return UNKNOWN_PAYLOAD; +} + +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_unknown_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_unknown_payload_t *this,payload_type_t type) +======= METHOD(payload_t, get_payload_type, payload_type_t, private_unknown_payload_t *this) { 
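Review bot: The HEAD variant of `get_payload_type` returns the constant `UNKNOWN_PAYLOAD`, whereas the upstream constructor later in this file takes a `payload_type_t type`, so the upstream variant presumably returns the type actually seen on the wire. That difference is more than style: when a critical unknown payload is rejected, the UNSUPPORTED_CRITICAL_PAYLOAD notification must carry the offending one-octet payload type (RFC 4306 §3.10.1), and a constant makes that impossible. Resolve this hunk to the upstream side; the upstream `get_payload_type` body continues outside the hunk.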
@@ -130,22 +197,57 @@ METHOD(payload_t, get_next_type, payload_type_t, METHOD(payload_t, set_next_type, void, private_unknown_payload_t *this,payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_unknown_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_unknown_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of unknown_payload_t.get_data. + */ +static bool is_critical(private_unknown_payload_t *this) +======= METHOD(unknown_payload_t, is_critical, bool, private_unknown_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->critical; } +<<<<<<< HEAD +/** + * Implementation of unknown_payload_t.get_data. + */ +static chunk_t get_data (private_unknown_payload_t *this) +{ + return (this->data); +} + +/** + * Implementation of payload_t.destroy and unknown_payload_t.destroy. + */ +static void destroy(private_unknown_payload_t *this) +{ + if (this->data.ptr != NULL) + { + chunk_free(&(this->data)); + } + +======= METHOD(unknown_payload_t, get_data, chunk_t, private_unknown_payload_t *this) { 
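Review bot: The HEAD-side comment above `is_critical` reads `Implementation of unknown_payload_t.get_data.`, a copy-paste error; if that side were kept it should read `/** Implementation of unknown_payload_t.is_critical. */`. Otherwise the two sides are equivalent — HEAD guards `chunk_free` with `if (this->data.ptr != NULL)`, upstream calls `free(this->data.ptr)` directly, which is well-defined for NULL — so this hunk should simply be resolved to upstream. The upstream `get_data` and `destroy` bodies continue outside the hunk.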
@@ -156,12 +258,40 @@ METHOD2(payload_t, unknown_payload_t, destroy, void, private_unknown_payload_t *this) { free(this->data.ptr); +>>>>>>> upstream/4.5.1 free(this); } /* * Described in header */ +<<<<<<< HEAD +unknown_payload_t *unknown_payload_create() +{ + private_unknown_payload_t *this = malloc_thing(private_unknown_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.destroy = (void (*) (unknown_payload_t *)) destroy; + this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical; + this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data; + + /* private variables */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH; + this->data = chunk_empty; + + return (&(this->public)); +======= unknown_payload_t *unknown_payload_create(payload_type_t type) { private_unknown_payload_t *this; @@ -204,4 +334,5 @@ unknown_payload_t *unknown_payload_create_data(payload_type_t type, this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH + data.len; return &this->public; +>>>>>>> upstream/4.5.1 } diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h index 5ae85331b..b874f6dc3 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.h 
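Review bot: The two constructors differ in interface — HEAD `unknown_payload_create()` takes nothing, upstream `unknown_payload_create(payload_type_t type)` plus `unknown_payload_create_data(type, critical, data)` — and both are present, so every caller in libcharon (not visible here) has to be resolved to the same side as this file and unknown_payload.h. The HEAD definition also uses empty parentheses, which in C is an unprototyped declaration; its header declares `(void)`, so if HEAD were kept the definition should be `unknown_payload_t *unknown_payload_create(void)`. Since `destroy` frees `data.ptr`, the upstream `create_data` comment should say the chunk is taken over, e.g. `@param data payload data, gets owned by the payload and freed on destroy`.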
+++ b/src/libcharon/encoding/payloads/unknown_payload.h @@ -70,6 +70,13 @@ struct unknown_payload_t { }; /** +<<<<<<< HEAD + * Creates an empty unknown_payload_t object. + * + * @return unknown_payload_t object + */ +unknown_payload_t *unknown_payload_create(void); +======= * Creates an empty unknown_payload_t. * * @param type of the payload @@ -87,5 +94,6 @@ unknown_payload_t *unknown_payload_create(payload_type_t type); */ unknown_payload_t *unknown_payload_create_data(payload_type_t type, bool critical, chunk_t data); +>>>>>>> upstream/4.5.1 #endif /** UNKNOWN_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c index e9e80e989..d2295e4a2 100644 --- a/src/libcharon/encoding/payloads/vendor_id_payload.c +++ b/src/libcharon/encoding/payloads/vendor_id_payload.c @@ -1,6 +1,10 @@ /* +<<<<<<< HEAD + * Copyright (C) 2005-2009 Martin Willi +======= * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -42,11 +46,14 @@ struct private_vendor_id_payload_t { bool critical; /** +<<<<<<< HEAD +======= * Reserved bits */ bool reserved[7]; /** +>>>>>>> upstream/4.5.1 * Length of this payload. */ u_int16_t payload_length; 
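Review bot: unknown_payload.h is conflicted between the HEAD `unknown_payload_create(void)` declaration and the upstream `unknown_payload_create(payload_type_t)` / `unknown_payload_create_data(...)` pair; the header must be resolved to the same side as unknown_payload.c in the preceding hunks or the definitions will not match their prototypes. The vendor_id_payload.c struct conflict on this line has the same shape as in unknown_payload.c — upstream adds `bool reserved[7]`, HEAD does not — and the encoding-rules table in the next hunk has to agree with whichever layout is kept. The copyright-header conflict is trivial and only needs its markers dropped.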
@@ -65,6 +72,23 @@ struct private_vendor_id_payload_t { */ encoding_rule_t vendor_id_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ +<<<<<<< HEAD + { U_INT_8, offsetof(private_vendor_id_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_vendor_id_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole payload*/ + { PAYLOAD_LENGTH, offsetof(private_vendor_id_payload_t, payload_length)}, + /* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */ + { VID_DATA, offsetof(private_vendor_id_payload_t, data) } +======= { U_INT_8, offsetof(private_vendor_id_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_vendor_id_payload_t, critical) }, @@ -80,6 +104,7 @@ encoding_rule_t vendor_id_payload_encodings[] = { { PAYLOAD_LENGTH, offsetof(private_vendor_id_payload_t, payload_length)}, /* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */ { VID_DATA, offsetof(private_vendor_id_payload_t, data) } +>>>>>>> upstream/4.5.1 }; /* 
@@ -94,12 +119,35 @@ encoding_rule_t vendor_id_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +<<<<<<< HEAD +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_vendor_id_payload_t *this) +======= METHOD(payload_t, verify, status_t, private_vendor_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of vendor_id_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_vendor_id_payload_t *this, + encoding_rule_t **rules, size_t *rule_count) +{ + *rules = vendor_id_payload_encodings; + *rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_vendor_id_payload_t *this) +======= METHOD(payload_t, get_encoding_rules, void, private_vendor_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count) 
@@ -110,36 +158,72 @@ METHOD(payload_t, get_encoding_rules, void, METHOD(payload_t, get_type, payload_type_t, private_vendor_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return VENDOR_ID; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_vendor_id_payload_t *this) +======= METHOD(payload_t, get_next_type, payload_type_t, private_vendor_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->next_payload; } +<<<<<<< HEAD +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_vendor_id_payload_t *this,payload_type_t type) +======= METHOD(payload_t, set_next_type, void, private_vendor_id_payload_t *this, payload_type_t type) +>>>>>>> upstream/4.5.1 { this->next_payload = type; } +<<<<<<< HEAD +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_vendor_id_payload_t *this) +======= METHOD(payload_t, get_length, size_t, private_vendor_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->payload_length; } +<<<<<<< HEAD +/** + * Implementation of vendor_id_payload_t.get_data. + */ +static chunk_t get_data(private_vendor_id_payload_t *this) +======= METHOD(vendor_id_payload_t, get_data, chunk_t, private_vendor_id_payload_t *this) +>>>>>>> upstream/4.5.1 { return this->data; } +<<<<<<< HEAD +/** + * Implementation of payload_t.destroy and vendor_id_payload_t.destroy. + */ +static void destroy(private_vendor_id_payload_t *this) +======= METHOD2(payload_t, vendor_id_payload_t, destroy, void, private_vendor_id_payload_t *this) +>>>>>>> upstream/4.5.1 { free(this->data.ptr); free(this); 
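Review bot: On the upstream side `destroy` is registered via `METHOD2(payload_t, vendor_id_payload_t, destroy, …)`, which requires a `destroy` member in `vendor_id_payload_t`; that member only exists in the upstream version of vendor_id_payload.h later in this diff, so header and source must be resolved together. The HEAD comment `Implementation of vendor_id_payload_t.get_encoding_rules.` is mislabelled — the function implements `payload_t.get_encoding_rules` — and would need fixing if that side were kept. The two sides of `verify`, `get_next_type`, `set_next_type`, `get_length` and `get_data` are functionally identical; the `METHOD()` form is preferable because it keeps the callback prototypes visible to the compiler.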
@@ -148,6 +232,26 @@ METHOD2(payload_t, vendor_id_payload_t, destroy, void, /* * Described in header */ +<<<<<<< HEAD +vendor_id_payload_t *vendor_id_payload_create() +{ + private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t); + + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data; + + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH; + this->data = chunk_empty; + +======= vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data) { private_vendor_id_payload_t *this; @@ -170,13 +274,28 @@ vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data) .payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + data.len, .data = data, ); +>>>>>>> upstream/4.5.1 return &this->public; } /* * Described in header */ +<<<<<<< HEAD +vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data) +{ + private_vendor_id_payload_t *this; + + this = (private_vendor_id_payload_t*)vendor_id_payload_create(); + this->payload_length += data.len; + this->data = data; + + return &this->public; +} + +======= vendor_id_payload_t *vendor_id_payload_create() { return vendor_id_payload_create_data(chunk_empty); } +>>>>>>> upstream/4.5.1 
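Review bot: Both `vendor_id_payload_create` and `vendor_id_payload_create_data` appear on each side of the conflict, so keeping both blocks defines each function twice; the sides also invert which one wraps the other (HEAD: `create_data` calls `create` and patches `payload_length` and `data`; upstream: `create` calls `create_data(chunk_empty)`). Resolve to upstream, which initialises every field in a single `INIT` rather than fixing them up after construction. Because `destroy` frees `data.ptr`, the `create_data` documentation should state ownership explicitly, e.g. `@param data VID data, gets owned by the payload and freed on destroy`.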
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.h b/src/libcharon/encoding/payloads/vendor_id_payload.h index 4e4e7d8eb..45cce985e 100644 --- a/src/libcharon/encoding/payloads/vendor_id_payload.h +++ b/src/libcharon/encoding/payloads/vendor_id_payload.h @@ -50,11 +50,14 @@ struct vendor_id_payload_t { * @return VID data, pointing to an internal chunk_t */ chunk_t (*get_data)(vendor_id_payload_t *this); +<<<<<<< HEAD +======= /** * Destroy Vendor ID payload. */ void (*destroy)(vendor_id_payload_t *this); +>>>>>>> upstream/4.5.1 }; /** diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 018318a59..7f3cd1692 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c index 12cf0c941..b6836cb1f 100644 --- a/src/libcharon/plugins/addrblock/addrblock_validator.c +++ b/src/libcharon/plugins/addrblock/addrblock_validator.c 
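Review bot: The vendor_id_payload.h hunk leaves the upstream-only `void (*destroy)(vendor_id_payload_t *this);` member between conflict markers; the `METHOD2(payload_t, vendor_id_payload_t, destroy, …)` in vendor_id_payload.c depends on it, so dropping the member while keeping the upstream .c will not compile. The addrblock Makefile.in hunk on this line is generated autotools output with its own `ipsecuid`/`ipsecgid` versus `soup_CFLAGS`/`soup_LIBS` conflict; rather than hand-resolving it, regenerate the Makefile.in files once the source conflicts are settled.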
@@ -1,6 +1,13 @@ /* +<<<<<<< HEAD + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil +======= * Copyright (C) 2010 Martin Willi, revosec AG * Copyright (C) 2009 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil +>>>>>>> upstream/4.5.1 * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -88,8 +95,12 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer) METHOD(cert_validator_t, validate, bool, private_addrblock_validator_t *this, certificate_t *subject, +<<<<<<< HEAD + certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) +======= certificate_t *issuer, bool online, int pathlen, bool anchor, auth_cfg_t *auth) +>>>>>>> upstream/4.5.1 { if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509) diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in index 7d6eb2b9c..d9700f810 100644 --- a/src/libcharon/plugins/android/Makefile.in +++ b/src/libcharon/plugins/android/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c index 601c91e7b..69941848c 100644 
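Review bot: `validate` in addrblock_validator.c is conflicted on its parameter list — HEAD `(…, bool online, int pathlen, auth_cfg_t *auth)`, upstream inserts `bool anchor` before `auth` — and it is installed as a `cert_validator_t` callback, so the prototype must match the libstrongswan interface this tree is built against. A mismatch would not be caught at the call site: the core would pass `anchor` where the plugin reads `auth` (or vice versa) and `check_addrblock` would run against a misread argument. Keep the upstream signature if libstrongswan is at 4.5.1, and note the coupling with `/* signature must match cert_validator_t.validate in libstrongswan */`. The body of `validate` continues outside the hunk; the copyright conflict above it is trivial.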
--- a/src/libcharon/plugins/android/android_creds.c +++ b/src/libcharon/plugins/android/android_creds.c @@ -235,7 +235,11 @@ METHOD(android_creds_t, set_username_password, void, DESTROY_IF(this->user); this->user = id->clone(id); free(this->pass); +<<<<<<< HEAD + this->pass = password ? strdup(password) : NULL; +======= this->pass = strdupnull(password); +>>>>>>> upstream/4.5.1 this->lock->unlock(this->lock); } diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c index 487567f2a..c222d8a65 100644 --- a/src/libcharon/plugins/android/android_service.c +++ b/src/libcharon/plugins/android/android_service.c @@ -291,8 +291,13 @@ static job_requeue_t initiate(private_android_service_t *this) peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL, +<<<<<<< HEAD + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); +======= ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0); +>>>>>>> upstream/4.5.1 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index 8046fc052..9c4ad3a02 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
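Review bot: Two conflicted call sites on this line: android_creds.c chooses between `password ? strdup(password) : NULL` and the upstream `strdupnull(password)`, which are equivalent provided `strdupnull` exists in the linked libstrongswan, and android_service.c chooses between a `child_cfg_create(…)` call with an extra `ACTION_NONE` and trailing `0` argument and one without. The second must follow whatever `child_cfg_create` prototype libcharon exports after the merge; being a direct call rather than a callback, the compiler will reject the wrong variant, but only once the markers are removed. The dhcp Makefile.in hunk is generated and should be regenerated rather than hand-resolved.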
@@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index 8851c1b79..521bf5595 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -459,7 +459,11 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) { dhcp_transaction_t *transaction = NULL; enumerator_t *enumerator; +<<<<<<< HEAD + host_t *offer, *server; +======= host_t *offer, *server = NULL; +>>>>>>> upstream/4.5.1 offer = host_create_from_chunk(AF_INET, chunk_from_thing(dhcp->your_address), 0); @@ -500,7 +504,11 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) chunk_create((char*)&option->data[pos], 4)); } } +<<<<<<< HEAD + if (option->type == DHCP_SERVER_ID && option->len == 4) +======= if (!server && option->type == DHCP_SERVER_ID && option->len == 4) +>>>>>>> upstream/4.5.1 { server = host_create_from_chunk(AF_INET, chunk_create(option->data, 4), DHCP_SERVER_PORT); @@ -515,11 +523,19 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) } DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server); transaction->set_address(transaction, offer->clone(offer)); +<<<<<<< HEAD + transaction->set_server(transaction, server->clone(server)); +======= transaction->set_server(transaction, server); +>>>>>>> upstream/4.5.1 } this->mutex->unlock(this->mutex); this->condvar->broadcast(this->condvar); offer->destroy(offer); +<<<<<<< HEAD + server->destroy(server); +======= +>>>>>>> upstream/4.5.1 } /** 
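Review bot: The HEAD side of `handle_offer` declares `host_t *offer, *server;` without initialising `server` and then unconditionally calls `server->clone(server)` and `server->destroy(server)`, so a DHCP OFFER without a DHCP_SERVER_ID option — an unauthenticated packet from the local segment — dereferences an uninitialised pointer, and an OFFER with several such options leaks every allocation but the last. The upstream side initialises `server = NULL`, takes only the first option (`if (!server && option->type == DHCP_SERVER_ID && option->len == 4)`) and hands the single allocation to `set_server` instead of clone-plus-destroy, which fixes both; resolve these hunks to upstream. Even then `server` can still be NULL at `DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server)` and at `transaction->set_server(transaction, server)`; confirm both tolerate NULL, or skip the transaction with `if (!server) { DBG1(DBG_CFG, "DHCP OFFER without server id, ignored"); }` before using it. `handle_offer` starts before and continues after these hunks.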
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 4a23f9010..adb0d8344 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index ad1ae1906..933bc8a5b 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -224,7 +224,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,8 +269,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 142a35e50..1592ea208 100644 
--- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 5c1e07ade..cc51086e6 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 4e01d96cc..e2c3b5c1f 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in 
@@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index 495ccf441..669be68e8 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 99084e2c1..58a317769 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in 
@@ -224,7 +224,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,8 +269,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 90f203f61..4d219b861 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -223,7 +223,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,8 +268,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 3cd766a75..fb72884d4 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -224,7 +224,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,8 +269,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index a48fb652a..f7fc71bdf 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -225,7 +225,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,8 +270,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index f2af3ae0d..f26ec64df 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -224,7 +224,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,8 +269,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 9a58a6055..b37d2714a 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -223,7 +223,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,8 +268,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 9ebb85be9..7334c6ce9 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -222,7 +222,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,8 +267,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index cf75585ef..db1f1c8c5 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -222,7 +222,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,8 +267,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index dd4ed5322..7d708b3b9 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -18,7 +18,11 @@
 #include <tls_eap.h>
 #include <daemon.h>
+<<<<<<< HEAD
+#include <library.h>
+=======
 #include <debug.h>
+>>>>>>> upstream/4.5.1
 typedef struct private_eap_tnc_t private_eap_tnc_t;
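Review bot: The eap_tnc.c include hunk commits the `<<<<<<< HEAD` / `=======` / `>>>>>>> upstream/4.5.1` markers at file scope, so the compiler rejects the translation unit before it reaches any function; the two sides differ only in `#include <library.h>` (HEAD) versus `#include <debug.h>` (upstream). Keep whichever header the resolved eap_tnc_create below needs and delete the three marker lines; the function hunks later in this file carry the same unresolved pattern and must be settled on the same side.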
@@ -114,8 +118,11 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	private_eap_tnc_t *this;
 	size_t frag_size;
 	int max_msg_count;
+<<<<<<< HEAD
+=======
 	char* protocol;
 	tnccs_type_t type;
+>>>>>>> upstream/4.5.1
 	tnccs_t *tnccs;
 	INIT(this,
@@ -135,6 +142,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
 	max_msg_count = lib->settings->get_int(lib->settings,
 		"charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
+<<<<<<< HEAD
+	tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server);
+=======
 	protocol = lib->settings->get_str(lib->settings,
 		"charon.plugins.eap-tnc.protocol", "tnccs-1.1");
 	if (strcaseeq(protocol, "tnccs-2.0"))
@@ -156,6 +166,7 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		return NULL;
 	}
 	tnccs = charon->tnccs->create_instance(charon->tnccs, type, is_server);
+>>>>>>> upstream/4.5.1
 	this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count);
 	if (!this->tls_eap)
 	{
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index ff67686b2..36121c7a7 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -225,7 +225,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,8 +270,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
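Review bot: eap_tnc_create cannot compile as committed: three conflict blocks leave `<<<<<<< HEAD`, `=======` and `>>>>>>> upstream/4.5.1` inside the function body, and the two sides are not interchangeable line by line. HEAD hard-codes `TNCCS_1_1` in `create_instance`, while upstream declares `protocol` and `type`, reads `charon.plugins.eap-tnc.protocol` (default `"tnccs-1.1"`) and, judging by the `return NULL;` at the top of the last hunk, rejects an unrecognised protocol string. The three blocks therefore have to be resolved as a unit: taking upstream keeps the configurable selection and its validation; taking HEAD must also drop the two declarations. The start of the function and the middle of the protocol check lie outside these hunks.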
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 29b0a9303..c8e099ad5 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -196,7 +196,10 @@ METHOD(tls_application_t, process, status_t,
 			in->destroy(in);
 			return NEED_MORE;
 		}
+<<<<<<< HEAD
+=======
 		this->start_phase2 = FALSE;
+>>>>>>> upstream/4.5.1
 	}
 	type = this->method->get_type(this->method, &vendor);
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 21e8b78db..5f6354f32 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -220,7 +220,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -259,8 +265,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 2fcd7cc82..8be700808 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -222,7 +222,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
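Review bot: The `process` hunk in eap_ttls_peer.c commits conflict markers around a single upstream line, `this->start_phase2 = FALSE;`, with an empty HEAD side, so the only decision is whether that line stays; since it is the 4.5.1 behaviour and the marker lines break the build either way, the resolution should keep it and delete the three markers. What `start_phase2` gates is set up earlier in the function, outside the hunk, so I can only infer that leaving the flag set would re-enter the phase-2 start path on subsequent calls. `process` begins and ends outside this hunk.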
@@ -261,8 +267,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index 15f7824f9..698f73e12 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -21,8 +21,13 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
+<<<<<<< HEAD
+#include <pthread.h>
+
+=======
 #include <threading/thread.h>
+>>>>>>> upstream/4.5.1
 #include <processing/jobs/callback_job.h>
 #define HA_FIFO IPSEC_PIDDIR "/charon.ha"
@@ -60,6 +65,15 @@ struct private_ha_ctl_t {
  */
 static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
 {
+<<<<<<< HEAD
+	int fifo, old;
+	char buf[8];
+	u_int segment;
+
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old);
+	fifo = open(HA_FIFO, O_RDONLY);
+	pthread_setcancelstate(old, NULL);
+=======
 	int fifo;
 	bool oldstate;
 	char buf[8];
@@ -68,6 +82,7 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
 	oldstate = thread_cancelability(TRUE);
 	fifo = open(HA_FIFO, O_RDONLY);
 	thread_cancelability(oldstate);
+>>>>>>> upstream/4.5.1
 	if (fifo == -1)
 	{
 		DBG1(DBG_CFG, "opening HA fifo failed: %s", strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 85dc0f4a4..1015c65d0 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
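Review bot: dispatch_fifo would declare `fifo` and `buf` twice if both conflict sides were kept, and the `<<<<<<< HEAD` / `=======` / `>>>>>>> upstream/4.5.1` lines are not C, so this hunk does not compile as committed. The two sides also use different cancellation APIs, `pthread_setcancelstate` with an `int old` on HEAD versus `thread_cancelability` with a `bool oldstate` on upstream, and the include hunk earlier in this file adds `<threading/thread.h>` only on the upstream side, so the function body and the includes have to be resolved to the same side. HEAD additionally declares `u_int segment`; whether it is used is decided in the part of the function after the hunk, which is not visible here.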
@@ -596,9 +596,15 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	if (initiator)
 	{
 		if (child_sa->install(child_sa, encr_r, integ_r, inbound_spi,
+<<<<<<< HEAD
+			inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS ||
+			child_sa->install(child_sa, encr_i, integ_i, outbound_spi,
+			outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS)
+=======
 			inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_i, integ_i, outbound_spi,
 			outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
+>>>>>>> upstream/4.5.1
 		{
 			failed = TRUE;
 		}
@@ -606,9 +612,15 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	else
 	{
 		if (child_sa->install(child_sa, encr_i, integ_i, inbound_spi,
+<<<<<<< HEAD
+			inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS ||
+			child_sa->install(child_sa, encr_r, integ_r, outbound_spi,
+			outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS)
+=======
 			inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_r, integ_r, outbound_spi,
 			outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
+>>>>>>> upstream/4.5.1
 		{
 			failed = TRUE;
 		}
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index 7c7bef851..a83c1fd43 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -15,10 +15,18 @@
 #include "ha_segments.h"
+<<<<<<< HEAD
+#include <pthread.h>
+
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <utils/linked_list.h>
+=======
 #include <threading/mutex.h>
 #include <threading/condvar.h>
 #include <utils/linked_list.h>
 #include <threading/thread.h>
+>>>>>>> upstream/4.5.1
 #include <processing/jobs/callback_job.h>
 #define DEFAULT_HEARTBEAT_DELAY 1000
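Review bot: In process_child_add the two conflict sides call `child_sa->install` with different arity: HEAD passes `inbound_cpi, TRUE, local_ts, remote_ts`, upstream passes `inbound_cpi, TRUE, TRUE, local_ts, remote_ts` (and likewise for the outbound call), so only the side matching the `install` signature declared in this tree's child_sa.h, which is not in the diff, can compile, and the meaning of the extra boolean is not visible here. Both the `if (initiator)` and the `else` branch carry the same conflict and have to be resolved identically, together with the marker lines. The function begins before the first hunk.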
@@ -254,6 +262,18 @@ METHOD(listener_t, alert_hook, bool,
  */
 static job_requeue_t watchdog(private_ha_segments_t *this)
 {
+<<<<<<< HEAD
+	int oldstate;
+	bool timeout;
+
+	this->mutex->lock(this->mutex);
+	pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	timeout = this->condvar->timed_wait(this->condvar, this->mutex,
+		this->heartbeat_timeout);
+	pthread_setcancelstate(oldstate, NULL);
+	pthread_cleanup_pop(TRUE);
+=======
 	bool timeout, oldstate;
 	this->mutex->lock(this->mutex);
@@ -263,6 +283,7 @@ static job_requeue_t watchdog(private_ha_segments_t *this)
 		this->heartbeat_timeout);
 	thread_cancelability(oldstate);
 	thread_cleanup_pop(TRUE);
+>>>>>>> upstream/4.5.1
 	if (timeout)
 	{
 		DBG1(DBG_CFG, "no heartbeat received, taking all segments");
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index 086178442..29734bea3 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -20,10 +20,17 @@
 #include <sys/socket.h>
 #include <errno.h>
 #include <unistd.h>
+<<<<<<< HEAD
+#include <pthread.h>
+
+#include <daemon.h>
+#include <utils/host.h>
+=======
 #include <daemon.h>
 #include <utils/host.h>
 #include <threading/thread.h>
+>>>>>>> upstream/4.5.1
 #include <processing/jobs/callback_job.h>
 typedef struct private_ha_socket_t private_ha_socket_t;
@@ -121,12 +128,21 @@ METHOD(ha_socket_t, pull, ha_message_t*,
 {
 	ha_message_t *message;
 	char buf[1024];
+<<<<<<< HEAD
+	int oldstate;
+	ssize_t len;
+
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	len = recv(this->fd, buf, sizeof(buf), 0);
+	pthread_setcancelstate(oldstate, NULL);
+=======
 	bool oldstate;
 	ssize_t len;
 	oldstate = thread_cancelability(TRUE);
 	len = recv(this->fd, buf, sizeof(buf), 0);
 	thread_cancelability(oldstate);
+>>>>>>> upstream/4.5.1
 	if (len <= 0)
 	{
 		switch (errno)
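Review bot: watchdog declares `bool timeout` on both sides of the conflict and `oldstate` with two different types (`int` on HEAD, `bool` on upstream), so keeping both sides is a redeclaration error on top of the marker lines that already break the build. HEAD's `pthread_cleanup_push((void*)this->mutex->unlock, this->mutex)` / `pthread_setcancelstate` pair and upstream's `thread_cleanup_pop` / `thread_cancelability` pair are alternative APIs for the same cancellation window around `timed_wait`; the resolution should follow the include hunk for this file (`<threading/thread.h>` is only on the upstream side). The ha_socket.c `pull` hunk on this line has the identical HEAD/upstream split around `recv` and needs the same choice.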
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 299053ec1..6021ece01 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -223,8 +223,13 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 	child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
+<<<<<<< HEAD
+		ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+		NULL, NULL);
+=======
 		ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
 		NULL, NULL, 0);
+>>>>>>> upstream/4.5.1
 	ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 	ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index fa1194fd0..0684599f8 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -219,7 +219,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -258,8 +264,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index c921ec3db..91bae2d05 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
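Review bot: setup_tunnel calls `child_cfg_create` with twelve arguments on the HEAD side and fourteen on the upstream side (`ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0`), with the conflict markers left in place, so the file will not compile until the call matches the `child_cfg_create` prototype in this tree's child_cfg.h, which the diff does not show. The extra `ACTION_NONE` and the trailing `0` have no visible meaning here; resolve against the prototype rather than guessing which action the third one stands for. The HA control tunnel's transport-mode selectors for UDP `HA_PORT` and ICMP are untouched by the conflict.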
@@ -225,7 +225,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,8 +270,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 71391d593..65fb5100e 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -224,8 +224,13 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	}
 	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
+<<<<<<< HEAD
+		ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+		NULL, NULL);
+=======
 		ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
 		NULL, NULL, 0);
+>>>>>>> upstream/4.5.1
 	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 	child_cfg->add_proposal(child_cfg, proposal);
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index ef9d7f9ef..701fd59e4 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
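Review bot: generate_config has the same unresolved `child_cfg_create` conflict (twelve arguments on HEAD, fourteen on upstream) as ha_tunnel.c, medcli_config.c, nm_service.c and maemo_service.c elsewhere in this diff; every one of these call sites has to be resolved against the single prototype in child_cfg.h, otherwise the build fails at whichever site is left on the other side. The `"aes128-sha1"` proposal and the catch-all dynamic traffic selector are unchanged context and are what one would expect of a load-test configuration generator.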
@@ -52,7 +52,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_load_tester_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
 	u_int8_t protocol, u_int32_t reqid, mark_t mark,
+<<<<<<< HEAD
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+=======
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+>>>>>>> upstream/4.5.1
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
 	traffic_selector_t *dst_ts)
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 8fd65adfa..f93cdf154 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -28,8 +28,11 @@
 #include <threading/condvar.h>
 #include <threading/mutex.h>
+<<<<<<< HEAD
+=======
 static const char *plugin_name = "load_tester";
+>>>>>>> upstream/4.5.1
 typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
 /**
@@ -191,7 +194,11 @@ plugin_t *load_tester_plugin_create()
 	this = malloc_thing(private_load_tester_plugin_t);
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+<<<<<<< HEAD
+	lib->crypto->add_dh(lib->crypto, MODP_NULL,
+=======
 	lib->crypto->add_dh(lib->crypto, MODP_NULL, plugin_name,
+>>>>>>> upstream/4.5.1
 		(dh_constructor_t)load_tester_diffie_hellman_create);
 	this->delay = lib->settings->get_int(lib->settings,
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
index 0bf7fad5d..95a76fe90 100644
--- a/src/libcharon/plugins/maemo/Makefile.am
+++ b/src/libcharon/plugins/maemo/Makefile.am
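Review bot: The `add_sa` METHOD parameter list is conflicted (HEAD lacks the `u_int32_t tfc` parameter that upstream inserts before `lifetime`), and because this function implements the kernel_ipsec_t interface the list must match that interface's declaration in kernel_ipsec.h, which is not in the diff, or the plugin's `add_sa` will not line up with its callers. The plugin hunk has the parallel conflict on `lib->crypto->add_dh(lib->crypto, MODP_NULL, plugin_name, ...)` versus the older form without `plugin_name`; the tag is presumably what the crypto factory uses to attribute the registration, so take whichever form the factory in this tree declares. Either way this registers a `MODP_NULL` Diffie-Hellman constructor process-wide, which is a reminder that load_tester must never appear in a production plugin list.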
@@ -19,9 +19,13 @@ libstrongswan_maemo_la_LIBADD = ${maemo_LIBS}
 dbusservice_DATA = org.strongswan.charon.service
+<<<<<<< HEAD
+EXTRA_DIST = $(dbusservice_DATA)
+=======
 org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
 	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
 EXTRA_DIST = org.strongswan.charon.service.in
 CLEANFILES = $(dbusservice_DATA)
+>>>>>>> upstream/4.5.1
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 0ca1fa436..cfa6e6115 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -224,7 +224,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,8 +269,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
@@ -288,8 +297,12 @@ libstrongswan_maemo_la_SOURCES = \
 libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
 libstrongswan_maemo_la_LIBADD = ${maemo_LIBS}
 dbusservice_DATA = org.strongswan.charon.service
+<<<<<<< HEAD
+EXTRA_DIST = $(dbusservice_DATA)
+=======
 EXTRA_DIST = org.strongswan.charon.service.in
 CLEANFILES = $(dbusservice_DATA)
+>>>>>>> upstream/4.5.1
 all: all-am
 .SUFFIXES:
@@ -529,7 +542,10 @@ install-strip:
 mostlyclean-generic:
 clean-generic:
+<<<<<<< HEAD
+=======
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+>>>>>>> upstream/4.5.1
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
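Review bot: The maemo Makefile.am conflict is not a textual one to pick at random: HEAD treats `org.strongswan.charon.service` as a static file (`EXTRA_DIST = $(dbusservice_DATA)`), upstream generates it from `org.strongswan.charon.service.in` with `sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@` and lists it in `CLEANFILES`, and this same commit adds the expanded `.service` file to the tree as a new file. With the upstream rule kept, `make clean` deletes a tracked file and `make` overwrites it from the template; with HEAD kept, the `.in` file and its rule are dead. Either drop the committed `.service` and keep the upstream rule, or keep HEAD and leave the `.in` out of `EXTRA_DIST`, but not both; the generated Makefile.in must then be regenerated rather than merged by hand.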
@@ -628,9 +644,12 @@ uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
 	uninstall-pluginLTLIBRARIES
+<<<<<<< HEAD
+=======
 org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
 	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
+>>>>>>> upstream/4.5.1
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index 0e9fd8ccc..38ac6f8fc 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -115,11 +115,20 @@ METHOD(listener_t, ike_updown, bool,
 	return TRUE;
 }
+<<<<<<< HEAD
+METHOD(listener_t, child_state_change, bool,
+	private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	child_sa_state_t state)
+{
+	/* this call back is only registered during initiation */
+	if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
+=======
 METHOD(listener_t, ike_state_change, bool,
 	private_maemo_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 {
 	/* this call back is only registered during initiation */
 	if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
+>>>>>>> upstream/4.5.1
 	{
 		change_status(this, VPN_STATUS_CONNECTION_FAILED);
 		return FALSE;
@@ -137,7 +146,11 @@ METHOD(listener_t, child_updown, bool,
 	{
 		/* disable hooks registered to catch initiation failures */
 		this->public.listener.ike_updown = NULL;
+<<<<<<< HEAD
+		this->public.listener.child_state_change = NULL;
+=======
 		this->public.listener.ike_state_change = NULL;
+>>>>>>> upstream/4.5.1
 		change_status(this, VPN_STATUS_CONNECTED);
 	}
 	else
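Review bot: `child_state_change` (HEAD, keyed on `CHILD_DESTROYING` and taking an extra `child_sa_t *child_sa`) and `ike_state_change` (upstream, keyed on `IKE_DESTROYING`) are two different listener_t callbacks, and with the markers left in both hunks the file does not compile at all. Whichever is chosen has to be applied consistently to the `= NULL` reset in child_updown on this line and to the two later hunks that register the callback in initiate_connection and in the `maemo_service_create` initializer; a mixed resolution leaves a callback registered that is never cleared, or cleared that is never defined. Both METHOD bodies share the `change_status(this, VPN_STATUS_CONNECTION_FAILED); return FALSE;` tail that follows the first hunk.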
@@ -346,7 +359,11 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 	child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */,
 		TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE,
+<<<<<<< HEAD
+		FALSE, 0, 0, NULL, NULL);
+=======
 		ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0);
+>>>>>>> upstream/4.5.1
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -370,7 +387,11 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 	this->ike_sa = ike_sa;
 	this->status = VPN_STATUS_CONNECTING;
 	this->public.listener.ike_updown = _ike_updown;
+<<<<<<< HEAD
+	this->public.listener.child_state_change = _child_state_change;
+=======
 	this->public.listener.ike_state_change = _ike_state_change;
+>>>>>>> upstream/4.5.1
 	charon->bus->add_listener(charon->bus, &this->public.listener);
 	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
@@ -463,7 +484,11 @@ maemo_service_t *maemo_service_create()
 		.public = {
 			.listener = {
 				.ike_updown = _ike_updown,
+<<<<<<< HEAD
+				.child_state_change = _child_state_change,
+=======
 				.ike_state_change = _ike_state_change,
+>>>>>>> upstream/4.5.1
 				.child_updown = _child_updown,
 				.ike_rekey = _ike_rekey,
 			},
diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service
new file mode 100644
index 000000000..7dd31ed60
--- /dev/null
+++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service
@@ -0,0 +1,4 @@
+[D-BUS Service]
+Name=org.strongswan.charon
+Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon
+User=root
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 372a436a6..5f965cb8a 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
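Review bot: The new D-Bus service file hard-codes `Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon` and `User=root`, which is exactly what the upstream Makefile.am rule earlier in this diff produces from the `.in` template when `libexecdir` is `/usr/libexec`; committing the expanded file pins that path for every build and the file will be deleted by `make clean` or rewritten by `make` if the upstream `CLEANFILES`/sed side of that conflict is kept. Since this makes charon bus-activatable as root, confirm that the D-Bus system policy for `org.strongswan.charon` (not part of this diff) restricts who may own and message that name. The three maemo_service.c hunks on this line carry the same `child_state_change`/`ike_state_change` and `child_cfg_create` arity conflicts as the earlier hunks and must be resolved to match them.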
@@ -222,7 +222,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,8 +267,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index b5672dba9..c2e8aad12 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -182,8 +182,13 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+<<<<<<< HEAD
+		ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+		NULL, NULL);
+=======
 		ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
 		NULL, NULL, 0);
+>>>>>>> upstream/4.5.1
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
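Review bot: get_peer_cfg_by_name leaves the `child_cfg_create` conflict unresolved, HEAD's `ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL, NULL` against upstream's `ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0`, with the marker lines still in the source, so the file fails to compile; only the form matching this tree's child_cfg.h prototype is valid and that header is not in the diff. Nothing else in the hunk should change when resolving: the proposal and the two `ts_from_string` traffic-selector lines are plain context.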
@@ -261,8 +266,13 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	this->current->add_auth_cfg(this->current, auth, FALSE);
 	child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+<<<<<<< HEAD
+		ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+		NULL, NULL);
+=======
 		ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
 		NULL, NULL, 0);
+>>>>>>> upstream/4.5.1
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 4bb65bd09..d90ac0149 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -222,7 +222,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -261,8 +267,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
index 69af7bf83..9ad535ea8 100644
--- a/src/libcharon/plugins/nm/Makefile.in
+++ b/src/libcharon/plugins/nm/Makefile.in
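Review bot: peer_enumerator_enumerate has the identical `child_cfg_create` conflict as get_peer_cfg_by_name just above it, markers included; both call sites in medcli_config.c must end up with the same argument list, or one of them will still fail to compile once the other is fixed. The enumerator's loop and the `this->current` setup are outside this hunk.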
@@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c index ea98c056d..869520c6c 100644 --- a/src/libcharon/plugins/nm/nm_creds.c +++ b/src/libcharon/plugins/nm/nm_creds.c @@ -400,7 +400,11 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id DESTROY_IF(this->user); this->user = id->clone(id); free(this->pass); +<<<<<<< HEAD + this->pass = password ? strdup(password) : NULL; +======= this->pass = strdupnull(password); +>>>>>>> upstream/4.5.1 this->lock->unlock(this->lock); } @@ -411,7 +415,11 @@ static void set_key_password(private_nm_creds_t *this, char *password) { this->lock->write_lock(this->lock); free(this->keypass); +<<<<<<< HEAD + this->keypass = password ? strdup(password) : NULL; +======= this->keypass = strdupnull(password); +>>>>>>> upstream/4.5.1 this->lock->unlock(this->lock); } @@ -423,7 +431,11 @@ static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin) this->lock->write_lock(this->lock); free(this->keypass); free(this->keyid.ptr); +<<<<<<< HEAD + this->keypass = pin ? strdup(pin) : NULL; +======= this->keypass = strdupnull(pin); +>>>>>>> upstream/4.5.1 this->keyid = chunk_clone(keyid); this->lock->unlock(this->lock); } 
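Review bot: The three `set_*` hunks in nm_creds.c leave conflict markers around the password and PIN assignments, so the NetworkManager plugin does not build as committed. Both sides appear equivalent if `strdupnull()` is the NULL-tolerant strdup its name suggests — `this->pass = strdupnull(password);` is just the upstream spelling of `password ? strdup(password) : NULL` — so resolving to the upstream side looks safe, but that equivalence should be confirmed against the helper's definition rather than assumed. While here, note that the `free(this->pass)` / `free(this->keypass)` context lines release secret material without clearing it; if a `memwipe()`-style helper exists in this tree, wiping before free would be a cheap hardening, though that is outside what this commit changes. The enclosing functions begin outside the hunks.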
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c index 4300b57cf..e32fe65dd 100644 --- a/src/libcharon/plugins/nm/nm_service.c +++ b/src/libcharon/plugins/nm/nm_service.c @@ -518,8 +518,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, child_cfg = child_cfg_create(priv->name, &lifetime, NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ +<<<<<<< HEAD + ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, + NULL, NULL); +======= ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, NULL, NULL, 0); +>>>>>>> upstream/4.5.1 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 3d2cef13c..bac03bd03 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index b82372e30..e9fc5ef07 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in 
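Review bot: The `connect_` hunk in nm_service.c commits conflict markers around `child_cfg_create()`, and the two sides differ in arity: upstream inserts `ACTION_NONE` before `ipcomp` and appends a trailing `0`, matching the 4.5.1 prototype, so whichever side survives must agree with `child_cfg_create` in this tree's child_cfg.h or the call will not compile. The existing `/* updown, hostaccess */` comment only names the first two positional arguments; since the argument list is now long and all-positional, extending it to `/* updown, hostaccess, mode, start/dpd/close actions, ipcomp, inactivity, reqid, marks, tfc */` (or whatever the resolved prototype actually takes) would let a reader verify the order without opening the header. `connect_` starts and ends outside the hunk.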
@@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 7a49088b2..6059d98a1 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in index 744b12fcf..fe30169b5 100644 --- a/src/libcharon/plugins/socket_raw/Makefile.in +++ b/src/libcharon/plugins/socket_raw/Makefile.in 
@@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 4244d3b5e..2446e257d 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index dc016012c..0ca481bb9 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c 
@@ -1,6 +1,9 @@ /* * Copyright (C) 2006-2008 Martin Willi +<<<<<<< HEAD +======= * Copyright (C) 2010 Andreas Steffen +>>>>>>> upstream/4.5.1 * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,13 +42,21 @@ struct private_sql_config_t { }; /** +<<<<<<< HEAD + * forward declaration +======= * Forward declaration +>>>>>>> upstream/4.5.1 */ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, identification_t *me, identification_t *other); /** +<<<<<<< HEAD + * build a traffic selector from a SQL query +======= * Build a traffic selector from an SQL query +>>>>>>> upstream/4.5.1 */ static traffic_selector_t *build_traffic_selector(private_sql_config_t *this, enumerator_t *e, bool *local) @@ -120,6 +131,18 @@ static void add_traffic_selectors(private_sql_config_t *this, } /** +<<<<<<< HEAD + * build a Child configuration from a SQL query + */ +static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e) +{ + int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp; + char *name, *updown; + child_cfg_t *child_cfg; + + if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, + &updown, &hostaccess, &mode, &dpd, &close, &ipcomp)) +======= * Add ESP proposals to a child config */ static void add_esp_proposals(private_sql_config_t *this, 
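Review bot: The conflict opened in the `@@ -120,6 +131,18 @@` hunk of sql_config.c (`+<<<<<<< HEAD` before the old `build_child_cfg` comment) is not closed within it — the HEAD side carries a complete second `build_child_cfg()` prologue whose `if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown, &hostaccess, &mode, &dpd, &close, &ipcomp))` takes eleven output pointers, while the upstream prologue enumerates thirteen (`&start` and `&reqid` added). `enumerate()` writes the row through those pointers in column order, so the resolved function must be paired with a `SELECT` of exactly the same columns; mixing the HEAD prologue with the upstream query (or vice versa) misreads the row into the wrong locals instead of failing cleanly. The HEAD variant also still hard-codes the ESP proposal, so any proposals stored per child config in the database would be ignored on that side. The function continues into the next hunk.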
@@ -168,14 +191,21 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e) if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown, &hostaccess, &mode, &start, &dpd, &close, &ipcomp, &reqid)) +>>>>>>> upstream/4.5.1 { lifetime_cfg_t lft = { .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter } }; child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode, +<<<<<<< HEAD + dpd, close, ipcomp, 0, 0, NULL, NULL); + /* TODO: read proposal from db */ + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); +======= start, dpd, close, ipcomp, 0, reqid, NULL, NULL, 0); add_esp_proposals(this, child_cfg, id); +>>>>>>> upstream/4.5.1 add_traffic_selectors(this, child_cfg, id); return child_cfg; } @@ -191,6 +221,15 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id) child_cfg_t *child_cfg; e = this->db->query(this->db, +<<<<<<< HEAD + "SELECT id, name, lifetime, rekeytime, jitter, " + "updown, hostaccess, mode, dpd_action, close_action, ipcomp " + "FROM child_configs JOIN peer_config_child_config ON id = child_cfg " + "WHERE peer_cfg = ?", + DB_INT, id, + DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, + DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); +======= "SELECT id, name, lifetime, rekeytime, jitter, updown, hostaccess, " "mode, start_action, dpd_action, close_action, ipcomp, reqid " "FROM child_configs JOIN peer_config_child_config ON id = child_cfg " @@ -198,6 +237,7 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id) DB_INT, id, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); +>>>>>>> upstream/4.5.1 if (e) { while ((child_cfg = build_child_cfg(this, e))) 
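Review bot: In the `build_child_cfg` hunk the two sides disagree on where the ESP proposal comes from: HEAD keeps `/* TODO: read proposal from db */` with `proposal_create_default(PROTO_ESP)`, whereas upstream calls `add_esp_proposals(this, child_cfg, id)`. That is a policy difference, not a style one — resolving to HEAD would silently discard any cipher restrictions an administrator stored in the database and fall back to the built-in default proposal. The upstream `child_cfg_create(name, &lft, updown, hostaccess, mode, start, dpd, close, ipcomp, 0, reqid, NULL, NULL, 0)` also depends on the `start` and `reqid` locals that only the upstream prologue (previous hunk) declares, so the two hunks have to be resolved to the same side.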
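Review bot: The `add_child_cfgs` query conflict selects eleven columns on the HEAD side and thirteen on the upstream side (`start_action` and `reqid` added), with matching `DB_INT`/`DB_TEXT` type lists, and the consumer `build_child_cfg` has a corresponding eleven- versus thirteen-pointer `enumerate()` call in the hunks above; the column list, the type list and the enumerate arguments must all be resolved to the same side or rows will be decoded into the wrong variables. The query itself is parameterized (`WHERE peer_cfg = ?` with `DB_INT, id`), so there is no injection concern here. A one-line comment above the query, `/* column order must match build_child_cfg()'s enumerate() call */`, would make the coupling visible to the next person editing either end.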
@@ -209,6 +249,9 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id) } /** +<<<<<<< HEAD + * build a ike configuration from a SQL query +======= * Add IKE proposals to an IKE config */ static void add_ike_proposals(private_sql_config_t *this, @@ -247,27 +290,44 @@ static void add_ike_proposals(private_sql_config_t *this, /** * Build an IKE config from an SQL query +>>>>>>> upstream/4.5.1 */ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e, host_t *my_host, host_t *other_host) { +<<<<<<< HEAD + int certreq, force_encap; + char *local, *remote; + + while (e->enumerate(e, &certreq, &force_encap, &local, &remote)) +======= int id, certreq, force_encap; char *local, *remote; while (e->enumerate(e, &id, &certreq, &force_encap, &local, &remote)) +>>>>>>> upstream/4.5.1 { ike_cfg_t *ike_cfg; ike_cfg = ike_cfg_create(certreq, force_encap, local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT); +<<<<<<< HEAD + /* TODO: read proposal from db */ + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); +======= add_ike_proposals(this, ike_cfg, id); +>>>>>>> upstream/4.5.1 return ike_cfg; } return NULL; } /** +<<<<<<< HEAD + * Query a IKE config by its id +======= * Query an IKE config by its id +>>>>>>> upstream/4.5.1 */ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) { @@ -275,10 +335,17 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) ike_cfg_t *ike_cfg = NULL; e = this->db->query(this->db, +<<<<<<< HEAD + "SELECT certreq, force_encap, local, remote " + "FROM ike_configs WHERE id = ?", + DB_INT, id, + DB_INT, DB_INT, DB_TEXT, DB_TEXT); +======= "SELECT id, certreq, force_encap, local, remote " "FROM ike_configs WHERE id = ?", DB_INT, id, DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT); +>>>>>>> upstream/4.5.1 if (e) { ike_cfg = build_ike_cfg(this, e, NULL, NULL); 
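Review bot: In the `build_ike_cfg` hunk the HEAD side enumerates four columns (`&certreq, &force_encap, &local, &remote`) while upstream enumerates five with a leading `&id`, and the `get_ike_cfg_by_id` hunk below carries the matching `SELECT certreq, ...` versus `SELECT id, certreq, ...` pair; these conflicts must be resolved together, since `enumerate()` writes the row positionally and a four-column query feeding a five-pointer enumerate leaves `remote` reading past the row. The choice is also policy-bearing: HEAD hard-codes `proposal_create_default(PROTO_IKE)` under `/* TODO: read proposal from db */`, whereas upstream's `add_ike_proposals(this, ike_cfg, id)` honours the IKE proposals stored per config, so taking HEAD would silently ignore database-configured cipher restrictions. The `ike_cfg_create()` call with `IKEV2_UDP_PORT` is context and unaffected by either side.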
@@ -321,7 +388,11 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id) } /** +<<<<<<< HEAD + * build a peer configuration from a SQL query +======= * Build a peer config from an SQL query +>>>>>>> upstream/4.5.1 */ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, identification_t *me, identification_t *other) @@ -400,8 +471,15 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, return NULL; } +<<<<<<< HEAD +/** + * implements backend_t.get_peer_cfg_by_name. + */ +static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name) +======= METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, private_sql_config_t *this, char *name) +>>>>>>> upstream/4.5.1 { enumerator_t *e; peer_cfg_t *peer_cfg = NULL; @@ -471,8 +549,16 @@ static void ike_enumerator_destroy(ike_enumerator_t *this) free(this); } +<<<<<<< HEAD +/** + * Implementation of backend_t.create_ike_cfg_enumerator. + */ +static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this, + host_t *me, host_t *other) +======= METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, private_sql_config_t *this, host_t *me, host_t *other) +>>>>>>> upstream/4.5.1 { ike_enumerator_t *e = malloc_thing(ike_enumerator_t); @@ -484,9 +570,15 @@ METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, e->public.destroy = (void*)ike_enumerator_destroy; e->inner = this->db->query(this->db, +<<<<<<< HEAD + "SELECT certreq, force_encap, local, remote " + "FROM ike_configs", + DB_INT, DB_INT, DB_TEXT, DB_TEXT); +======= "SELECT id, certreq, force_encap, local, remote " "FROM ike_configs", DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT); +>>>>>>> upstream/4.5.1 if (!e->inner) { free(e); 
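Review bot: The `create_ike_cfg_enumerator` query conflict (`SELECT certreq, force_encap, local, remote` versus `SELECT id, certreq, force_encap, local, remote`) feeds the same `build_ike_cfg()` that the earlier hunks leave with a four- or five-argument `enumerate()`, so this query, `get_ike_cfg_by_id`'s query and `build_ike_cfg` must all land on one side; the type list `DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT` is the upstream one and would need trimming if HEAD were kept. The `malloc_thing(ike_enumerator_t)` followed by the `if (!e->inner) { free(e); ... }` path is context and already handles query failure. The other two conflicts in this span (`get_peer_cfg_by_name` and the `METHOD(backend_t, create_ike_cfg_enumerator, ...)` header) are only the old `static` form versus the `METHOD` macro and carry no behavioural difference.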
@@ -536,8 +628,17 @@ static void peer_enumerator_destroy(peer_enumerator_t *this) free(this); } +<<<<<<< HEAD +/** + * Implementation of backend_t.create_peer_cfg_enumerator. + */ +static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this, + identification_t *me, + identification_t *other) +======= METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, private_sql_config_t *this, identification_t *me, identification_t *other) +>>>>>>> upstream/4.5.1 { peer_enumerator_t *e = malloc_thing(peer_enumerator_t); @@ -574,8 +675,15 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, return &e->public; } +<<<<<<< HEAD +/** + * Implementation of sql_config_t.destroy. + */ +static void destroy(private_sql_config_t *this) +======= METHOD(sql_config_t, destroy, void, private_sql_config_t *this) +>>>>>>> upstream/4.5.1 { free(this); } @@ -585,6 +693,16 @@ METHOD(sql_config_t, destroy, void, */ sql_config_t *sql_config_create(database_t *db) { +<<<<<<< HEAD + private_sql_config_t *this = malloc_thing(private_sql_config_t); + + this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; + this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; + this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; + this->public.destroy = (void(*)(sql_config_t*))destroy; + + this->db = db; +======= private_sql_config_t *this; INIT(this, @@ -598,6 +716,7 @@ sql_config_t *sql_config_create(database_t *db) }, .db = db ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/plugins/sql/sql_cred.c b/src/libcharon/plugins/sql/sql_cred.c index 117eec921..a72450f27 100644 --- a/src/libcharon/plugins/sql/sql_cred.c +++ b/src/libcharon/plugins/sql/sql_cred.c 
@@ -1,5 +1,8 @@ /* +<<<<<<< HEAD +======= * Copyright (C) 2010 Tobias Brunner +>>>>>>> upstream/4.5.1 * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -38,7 +41,10 @@ struct private_sql_cred_t { database_t *db; }; +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 /** * enumerator over private keys */ @@ -51,8 +57,16 @@ typedef struct { private_key_t *current; } private_enumerator_t; +<<<<<<< HEAD +/** + * Implementation of private_enumerator_t.public.enumerate + */ +static bool private_enumerator_enumerate(private_enumerator_t *this, + private_key_t **key) +======= METHOD(enumerator_t, private_enumerator_enumerate, bool, private_enumerator_t *this, private_key_t **key) +>>>>>>> upstream/4.5.1 { chunk_t blob; int type; @@ -61,7 +75,11 @@ METHOD(enumerator_t, private_enumerator_enumerate, bool, while (this->inner->enumerate(this->inner, &type, &blob)) { this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, +<<<<<<< HEAD + BUILD_BLOB_ASN1_DER, blob, +======= BUILD_BLOB_PEM, blob, +>>>>>>> upstream/4.5.1 BUILD_END); if (this->current) { 
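Review bot: The `private_enumerator_enumerate` hunk in sql_cred.c leaves a conflict between `BUILD_BLOB_ASN1_DER` and `BUILD_BLOB_PEM` for the key blob read from the database, and this is not cosmetic: the two builders expect different encodings of the stored key, and if the chosen one does not match what the `private_keys` rows actually contain, `lib->creds->create()` returns NULL and the `if (this->current)` guard simply skips the key with no error reported, so authentication fails silently. Resolve to whichever encoding the schema and fixtures in this tree store (upstream 4.5.1 uses PEM; whether that builder also accepts raw DER depends on the pem plugin and should be verified), and consider logging the NULL path, e.g. `DBG1(DBG_CFG, "loading private key from database failed");`, so a mismatch is diagnosable. The function body continues past the hunk.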
@@ -73,14 +91,36 @@ METHOD(enumerator_t, private_enumerator_enumerate, bool, return FALSE; } +<<<<<<< HEAD +/** + * Implementation of private_enumerator_t.public.destroy + */ +static void private_enumerator_destroy(private_enumerator_t *this) +======= METHOD(enumerator_t, private_enumerator_destroy, void, private_enumerator_t *this) +>>>>>>> upstream/4.5.1 { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } +<<<<<<< HEAD +/** + * Implementation of credential_set_t.create_private_enumerator. + */ +static enumerator_t* create_private_enumerator(private_sql_cred_t *this, + key_type_t type, + identification_t *id) +{ + private_enumerator_t *e; + + e = malloc_thing(private_enumerator_t); + e->current = NULL; + e->public.enumerate = (void*)private_enumerator_enumerate; + e->public.destroy = (void*)private_enumerator_destroy; +======= METHOD(credential_set_t, create_private_enumerator, enumerator_t*, private_sql_cred_t *this, key_type_t type, identification_t *id) { @@ -92,6 +132,7 @@ METHOD(credential_set_t, create_private_enumerator, enumerator_t*, .destroy = _private_enumerator_destroy, }, ); +>>>>>>> upstream/4.5.1 if (id && id->get_type(id) != ID_ANY) { e->inner = this->db->query(this->db, @@ -118,7 +159,10 @@ METHOD(credential_set_t, create_private_enumerator, enumerator_t*, return &e->public; } +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 /** * enumerator over certificates */ @@ -131,8 +175,16 @@ typedef struct { certificate_t *current; } cert_enumerator_t; +<<<<<<< HEAD +/** + * Implementation of cert_enumerator_t.public.enumerate + */ +static bool cert_enumerator_enumerate(cert_enumerator_t *this, + certificate_t **cert) +======= METHOD(enumerator_t, cert_enumerator_enumerate, bool, cert_enumerator_t *this, certificate_t **cert) +>>>>>>> upstream/4.5.1 { chunk_t blob; int type; 
@@ -141,7 +193,11 @@ METHOD(enumerator_t, cert_enumerator_enumerate, bool, while (this->inner->enumerate(this->inner, &type, &blob)) { this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, +<<<<<<< HEAD + BUILD_BLOB_ASN1_DER, blob, +======= BUILD_BLOB_PEM, blob, +>>>>>>> upstream/4.5.1 BUILD_END); if (this->current) { @@ -153,14 +209,36 @@ METHOD(enumerator_t, cert_enumerator_enumerate, bool, return FALSE; } +<<<<<<< HEAD +/** + * Implementation of cert_enumerator_t.public.destroy + */ +static void cert_enumerator_destroy(cert_enumerator_t *this) +======= METHOD(enumerator_t, cert_enumerator_destroy, void, cert_enumerator_t *this) +>>>>>>> upstream/4.5.1 { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } +<<<<<<< HEAD +/** + * Implementation of credential_set_t.create_cert_enumerator. + */ +static enumerator_t* create_cert_enumerator(private_sql_cred_t *this, + certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + cert_enumerator_t *e; + + e = malloc_thing(cert_enumerator_t); + e->current = NULL; + e->public.enumerate = (void*)cert_enumerator_enumerate; + e->public.destroy = (void*)cert_enumerator_destroy; +======= METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, private_sql_cred_t *this, certificate_type_t cert, key_type_t key, identification_t *id, bool trusted) @@ -173,6 +251,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, .destroy = _cert_enumerator_destroy, }, ); +>>>>>>> upstream/4.5.1 if (id && id->get_type(id) != ID_ANY) { e->inner = this->db->query(this->db, @@ -203,7 +282,10 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, return &e->public; } +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 /** * enumerator over shared keys */ 
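Review bot: The `cert_enumerator_enumerate` hunk has the same `BUILD_BLOB_ASN1_DER` versus `BUILD_BLOB_PEM` conflict as the private-key enumerator above, and the two must be resolved identically; a certificate that fails to parse is dropped silently by the `if (this->current)` guard, which for a trusted CA certificate means the chain simply stops validating rather than erroring. Whichever encoding is chosen should match the `certificates` table contents in this tree and be stated once in a comment near the query, e.g. `/* data column holds PEM-encoded certificates */`. The `create_cert_enumerator` conflict below it is only the `malloc_thing` versus `INIT` form of the same initialisation.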
@@ -220,9 +302,18 @@ typedef struct { shared_key_t *current; } shared_enumerator_t; +<<<<<<< HEAD +/** + * Implementation of shared_enumerator_t.public.enumerate + */ +static bool shared_enumerator_enumerate(shared_enumerator_t *this, + shared_key_t **shared, + id_match_t *me, id_match_t *other) +======= METHOD(enumerator_t, shared_enumerator_enumerate, bool, shared_enumerator_t *this, shared_key_t **shared, id_match_t *me, id_match_t *other) +>>>>>>> upstream/4.5.1 { chunk_t blob; int type; @@ -249,14 +340,38 @@ METHOD(enumerator_t, shared_enumerator_enumerate, bool, return FALSE; } +<<<<<<< HEAD +/** + * Implementation of shared_enumerator_t.public.destroy + */ +static void shared_enumerator_destroy(shared_enumerator_t *this) +======= METHOD(enumerator_t, shared_enumerator_destroy, void, shared_enumerator_t *this) +>>>>>>> upstream/4.5.1 { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } +<<<<<<< HEAD +/** + * Implementation of credential_set_t.create_shared_enumerator. + */ +static enumerator_t* create_shared_enumerator(private_sql_cred_t *this, + shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_enumerator_t *e; + + e = malloc_thing(shared_enumerator_t); + e->me = me; + e->other = other; + e->current = NULL; + e->public.enumerate = (void*)shared_enumerator_enumerate; + e->public.destroy = (void*)shared_enumerator_destroy; +======= METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, private_sql_cred_t *this, shared_key_type_t type, identification_t *me, identification_t *other) @@ -271,6 +386,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, .me = me, .other = other, ); +>>>>>>> upstream/4.5.1 if (!me && !other) { e->inner = this->db->query(this->db, 
@@ -314,6 +430,12 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, return &e->public; } +<<<<<<< HEAD +/** + * Implementation of credential_set_t.cache_cert. + */ +static void cache_cert(private_sql_cred_t *this, certificate_t *cert) +======= /** * enumerator over CDPs @@ -419,21 +541,44 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, METHOD(credential_set_t, cache_cert, void, private_sql_cred_t *this, certificate_t *cert) +>>>>>>> upstream/4.5.1 { /* TODO: implement CRL caching to database */ } +<<<<<<< HEAD +/** + * Implementation of sql_cred_t.destroy. + */ +static void destroy(private_sql_cred_t *this) +{ + free(this); +} +======= METHOD(sql_cred_t, destroy, void, private_sql_cred_t *this) { free(this); } +>>>>>>> upstream/4.5.1 /** * Described in header. */ sql_cred_t *sql_cred_create(database_t *db) { +<<<<<<< HEAD + private_sql_cred_t *this = malloc_thing(private_sql_cred_t); + + this->public.set.create_private_enumerator = (void*)create_private_enumerator; + this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; + this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; + this->public.set.create_cdp_enumerator = (void*)return_null; + this->public.set.cache_cert = (void*)cache_cert; + this->public.destroy = (void(*)(sql_cred_t*))destroy; + + this->db = db; +======= private_sql_cred_t *this; INIT(this, @@ -449,6 +594,7 @@ sql_cred_t *sql_cred_create(database_t *db) }, .db = db, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c index ad1eb91b1..49b48c7f4 100644 --- a/src/libcharon/plugins/sql/sql_plugin.c +++ b/src/libcharon/plugins/sql/sql_plugin.c 
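Review bot: In the `sql_cred_create` hunk the HEAD side wires `this->public.set.create_cdp_enumerator = (void*)return_null;` while upstream 4.5.1 registers a real `create_cdp_enumerator` whose body appears in the `@@ -419,21 +541,44 @@` hunk above; taking HEAD would silently drop CRL/OCSP distribution-point lookup from the database and weaken revocation checking with no warning at runtime. The preserved `/* TODO: implement CRL caching to database */` in `cache_cert` is worth noting too: this credential set never persists fetched CRLs, so revocation data is re-fetched or lost on restart unless another set caches it. The `destroy` conflict is only the `METHOD` macro form and has no behavioural difference.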
@@ -53,8 +53,15 @@ struct private_sql_plugin_t { sql_logger_t *logger; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_sql_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_sql_plugin_t *this) +>>>>>>> upstream/4.5.1 { charon->backends->remove_backend(charon->backends, &this->config->backend); lib->credmgr->remove_set(lib->credmgr, &this->cred->set); @@ -81,6 +88,13 @@ plugin_t *sql_plugin_create() return NULL; } +<<<<<<< HEAD + this = malloc_thing(private_sql_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + this->db = lib->db->create(lib->db, uri); +======= INIT(this, .public = { .plugin = { @@ -90,6 +104,7 @@ plugin_t *sql_plugin_create() .db = lib->db->create(lib->db, uri), ); +>>>>>>> upstream/4.5.1 if (!this->db) { DBG1(DBG_CFG, "sql plugin failed to connect to database"); diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am index e561224e9..29f680174 100644 --- a/src/libcharon/plugins/stroke/Makefile.am +++ b/src/libcharon/plugins/stroke/Makefile.am @@ -21,6 +21,11 @@ libstrongswan_stroke_la_SOURCES = \ stroke_cred.h stroke_cred.c \ stroke_ca.h stroke_ca.c \ stroke_attribute.h stroke_attribute.c \ +<<<<<<< HEAD + stroke_list.h stroke_list.c \ + stroke_shared_key.h stroke_shared_key.c +======= stroke_list.h stroke_list.c +>>>>>>> upstream/4.5.1 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index ccf3eeede..3649c8ee9 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in 
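Review bot: The stroke Makefile.am source-list conflict keeps `stroke_shared_key.h stroke_shared_key.c` on the HEAD side while upstream 4.5.1 drops them; the resolution must agree with whether those files still exist in the tree and whether any remaining stroke source still references a `stroke_shared_key_*` symbol, otherwise the plugin fails at compile or link time. The same list is duplicated in the generated Makefile.in hunks that follow, which should be regenerated with automake from the resolved Makefile.am rather than hand-edited.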
@@ -77,7 +77,11 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_stroke_la_LIBADD = am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \ stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \ +<<<<<<< HEAD + stroke_attribute.lo stroke_list.lo stroke_shared_key.lo +======= stroke_attribute.lo stroke_list.lo +>>>>>>> upstream/4.5.1 libstrongswan_stroke_la_OBJECTS = \ $(am_libstrongswan_stroke_la_OBJECTS) libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -223,7 +227,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +272,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -292,7 +305,12 @@ libstrongswan_stroke_la_SOURCES = \ stroke_cred.h stroke_cred.c \ stroke_ca.h stroke_ca.c \ stroke_attribute.h stroke_attribute.c \ +<<<<<<< HEAD + stroke_list.h stroke_list.c \ + stroke_shared_key.h stroke_shared_key.c +======= stroke_list.h stroke_list.c +>>>>>>> upstream/4.5.1 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version all: all-am 
@@ -385,6 +403,10 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@ +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_shared_key.Plo@am__quote@ +======= +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@ .c.o: diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c index 69e13deb9..57126053b 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.c +++ b/src/libcharon/plugins/stroke/stroke_ca.c @@ -113,7 +113,10 @@ static void ca_section_destroy(ca_section_t *this) this->crl->destroy_function(this->crl, free); this->ocsp->destroy_function(this->ocsp, free); this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy)); +<<<<<<< HEAD +======= this->cert->destroy(this->cert); +>>>>>>> upstream/4.5.1 free(this->certuribase); free(this->name); free(this); @@ -208,8 +211,16 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data return enumerator; } +<<<<<<< HEAD +/** + * Implementation of credential_set_t.create_cdp_enumerator. + */ +static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this, + certificate_type_t type, identification_t *id) +======= METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, private_stroke_ca_t *this, certificate_type_t type, identification_t *id) +>>>>>>> upstream/4.5.1 { cdp_data_t *data; 
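Review bot: The `ca_section_destroy` hunk in stroke_ca.c leaves `this->cert->destroy(this->cert);` as a conflict with an empty HEAD side, and the right resolution depends on ownership that is not visible here: if `ca_section_create` takes its own reference to the CA certificate (as upstream 4.5.1 evidently assumes), omitting the destroy leaks one certificate per `ipsec.conf` CA section on every reload, whereas if this tree's section still borrows the pointer from `stroke_cred`, keeping the line is a double free. Check the matching `ca_section_create`/`add` code before resolving, and document the decision on the field, e.g. `/* own reference, released in ca_section_destroy() */`. The other conflicts in this span are the `static` versus `METHOD` macro form only.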
@@ -233,9 +244,16 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp, data, (void*)cdp_data_destroy); } +<<<<<<< HEAD +/** + * Implementation of stroke_ca_t.add. + */ +static void add(private_stroke_ca_t *this, stroke_msg_t *msg) +======= METHOD(stroke_ca_t, add, void, private_stroke_ca_t *this, stroke_msg_t *msg) +>>>>>>> upstream/4.5.1 { certificate_t *cert; ca_section_t *ca; @@ -276,8 +294,15 @@ METHOD(stroke_ca_t, add, void, } } +<<<<<<< HEAD +/** + * Implementation of stroke_ca_t.del. + */ +static void del(private_stroke_ca_t *this, stroke_msg_t *msg) +======= METHOD(stroke_ca_t, del, void, private_stroke_ca_t *this, stroke_msg_t *msg) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; ca_section_t *ca = NULL; @@ -331,8 +356,15 @@ static void list_uris(linked_list_t *list, char *label, FILE *out) enumerator->destroy(enumerator); } +<<<<<<< HEAD +/** + * Implementation of stroke_ca_t.check_for_hash_and_url. + */ +static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert) +======= METHOD(stroke_ca_t, check_for_hash_and_url, void, private_stroke_ca_t *this, certificate_t* cert) +>>>>>>> upstream/4.5.1 { ca_section_t *section; enumerator_t *enumerator; @@ -369,8 +401,15 @@ METHOD(stroke_ca_t, check_for_hash_and_url, void, hasher->destroy(hasher); } +<<<<<<< HEAD +/** + * Implementation of stroke_ca_t.list. + */ +static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_ca_t, list, void, private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { bool first = TRUE; ca_section_t *section; 
@@ -417,8 +456,15 @@ METHOD(stroke_ca_t, list, void, this->lock->unlock(this->lock); } +<<<<<<< HEAD +/** + * Implementation of stroke_ca_t.destroy + */ +static void destroy(private_stroke_ca_t *this) +======= METHOD(stroke_ca_t, destroy, void, private_stroke_ca_t *this) +>>>>>>> upstream/4.5.1 { this->sections->destroy_function(this->sections, (void*)ca_section_destroy); this->lock->destroy(this->lock); @@ -430,6 +476,24 @@ METHOD(stroke_ca_t, destroy, void, */ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) { +<<<<<<< HEAD + private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t); + + this->public.set.create_private_enumerator = (void*)return_null; + this->public.set.create_cert_enumerator = (void*)return_null; + this->public.set.create_shared_enumerator = (void*)return_null; + this->public.set.create_cdp_enumerator = (void*)create_cdp_enumerator; + this->public.set.cache_cert = (void*)nop; + this->public.add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add; + this->public.del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del; + this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list; + this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url; + this->public.destroy = (void(*)(stroke_ca_t*))destroy; + + this->sections = linked_list_create(); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + this->cred = cred; +======= private_stroke_ca_t *this; INIT(this, @@ -451,6 +515,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), .cred = cred, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index ea7d17592..11822a3bc 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c 
@@ -53,8 +53,17 @@ struct private_stroke_config_t { stroke_cred_t *cred; }; +<<<<<<< HEAD +/** + * Implementation of backend_t.create_peer_cfg_enumerator. + */ +static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this, + identification_t *me, + identification_t *other) +======= METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, private_stroke_config_t *this, identification_t *me, identification_t *other) +>>>>>>> upstream/4.5.1 { this->mutex->lock(this->mutex); return enumerator_create_cleaner(this->list->create_enumerator(this->list), @@ -70,8 +79,16 @@ static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out) return TRUE; } +<<<<<<< HEAD +/** + * Implementation of backend_t.create_ike_cfg_enumerator. + */ +static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this, + host_t *me, host_t *other) +======= METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, private_stroke_config_t *this, host_t *me, host_t *other) +>>>>>>> upstream/4.5.1 { this->mutex->lock(this->mutex); return enumerator_create_filter(this->list->create_enumerator(this->list), @@ -79,8 +96,15 @@ METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, (void*)this->mutex->unlock); } +<<<<<<< HEAD +/** + * implements backend_t.get_peer_cfg_by_name. + */ +static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *name) +======= METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, private_stroke_config_t *this, char *name) +>>>>>>> upstream/4.5.1 { enumerator_t *e1, *e2; peer_cfg_t *current, *found = NULL; 
@@ -429,6 +453,15 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator->destroy(enumerator); } +<<<<<<< HEAD + /* authentication metod (class, actually) */ + if (streq(auth, "pubkey") || + streq(auth, "rsasig") || streq(auth, "rsa") || + streq(auth, "ecdsasig") || streq(auth, "ecdsa")) + { + cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + build_crl_policy(cfg, local, msg->add_conn.crl_policy); +======= /* certificatePolicies */ if (end->cert_policy) { @@ -461,6 +494,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, { cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength); } +>>>>>>> upstream/4.5.1 } else if (streq(auth, "psk") || streq(auth, "secret")) { @@ -824,9 +858,15 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, child_cfg = child_cfg_create( msg->add_conn.name, &lifetime, msg->add_conn.me.updown, msg->add_conn.me.hostaccess, +<<<<<<< HEAD + msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, + msg->add_conn.inactivity, msg->add_conn.reqid, + &mark_in, &mark_out); +======= msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp, msg->add_conn.inactivity, msg->add_conn.reqid, &mark_in, &mark_out, msg->add_conn.tfc); +>>>>>>> upstream/4.5.1 child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); @@ -837,8 +877,15 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, return child_cfg; } +<<<<<<< HEAD +/** + * Implementation of stroke_config_t.add. + */ +static void add(private_stroke_config_t *this, stroke_msg_t *msg) +======= METHOD(stroke_config_t, add, void, private_stroke_config_t *this, stroke_msg_t *msg) +>>>>>>> upstream/4.5.1 { ike_cfg_t *ike_cfg, *existing_ike; peer_cfg_t *peer_cfg, *existing; 
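Review bot: In the HEAD block of this hunk the pubkey branch is opened a second time — `if (streq(auth, "pubkey") || ... ) { cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); build_crl_policy(cfg, local, msg->add_conn.crl_policy);` — while the upstream side continues with `/* certificatePolicies */` inside a branch that appears to be already open above the hunk (the `} else if (streq(auth, "psk") || streq(auth, "secret"))` closing it is visible in the next hunk). Keeping both halves would nest two pubkey branches and leave the auth class and CRL policy added twice or in the wrong scope; since `AUTH_RULE_AUTH_CLASS` decides which credential types are accepted from the peer, this needs a deliberate resolution rather than a textual merge. Keep the upstream side here and confirm that the 4.5.1 branch head above the hunk still calls `build_crl_policy`; the HEAD comment also misspells `method` as `metod`. build_auth_cfg starts and ends outside this hunk.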
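Review bot: The two `child_cfg_create(...)` calls in the `@@ -824` hunk have different arities — the HEAD side passes `msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, msg->add_conn.inactivity, msg->add_conn.reqid, &mark_in, &mark_out);` while the upstream side inserts `ACTION_NONE` after `mode` and appends `msg->add_conn.tfc`. Only one of them can match the child_cfg_create prototype shipped with 4.5.1, so resolving this hunk toward HEAD would fail to compile, and no combination of the two lists is correct. Keep the upstream call, `msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp,` / `msg->add_conn.inactivity, msg->add_conn.reqid, &mark_in, &mark_out, msg->add_conn.tfc);`. build_child_cfg starts outside the hunk.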
@@ -898,8 +945,15 @@ METHOD(stroke_config_t, add, void, } } +<<<<<<< HEAD +/** + * Implementation of stroke_config_t.del. + */ +static void del(private_stroke_config_t *this, stroke_msg_t *msg) +======= METHOD(stroke_config_t, del, void, private_stroke_config_t *this, stroke_msg_t *msg) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator, *children; peer_cfg_t *peer; @@ -950,8 +1004,15 @@ METHOD(stroke_config_t, del, void, } } +<<<<<<< HEAD +/** + * Implementation of stroke_config_t.destroy + */ +static void destroy(private_stroke_config_t *this) +======= METHOD(stroke_config_t, destroy, void, private_stroke_config_t *this) +>>>>>>> upstream/4.5.1 { this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy)); this->mutex->destroy(this->mutex); @@ -963,6 +1024,21 @@ METHOD(stroke_config_t, destroy, void, */ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) { +<<<<<<< HEAD + private_stroke_config_t *this = malloc_thing(private_stroke_config_t); + + this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; + this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; + this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; + this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add; + this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del; + this->public.destroy = (void(*)(stroke_config_t*))destroy; + + this->list = linked_list_create(); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); + this->ca = ca; + this->cred = cred; +======= private_stroke_config_t *this; INIT(this, @@ -981,6 +1057,7 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) .ca = ca, .cred = cred, ); +>>>>>>> upstream/4.5.1 return &this->public; } 
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 3541ab8f9..03ba4c305 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -17,8 +17,11 @@ #include <daemon.h> #include <processing/jobs/delete_ike_sa_job.h> +<<<<<<< HEAD +======= #include <processing/jobs/rekey_ike_sa_job.h> #include <processing/jobs/rekey_child_sa_job.h> +>>>>>>> upstream/4.5.1 typedef struct private_stroke_control_t private_stroke_control_t; @@ -92,8 +95,15 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name) return found; } +<<<<<<< HEAD +/** + * Implementation of stroke_control_t.initiate. + */ +static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_control_t, initiate, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; @@ -137,6 +147,23 @@ METHOD(stroke_control_t, initiate, void, } /** +<<<<<<< HEAD + * Implementation of stroke_control_t.terminate. + */ +static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +{ + char *string, *pos = NULL, *name = NULL; + u_int32_t id = 0; + bool child, all = FALSE; + int len; + ike_sa_t *ike_sa; + enumerator_t *enumerator; + linked_list_t *ike_list, *child_list; + stroke_log_info_t info; + uintptr_t del; + + string = msg->terminate.name; +======= * Parse a terminate/rekey specifier */ static bool parse_specifier(char *string, u_int32_t *id, 
@@ -148,15 +175,37 @@ static bool parse_specifier(char *string, u_int32_t *id, *id = 0; *name = NULL; *all = FALSE; +>>>>>>> upstream/4.5.1 len = strlen(string); if (len < 1) { +<<<<<<< HEAD + DBG1(DBG_CFG, "error parsing string"); + return; +======= return FALSE; +>>>>>>> upstream/4.5.1 } switch (string[len-1]) { case '}': +<<<<<<< HEAD + child = TRUE; + pos = strchr(string, '{'); + break; + case ']': + child = FALSE; + pos = strchr(string, '['); + break; + default: + name = string; + child = FALSE; + break; + } + + if (name) +======= *child = TRUE; pos = strchr(string, '{'); break; @@ -171,18 +220,44 @@ static bool parse_specifier(char *string, u_int32_t *id, } if (*name) +>>>>>>> upstream/4.5.1 { /* is a single name */ } else if (pos == string + len - 2) { /* is name[] or name{} */ string[len-2] = '\0'; +<<<<<<< HEAD + name = string; +======= *name = string; +>>>>>>> upstream/4.5.1 } else { if (!pos) { +<<<<<<< HEAD + DBG1(DBG_CFG, "error parsing string"); + return; + } + if (*(pos + 1) == '*') + { /* is name[*] */ + all = TRUE; + *pos = '\0'; + name = string; + } + else + { /* is name[123] or name{23} */ + id = atoi(pos + 1); + if (id == 0) + { + DBG1(DBG_CFG, "error parsing string"); + return; + } + } + } +======= return FALSE; } if (*(pos + 1) == '*') @@ -220,6 +295,7 @@ METHOD(stroke_control_t, terminate, void, DBG1(DBG_CFG, "error parsing specifier string"); return; } +>>>>>>> upstream/4.5.1 info.out = out; info.level = msg->output_verbosity; @@ -306,6 +382,13 @@ METHOD(stroke_control_t, terminate, void, child_list->destroy(child_list); } +<<<<<<< HEAD +/** + * Implementation of stroke_control_t.terminate_srcip. + */ +static void terminate_srcip(private_stroke_control_t *this, + stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_control_t, rekey, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { 
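Review bot: The HEAD side of this hunk is the body of the old void `terminate()` (declared in the previous hunk with locals `child`, `name`, `all` and `id`), but the enclosing function on the new side is `static bool parse_specifier(char *string, u_int32_t *id, ...)` whose outputs are pointer parameters — so the HEAD lines `return;`, `child = TRUE;`, `name = string;` and `id = atoi(pos + 1);` cannot be kept in the merged function without changing its return type and writing through the wrong variables. Resolve the whole terminate/parse_specifier region (this hunk, the previous one and the next two) to the upstream/4.5.1 side, which returns `FALSE` on malformed input and lets `terminate` log `error parsing specifier string`. On either side the `atoi(pos + 1)` / `id == 0` check accepts trailing garbage in an SA specifier such as `name[12x]`; a `strtoul` with an end-pointer check would reject it, although that behaviour predates this commit. parse_specifier starts in the previous hunk and its caller continues past this one.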
@@ -368,6 +451,7 @@ METHOD(stroke_control_t, rekey, void, METHOD(stroke_control_t, terminate_srcip, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -432,8 +516,15 @@ METHOD(stroke_control_t, terminate_srcip, void, DESTROY_IF(end); } +<<<<<<< HEAD +/** + * Implementation of stroke_control_t.purge_ike + */ +static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_control_t, purge_ike, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; iterator_t *iterator; @@ -470,8 +561,15 @@ METHOD(stroke_control_t, purge_ike, void, list->destroy(list); } +<<<<<<< HEAD +/** + * Implementation of stroke_control_t.route. + */ +static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_control_t, route, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; @@ -509,8 +607,15 @@ METHOD(stroke_control_t, route, void, child_cfg->destroy(child_cfg); } +<<<<<<< HEAD +/** + * Implementation of stroke_control_t.unroute. + */ +static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_control_t, unroute, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { child_sa_t *child_sa; enumerator_t *enumerator; @@ -532,8 +637,15 @@ METHOD(stroke_control_t, unroute, void, fprintf(out, "configuration '%s' not found\n", msg->unroute.name); } +<<<<<<< HEAD +/** + * Implementation of stroke_control_t.destroy + */ +static void destroy(private_stroke_control_t *this) +======= METHOD(stroke_control_t, destroy, void, private_stroke_control_t *this) +>>>>>>> upstream/4.5.1 { free(this); } 
@@ -543,6 +655,17 @@ METHOD(stroke_control_t, destroy, void, */ stroke_control_t *stroke_control_create() { +<<<<<<< HEAD + private_stroke_control_t *this = malloc_thing(private_stroke_control_t); + + this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate; + this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate; + this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip; + this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike; + this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route; + this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute; + this->public.destroy = (void(*)(stroke_control_t*))destroy; +======= private_stroke_control_t *this; INIT(this, @@ -557,6 +680,7 @@ stroke_control_t *stroke_control_create() .destroy = _destroy, }, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_control.h b/src/libcharon/plugins/stroke/stroke_control.h index 869aab3d3..e4d67023a 100644 --- a/src/libcharon/plugins/stroke/stroke_control.h +++ b/src/libcharon/plugins/stroke/stroke_control.h @@ -54,6 +54,8 @@ struct stroke_control_t { void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); /** +<<<<<<< HEAD +======= * Rekey a connection. * * @param msg stroke message @@ -61,6 +63,7 @@ struct stroke_control_t { void (*rekey)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); /** +>>>>>>> upstream/4.5.1 * Delete IKE_SAs without a CHILD_SA. * * @param msg stroke message diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 83e5a9ad6..6d9440778 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c 
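Review bot: In the stroke_control.h hunk the `void (*rekey)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);` member exists only on the upstream side of the conflict, so the header and stroke_control.c must be resolved together: the HEAD-side constructor in the `@@ -543` hunk (`malloc_thing` followed by explicit `this->public.initiate = ...` assignments) never sets `this->public.rekey`, and unless `malloc_thing` zeroes the allocation that slot would hold uninitialised memory that any caller of `rekey` would jump through. The upstream `INIT(this, ...)` block designated-initialises the struct and so avoids the problem. Keep the upstream side in both files and drop the marker lines.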
@@ -1,5 +1,9 @@ /* +<<<<<<< HEAD + * Copyright (C) 2008 Tobias Brunner +======= * Copyright (C) 2008-2010 Tobias Brunner +>>>>>>> upstream/4.5.1 * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -25,6 +29,10 @@ #include <unistd.h> #include "stroke_cred.h" +<<<<<<< HEAD +#include "stroke_shared_key.h" +======= +>>>>>>> upstream/4.5.1 #include <credentials/certificates/x509.h> #include <credentials/certificates/crl.h> @@ -63,9 +71,30 @@ struct private_stroke_cred_t { stroke_cred_t public; /** +<<<<<<< HEAD + * list of trusted peer/signer/CA certificates (certificate_t) + */ + linked_list_t *certs; + + /** + * list of shared secrets (private_shared_key_t) + */ + linked_list_t *shared; + + /** + * list of private keys (private_key_t) + */ + linked_list_t *private; + + /** + * read-write lock to lists + */ + rwlock_t *lock; +======= * credentials */ mem_cred_t *creds; +>>>>>>> upstream/4.5.1 /** * cache CRLs to disk? 
@@ -74,6 +103,240 @@ struct private_stroke_cred_t { }; /** +<<<<<<< HEAD + * data to pass to various filters + */ +typedef struct { + private_stroke_cred_t *this; + identification_t *id; + certificate_type_t cert; + key_type_t key; +} id_data_t; + +/** + * destroy id enumerator data and unlock list + */ +static void id_data_destroy(id_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * filter function for private key enumerator + */ +static bool private_filter(id_data_t *data, + private_key_t **in, private_key_t **out) +{ + private_key_t *key; + + key = *in; + if (data->key == KEY_ANY || data->key == key->get_type(key)) + { + if (data->id == NULL) + { + *out = key; + return TRUE; + } + if (key->has_fingerprint(key, data->id->get_encoding(data->id))) + { + *out = key; + return TRUE; + } + } + return FALSE; +} + +/** + * Implements credential_set_t.create_private_enumerator + */ +static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, + key_type_t type, identification_t *id) +{ + id_data_t *data; + + data = malloc_thing(id_data_t); + data->this = this; + data->id = id; + data->key = type; + + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->private->create_enumerator(this->private), + (void*)private_filter, data, + (void*)id_data_destroy); +} + +/** + * filter function for certs enumerator + */ +static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out) +{ + public_key_t *public; + certificate_t *cert = *in; + + if (data->cert != CERT_ANY && data->cert != cert->get_type(cert)) + { + return FALSE; + } + if (data->id == NULL || cert->has_subject(cert, data->id)) + { + *out = *in; + return TRUE; + } + + public = cert->get_public_key(cert); + if (public) + { + if (data->key == KEY_ANY || data->key != public->get_type(public)) + { + if (public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = *in; + return TRUE; + } 
+ } + public->destroy(public); + } + return FALSE; +} + +/** + * Implements credential_set_t.create_cert_enumerator + */ +static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, + certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + id_data_t *data; + + if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC)) + { + return NULL; + } + data = malloc_thing(id_data_t); + data->this = this; + data->id = id; + data->cert = cert; + data->key = key; + + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->certs->create_enumerator(this->certs), + (void*)certs_filter, data, + (void*)id_data_destroy); +} + +typedef struct { + private_stroke_cred_t *this; + identification_t *me; + identification_t *other; + shared_key_type_t type; +} shared_data_t; + +/** + * free shared key enumerator data and unlock list + */ +static void shared_data_destroy(shared_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * filter function for certs enumerator + */ +static bool shared_filter(shared_data_t *data, + stroke_shared_key_t **in, shared_key_t **out, + void **unused1, id_match_t *me, + void **unused2, id_match_t *other) +{ + id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE; + stroke_shared_key_t *stroke = *in; + shared_key_t *shared = &stroke->shared; + + if (data->type != SHARED_ANY && shared->get_type(shared) != data->type) + { + return FALSE; + } + + if (data->me) + { + my_match = stroke->has_owner(stroke, data->me); + } + if (data->other) + { + other_match = stroke->has_owner(stroke, data->other); + } + if ((data->me || data->other) && (!my_match && !other_match)) + { + return FALSE; + } + *out = shared; + if (me) + { + *me = my_match; + } + if (other) + { + *other = other_match; + } + return TRUE; +} + +/** + * Implements credential_set_t.create_shared_enumerator + */ +static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, + 
shared_key_type_t type, identification_t *me, + identification_t *other) +{ + shared_data_t *data = malloc_thing(shared_data_t); + + data->this = this; + data->me = me; + data->other = other; + data->type = type; + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->shared->create_enumerator(this->shared), + (void*)shared_filter, data, + (void*)shared_data_destroy); +} + +/** + * Add a certificate to chain + */ +static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert) +{ + certificate_t *current; + enumerator_t *enumerator; + bool new = TRUE; + + this->lock->read_lock(this->lock); + enumerator = this->certs->create_enumerator(this->certs); + while (enumerator->enumerate(enumerator, (void**)¤t)) + { + if (current->equals(current, cert)) + { + /* cert already in queue */ + cert->destroy(cert); + cert = current; + new = FALSE; + break; + } + } + enumerator->destroy(enumerator); + + if (new) + { + this->certs->insert_last(this->certs, cert); + } + this->lock->unlock(this->lock); + return cert; +} + +/** +======= +>>>>>>> upstream/4.5.1 * Implementation of stroke_cred_t.load_ca. */ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) 
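Review bot: Two of the HEAD-side helpers in this hunk are wrong on their own terms, which matters because they implement the certificate and key lookup used for trust decisions. `add_cert` takes `this->lock->read_lock(this->lock);` and then mutates the list with `this->certs->insert_last(this->certs, cert);`, whereas `add_crl` in the next hunk takes `write_lock` for the same kind of change; `add_cert` should use `this->lock->write_lock(this->lock);` as well, otherwise the insertion races with concurrent enumerators holding the read lock. In `certs_filter`, `if (data->key == KEY_ANY || data->key != public->get_type(public))` is the inverse of the test in `private_filter` (`data->key == key->get_type(key)`): when a specific key type is requested, certificates whose key type does match skip the fingerprint check and are rejected while non-matching types are fingerprint-checked, so it should read `data->key == public->get_type(public)`. The upstream side replaces this whole block with `mem_cred_t`, so the cleanest fix is to resolve toward upstream; if the HEAD block is kept, both corrections are needed.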
@@ -105,12 +368,92 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) cert->destroy(cert); return NULL; } +<<<<<<< HEAD + return (certificate_t*)add_cert(this, cert); +======= return this->creds->add_cert_ref(this->creds, TRUE, cert); +>>>>>>> upstream/4.5.1 } return NULL; } /** +<<<<<<< HEAD + * Add X.509 CRL to chain + */ +static bool add_crl(private_stroke_cred_t *this, crl_t* crl) +{ + certificate_t *current, *cert = &crl->certificate; + enumerator_t *enumerator; + bool new = TRUE, found = FALSE; + + this->lock->write_lock(this->lock); + enumerator = this->certs->create_enumerator(this->certs); + while (enumerator->enumerate(enumerator, (void**)¤t)) + { + if (current->get_type(current) == CERT_X509_CRL) + { + crl_t *crl_c = (crl_t*)current; + chunk_t authkey = crl->get_authKeyIdentifier(crl); + chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); + + /* if compare authorityKeyIdentifiers if available */ + if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c)) + { + found = TRUE; + } + else + { + identification_t *issuer = cert->get_issuer(cert); + identification_t *issuer_c = current->get_issuer(current); + + /* otherwise compare issuer distinguished names */ + if (issuer->equals(issuer, issuer_c)) + { + found = TRUE; + } + } + if (found) + { + new = crl_is_newer(crl, crl_c); + if (new) + { + this->certs->remove_at(this->certs, enumerator); + } + else + { + cert->destroy(cert); + } + break; + } + } + } + enumerator->destroy(enumerator); + + if (new) + { + this->certs->insert_last(this->certs, cert); + } + this->lock->unlock(this->lock); + return new; +} + +/** + * Add X.509 attribute certificate to chain + */ +static bool add_ac(private_stroke_cred_t *this, ac_t* ac) +{ + certificate_t *cert = &ac->certificate; + + this->lock->write_lock(this->lock); + this->certs->insert_last(this->certs, cert); + this->lock->unlock(this->lock); + return TRUE; +} + +/** +======= +>>>>>>> upstream/4.5.1 * Implementation of 
stroke_cred_t.load_peer. */ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename) @@ -133,10 +476,17 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename) BUILD_END); if (cert) { +<<<<<<< HEAD + cert = add_cert(this, cert); + DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", + cert->get_subject(cert), filename); + return cert->get_ref(cert); +======= cert = this->creds->add_cert_ref(this->creds, TRUE, cert); DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", cert->get_subject(cert), filename); return cert; +>>>>>>> upstream/4.5.1 } DBG1(DBG_CFG, " loading certificate from '%s' failed", filename); return NULL; @@ -191,8 +541,13 @@ static void load_certdir(private_stroke_cred_t *this, char *path, } else { +<<<<<<< HEAD + DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", + cert->get_subject(cert), file); +======= DBG1(DBG_CFG, " loaded ca certificate \"%Y\" " "from '%s'", cert->get_subject(cert), file); +>>>>>>> upstream/4.5.1 } } else @@ -220,7 +575,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path, } if (cert) { +<<<<<<< HEAD + add_cert(this, cert); +======= this->creds->add_cert(this->creds, TRUE, cert); +>>>>>>> upstream/4.5.1 } break; case CERT_X509_CRL: @@ -230,7 +589,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path, BUILD_END); if (cert) { +<<<<<<< HEAD + add_crl(this, (crl_t*)cert); +======= this->creds->add_crl(this->creds, (crl_t*)cert); +>>>>>>> upstream/4.5.1 DBG1(DBG_CFG, " loaded crl from '%s'", file); } else @@ -245,7 +608,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path, BUILD_END); if (cert) { +<<<<<<< HEAD + add_ac(this, (ac_t*)cert); +======= this->creds->add_cert(this->creds, FALSE, cert); +>>>>>>> upstream/4.5.1 DBG1(DBG_CFG, " loaded attribute certificate from '%s'", file); } 
@@ -273,7 +640,11 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) crl_t *crl = (crl_t*)cert; cert->get_ref(cert); +<<<<<<< HEAD + if (add_crl(this, crl)) +======= if (this->creds->add_crl(this->creds, crl)) +>>>>>>> upstream/4.5.1 { char buf[BUF_LEN]; chunk_t chunk, hex; @@ -594,6 +965,10 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, } /* unlock: smartcard needs the pin and potentially calls public set */ +<<<<<<< HEAD + this->lock->unlock(this->lock); +======= +>>>>>>> upstream/4.5.1 switch (format) { case SC_FORMAT_SLOT_MODULE_KEYID: @@ -615,6 +990,10 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, BUILD_PKCS11_KEYID, chunk, BUILD_END); break; } +<<<<<<< HEAD + this->lock->write_lock(this->lock); +======= +>>>>>>> upstream/4.5.1 if (mem) { lib->credmgr->remove_local_set(lib->credmgr, &mem->set); @@ -629,7 +1008,11 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, if (key) { DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); +<<<<<<< HEAD + this->private->insert_last(this->private, key); +======= this->creds->add_key(this->creds, key); +>>>>>>> upstream/4.5.1 } return TRUE; } @@ -700,8 +1083,16 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data); lib->credmgr->add_local_set(lib->credmgr, &cb->set); +<<<<<<< HEAD + /* unlock, as the builder might ask for a secret */ + this->lock->unlock(this->lock); key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, BUILD_FROM_FILE, path, BUILD_END); + this->lock->write_lock(this->lock); +======= + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, path, BUILD_END); +>>>>>>> upstream/4.5.1 lib->credmgr->remove_local_set(lib->credmgr, &cb->set); cb->destroy(cb); 
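Review bot: The HEAD side of the `@@ -594` hunk, and of the two `load_private` hunks that follow it, drops the write lock around the key builder — `this->lock->unlock(this->lock);` ... `this->lock->write_lock(this->lock);` — while `load_secrets` at level 0 has already flushed `this->shared` and `this->private` under that same lock (see the `@@ -832` hunk). During that window a concurrent `create_private_enumerator` or `create_shared_enumerator` caller sees an empty or half-populated secrets store, so an IKE exchange arriving while ipsec.secrets is being re-read can fail to find a secret that is configured. The upstream side removes the unlock/relock because `mem_cred_t` does its own locking and `clear_secrets` replaces the manual flush; keep the upstream side here. If the HEAD locking were kept instead, the comment `/* unlock: smartcard needs the pin and potentially calls public set */` should at least say that the lists are observable in their flushed state meanwhile.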
@@ -717,8 +1108,16 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, mem->add_shared(mem, shared, NULL); lib->credmgr->add_local_set(lib->credmgr, &mem->set); +<<<<<<< HEAD + /* unlock, as the builder might ask for a secret */ + this->lock->unlock(this->lock); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, path, BUILD_END); + this->lock->write_lock(this->lock); +======= key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, BUILD_FROM_FILE, path, BUILD_END); +>>>>>>> upstream/4.5.1 lib->credmgr->remove_local_set(lib->credmgr, &mem->set); mem->destroy(mem); @@ -727,7 +1126,11 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, { DBG1(DBG_CFG, " loaded %N private key from '%s'", key_type_names, key->get_type(key), path); +<<<<<<< HEAD + this->private->insert_last(this->private, key); +======= this->creds->add_key(this->creds, key); +>>>>>>> upstream/4.5.1 } else { @@ -742,8 +1145,12 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, shared_key_type_t type, chunk_t ids) { +<<<<<<< HEAD + stroke_shared_key_t *shared_key; +======= shared_key_t *shared_key; linked_list_t *owners; +>>>>>>> upstream/4.5.1 chunk_t secret = chunk_empty; bool any = TRUE; 
@@ -753,12 +1160,20 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); return FALSE; } +<<<<<<< HEAD + shared_key = stroke_shared_key_create(type, secret); +======= shared_key = shared_key_create(type, secret); +>>>>>>> upstream/4.5.1 DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, ids.len > 0 ? (char*)ids.ptr : "%any"); DBG4(DBG_CFG, " secret: %#B", &secret); +<<<<<<< HEAD + this->shared->insert_last(this->shared, shared_key); +======= owners = linked_list_create(); +>>>>>>> upstream/4.5.1 while (ids.len > 0) { chunk_t id; @@ -784,15 +1199,25 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, continue; } +<<<<<<< HEAD + shared_key->add_owner(shared_key, peer_id); +======= owners->insert_last(owners, peer_id); +>>>>>>> upstream/4.5.1 any = FALSE; } if (any) { +<<<<<<< HEAD + shared_key->add_owner(shared_key, + identification_create_from_encoding(ID_ANY, chunk_empty)); + } +======= owners->insert_last(owners, identification_create_from_encoding(ID_ANY, chunk_empty)); } this->creds->add_shared_list(this->creds, shared_key, owners); +>>>>>>> upstream/4.5.1 return TRUE; } @@ -804,6 +1229,11 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, { int line_nr = 0, fd; chunk_t src, line; +<<<<<<< HEAD + private_key_t *private; + shared_key_t *shared; +======= +>>>>>>> upstream/4.5.1 struct stat sb; void *addr; 
@@ -832,8 +1262,25 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, src = chunk_create(addr, sb.st_size); if (level == 0) +<<<<<<< HEAD + { + this->lock->write_lock(this->lock); + + /* flush secrets on non-recursive invocation */ + while (this->shared->remove_last(this->shared, + (void**)&shared) == SUCCESS) + { + shared->destroy(shared); + } + while (this->private->remove_last(this->private, + (void**)&private) == SUCCESS) + { + private->destroy(private); + } +======= { /* flush secrets on non-recursive invocation */ this->creds->clear_secrets(this->creds); +>>>>>>> upstream/4.5.1 } while (fetchline(&src, &line)) @@ -894,6 +1341,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, if (glob(pattern, GLOB_ERR, NULL, &buf) != 0) { DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern); +<<<<<<< HEAD + globfree(&buf); +======= +>>>>>>> upstream/4.5.1 } else { @@ -961,6 +1412,13 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, break; } } +<<<<<<< HEAD + if (level == 0) + { + this->lock->unlock(this->lock); + } +======= +>>>>>>> upstream/4.5.1 munmap(addr, sb.st_size); close(fd); } @@ -1039,8 +1497,15 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt) */ static void destroy(private_stroke_cred_t *this) { +<<<<<<< HEAD + this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy)); + this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy)); + this->private->destroy_offset(this->private, offsetof(private_key_t, destroy)); + this->lock->destroy(this->lock); +======= lib->credmgr->remove_set(lib->credmgr, &this->creds->set); this->creds->destroy(this->creds); +>>>>>>> upstream/4.5.1 free(this); } 
@@ -1051,9 +1516,15 @@ stroke_cred_t *stroke_cred_create() { private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t); +<<<<<<< HEAD + this->public.set.create_private_enumerator = (void*)create_private_enumerator; + this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; + this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; +======= this->public.set.create_private_enumerator = (void*)return_null; this->public.set.create_cert_enumerator = (void*)return_null; this->public.set.create_shared_enumerator = (void*)return_null; +>>>>>>> upstream/4.5.1 this->public.set.create_cdp_enumerator = (void*)return_null; this->public.set.cache_cert = (void*)cache_cert; this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread; @@ -1062,8 +1533,15 @@ stroke_cred_t *stroke_cred_create() this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl; this->public.destroy = (void(*)(stroke_cred_t*))destroy; +<<<<<<< HEAD + this->certs = linked_list_create(); + this->shared = linked_list_create(); + this->private = linked_list_create(); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); +======= this->creds = mem_cred_create(); lib->credmgr->add_set(lib->credmgr, &this->creds->set); +>>>>>>> upstream/4.5.1 load_certs(this); load_secrets(this, SECRETS_FILE, 0, NULL); diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 36311f092..9c71b2cd2 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c 
@@ -388,8 +388,15 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) enumerator->destroy(enumerator); } +<<<<<<< HEAD +/** + * Implementation of stroke_list_t.status. + */ +static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all) +======= METHOD(stroke_list_t, status, void, private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator, *children; ike_cfg_t *ike_cfg; @@ -754,7 +761,11 @@ static void stroke_list_certs(linked_list_t *list, char *label, enumerator_t *enumerator; identification_t *altName; bool first_altName = TRUE; +<<<<<<< HEAD + int pathlen; +======= u_int pathlen; +>>>>>>> upstream/4.5.1 chunk_t serial, authkey; time_t notBefore, notAfter; public_key_t *public; @@ -834,10 +845,17 @@ static void stroke_list_certs(linked_list_t *list, char *label, } /* list optional pathLenConstraint */ +<<<<<<< HEAD + pathlen = x509->get_pathLenConstraint(x509); + if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) + { + fprintf(out, " pathlen: %d\n", pathlen); +======= pathlen = x509->get_constraint(x509, X509_PATH_LEN); if (pathlen != X509_NO_CONSTRAINT) { fprintf(out, " pathlen: %u\n", pathlen); +>>>>>>> upstream/4.5.1 } /* list optional ipAddrBlocks */ @@ -977,10 +995,13 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) { fprintf(out, " serial: %#B\n", &chunk); } +<<<<<<< HEAD +======= if (crl->is_delta_crl(crl, &chunk)) { fprintf(out, " delta for: %#B\n", &chunk); } +>>>>>>> upstream/4.5.1 /* count the number of revoked certificates */ { @@ -1062,6 +1083,8 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) } /** +<<<<<<< HEAD +======= * Print the name of an algorithm plus the name of the plugin that registered it */ static void print_alg(FILE *out, int *len, enum_name_t *alg_names, int alg_type, 
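Review bot: The `pathlen` declaration and its use are split across two conflicts in this file: the `@@ -754` hunk holds `int pathlen;` against `u_int pathlen;`, and the `@@ -834` hunk holds `x509->get_pathLenConstraint(x509)` / `X509_NO_PATH_LEN_CONSTRAINT` / `%d` against `x509->get_constraint(x509, X509_PATH_LEN)` / `X509_NO_CONSTRAINT` / `%u`. Resolving the two hunks to different sides may still compile but then either compares a signed value against the sentinel of the unsigned API or prints a `u_int` with `%d`. Take the upstream side in both: `u_int pathlen;` and `pathlen = x509->get_constraint(x509, X509_PATH_LEN);` with `fprintf(out, " pathlen: %u\n", pathlen);`. stroke_list_certs starts outside the hunk.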
@@ -1081,6 +1104,7 @@ static void print_alg(FILE *out, int *len, enum_name_t *alg_names, int alg_type, } /** +>>>>>>> upstream/4.5.1 * List of registered cryptographical algorithms */ static void list_algs(FILE *out) @@ -1091,6 +1115,51 @@ static void list_algs(FILE *out) hash_algorithm_t hash; pseudo_random_function_t prf; diffie_hellman_group_t group; +<<<<<<< HEAD + + fprintf(out, "\n"); + fprintf(out, "List of registered IKEv2 Algorithms:\n"); + fprintf(out, "\n encryption: "); + enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption)) + { + fprintf(out, "%N ", encryption_algorithm_names, encryption); + } + enumerator->destroy(enumerator); + fprintf(out, "\n integrity: "); + enumerator = lib->crypto->create_signer_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &integrity)) + { + fprintf(out, "%N ", integrity_algorithm_names, integrity); + } + enumerator->destroy(enumerator); + fprintf(out, "\n aead: "); + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption)) + { + fprintf(out, "%N ", encryption_algorithm_names, encryption); + } + enumerator->destroy(enumerator); + fprintf(out, "\n hasher: "); + enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &hash)) + { + fprintf(out, "%N ", hash_algorithm_names, hash); + } + enumerator->destroy(enumerator); + fprintf(out, "\n prf: "); + enumerator = lib->crypto->create_prf_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &prf)) + { + fprintf(out, "%N ", pseudo_random_function_names, prf); + } + enumerator->destroy(enumerator); + fprintf(out, "\n dh-group: "); + enumerator = lib->crypto->create_dh_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &group)) + { + fprintf(out, "%N ", diffie_hellman_group_names, group); +======= rng_quality_t quality; const char *plugin_name; int len; 
@@ -1151,13 +1220,21 @@ static void list_algs(FILE *out) while (enumerator->enumerate(enumerator, &quality, &plugin_name)) { print_alg(out, &len, rng_quality_names, quality, plugin_name); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); fprintf(out, "\n"); } +<<<<<<< HEAD +/** + * Implementation of stroke_list_t.list. + */ +static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_list_t, list, void, private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { linked_list_t *cert_list = NULL; @@ -1260,8 +1337,15 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, } } +<<<<<<< HEAD +/** + * Implementation of stroke_list_t.leases + */ +static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +======= METHOD(stroke_list_t, leases, void, private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; u_int size, offline, online; @@ -1298,8 +1382,15 @@ METHOD(stroke_list_t, leases, void, DESTROY_IF(address); } +<<<<<<< HEAD +/** + * Implementation of stroke_list_t.destroy + */ +static void destroy(private_stroke_list_t *this) +======= METHOD(stroke_list_t, destroy, void, private_stroke_list_t *this) +>>>>>>> upstream/4.5.1 { free(this); } @@ -1309,6 +1400,17 @@ METHOD(stroke_list_t, destroy, void, */ stroke_list_t *stroke_list_create(stroke_attribute_t *attribute) { +<<<<<<< HEAD + private_stroke_list_t *this = malloc_thing(private_stroke_list_t); + + this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list; + this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status; + this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases; + this->public.destroy = (void(*)(stroke_list_t*))destroy; + + this->uptime = time_monotonic(NULL); + this->attribute = attribute; +======= private_stroke_list_t *this; INIT(this, 
@@ -1322,6 +1424,7 @@ stroke_list_t *stroke_list_create(stroke_attribute_t *attribute) .uptime = time_monotonic(NULL), .attribute = attribute, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c index 2e83d0d28..81274b599 100644 --- a/src/libcharon/plugins/stroke/stroke_plugin.c +++ b/src/libcharon/plugins/stroke/stroke_plugin.c @@ -36,8 +36,15 @@ struct private_stroke_plugin_t { stroke_socket_t *socket; }; +<<<<<<< HEAD +/** + * Implementation of stroke_plugin_t.destroy + */ +static void destroy(private_stroke_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_stroke_plugin_t *this) +>>>>>>> upstream/4.5.1 { this->socket->destroy(this->socket); free(this); @@ -48,6 +55,13 @@ METHOD(plugin_t, destroy, void, */ plugin_t *stroke_plugin_create() { +<<<<<<< HEAD + private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + this->socket = stroke_socket_create(); +======= private_stroke_plugin_t *this; INIT(this, @@ -59,6 +73,7 @@ plugin_t *stroke_plugin_create() .socket = stroke_socket_create(), ); +>>>>>>> upstream/4.5.1 if (this->socket == NULL) { free(this); diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.c b/src/libcharon/plugins/stroke/stroke_shared_key.c new file mode 100644 index 000000000..4f716e83a --- /dev/null +++ b/src/libcharon/plugins/stroke/stroke_shared_key.c 
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_shared_key.h"
+
+#include <utils/linked_list.h>
+
+typedef struct private_stroke_shared_key_t private_stroke_shared_key_t;
+
+/**
+ * private data of shared_key
+ */
+struct private_stroke_shared_key_t {
+
+ /**
+ * implements shared_key_t
+ */
+ stroke_shared_key_t public;
+
+ /**
+ * type of this key
+ */
+ shared_key_type_t type;
+
+ /**
+ * data of the key
+ */
+ chunk_t key;
+
+ /**
+ * list of key owners, as identification_t
+ */
+ linked_list_t *owners;
+
+ /**
+ * reference counter
+ */
+ refcount_t ref;
+};
+
+/**
+ * Implementation of shared_key_t.get_type.
+ */
+static shared_key_type_t get_type(private_stroke_shared_key_t *this)
+{
+ return this->type;
+}
+
+/**
+ * Implementation of shared_key_t.get_ref.
+ */
+static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
+{
+ ref_get(&this->ref);
+ return this;
+}
+
+/**
+ * Implementation of shared_key_t.get_key.
+ */
+static chunk_t get_key(private_stroke_shared_key_t *this)
+{
+ return this->key;
+}
+
+/**
+ * Implementation of stroke_shared_key_t.has_owner.
+ */
+static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t *owner)
+{
+ enumerator_t *enumerator;
+ id_match_t match, best = ID_MATCH_NONE;
+ identification_t *current;
+
+ enumerator = this->owners->create_enumerator(this->owners);
+ while (enumerator->enumerate(enumerator, ¤t))
+ {
+ match = owner->matches(owner, current);
+ if (match > best)
+ {
+ best = match;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return best;
+}
+/**
+ * Implementation of stroke_shared_key_t.add_owner.
+ */
+static void add_owner(private_stroke_shared_key_t *this, identification_t *owner)
+{
+ this->owners->insert_last(this->owners, owner);
+}
+
+/**
+ * Implementation of stroke_shared_key_t.destroy
+ */
+static void destroy(private_stroke_shared_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ this->owners->destroy_offset(this->owners, offsetof(identification_t, destroy));
+ chunk_free(&this->key);
+ free(this);
+ }
+}
+
+/**
+ * create a shared key
+ */
+stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key)
+{
+ private_stroke_shared_key_t *this = malloc_thing(private_stroke_shared_key_t);
+
+ this->public.shared.get_type = (shared_key_type_t(*)(shared_key_t*))get_type;
+ this->public.shared.get_key = (chunk_t(*)(shared_key_t*))get_key;
+ this->public.shared.get_ref = (shared_key_t*(*)(shared_key_t*))get_ref;
+ this->public.shared.destroy = (void(*)(shared_key_t*))destroy;
+ this->public.add_owner = (void(*)(stroke_shared_key_t*, identification_t *owner))add_owner;
+ this->public.has_owner = (id_match_t(*)(stroke_shared_key_t*, identification_t *owner))has_owner;
+
+ this->owners = linked_list_create();
+ this->type = type;
+ this->key = key;
+ this->ref = 1;
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.h b/src/libcharon/plugins/stroke/stroke_shared_key.h new file mode 100644
index 000000000..05ad55083
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_shared_key.h
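Review bot: `destroy` releases the secret with `chunk_free(&this->key)`, which frees the buffer but leaves the PSK bytes readable in the heap until something overwrites them; `chunk_clear(&this->key);` wipes the key material before freeing and is what libstrongswan uses for other secrets. The enumerate call in `has_owner` reads `¤t`, which looks like an HTML-entity rendering of `&current` — confirm the committed file really contains `&current`, because as shown it does not compile. `add_owner` takes ownership of `owner` (destroy_offset later destroys every entry) without saying so; a one-line comment on it, `/* takes ownership of owner; destroyed with the key */`, would make that contract visible to callers.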
@@ -0,0 +1,60 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup stroke_shared_key stroke_shared_key + * @{ @ingroup stroke + */ + +#ifndef STROKE_SHARED_KEY_H_ +#define STROKE_SHARED_KEY_H_ + +#include <utils/identification.h> +#include <credentials/keys/shared_key.h> + +typedef struct stroke_shared_key_t stroke_shared_key_t; + +/** + * Shared key implementation for keys read from ipsec.secrets + */ +struct stroke_shared_key_t { + + /** + * Implements the shared_key_t interface. + */ + shared_key_t shared; + + /** + * Add an owner to the key. + * + * @param owner owner to add + */ + void (*add_owner)(stroke_shared_key_t *this, identification_t *owner); + + /** + * Check if a key has a specific owner. + * + * @param owner owner to check + * @return best match found + */ + id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner); +}; + +/** + * Create a stroke_shared_key instance. + */ +stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key); + +#endif /** STROKE_SHARED_KEY_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 18e77905d..e9ed86d09 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c 
@@ -151,7 +151,10 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end) pop_string(msg, &end->ca); pop_string(msg, &end->ca2); pop_string(msg, &end->groups); +<<<<<<< HEAD +======= pop_string(msg, &end->cert_policy); +>>>>>>> upstream/4.5.1 pop_string(msg, &end->updown); DBG2(DBG_CFG, " %s=%s", label, end->address); @@ -247,6 +250,8 @@ static void stroke_terminate_srcip(private_stroke_socket_t *this, } /** +<<<<<<< HEAD +======= * rekey a connection by name/id */ static void stroke_rekey(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) @@ -258,6 +263,7 @@ static void stroke_rekey(private_stroke_socket_t *this, stroke_msg_t *msg, FILE } /** +>>>>>>> upstream/4.5.1 * route a policy (install SPD entries) */ static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) @@ -360,6 +366,8 @@ static void stroke_purge(private_stroke_socket_t *this, { lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE); } +<<<<<<< HEAD +======= if (msg->purge.flags & PURGE_CRLS) { lib->credmgr->flush_cache(lib->credmgr, CERT_X509_CRL); @@ -368,6 +376,7 @@ static void stroke_purge(private_stroke_socket_t *this, { lib->credmgr->flush_cache(lib->credmgr, CERT_X509); } +>>>>>>> upstream/4.5.1 if (msg->purge.flags & PURGE_IKE) { this->control->purge_ike(this->control, msg, out); @@ -530,9 +539,12 @@ static job_requeue_t process(stroke_job_context_t *ctx) case STR_TERMINATE_SRCIP: stroke_terminate_srcip(this, msg, out); break; +<<<<<<< HEAD +======= case STR_REKEY: stroke_rekey(this, msg, out); break; +>>>>>>> upstream/4.5.1 case STR_STATUS: stroke_status(this, msg, out, FALSE); break; diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am index 2c551813e..604536953 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.am +++ b/src/libcharon/plugins/tnc_imc/Makefile.am 
@@ -1,9 +1,18 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnc_imc_la_LIBADD = -ltnc + +======= -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic +>>>>>>> upstream/4.5.1 if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnc-imc.la else @@ -11,8 +20,12 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imc.la endif libstrongswan_tnc_imc_la_SOURCES = \ +<<<<<<< HEAD + tnc_imc_plugin.h tnc_imc_plugin.c +======= tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \ tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c +>>>>>>> upstream/4.5.1 libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in index dc44408ff..61fe74a15 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.in +++ b/src/libcharon/plugins/tnc_imc/Makefile.in @@ -74,9 +74,14 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +<<<<<<< HEAD +libstrongswan_tnc_imc_la_DEPENDENCIES = +am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo +======= libstrongswan_tnc_imc_la_LIBADD = am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo tnc_imc.lo \ tnc_imc_manager.lo tnc_imc_bind_function.lo +>>>>>>> upstream/4.5.1 libstrongswan_tnc_imc_la_OBJECTS = \ $(am_libstrongswan_tnc_imc_la_OBJECTS) libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -222,7 +227,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -261,8 +272,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -274,6 +288,16 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnc_imc_la_LIBADD = -ltnc +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la +libstrongswan_tnc_imc_la_SOURCES = \ + tnc_imc_plugin.h tnc_imc_plugin.c +======= -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic @@ -282,6 +306,7 @@ AM_CFLAGS = -rdynamic libstrongswan_tnc_imc_la_SOURCES = \ tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \ tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c +>>>>>>> upstream/4.5.1 libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version all: all-am @@ -367,9 +392,12 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +<<<<<<< HEAD +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_bind_function.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_manager.Plo@am__quote@ +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@ .c.o: diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c index 89888040a..f7d6c00d7 100644 --- a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c 
@@ -14,6 +14,12 @@ */ #include "tnc_imc_plugin.h" +<<<<<<< HEAD + +#include <libtnctncc.h> + +#include <daemon.h> +======= #include "tnc_imc_manager.h" #include "tnc_imc.h" @@ -140,11 +146,16 @@ static bool load_imcs(char *filename) close(fd); return TRUE; } +>>>>>>> upstream/4.5.1 METHOD(plugin_t, destroy, void, tnc_imc_plugin_t *this) { +<<<<<<< HEAD + libtnc_tncc_Terminate(); +======= charon->imcs->destroy(charon->imcs); +>>>>>>> upstream/4.5.1 free(this); } @@ -153,7 +164,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *tnc_imc_plugin_create() { +<<<<<<< HEAD + char *tnc_config, *pref_lang; +======= char *tnc_config; +>>>>>>> upstream/4.5.1 tnc_imc_plugin_t *this; INIT(this, @@ -162,6 +177,20 @@ plugin_t *tnc_imc_plugin_create() }, ); +<<<<<<< HEAD + pref_lang = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.preferred_language", "en"); + tnc_config = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config"); + + if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + { + free(this); + DBG1(DBG_TNC, "TNC IMC initialization failed"); + return NULL; + } + +======= /* Create IMC manager */ charon->imcs = tnc_imc_manager_create(); @@ -175,6 +204,7 @@ plugin_t *tnc_imc_plugin_create() free(this); return NULL; } +>>>>>>> upstream/4.5.1 return &this->plugin; } diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am index 3ba283bb7..13e8076cd 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.am +++ b/src/libcharon/plugins/tnc_imv/Makefile.am @@ -1,9 +1,18 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnc_imv_la_LIBADD = -ltnc + +======= -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic +>>>>>>> upstream/4.5.1 if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnc-imv.la else 
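Review bot: In the HEAD side of tnc_imc_plugin_create, `pref_lang` is read from `charon.plugins.tnc-imc.preferred_language` but nothing in the HEAD block uses it before the `=======` marker, so whatever consumed it appears to have been lost in the merge; if HEAD is kept, restore that use, otherwise drop the read and the variable. The two `destroy` variants are also not interchangeable — HEAD calls `libtnc_tncc_Terminate()`, upstream tears down `charon->imcs` — so the create path must be resolved to match whichever destroy survives. The same applies to the tnc_imv_plugin.c hunks further down. Both functions continue outside the hunks.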
@@ -11,9 +20,13 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imv.la endif libstrongswan_tnc_imv_la_SOURCES = \ +<<<<<<< HEAD + tnc_imv_plugin.h tnc_imv_plugin.c +======= tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \ tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \ tnc_imv_recommendations.h tnc_imv_recommendations.c +>>>>>>> upstream/4.5.1 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in index 0324d2eb9..10190313b 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.in +++ b/src/libcharon/plugins/tnc_imv/Makefile.in @@ -74,10 +74,15 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +<<<<<<< HEAD +libstrongswan_tnc_imv_la_DEPENDENCIES = +am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo +======= libstrongswan_tnc_imv_la_LIBADD = am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \ tnc_imv_manager.lo tnc_imv_bind_function.lo \ tnc_imv_recommendations.lo +>>>>>>> upstream/4.5.1 libstrongswan_tnc_imv_la_OBJECTS = \ $(am_libstrongswan_tnc_imv_la_OBJECTS) libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -223,7 +228,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +273,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -275,6 +289,16 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnc_imv_la_LIBADD = -ltnc +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la +libstrongswan_tnc_imv_la_SOURCES = \ + tnc_imv_plugin.h tnc_imv_plugin.c +======= -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic @@ -284,6 +308,7 @@ libstrongswan_tnc_imv_la_SOURCES = \ tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \ tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \ tnc_imv_recommendations.h tnc_imv_recommendations.c +>>>>>>> upstream/4.5.1 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version all: all-am @@ -369,11 +394,15 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@ +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_bind_function.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@ +>>>>>>> upstream/4.5.1 .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c index f238f01ea..24fde3797 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c 
@@ -14,6 +14,12 @@ */ #include "tnc_imv_plugin.h" +<<<<<<< HEAD + +#include <libtnctncs.h> + +#include <daemon.h> +======= #include "tnc_imv_manager.h" #include "tnc_imv.h" @@ -140,11 +146,16 @@ static bool load_imvs(char *filename) close(fd); return TRUE; } +>>>>>>> upstream/4.5.1 METHOD(plugin_t, destroy, void, tnc_imv_plugin_t *this) { +<<<<<<< HEAD + libtnc_tncs_Terminate(); +======= charon->imvs->destroy(charon->imvs); +>>>>>>> upstream/4.5.1 free(this); } @@ -164,6 +175,15 @@ plugin_t *tnc_imv_plugin_create() tnc_config = lib->settings->get_str(lib->settings, "charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config"); +<<<<<<< HEAD + if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + { + free(this); + DBG1(DBG_TNC, "TNC IMV initialization failed"); + return NULL; + } + +======= /* Create IMV manager */ charon->imvs = tnc_imv_manager_create(); @@ -176,6 +196,7 @@ plugin_t *tnc_imv_plugin_create() free(this); return NULL; } +>>>>>>> upstream/4.5.1 return &this->plugin; } diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am index 1042c3514..1a034e25b 100644 --- a/src/libcharon/plugins/tnccs_11/Makefile.am +++ b/src/libcharon/plugins/tnccs_11/Makefile.am 
@@ -1,15 +1,31 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnccs_11_la_LIBADD = -ltnc +======= -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS} AM_CFLAGS = -rdynamic libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS} +>>>>>>> upstream/4.5.1 if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnccs-11.la else plugin_LTLIBRARIES = libstrongswan-tnccs-11.la +<<<<<<< HEAD +libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_tnccs_11_la_SOURCES = \ + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c +======= endif libstrongswan_tnccs_11_la_SOURCES = \ @@ -22,6 +38,7 @@ libstrongswan_tnccs_11_la_SOURCES = \ messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \ messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \ messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c +>>>>>>> upstream/4.5.1 libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in index 5ab7ccbca..a39745773 100644 --- a/src/libcharon/plugins/tnccs_11/Makefile.in +++ b/src/libcharon/plugins/tnccs_11/Makefile.in @@ -34,6 +34,10 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +<<<<<<< HEAD +@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la +======= +>>>>>>> upstream/4.5.1 subdir = src/libcharon/plugins/tnccs_11 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 
@@ -74,12 +78,17 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +<<<<<<< HEAD +libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1) +am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo +======= am__DEPENDENCIES_1 = libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__DEPENDENCIES_1) am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo \ tnccs_batch.lo tnccs_msg.lo imc_imv_msg.lo tnccs_error_msg.lo \ tnccs_preferred_language_msg.lo tnccs_reason_strings_msg.lo \ tnccs_recommendation_msg.lo tnccs_tncs_contact_info_msg.lo +>>>>>>> upstream/4.5.1 libstrongswan_tnccs_11_la_OBJECTS = \ $(am_libstrongswan_tnccs_11_la_OBJECTS) libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \ @@ -226,7 +235,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,8 +280,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -278,6 +296,17 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1) +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la +libstrongswan_tnccs_11_la_SOURCES = \ + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c +======= -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS} AM_CFLAGS = -rdynamic @@ -294,6 +323,7 @@ libstrongswan_tnccs_11_la_SOURCES = \ messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \ messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \ messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c +>>>>>>> upstream/4.5.1 libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version all: all-am @@ -379,6 +409,10 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@ +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_imv_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@ @@ -389,6 +423,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_reason_strings_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_recommendation_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_tncs_contact_info_msg.Plo@am__quote@ +>>>>>>> upstream/4.5.1 .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -411,6 +446,8 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +<<<<<<< HEAD +======= tnccs_batch.lo: batch/tnccs_batch.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo @@ -467,6 +504,7 @@ tnccs_tncs_contact_info_msg.lo: messages/tnccs_tncs_contact_info_msg.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c +>>>>>>> upstream/4.5.1 mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c index 2104bf401..012a3ce6e 100644 --- a/src/libcharon/plugins/tnccs_11/tnccs_11.c +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c 
@@ -14,6 +14,83 @@ */ #include "tnccs_11.h" +<<<<<<< HEAD + +#include <libtnctncc.h> +#include <libtnctncs.h> + +#include <daemon.h> +#include <debug.h> + +#define TNC_SEND_BUFFER_SIZE 32 + +static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE]; + +/** + * Buffers TNCCS batch to be sent (TODO make the buffer scalable) + */ +static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len) +{ + if (id >= TNC_SEND_BUFFER_SIZE) + { + DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in " + "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); + return TNC_RESULT_FATAL; + } + if (tnc_send_buffer[id].ptr) + { + DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already " + "occupied", id); + return TNC_RESULT_FATAL; + } + tnc_send_buffer[id] = chunk_alloc(len); + memcpy(tnc_send_buffer[id].ptr, data, len); + + return TNC_RESULT_SUCCESS; +} + +/** + * Retrieves TNCCS batch to be sent + */ +static bool retrieve_batch(u_int32_t id, chunk_t *batch) +{ + if (id >= TNC_SEND_BUFFER_SIZE) + { + DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from " + "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); + return FALSE; + } + + *batch = tnc_send_buffer[id]; + return TRUE; +} + +/** + * Frees TNCCS batch that was sent + */ +static void free_batch(u_int32_t id) +{ + if (id < TNC_SEND_BUFFER_SIZE) + { + chunk_free(&tnc_send_buffer[id]); + } +} + +/** + * Define callback functions called by the libtnc library + */ +TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, + const char* messageBuffer, size_t messageLength) +{ + return buffer_batch(conn->connectionID, messageBuffer, messageLength); +} + +TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, + const char* messageBuffer, size_t messageLength) +{ + return buffer_batch(conn->connectionID, messageBuffer, messageLength); +} +======= #include "batch/tnccs_batch.h" #include "messages/tnccs_msg.h" #include "messages/imc_imv_msg.h" 
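Review bot: `tnc_send_buffer` is a single process-wide array shared by every TNCCS connection, and nothing in the hunk serializes `buffer_batch`, `retrieve_batch` and `free_batch`; if charon calls these from more than one worker thread (likely, but not visible here), a concurrent `retrieve_batch`/`free_batch` on the same id races on `tnc_send_buffer[id]` and can hand a caller a pointer that is freed underneath it. `retrieve_batch` returns the chunk by value while `free_batch` frees that same pointer, so the caller's copy is dangling afterwards; that should be stated on `retrieve_batch`, e.g. `/* the returned batch is owned by the buffer and is invalid after free_batch(id) */`. Any connection id at or above `TNC_SEND_BUFFER_SIZE` is refused with `TNC_RESULT_FATAL`, which the TODO acknowledges; note this whole HEAD block is one side of an unresolved conflict with upstream's tnccs_batch implementation and cannot be kept alongside it.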
@@ -28,6 +105,7 @@ #include <tnc/tncif.h> #include <tnc/tncifimv.h> #include <tnc/tnccs/tnccs.h> +>>>>>>> upstream/4.5.1 typedef struct private_tnccs_11_t private_tnccs_11_t; 
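Review bot: The new side of this hunk commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> upstream/4.5.1` — into tnccs_11.c, so the file no longer compiles and both the HEAD and the upstream/4.5.1 variants of the same definitions now sit in one translation unit. The same markers are added by every other hunk of this commit: the remaining tnccs_11.c hunks, src/libcharon/plugins/tnccs_20/Makefile.am, tnccs_20.c, uci_config.c, each file under src/libcharon/processing/jobs/, and the generated Makefile.in files, which should be regenerated rather than merged by hand. Resolve every conflict to exactly one side before merging; judging by the surrounding context lines, the upstream/4.5.1 side is the one the rest of the tree (`this->mutex`, `this->batch`, `charon->imvs`) expects. If the HEAD side were kept instead, `tnc_send_buffer[TNC_SEND_BUFFER_SIZE]` is a process-global array shared by all connections that `buffer_batch`/`retrieve_batch`/`free_batch` read and write without any lock, whereas the upstream variant carries a per-instance mutex.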
@@ -47,6 +125,118 @@ struct private_tnccs_11_t { bool is_server; /** +<<<<<<< HEAD + * TNCC Connection to IMCs + */ + libtnc_tncc_connection* tncc_connection; + + /** + * TNCS Connection to IMVs + */ + libtnc_tncs_connection* tncs_connection; +}; + +METHOD(tls_t, process, status_t, + private_tnccs_11_t *this, void *buf, size_t buflen) +{ + u_int32_t conn_id; + + if (this->is_server && !this->tncs_connection) + { + this->tncs_connection = libtnc_tncs_CreateConnection(NULL); + if (!this->tncs_connection) + { + DBG1(DBG_TNC, "TNCS CreateConnection failed"); + return FAILED; + } + DBG1(DBG_TNC, "assigned TNCS Connection ID %u", + this->tncs_connection->connectionID); + if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCS BeginSession failed"); + return FAILED; + } + } + conn_id = this->is_server ? this->tncs_connection->connectionID + : this->tncc_connection->connectionID; + + DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u", + buflen, conn_id); + DBG3(DBG_TNC, "%.*s", buflen, buf); + + if (this->is_server) + { + if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) != + TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCS ReceiveBatch failed"); + return FAILED; + } + } + else + { + if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) != + TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCC ReceiveBatch failed"); + return FAILED; + } + } + return NEED_MORE; +} + +METHOD(tls_t, build, status_t, + private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + chunk_t batch; + u_int32_t conn_id; + size_t len; + + if (!this->is_server && !this->tncc_connection) + { + this->tncc_connection = libtnc_tncc_CreateConnection(NULL); + if (!this->tncc_connection) + { + DBG1(DBG_TNC, "TNCC CreateConnection failed"); + return FAILED; + } + DBG1(DBG_TNC, "assigned TNCC Connection ID %u", + this->tncc_connection->connectionID); + if (libtnc_tncc_BeginSession(this->tncc_connection) != 
TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCC BeginSession failed"); + return FAILED; + } + } + conn_id = this->is_server ? this->tncs_connection->connectionID + : this->tncc_connection->connectionID; + + if (!retrieve_batch(conn_id, &batch)) + { + return FAILED; + } + len = *buflen; + len = min(len, batch.len); + *buflen = len; + if (msglen) + { + *msglen = batch.len; + } + + if (batch.len) + { + DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u", + batch.len, conn_id); + DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr); + memcpy(buf, batch.ptr, len); + free_batch(conn_id); + return ALREADY_DONE; + } + else + { + return INVALID_STATE; + } +======= * Connection ID assigned to this TNCCS connection */ TNC_ConnectionID connection_id; @@ -413,6 +603,7 @@ METHOD(tls_t, build, status_t, this->mutex->unlock(this->mutex); return status; +>>>>>>> upstream/4.5.1 } METHOD(tls_t, is_server, bool, 
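Review bot: In the HEAD-side `build` added in this hunk, a batch longer than the caller's buffer is silently truncated: `len = min(len, batch.len)` copies only `len` bytes, yet `free_batch(conn_id)` then discards the whole batch and ALREADY_DONE is returned, so the remainder can never be sent even though `*msglen` advertised the full length. Either fail when `batch.len > *buflen` or keep the unsent tail in the slot until the caller has drained it. Separately, `conn_id = this->is_server ? this->tncs_connection->connectionID : this->tncc_connection->connectionID` appears in both `process` and `build`, but each method only creates the connection for its own role, so a server-side `build` (or client-side `process`) that runs before its counterpart has created the connection dereferences NULL; a guard such as `if (!this->tncs_connection) return INVALID_STATE;` before the ternary would be cheap. The `%.*s` and `%d` conversions in the DBG calls are handed `size_t` values where `int` is expected, which is undefined on LP64 targets; cast them to `(int)`. The upstream-side struct body that resumes after `=======` continues outside the hunk.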
@@ -432,6 +623,41 @@ METHOD(tls_t, is_complete, bool, { TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; +<<<<<<< HEAD + char *group; + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) == + TNC_RESULT_SUCCESS) + { + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + DBG1(DBG_TNC, "TNC recommendation is allow"); + group = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + DBG1(DBG_TNC, "TNC recommendation is isolate"); + group = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + DBG1(DBG_TNC, "TNC recommendation is none"); + return FALSE; + } + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_string(group); + auth->add(auth, AUTH_RULE_GROUP, id); + DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group); + } + return TRUE; +======= if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) { @@ -440,6 +666,7 @@ METHOD(tls_t, is_complete, bool, TNC_IMV_Evaluation_Result_names, eval); return charon->imvs->enforce_recommendation(charon->imvs, rec); +>>>>>>> upstream/4.5.1 } else { @@ -458,6 +685,21 @@ METHOD(tls_t, destroy, void, { if (this->is_server) { +<<<<<<< HEAD + if (this->tncs_connection) + { + libtnc_tncs_DeleteConnection(this->tncs_connection); + } + } + else + { + if (this->tncc_connection) + { + libtnc_tncc_DeleteConnection(this->tncc_connection); + } + libtnc_tncc_Terminate(); + } +======= charon->imvs->notify_connection_change(charon->imvs, this->connection_id, TNC_CONNECTION_STATE_DELETE); } @@ -469,6 +711,7 @@ METHOD(tls_t, destroy, void, charon->tnccs->remove_connection(charon->tnccs, this->connection_id); this->mutex->destroy(this->mutex); DESTROY_IF(this->batch); +>>>>>>> upstream/4.5.1 free(this); } 
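Review bot: In the HEAD-side `is_complete` added in this hunk, a NO_ACCESS recommendation is handled by `return FALSE`, the same value used for "no recommendation yet", so an explicit deny from the IMVs is indistinguishable from an unfinished assessment and presumably leaves the caller waiting rather than refusing the peer; the upstream side's `charon->imvs->enforce_recommendation(charon->imvs, rec)` in the context lines below is the path that actually applies the verdict. Also, when `charon->bus->get_sa(charon->bus)` returns NULL the function still returns TRUE without having attached the `allow`/`isolate` group, so the caller sees a completed assessment with no group constraint recorded; return FALSE (or log and fail) in that branch. `is_complete` begins outside this hunk.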
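Review bot: The HEAD-side `destroy` added in the `@@ -458,6 +685,21 @@` hunk never releases the connection's slot in the static send buffer: `free_batch` is only called from `build` after a successful send, so a batch that was buffered but not yet retrieved when the connection is torn down leaks and leaves `tnc_send_buffer[id].ptr` non-NULL, after which `buffer_batch` rejects any later connection assigned the same ID with TNC_RESULT_FATAL. Call `free_batch(...)` with the connection's ID before the `DeleteConnection` call on both branches. The client branch also calls `libtnc_tncc_Terminate()` unconditionally on every destroy; if that tears down library-wide state (the name suggests so, but its definition is not visible here), destroying one client connection affects every other one still alive. `destroy` begins outside this hunk.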
@@ -490,7 +733,10 @@ tls_t *tnccs_11_create(bool is_server) .destroy = _destroy, }, .is_server = is_server, +<<<<<<< HEAD +======= .mutex = mutex_create(MUTEX_TYPE_DEFAULT), +>>>>>>> upstream/4.5.1 ); return &this->public; diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am index d72fd3e34..14f02a682 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.am +++ b/src/libcharon/plugins/tnccs_20/Makefile.am @@ -1,13 +1,33 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnccs_20_la_LIBADD = -ltnc + +======= -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic +>>>>>>> upstream/4.5.1 if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnccs-20.la else plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +<<<<<<< HEAD +libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_tnccs_20_la_SOURCES = \ + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + +libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version + +======= libstrongswan_tnccs_20_la_LIBADD = $(top_builddir)/src/libtls/libtls.la endif @@ -26,3 +46,4 @@ libstrongswan_tnccs_20_la_SOURCES = \ state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version +>>>>>>> upstream/4.5.1 diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in index 9853be338..bb0c419f4 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.in +++ b/src/libcharon/plugins/tnccs_20/Makefile.in 
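Review bot: The HEAD side of the tnccs_20/Makefile.am `@@ -1,13 +1,33 @@` hunk links `-ltnc` and shells out to `` `xml2-config --cflags` `` at make time, while the configure-substituted `xml_CFLAGS = @xml_CFLAGS@` that the generated Makefile.in already carries goes unused; build flags should come from the configure substitution, not from a command executed during make. Neither dependency is needed by the HEAD-side tnccs_20.c in this same commit, which includes only debug.h, and the upstream side drops both. The `+=` on `libstrongswan_tnccs_20_la_LIBADD` inside `if MONOLITHIC` is also placed before the upstream side's plain `=` assignment of the same variable, so the two sides cannot coexist even apart from the conflict markers.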
@@ -34,6 +34,10 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +<<<<<<< HEAD +@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la +======= +>>>>>>> upstream/4.5.1 subdir = src/libcharon/plugins/tnccs_20 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -74,6 +78,10 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +<<<<<<< HEAD +libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1) +am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo +======= @MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_DEPENDENCIES = \ @MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \ @@ -82,6 +90,7 @@ am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \ pb_access_recommendation_msg.lo pb_error_msg.lo \ pb_language_preference_msg.lo pb_reason_string_msg.lo \ pb_remediation_parameters_msg.lo pb_tnc_state_machine.lo +>>>>>>> upstream/4.5.1 libstrongswan_tnccs_20_la_OBJECTS = \ $(am_libstrongswan_tnccs_20_la_OBJECTS) libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \ @@ -228,7 +237,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,8 +282,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -280,6 +298,17 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ +<<<<<<< HEAD + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1) +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +libstrongswan_tnccs_20_la_SOURCES = \ + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c +======= -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic @@ -299,6 +328,7 @@ libstrongswan_tnccs_20_la_SOURCES = \ messages/pb_reason_string_msg.h messages/pb_reason_string_msg.c \ messages/pb_remediation_parameters_msg.h messages/pb_remediation_parameters_msg.c \ state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c +>>>>>>> upstream/4.5.1 libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version all: all-am @@ -384,6 +414,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +<<<<<<< HEAD +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_access_recommendation_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_assessment_result_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_error_msg.Plo@am__quote@ @@ -395,6 +427,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_batch.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_state_machine.Plo@am__quote@ +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@ 
@@ -419,6 +452,8 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +<<<<<<< HEAD +======= pb_tnc_batch.lo: batch/pb_tnc_batch.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo @@ -496,6 +531,7 @@ pb_tnc_state_machine.lo: state_machine/pb_tnc_state_machine.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c +>>>>>>> upstream/4.5.1 mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index d53fd8eb7..28cfa2cbc 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -1,5 +1,8 @@ /* +<<<<<<< HEAD +======= * Copyright (C) 2010 Sansar Choinyanbuu +>>>>>>> upstream/4.5.1 * Copyright (C) 2010 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -15,6 +18,12 @@ */ #include "tnccs_20.h" +<<<<<<< HEAD + +#include <debug.h> + +static chunk_t tncc_output; +======= #include "batch/pb_tnc_batch.h" #include "messages/pb_tnc_msg.h" #include "messages/pb_pa_msg.h" 
@@ -32,6 +41,7 @@ #include <tnc/tncif.h> #include <tnc/tncifimv.h> #include <tnc/tnccs/tnccs.h> +>>>>>>> upstream/4.5.1 typedef struct private_tnccs_20_t private_tnccs_20_t; @@ -49,6 +59,20 @@ struct private_tnccs_20_t { * TNCC if TRUE, TNCS if FALSE */ bool is_server; +<<<<<<< HEAD +}; + +METHOD(tls_t, process, status_t, + private_tnccs_20_t *this, void *buf, size_t buflen) +{ + return NEED_MORE; +} + +METHOD(tls_t, build, status_t, + private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + return ALREADY_DONE; +======= /** * PB-TNC State Machine @@ -584,6 +608,7 @@ METHOD(tls_t, build, status_t, this->mutex->unlock(this->mutex); return status; +>>>>>>> upstream/4.5.1 } METHOD(tls_t, is_server, bool, @@ -601,6 +626,9 @@ METHOD(tls_t, get_purpose, tls_purpose_t, METHOD(tls_t, is_complete, bool, private_tnccs_20_t *this) { +<<<<<<< HEAD + return FALSE; +======= TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; @@ -616,6 +644,7 @@ METHOD(tls_t, is_complete, bool, { return FALSE; } +>>>>>>> upstream/4.5.1 } METHOD(tls_t, get_eap_msk, chunk_t, @@ -627,6 +656,8 @@ METHOD(tls_t, get_eap_msk, chunk_t, METHOD(tls_t, destroy, void, private_tnccs_20_t *this) { +<<<<<<< HEAD +======= if (this->is_server) { charon->imvs->notify_connection_change(charon->imvs, @@ -641,6 +672,7 @@ METHOD(tls_t, destroy, void, this->state_machine->destroy(this->state_machine); this->mutex->destroy(this->mutex); DESTROY_IF(this->batch); +>>>>>>> upstream/4.5.1 free(this); } @@ -662,8 +694,11 @@ tls_t *tnccs_20_create(bool is_server) .destroy = _destroy, }, .is_server = is_server, +<<<<<<< HEAD +======= .state_machine = pb_tnc_state_machine_create(is_server), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), +>>>>>>> upstream/4.5.1 ); return &this->public; diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index f7162d800..ca2522e46 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in 
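Review bot: The HEAD-side `build` stub added in the `@@ -49,6 +59,20 @@` hunk returns ALREADY_DONE without writing to `buf` or setting `*buflen`/`*msglen`, so the caller is handed a success status with unset lengths and whatever bytes the buffer held before the call (the tnccs_11 `build` in this same commit sets `*buflen = len` and copies into `buf` before returning ALREADY_DONE). If the stub is kept at all, return INVALID_STATE or at least set `*buflen = 0;` explicitly. The matching `process` stub discards its input and the HEAD-side `is_complete` always returns FALSE, so that variant can never finish an exchange; the upstream side constructed with `pb_tnc_state_machine_create(is_server)` is the functional one.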
@@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index 4e43388ec..9032d8353 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -196,8 +196,13 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, +<<<<<<< HEAD + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); +======= ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0); +>>>>>>> upstream/4.5.1 child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net)); diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 5fa749e56..c2f8f43fb 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in 
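Review bot: The HEAD side of the uci_config.c hunk calls `child_cfg_create` with 11 arguments and the upstream side with 13 (an additional ACTION_NONE and a trailing 0); only one can match the prototype in this tree, and since the rest of the commit merges upstream/4.5.1, the 13-argument form is presumably the one to keep. As committed, both argument lists and the conflict markers sit inside the parenthesised call, so the file does not parse. `peer_enumerator_enumerate` begins outside this hunk.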
@@ -226,7 +226,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,8 +271,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index 5dd2dc843..4b7622e17 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -222,7 +222,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,8 +267,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/processing/jobs/acquire_job.c b/src/libcharon/processing/jobs/acquire_job.c index 3544dd332..7a38d2553 100644 --- a/src/libcharon/processing/jobs/acquire_job.c +++ b/src/libcharon/processing/jobs/acquire_job.c 
@@ -45,16 +45,30 @@ struct private_acquire_job_t { traffic_selector_t *dst_ts; }; +<<<<<<< HEAD +/** + * Implementation of job_t.destroy. + */ +static void destroy(private_acquire_job_t *this) +======= METHOD(job_t, destroy, void, private_acquire_job_t *this) +>>>>>>> upstream/4.5.1 { DESTROY_IF(this->src_ts); DESTROY_IF(this->dst_ts); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_acquire_job_t *this) +======= METHOD(job_t, execute, void, private_acquire_job_t *this) +>>>>>>> upstream/4.5.1 { charon->traps->acquire(charon->traps, this->reqid, this->src_ts, this->dst_ts); @@ -68,6 +82,16 @@ acquire_job_t *acquire_job_create(u_int32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { +<<<<<<< HEAD + private_acquire_job_t *this = malloc_thing(private_acquire_job_t); + + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + this->reqid = reqid; + this->src_ts = src_ts; + this->dst_ts = dst_ts; +======= private_acquire_job_t *this; INIT(this, @@ -81,6 +105,7 @@ acquire_job_t *acquire_job_create(u_int32_t reqid, .src_ts = src_ts, .dst_ts = dst_ts, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c index 29122cd03..12b4dc1e2 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.c +++ b/src/libcharon/processing/jobs/delete_child_sa_job.c 
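Review bot: The HEAD side of this hunk defines `destroy` and `execute` as plain static functions beside the upstream `METHOD(job_t, …)` definitions of the same names, so if both sides survive the translation unit has duplicate definitions, and the `malloc_thing` constructor in the `@@ -68,6 +82,16 @@` hunk assigns only the members it names, leaving any job_t member added in 4.5.1 uninitialized — assuming malloc_thing is a plain malloc wrapper and `INIT` a compound-literal assignment that zeroes unnamed members, neither of which is visible here. The same pair of variants is added to delete_child_sa_job.c, delete_ike_sa_job.c, migrate_job.c, process_message_job.c, rekey_child_sa_job.c, rekey_ike_sa_job.c, retransmit_job.c, roam_job.c, send_dpd_job.c, send_keepalive_job.c and update_sa_job.c. The casts `(void (*)(job_t *)) execute` also discard the parameter-type check that `METHOD` gives, and delete_ike_sa_job.c's HEAD side carries a stray `destroy;;`; keep the upstream `METHOD`/`INIT` form throughout.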
@@ -46,14 +46,28 @@ struct private_delete_child_sa_job_t { u_int32_t spi; }; +<<<<<<< HEAD +/** + * Implementation of job_t.destroy. + */ +static void destroy(private_delete_child_sa_job_t *this) +======= METHOD(job_t, destroy, void, private_delete_child_sa_job_t *this) +>>>>>>> upstream/4.5.1 { free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_delete_child_sa_job_t *this) +======= METHOD(job_t, execute, void, private_delete_child_sa_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; @@ -80,6 +94,18 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi) { +<<<<<<< HEAD + private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->reqid = reqid; + this->protocol = protocol; + this->spi = spi; +======= private_delete_child_sa_job_t *this; INIT(this, @@ -93,6 +119,7 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, .protocol = protocol, .spi = spi, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c index da3ecf06f..2297f3fba 100644 --- a/src/libcharon/processing/jobs/delete_ike_sa_job.c +++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c 
@@ -41,15 +41,29 @@ struct private_delete_ike_sa_job_t { }; +<<<<<<< HEAD +/** + * Implements job_t.destroy. + */ +static void destroy(private_delete_ike_sa_job_t *this) +======= METHOD(job_t, destroy, void, private_delete_ike_sa_job_t *this) +>>>>>>> upstream/4.5.1 { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_delete_ike_sa_job_t *this) +======= METHOD(job_t, execute, void, private_delete_ike_sa_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; @@ -98,6 +112,17 @@ METHOD(job_t, execute, void, delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool delete_if_established) { +<<<<<<< HEAD + private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t *)) destroy;; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + this->delete_if_established = delete_if_established; +======= private_delete_ike_sa_job_t *this; INIT(this, @@ -110,6 +135,7 @@ delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, .ike_sa_id = ike_sa_id->clone(ike_sa_id), .delete_if_established = delete_if_established, ); +>>>>>>> upstream/4.5.1 return &(this->public); } diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c index 5e7c7ae88..7ddd0a82b 100644 --- a/src/libcharon/processing/jobs/migrate_job.c +++ b/src/libcharon/processing/jobs/migrate_job.c @@ -57,8 +57,15 @@ struct private_migrate_job_t { host_t *remote; }; +<<<<<<< HEAD +/** + * Implementation of job_t.destroy. + */ +static void destroy(private_migrate_job_t *this) +======= METHOD(job_t, destroy, void, private_migrate_job_t *this) +>>>>>>> upstream/4.5.1 { DESTROY_IF(this->src_ts); DESTROY_IF(this->dst_ts); 
@@ -67,8 +74,15 @@ METHOD(job_t, destroy, void, free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_migrate_job_t *this) +======= METHOD(job_t, execute, void, private_migrate_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa = NULL; @@ -129,6 +143,20 @@ migrate_job_t *migrate_job_create(u_int32_t reqid, policy_dir_t dir, host_t *local, host_t *remote) { +<<<<<<< HEAD + private_migrate_job_t *this = malloc_thing(private_migrate_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->reqid = reqid; + this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts; + this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts; + this->local = local; + this->remote = remote; +======= private_migrate_job_t *this; INIT(this, @@ -144,6 +172,7 @@ migrate_job_t *migrate_job_create(u_int32_t reqid, .local = local, .remote = remote, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c index b6de4fc0f..733775cfa 100644 --- a/src/libcharon/processing/jobs/process_message_job.c +++ b/src/libcharon/processing/jobs/process_message_job.c @@ -35,15 +35,29 @@ struct private_process_message_job_t { message_t *message; }; +<<<<<<< HEAD +/** + * Implements job_t.destroy. + */ +static void destroy(private_process_message_job_t *this) +======= METHOD(job_t, destroy, void, private_process_message_job_t *this) +>>>>>>> upstream/4.5.1 { this->message->destroy(this->message); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_process_message_job_t *this) +======= METHOD(job_t, execute, void, private_process_message_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; 
@@ -89,6 +103,16 @@ METHOD(job_t, execute, void, */ process_message_job_t *process_message_job_create(message_t *message) { +<<<<<<< HEAD + private_process_message_job_t *this = malloc_thing(private_process_message_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void(*)(job_t*))destroy; + + /* private variables */ + this->message = message; +======= private_process_message_job_t *this; INIT(this, @@ -100,6 +124,7 @@ process_message_job_t *process_message_job_create(message_t *message) }, .message = message, ); +>>>>>>> upstream/4.5.1 return &(this->public); } diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c index 2bcee2ddf..5e147fda6 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c @@ -45,14 +45,28 @@ struct private_rekey_child_sa_job_t { u_int32_t spi; }; +<<<<<<< HEAD +/** + * Implementation of job_t.destroy. + */ +static void destroy(private_rekey_child_sa_job_t *this) +======= METHOD(job_t, destroy, void, private_rekey_child_sa_job_t *this) +>>>>>>> upstream/4.5.1 { free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_rekey_child_sa_job_t *this) +======= METHOD(job_t, execute, void, private_rekey_child_sa_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; 
@@ -78,6 +92,18 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi) { +<<<<<<< HEAD + private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->reqid = reqid; + this->protocol = protocol; + this->spi = spi; +======= private_rekey_child_sa_job_t *this; INIT(this, @@ -91,6 +117,7 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, .protocol = protocol, .spi = spi, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c index dc86ba9b3..5f43b2cd5 100644 --- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c @@ -39,15 +39,29 @@ struct private_rekey_ike_sa_job_t { bool reauth; }; +<<<<<<< HEAD +/** + * Implementation of job_t.destroy. + */ +static void destroy(private_rekey_ike_sa_job_t *this) +======= METHOD(job_t, destroy, void, private_rekey_ike_sa_job_t *this) +>>>>>>> upstream/4.5.1 { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_rekey_ike_sa_job_t *this) +======= METHOD(job_t, execute, void, private_rekey_ike_sa_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; status_t status = SUCCESS; 
@@ -86,6 +100,17 @@ METHOD(job_t, execute, void, */ rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth) { +<<<<<<< HEAD + private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + this->reauth = reauth; +======= private_rekey_ike_sa_job_t *this; INIT(this, @@ -98,6 +123,7 @@ rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth) .ike_sa_id = ike_sa_id->clone(ike_sa_id), .reauth = reauth, ); +>>>>>>> upstream/4.5.1 return &(this->public); } diff --git a/src/libcharon/processing/jobs/retransmit_job.c b/src/libcharon/processing/jobs/retransmit_job.c index 1c78abd27..0b73f1485 100644 --- a/src/libcharon/processing/jobs/retransmit_job.c +++ b/src/libcharon/processing/jobs/retransmit_job.c @@ -40,15 +40,29 @@ struct private_retransmit_job_t { ike_sa_id_t *ike_sa_id; }; +<<<<<<< HEAD +/** + * Implements job_t.destroy. + */ +static void destroy(private_retransmit_job_t *this) +======= METHOD(job_t, destroy, void, private_retransmit_job_t *this) +>>>>>>> upstream/4.5.1 { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_retransmit_job_t *this) +======= METHOD(job_t, execute, void, private_retransmit_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; 
@@ -75,6 +89,17 @@ METHOD(job_t, execute, void, */ retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id) { +<<<<<<< HEAD + private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + + /* private variables */ + this->message_id = message_id; + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); +======= private_retransmit_job_t *this; INIT(this, @@ -87,6 +112,7 @@ retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa .message_id = message_id, .ike_sa_id = ike_sa_id->clone(ike_sa_id), ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/roam_job.c b/src/libcharon/processing/jobs/roam_job.c index 74ef8bd6d..bcc96686c 100644 --- a/src/libcharon/processing/jobs/roam_job.c +++ b/src/libcharon/processing/jobs/roam_job.c @@ -38,14 +38,28 @@ struct private_roam_job_t { bool address; }; +<<<<<<< HEAD +/** + * Implements job_t.destroy. + */ +static void destroy(private_roam_job_t *this) +======= METHOD(job_t, destroy, void, private_roam_job_t *this) +>>>>>>> upstream/4.5.1 { free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_roam_job_t *this) +======= METHOD(job_t, execute, void, private_roam_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; linked_list_t *list; @@ -90,6 +104,14 @@ METHOD(job_t, execute, void, */ roam_job_t *roam_job_create(bool address) { +<<<<<<< HEAD + private_roam_job_t *this = malloc_thing(private_roam_job_t); + + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + + this->address = address; +======= private_roam_job_t *this; INIT(this, 
@@ -101,6 +123,7 @@ roam_job_t *roam_job_create(bool address) }, .address = address, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/send_dpd_job.c b/src/libcharon/processing/jobs/send_dpd_job.c index 47b525363..0a0fd2144 100644 --- a/src/libcharon/processing/jobs/send_dpd_job.c +++ b/src/libcharon/processing/jobs/send_dpd_job.c @@ -38,15 +38,29 @@ struct private_send_dpd_job_t { ike_sa_id_t *ike_sa_id; }; +<<<<<<< HEAD +/** + * Implements job_t.destroy. + */ +static void destroy(private_send_dpd_job_t *this) +======= METHOD(job_t, destroy, void, private_send_dpd_job_t *this) +>>>>>>> upstream/4.5.1 { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_send_dpd_job_t *this) +======= METHOD(job_t, execute, void, private_send_dpd_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; @@ -71,6 +85,16 @@ METHOD(job_t, execute, void, */ send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id) { +<<<<<<< HEAD + private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); +======= private_send_dpd_job_t *this; INIT(this, @@ -82,6 +106,7 @@ send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id) }, .ike_sa_id = ike_sa_id->clone(ike_sa_id), ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c index 8d98aad7e..21b78919f 100644 --- a/src/libcharon/processing/jobs/send_keepalive_job.c +++ b/src/libcharon/processing/jobs/send_keepalive_job.c 
@@ -38,15 +38,29 @@ struct private_send_keepalive_job_t { ike_sa_id_t *ike_sa_id; }; +<<<<<<< HEAD +/** + * Implements job_t.destroy. + */ +static void destroy(private_send_keepalive_job_t *this) +======= METHOD(job_t, destroy, void, private_send_keepalive_job_t *this) +>>>>>>> upstream/4.5.1 { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_send_keepalive_job_t *this) +======= METHOD(job_t, execute, void, private_send_keepalive_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; @@ -65,6 +79,16 @@ METHOD(job_t, execute, void, */ send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id) { +<<<<<<< HEAD + private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t); + + /* interface functions */ + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); +======= private_send_keepalive_job_t *this; INIT(this, @@ -76,6 +100,7 @@ send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id) }, .ike_sa_id = ike_sa_id->clone(ike_sa_id), ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c index 3b4e9949f..eeaf9f1c4 100644 --- a/src/libcharon/processing/jobs/update_sa_job.c +++ b/src/libcharon/processing/jobs/update_sa_job.c 
@@ -43,15 +43,29 @@ struct private_update_sa_job_t { host_t *new; }; +<<<<<<< HEAD +/** + * Implements job_t.destroy. + */ +static void destroy(private_update_sa_job_t *this) +======= METHOD(job_t, destroy, void, private_update_sa_job_t *this) +>>>>>>> upstream/4.5.1 { this->new->destroy(this->new); free(this); } +<<<<<<< HEAD +/** + * Implementation of job_t.execute. + */ +static void execute(private_update_sa_job_t *this) +======= METHOD(job_t, execute, void, private_update_sa_job_t *this) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa; @@ -67,7 +81,11 @@ METHOD(job_t, execute, void, if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) && !ike_sa->has_condition(ike_sa, COND_NAT_HERE)) { +<<<<<<< HEAD + ike_sa->update_hosts(ike_sa, NULL, this->new); +======= ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE); +>>>>>>> upstream/4.5.1 } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } @@ -79,6 +97,15 @@ METHOD(job_t, execute, void, */ update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new) { +<<<<<<< HEAD + private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t); + + this->public.job_interface.execute = (void (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + + this->reqid = reqid; + this->new = new; +======= private_update_sa_job_t *this; INIT(this, @@ -91,6 +118,7 @@ update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new) .reqid = reqid, .new = new, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c index 83f5fbaad..3f176f9be 100644 --- a/src/libcharon/sa/authenticators/authenticator.c +++ b/src/libcharon/sa/authenticators/authenticator.c 
@@ -39,8 +39,12 @@ ENUM_END(auth_method_names, AUTH_ECDSA_521); */ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init) +======= chunk_t received_init, chunk_t sent_init, char reserved[3]) +>>>>>>> upstream/4.5.1 { switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) { @@ -48,6 +52,15 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, /* defaults to PUBKEY */ case AUTH_CLASS_PUBKEY: return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa, +<<<<<<< HEAD + received_nonce, sent_init); + case AUTH_CLASS_PSK: + return (authenticator_t*)psk_authenticator_create_builder(ike_sa, + received_nonce, sent_init); + case AUTH_CLASS_EAP: + return (authenticator_t*)eap_authenticator_create_builder(ike_sa, + received_nonce, sent_nonce, received_init, sent_init); +======= received_nonce, sent_init, reserved); case AUTH_CLASS_PSK: return (authenticator_t*)psk_authenticator_create_builder(ike_sa, @@ -56,6 +69,7 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, return (authenticator_t*)eap_authenticator_create_builder(ike_sa, received_nonce, sent_nonce, received_init, sent_init, reserved); +>>>>>>> upstream/4.5.1 default: return NULL; } @@ -67,8 +81,12 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, authenticator_t *authenticator_create_verifier( ike_sa_t *ike_sa, message_t *message, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init) +======= chunk_t received_init, chunk_t sent_init, char reserved[3]) +>>>>>>> upstream/4.5.1 { auth_payload_t *auth_payload; 
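Review bot: The HEAD side of the conflict in authenticator_create_builder and authenticator_create_verifier drops the `char reserved[3]` argument that the upstream/4.5.1 side threads through to the pubkey, PSK and EAP authenticators; the headers in this chunk document it as the reserved bytes of the ID payload, and the upstream side passes it into `get_auth_octets`/`get_psk_sig`, so the AUTH value the two sides compute differs. Resolving toward HEAD here while keeping upstream elsewhere will not compile, and resolving toward HEAD everywhere would, as far as these hunks show, compute AUTH without those bytes. Note that in eap_authenticator.c the markers around `char reserved[3]` sit inside `/** ... */` comments, so that struct member survives either resolution; if the HEAD side of the constructors is taken, the `memcpy(this->reserved, reserved, sizeof(this->reserved))` disappears and nothing assigns the member. Prefer the upstream/4.5.1 side consistently across authenticator.c and eap_/psk_/pubkey_authenticator.[ch].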
@@ -76,8 +94,12 @@ authenticator_t *authenticator_create_verifier( if (auth_payload == NULL) { return (authenticator_t*)eap_authenticator_create_verifier(ike_sa, +<<<<<<< HEAD + received_nonce, sent_nonce, received_init, sent_init); +======= received_nonce, sent_nonce, received_init, sent_init, reserved); +>>>>>>> upstream/4.5.1 } switch (auth_payload->get_auth_method(auth_payload)) { @@ -86,10 +108,17 @@ authenticator_t *authenticator_create_verifier( case AUTH_ECDSA_384: case AUTH_ECDSA_521: return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa, +<<<<<<< HEAD + sent_nonce, received_init); + case AUTH_PSK: + return (authenticator_t*)psk_authenticator_create_verifier(ike_sa, + sent_nonce, received_init); +======= sent_nonce, received_init, reserved); case AUTH_PSK: return (authenticator_t*)psk_authenticator_create_verifier(ike_sa, sent_nonce, received_init, reserved); +>>>>>>> upstream/4.5.1 default: return NULL; } diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h index d27e006a3..d30094c9b 100644 --- a/src/libcharon/sa/authenticators/authenticator.h +++ b/src/libcharon/sa/authenticators/authenticator.h @@ -130,14 +130,21 @@ struct authenticator_t { * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data +<<<<<<< HEAD +======= * @param reserved reserved bytes of the ID payload +>>>>>>> upstream/4.5.1 * @return authenticator, NULL if not supported */ authenticator_t *authenticator_create_builder( ike_sa_t *ike_sa, auth_cfg_t *cfg, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init); +======= chunk_t received_init, chunk_t sent_init, char reserved[3]); +>>>>>>> upstream/4.5.1 /** * Create an authenticator to verify signatures. 
@@ -148,13 +155,20 @@ authenticator_t *authenticator_create_builder( * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data +<<<<<<< HEAD +======= * @param reserved reserved bytes of the ID payload +>>>>>>> upstream/4.5.1 * @return authenticator, NULL if not supported */ authenticator_t *authenticator_create_verifier( ike_sa_t *ike_sa, message_t *message, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init); +======= chunk_t received_init, chunk_t sent_init, char reserved[3]); +>>>>>>> upstream/4.5.1 #endif /** AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c index dea02755d..a5268e186 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/authenticators/eap_authenticator.c @@ -58,11 +58,14 @@ struct private_eap_authenticator_t { chunk_t sent_init; /** +<<<<<<< HEAD +======= * Reserved bytes of ID payload */ char reserved[3]; /** +>>>>>>> upstream/4.5.1 * Current EAP method processing */ eap_method_t *method; @@ -427,7 +430,11 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, other_id = this->ike_sa->get_other_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce, +<<<<<<< HEAD + this->msk, other_id); +======= this->msk, other_id, this->reserved); +>>>>>>> upstream/4.5.1 recv_auth_data = auth_payload->get_data(auth_payload); if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data)) { 
@@ -463,8 +470,12 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message, DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); +<<<<<<< HEAD + auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id); +======= auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id, this->reserved); +>>>>>>> upstream/4.5.1 auth_payload = auth_payload_create(); auth_payload->set_auth_method(auth_payload, AUTH_PSK); auth_payload->set_data(auth_payload, auth_data); @@ -648,8 +659,12 @@ METHOD(authenticator_t, destroy, void, */ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init) +======= chunk_t received_init, chunk_t sent_init, char reserved[3]) +>>>>>>> upstream/4.5.1 { private_eap_authenticator_t *this; @@ -668,7 +683,10 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, .sent_init = sent_init, .sent_nonce = sent_nonce, ); +<<<<<<< HEAD +======= memcpy(this->reserved, reserved, sizeof(this->reserved)); +>>>>>>> upstream/4.5.1 return &this->public; } @@ -678,8 +696,12 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, */ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init) +======= chunk_t received_init, chunk_t sent_init, char reserved[3]) +>>>>>>> upstream/4.5.1 { private_eap_authenticator_t *this; @@ -698,7 +720,10 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, .sent_init = sent_init, .sent_nonce = sent_nonce, ); +<<<<<<< HEAD +======= memcpy(this->reserved, reserved, sizeof(this->reserved)); +>>>>>>> upstream/4.5.1 return &this->public; } 
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/authenticators/eap_authenticator.h index 726411a18..625084d4f 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.h +++ b/src/libcharon/sa/authenticators/eap_authenticator.h @@ -75,13 +75,20 @@ struct eap_authenticator_t { * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data +<<<<<<< HEAD +======= * @param reserved reserved bytes of ID payload +>>>>>>> upstream/4.5.1 * @return EAP authenticator */ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init); +======= chunk_t received_init, chunk_t sent_init, char reserved[3]); +>>>>>>> upstream/4.5.1 /** * Create an authenticator to authenticate EAP clients. @@ -91,12 +98,19 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data +<<<<<<< HEAD +======= * @param reserved reserved bytes of ID payload +>>>>>>> upstream/4.5.1 * @return EAP authenticator */ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, +<<<<<<< HEAD + chunk_t received_init, chunk_t sent_init); +======= chunk_t received_init, chunk_t sent_init, char reserved[3]); +>>>>>>> upstream/4.5.1 #endif /** EAP_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c index 21fc0f9b8..9789ec93b 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/authenticators/psk_authenticator.c 
@@ -45,6 +45,14 @@ struct private_psk_authenticator_t { * IKE_SA_INIT message data to include in AUTH calculation */ chunk_t ike_sa_init; +<<<<<<< HEAD +}; + +/* + * Implementation of authenticator_t.build for builder + */ +static status_t build(private_psk_authenticator_t *this, message_t *message) +======= /** * Reserved bytes of ID payload @@ -54,6 +62,7 @@ struct private_psk_authenticator_t { METHOD(authenticator_t, build, status_t, private_psk_authenticator_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { identification_t *my_id, *other_id; auth_payload_t *auth_payload; @@ -73,7 +82,11 @@ METHOD(authenticator_t, build, status_t, return NOT_FOUND; } auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, +<<<<<<< HEAD + this->nonce, key->get_key(key), my_id); +======= this->nonce, key->get_key(key), my_id, this->reserved); +>>>>>>> upstream/4.5.1 key->destroy(key); DBG2(DBG_IKE, "successfully created shared key MAC"); auth_payload = auth_payload_create(); @@ -85,8 +98,15 @@ METHOD(authenticator_t, build, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of authenticator_t.process for verifier + */ +static status_t process(private_psk_authenticator_t *this, message_t *message) +======= METHOD(authenticator_t, process, status_t, private_psk_authenticator_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { chunk_t auth_data, recv_auth_data; identification_t *my_id, *other_id; @@ -114,7 +134,11 @@ METHOD(authenticator_t, process, status_t, keys_found++; auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, +<<<<<<< HEAD + this->nonce, key->get_key(key), other_id); +======= this->nonce, key->get_key(key), other_id, this->reserved); +>>>>>>> upstream/4.5.1 if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", 
@@ -142,8 +166,24 @@ METHOD(authenticator_t, process, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of authenticator_t.process for builder + * Implementation of authenticator_t.build for verifier + */ +static status_t return_failed() +{ + return FAILED; +} + +/** + * Implementation of authenticator_t.destroy. + */ +static void destroy(private_psk_authenticator_t *this) +======= METHOD(authenticator_t, destroy, void, private_psk_authenticator_t *this) +>>>>>>> upstream/4.5.1 { free(this); } @@ -152,6 +192,20 @@ METHOD(authenticator_t, destroy, void, * Described in header. */ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, +<<<<<<< HEAD + chunk_t received_nonce, chunk_t sent_init) +{ + private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; + this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->ike_sa_init = sent_init; + this->nonce = received_nonce; +======= chunk_t received_nonce, chunk_t sent_init, char reserved[3]) { @@ -171,6 +225,7 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, .nonce = received_nonce, ); memcpy(this->reserved, reserved, sizeof(this->reserved)); +>>>>>>> upstream/4.5.1 return &this->public; } 
@@ -179,6 +234,20 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, * Described in header. */ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, +<<<<<<< HEAD + chunk_t sent_nonce, chunk_t received_init) +{ + private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; + this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->ike_sa_init = received_init; + this->nonce = sent_nonce; +======= chunk_t sent_nonce, chunk_t received_init, char reserved[3]) { @@ -198,6 +267,7 @@ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, .nonce = sent_nonce, ); memcpy(this->reserved, reserved, sizeof(this->reserved)); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/authenticators/psk_authenticator.h index 8cf1a0f98..2897c3fe2 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.h +++ b/src/libcharon/sa/authenticators/psk_authenticator.h 
@@ -42,12 +42,19 @@ struct psk_authenticator_t { * @param ike_sa associated ike_sa * @param received_nonce nonce received in IKE_SA_INIT * @param sent_init sent IKE_SA_INIT message data +<<<<<<< HEAD + * @return PSK authenticator + */ +psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_init); +======= * @param reserved reserved bytes of ID payload * @return PSK authenticator */ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_init, char reserved[3]); +>>>>>>> upstream/4.5.1 /** * Create an authenticator to verify PSK signatures. @@ -55,11 +62,18 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, * @param ike_sa associated ike_sa * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data +<<<<<<< HEAD + * @return PSK authenticator + */ +psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t sent_nonce, chunk_t received_init); +======= * @param reserved reserved bytes of ID payload * @return PSK authenticator */ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t sent_nonce, chunk_t received_init, char reserved[3]); +>>>>>>> upstream/4.5.1 #endif /** PSK_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c index 247891670..030433db0 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c @@ -46,6 +46,14 @@ struct private_pubkey_authenticator_t { * IKE_SA_INIT message data to include in AUTH calculation */ chunk_t ike_sa_init; +<<<<<<< HEAD +}; + +/** + * Implementation of authenticator_t.build for builder + */ +static status_t build(private_pubkey_authenticator_t *this, message_t *message) +======= /** * Reserved bytes of ID payload 
@@ -55,6 +63,7 @@ struct private_pubkey_authenticator_t { METHOD(authenticator_t, build, status_t, private_pubkey_authenticator_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { chunk_t octets, auth_data; status_t status = FAILED; @@ -112,7 +121,11 @@ METHOD(authenticator_t, build, status_t, } keymat = this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, +<<<<<<< HEAD + this->nonce, id); +======= this->nonce, id, this->reserved); +>>>>>>> upstream/4.5.1 if (private->sign(private, scheme, octets, &auth_data)) { auth_payload = auth_payload_create(); @@ -131,8 +144,15 @@ METHOD(authenticator_t, build, status_t, return status; } +<<<<<<< HEAD +/** + * Implementation of authenticator_t.process for verifier + */ +static status_t process(private_pubkey_authenticator_t *this, message_t *message) +======= METHOD(authenticator_t, process, status_t, private_pubkey_authenticator_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { public_key_t *public; auth_method_t auth_method; @@ -176,7 +196,11 @@ METHOD(authenticator_t, process, status_t, id = this->ike_sa->get_other_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, +<<<<<<< HEAD + this->nonce, id); +======= this->nonce, id, this->reserved); +>>>>>>> upstream/4.5.1 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, key_type, id, auth); 
@@ -207,8 +231,24 @@ METHOD(authenticator_t, process, status_t, return status; } +<<<<<<< HEAD +/** + * Implementation of authenticator_t.process for builder + * Implementation of authenticator_t.build for verifier + */ +static status_t return_failed() +{ + return FAILED; +} + +/** + * Implementation of authenticator_t.destroy. + */ +static void destroy(private_pubkey_authenticator_t *this) +======= METHOD(authenticator_t, destroy, void, private_pubkey_authenticator_t *this) +>>>>>>> upstream/4.5.1 { free(this); } @@ -217,6 +257,20 @@ METHOD(authenticator_t, destroy, void, * Described in header. */ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, +<<<<<<< HEAD + chunk_t received_nonce, chunk_t sent_init) +{ + private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; + this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->ike_sa_init = sent_init; + this->nonce = received_nonce; +======= chunk_t received_nonce, chunk_t sent_init, char reserved[3]) { @@ -236,6 +290,7 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, .nonce = received_nonce, ); memcpy(this->reserved, reserved, sizeof(this->reserved)); +>>>>>>> upstream/4.5.1 return &this->public; } 
@@ -244,6 +299,20 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, * Described in header. */ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, +<<<<<<< HEAD + chunk_t sent_nonce, chunk_t received_init) +{ + private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; + this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->ike_sa_init = received_init; + this->nonce = sent_nonce; +======= chunk_t sent_nonce, chunk_t received_init, char reserved[3]) { @@ -263,6 +332,7 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, .nonce = sent_nonce, ); memcpy(this->reserved, reserved, sizeof(this->reserved)); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/authenticators/pubkey_authenticator.h index 4c3937ecc..9e2606b95 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.h +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.h 
@@ -43,12 +43,19 @@ struct pubkey_authenticator_t { * @param ike_sa associated ike_sa * @param received_nonce nonce received in IKE_SA_INIT * @param sent_init sent IKE_SA_INIT message data +<<<<<<< HEAD + * @return public key authenticator + */ +pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_init); +======= * @param reserved reserved bytes of ID payload * @return public key authenticator */ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_init, char reserved[3]); +>>>>>>> upstream/4.5.1 /** * Create an authenticator to verify public key signatures. @@ -56,11 +63,18 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, * @param ike_sa associated ike_sa * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data +<<<<<<< HEAD + * @return public key authenticator + */ +pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t sent_nonce, chunk_t received_init); +======= * @param reserved reserved bytes of ID payload * @return public key authenticator */ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t sent_nonce, chunk_t received_init, char reserved[3]); +>>>>>>> upstream/4.5.1 #endif /** PUBKEY_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 495929965..a29e692fd 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c 
@@ -559,14 +559,21 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t, METHOD(child_sa_t, install, status_t, private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi, +<<<<<<< HEAD + u_int16_t cpi, bool inbound, linked_list_t *my_ts, +======= u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts, +>>>>>>> upstream/4.5.1 linked_list_t *other_ts) { u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size; traffic_selector_t *src_ts = NULL, *dst_ts = NULL; time_t now; lifetime_cfg_t *lifetime; +<<<<<<< HEAD +======= u_int32_t tfc = 0; +>>>>>>> upstream/4.5.1 host_t *src, *dst; status_t status; bool update = FALSE; @@ -591,11 +598,14 @@ METHOD(child_sa_t, install, status_t, dst = this->other_addr; this->other_spi = spi; this->other_cpi = cpi; +<<<<<<< HEAD +======= if (tfcv3) { tfc = this->config->get_tfc(this->config); } +>>>>>>> upstream/4.5.1 } DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound", @@ -626,7 +636,11 @@ METHOD(child_sa_t, install, status_t, lifetime->time.rekey = 0; } +<<<<<<< HEAD + if (this->mode == MODE_BEET) +======= if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT) +>>>>>>> upstream/4.5.1 { /* BEET requires the bound address from the traffic selectors. * TODO: We add just the first traffic selector for now, as the @@ -645,7 +659,11 @@ METHOD(child_sa_t, install, status_t, status = hydra->kernel_interface->add_sa(hydra->kernel_interface, src, dst, spi, proto_ike2ip(this->protocol), this->reqid, +<<<<<<< HEAD + inbound ? this->mark_in : this->mark_out, +======= inbound ? this->mark_in : this->mark_out, tfc, +>>>>>>> upstream/4.5.1 lifetime, enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, this->encap, update, src_ts, dst_ts); diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index f17ef01ac..513807b34 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h 
@@ -313,13 +313,20 @@ struct child_sa_t { * @param spi SPI to use, allocated for inbound * @param cpi CPI to use, allocated for outbound * @param inbound TRUE to install an inbound SA, FALSE for outbound +<<<<<<< HEAD +======= * @param tfcv3 TRUE if peer supports ESPv3 TFC +>>>>>>> upstream/4.5.1 * @param my_ts negotiated local traffic selector list * @param other_ts negotiated remote traffic selector list * @return SUCCESS or FAILED */ status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ, +<<<<<<< HEAD + u_int32_t spi, u_int16_t cpi, bool inbound, +======= u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3, +>>>>>>> upstream/4.5.1 linked_list_t *my_ts, linked_list_t *other_ts); /** * Install the policies using some traffic selectors. diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c index 972cc98ad..f481f2059 100644 --- a/src/libcharon/sa/connect_manager.c +++ b/src/libcharon/sa/connect_manager.c @@ -1194,10 +1194,14 @@ static job_requeue_t initiate_mediated(initiate_data_t *data) DBG1(DBG_IKE, "establishing mediated connection failed"); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); } +<<<<<<< HEAD + charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa); +======= else { charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa); } +>>>>>>> upstream/4.5.1 } iterator->destroy(iterator); } diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 9b6f9d06d..58d24b48c 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -50,7 +50,10 @@ #include <processing/jobs/send_dpd_job.h> #include <processing/jobs/send_keepalive_job.h> #include <processing/jobs/rekey_ike_sa_job.h> +<<<<<<< HEAD +======= #include <encoding/payloads/unknown_payload.h> +>>>>>>> upstream/4.5.1 #ifdef ME #include <sa/tasks/ike_me.h> 
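Review bot: In the connect_manager.c hunk, the HEAD side of initiate_mediated calls `charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);` unconditionally right after the failure branch's `checkin_and_destroy(charon->ike_sa_manager, sa)`, so on the failure path the SA is checked in again after it has been destroyed. The upstream/4.5.1 side fixes this by wrapping the checkin in `else { ... }`, and that side must be the one kept when the conflict is resolved. The enclosing function starts and ends outside the hunk.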
@@ -560,6 +563,16 @@ METHOD(ike_sa_t, send_dpd, status_t, time_t diff, delay; delay = this->peer_cfg->get_dpd(this->peer_cfg); +<<<<<<< HEAD + + if (delay == 0) + { + /* DPD disabled */ + return SUCCESS; + } + +======= +>>>>>>> upstream/4.5.1 if (this->task_manager->busy(this->task_manager)) { /* an exchange is in the air, no need to start a DPD check */ @@ -572,7 +585,11 @@ METHOD(ike_sa_t, send_dpd, status_t, last_in = get_use_time(this, TRUE); now = time_monotonic(NULL); diff = now - last_in; +<<<<<<< HEAD + if (diff >= delay) +======= if (!delay || diff >= delay) +>>>>>>> upstream/4.5.1 { /* to long ago, initiate dead peer detection */ task_t *task; @@ -598,11 +615,16 @@ METHOD(ike_sa_t, send_dpd, status_t, } } /* recheck in "interval" seconds */ +<<<<<<< HEAD + job = (job_t*)send_dpd_job_create(this->ike_sa_id); + lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); +======= if (delay) { job = (job_t*)send_dpd_job_create(this->ike_sa_id); lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); } +>>>>>>> upstream/4.5.1 return SUCCESS; } @@ -677,10 +699,14 @@ METHOD(ike_sa_t, set_state, void, } /* start DPD checks */ +<<<<<<< HEAD + send_dpd(this); +======= if (this->peer_cfg->get_dpd(this->peer_cfg)) { send_dpd(this); } +>>>>>>> upstream/4.5.1 } break; } @@ -825,7 +851,11 @@ METHOD(ike_sa_t, float_ports, void, } METHOD(ike_sa_t, update_hosts, void, +<<<<<<< HEAD + private_ike_sa_t *this, host_t *me, host_t *other) +======= private_ike_sa_t *this, host_t *me, host_t *other, bool force) +>>>>>>> upstream/4.5.1 { bool update = FALSE; @@ -858,7 +888,11 @@ METHOD(ike_sa_t, update_hosts, void, if (!other->equals(other, this->other_host)) { /* update others adress if we are NOT NATed */ +<<<<<<< HEAD + if (!has_condition(this, COND_NAT_HERE)) +======= if (force || !has_condition(this, COND_NAT_HERE)) +>>>>>>> upstream/4.5.1 { set_other_host(this, other->clone(other)); update = TRUE; 
@@ -891,6 +925,10 @@ METHOD(ike_sa_t, update_hosts, void, METHOD(ike_sa_t, generate_message, status_t, private_ike_sa_t *this, message_t *message, packet_t **packet) { +<<<<<<< HEAD + this->stats[STAT_OUTBOUND] = time_monotonic(NULL); + message->set_ike_sa_id(message, this->ike_sa_id); +======= if (message->is_encoded(message)) { /* already done */ *packet = message->get_packet(message); @@ -899,6 +937,7 @@ METHOD(ike_sa_t, generate_message, status_t, this->stats[STAT_OUTBOUND] = time_monotonic(NULL); message->set_ike_sa_id(message, this->ike_sa_id); charon->bus->message(charon->bus, message, FALSE); +>>>>>>> upstream/4.5.1 return message->generate(message, this->keymat->get_aead(this->keymat, FALSE), packet); } @@ -907,7 +946,11 @@ METHOD(ike_sa_t, generate_message, status_t, * send a notify back to the sender */ static void send_notify_response(private_ike_sa_t *this, message_t *request, +<<<<<<< HEAD + notify_type_t type) +======= notify_type_t type, chunk_t data) +>>>>>>> upstream/4.5.1 { message_t *response; packet_t *packet; @@ -916,7 +959,11 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request, response->set_exchange_type(response, request->get_exchange_type(request)); response->set_request(response, FALSE); response->set_message_id(response, request->get_message_id(request)); +<<<<<<< HEAD + response->add_notify(response, FALSE, type, chunk_empty); +======= response->add_notify(response, FALSE, type, data); +>>>>>>> upstream/4.5.1 if (this->my_host->is_anyaddr(this->my_host)) { this->my_host->destroy(this->my_host); @@ -1181,7 +1228,10 @@ METHOD(ike_sa_t, process_message, status_t, { status_t status; bool is_request; +<<<<<<< HEAD +======= u_int8_t type = 0; +>>>>>>> upstream/4.5.1 if (this->state == IKE_PASSIVE) { /* do not handle messages in passive state */ 
@@ -1192,6 +1242,11 @@ METHOD(ike_sa_t, process_message, status_t, status = message->parse_body(message, this->keymat->get_aead(this->keymat, TRUE)); +<<<<<<< HEAD + if (status != SUCCESS) + { + +======= if (status == SUCCESS) { /* check for unsupported critical payloads */ enumerator_t *enumerator; @@ -1215,6 +1270,7 @@ METHOD(ike_sa_t, process_message, status_t, } if (status != SUCCESS) { +>>>>>>> upstream/4.5.1 if (is_request) { switch (status) @@ -1223,28 +1279,40 @@ METHOD(ike_sa_t, process_message, status_t, DBG1(DBG_IKE, "critical unknown payloads found"); if (is_request) { +<<<<<<< HEAD + send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD); +======= send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD, chunk_from_thing(type)); this->task_manager->incr_mid(this->task_manager, FALSE); +>>>>>>> upstream/4.5.1 } break; case PARSE_ERROR: DBG1(DBG_IKE, "message parsing failed"); if (is_request) { +<<<<<<< HEAD + send_notify_response(this, message, INVALID_SYNTAX); +======= send_notify_response(this, message, INVALID_SYNTAX, chunk_empty); this->task_manager->incr_mid(this->task_manager, FALSE); +>>>>>>> upstream/4.5.1 } break; case VERIFY_ERROR: DBG1(DBG_IKE, "message verification failed"); if (is_request) { +<<<<<<< HEAD + send_notify_response(this, message, INVALID_SYNTAX); +======= send_notify_response(this, message, INVALID_SYNTAX, chunk_empty); this->task_manager->incr_mid(this->task_manager, FALSE); +>>>>>>> upstream/4.5.1 } break; case FAILED: @@ -1253,6 +1321,13 @@ METHOD(ike_sa_t, process_message, status_t, break; case INVALID_STATE: DBG1(DBG_IKE, "found encrypted message, but no keys available"); +<<<<<<< HEAD + if (is_request) + { + send_notify_response(this, message, INVALID_SYNTAX); + } +======= +>>>>>>> upstream/4.5.1 default: break; } 
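Review bot: The HEAD side of the INVALID_STATE case answers an encrypted message for which no keys are available with `send_notify_response(this, message, INVALID_SYNTAX)`, which the upstream side removes; keeping it means replying to traffic this SA cannot verify, and dropping such unauthenticated responses appears to be the point of the upstream change. The upstream side also adds `this->task_manager->incr_mid(this->task_manager, FALSE)` after each notify response to a failed request and the unsupported-critical-payload scan under `if (status == SUCCESS)`, neither of which the HEAD side has, and the HEAD fragment `if (status != SUCCESS) { +` leaves an opening brace with no body. The upstream side is the only self-consistent choice for this function; process_message's body continues past the hunk.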
@@ -1282,8 +1357,12 @@ METHOD(ike_sa_t, process_message, status_t, /* no config found for these hosts, destroy */ DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N", me, other, notify_type_names, NO_PROPOSAL_CHOSEN); +<<<<<<< HEAD + send_notify_response(this, message, NO_PROPOSAL_CHOSEN); +======= send_notify_response(this, message, NO_PROPOSAL_CHOSEN, chunk_empty); +>>>>>>> upstream/4.5.1 return DESTROY_ME; } /* add a timeout if peer does not establish it completely */ diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index 988100bcc..1f96f9abd 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -343,9 +343,14 @@ struct ike_sa_t { * * @param me new local host address, or NULL * @param other new remote host address, or NULL +<<<<<<< HEAD + */ + void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other); +======= * @param force force update */ void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force); +>>>>>>> upstream/4.5.1 /** * Get the own identification. diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index d695c7f7c..ea31f5359 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1,7 +1,12 @@ /* +<<<<<<< HEAD + * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi +======= * Copyright (C) 2005-2011 Martin Willi * Copyright (C) 2011 revosec AG * Copyright (C) 2008 Tobias Brunner +>>>>>>> upstream/4.5.1 * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -86,9 +91,13 @@ struct entry_t { chunk_t init_hash; /** +<<<<<<< HEAD + * remote host address, required for DoS detection +======= * remote host address, required for DoS detection and duplicate * checking (host with same my_id and other_id is *not* considered * a duplicate if the address family differs) +>>>>>>> upstream/4.5.1 */ host_t *other; 
@@ -244,9 +253,12 @@ struct connected_peers_t { /** remote identity */ identification_t *other_id; +<<<<<<< HEAD +======= /** ip address family of peer */ int family; +>>>>>>> upstream/4.5.1 /** list of ike_sa_id_t objects of IKE_SAs between the two identities */ linked_list_t *sas; }; @@ -263,12 +275,19 @@ static void connected_peers_destroy(connected_peers_t *this) * Function that matches connected_peers_t objects by the given ids. */ static bool connected_peers_match(connected_peers_t *connected_peers, +<<<<<<< HEAD + identification_t *my_id, identification_t *other_id) +{ + return my_id->equals(my_id, connected_peers->my_id) && + other_id->equals(other_id, connected_peers->other_id); +======= identification_t *my_id, identification_t *other_id, uintptr_t family) { return my_id->equals(my_id, connected_peers->my_id) && other_id->equals(other_id, connected_peers->other_id) && family == connected_peers->family; +>>>>>>> upstream/4.5.1 } typedef struct segment_t segment_t; @@ -404,7 +423,11 @@ static void lock_all_segments(private_ike_sa_manager_t *this) { u_int i; +<<<<<<< HEAD + for (i = 0; i < this->segment_count; ++i) +======= for (i = 0; i < this->segment_count; i++) +>>>>>>> upstream/4.5.1 { this->segments[i].mutex->lock(this->segments[i].mutex); } @@ -417,7 +440,11 @@ static void unlock_all_segments(private_ike_sa_manager_t *this) { u_int i; +<<<<<<< HEAD + for (i = 0; i < this->segment_count; ++i) +======= for (i = 0; i < this->segment_count; i++) +>>>>>>> upstream/4.5.1 { this->segments[i].mutex->unlock(this->segments[i].mutex); } @@ -461,8 +488,15 @@ struct private_enumerator_t { enumerator_t *current; }; +<<<<<<< HEAD +/** + * Implementation of private_enumerator_t.enumerator.enumerate. + */ +static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segment) +======= METHOD(enumerator_t, enumerate, bool, private_enumerator_t *this, entry_t **entry, u_int *segment) +>>>>>>> upstream/4.5.1 { if (this->entry) { 
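Review bot: The HEAD side of connected_peers_match takes no `family` argument, while the `family` field added to connected_peers_t in the first hunk and the callers in put_connected_peers and check_uniqueness further down pass `(uintptr_t)...->get_family(...)` as an extra parameter through the `linked_list_match_t` cast; mixing sides compiles, but the extra argument is then silently ignored and two SAs with the same identities but different address families are treated as duplicates. The comment on `entry_t.other` in the previous hunk ("not considered a duplicate if the address family differs") is only true with the upstream side of this function.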
@@ -508,8 +542,15 @@ METHOD(enumerator_t, enumerate, bool, return FALSE; } +<<<<<<< HEAD +/** + * Implementation of private_enumerator_t.enumerator.destroy. + */ +static void enumerator_destroy(private_enumerator_t *this) +======= METHOD(enumerator_t, enumerator_destroy, void, private_enumerator_t *this) +>>>>>>> upstream/4.5.1 { if (this->entry) { @@ -528,6 +569,18 @@ METHOD(enumerator_t, enumerator_destroy, void, */ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this) { +<<<<<<< HEAD + private_enumerator_t *enumerator = malloc_thing(private_enumerator_t); + + enumerator->enumerator.enumerate = (void*)enumerate; + enumerator->enumerator.destroy = (void*)enumerator_destroy; + enumerator->manager = this; + enumerator->segment = 0; + enumerator->entry = NULL; + enumerator->row = 0; + enumerator->current = NULL; + +======= private_enumerator_t *enumerator; INIT(enumerator, @@ -537,6 +590,7 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this) }, .manager = this, ); +>>>>>>> upstream/4.5.1 return &enumerator->enumerator; } @@ -547,6 +601,13 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this) static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; +<<<<<<< HEAD + u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; + u_int segment = row & this->segment_mask; + + lock_single_segment(this, segment); + if ((list = this->ike_sa_table[row]) == NULL) +======= u_int row, segment; row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; @@ -555,6 +616,7 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry) lock_single_segment(this, segment); list = this->ike_sa_table[row]; if (!list) +>>>>>>> upstream/4.5.1 { list = this->ike_sa_table[row] = linked_list_create(); } 
@@ -570,6 +632,16 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry) static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; +<<<<<<< HEAD + u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; + u_int segment = row & this->segment_mask; + + if ((list = this->ike_sa_table[row]) != NULL) + { + entry_t *current; + + enumerator_t *enumerator = list->create_enumerator(list); +======= u_int row, segment; row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; @@ -581,6 +653,7 @@ static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry) enumerator_t *enumerator; enumerator = list->create_enumerator(list); +>>>>>>> upstream/4.5.1 while (enumerator->enumerate(enumerator, ¤t)) { if (current == entry) @@ -618,6 +691,13 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this, { entry_t *current; linked_list_t *list; +<<<<<<< HEAD + u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask; + u_int seg = row & this->segment_mask; + + lock_single_segment(this, seg); + if ((list = this->ike_sa_table[row]) != NULL) +======= u_int row, seg; row = ike_sa_id_hash(ike_sa_id) & this->table_mask; @@ -626,6 +706,7 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this, lock_single_segment(this, seg); list = this->ike_sa_table[row]; if (list) +>>>>>>> upstream/4.5.1 { if (list->find_first(list, match, (void**)¤t, p1, p2) == SUCCESS) { 
@@ -709,6 +790,21 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) { half_open_t *half_open = NULL; linked_list_t *list; +<<<<<<< HEAD + chunk_t addr = entry->other->get_address(entry->other); + u_int row = chunk_hash(addr) & this->table_mask; + u_int segment = row & this->segment_mask; + + rwlock_t *lock = this->half_open_segments[segment].lock; + lock->write_lock(lock); + if ((list = this->half_open_table[row]) == NULL) + { + list = this->half_open_table[row] = linked_list_create(); + } + else + { + half_open_t *current; +======= chunk_t addr; u_int row, segment; rwlock_t *lock; @@ -723,6 +819,7 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) { half_open_t *current; +>>>>>>> upstream/4.5.1 if (list->find_first(list, (linked_list_match_t)half_open_match, (void**)¤t, &addr) == SUCCESS) { @@ -731,6 +828,14 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) this->half_open_segments[segment].count++; } } +<<<<<<< HEAD + + if (!half_open) + { + half_open = malloc_thing(half_open_t); + half_open->other = chunk_clone(addr); + half_open->count = 1; +======= else { list = this->half_open_table[row] = linked_list_create(); @@ -742,6 +847,7 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) .other = chunk_clone(addr), .count = 1, ); +>>>>>>> upstream/4.5.1 list->insert_last(list, half_open); this->half_open_segments[segment].count++; } 
@@ -754,6 +860,18 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; +<<<<<<< HEAD + chunk_t addr = entry->other->get_address(entry->other); + u_int row = chunk_hash(addr) & this->table_mask; + u_int segment = row & this->segment_mask; + + rwlock_t *lock = this->half_open_segments[segment].lock; + lock->write_lock(lock); + if ((list = this->half_open_table[row]) != NULL) + { + half_open_t *current; + enumerator_t *enumerator = list->create_enumerator(list); +======= chunk_t addr; u_int row, segment; rwlock_t *lock; @@ -770,6 +888,7 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) enumerator_t *enumerator; enumerator = list->create_enumerator(list); +>>>>>>> upstream/4.5.1 while (enumerator->enumerate(enumerator, ¤t)) { if (half_open_match(current, &addr)) @@ -793,6 +912,26 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) */ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) { +<<<<<<< HEAD + linked_list_t *list; + connected_peers_t *connected_peers = NULL; + chunk_t my_id = entry->my_id->get_encoding(entry->my_id), + other_id = entry->other_id->get_encoding(entry->other_id); + u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; + u_int segment = row & this->segment_mask; + + rwlock_t *lock = this->connected_peers_segments[segment].lock; + lock->write_lock(lock); + if ((list = this->connected_peers_table[row]) == NULL) + { + list = this->connected_peers_table[row] = linked_list_create(); + } + else + { + connected_peers_t *current; + if (list->find_first(list, (linked_list_match_t)connected_peers_match, + (void**)¤t, entry->my_id, entry->other_id) == SUCCESS) +======= connected_peers_t *connected_peers = NULL; chunk_t my_id, other_id; linked_list_t *list; 
@@ -813,6 +952,7 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) if (list->find_first(list, (linked_list_match_t)connected_peers_match, (void**)¤t, entry->my_id, entry->other_id, (uintptr_t)entry->other->get_family(entry->other)) == SUCCESS) +>>>>>>> upstream/4.5.1 { connected_peers = current; if (connected_peers->sas->find_first(connected_peers->sas, @@ -824,6 +964,15 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) } } } +<<<<<<< HEAD + + if (!connected_peers) + { + connected_peers = malloc_thing(connected_peers_t); + connected_peers->my_id = entry->my_id->clone(entry->my_id); + connected_peers->other_id = entry->other_id->clone(entry->other_id); + connected_peers->sas = linked_list_create(); +======= else { list = this->connected_peers_table[row] = linked_list_create(); @@ -837,6 +986,7 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) .family = entry->other->get_family(entry->other), .sas = linked_list_create(), ); +>>>>>>> upstream/4.5.1 list->insert_last(list, connected_peers); } connected_peers->sas->insert_last(connected_peers->sas, 
@@ -850,6 +1000,26 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) */ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) { +<<<<<<< HEAD + linked_list_t *list; + chunk_t my_id = entry->my_id->get_encoding(entry->my_id), + other_id = entry->other_id->get_encoding(entry->other_id); + u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; + u_int segment = row & this->segment_mask; + + rwlock_t *lock = this->connected_peers_segments[segment].lock; + lock->write_lock(lock); + if ((list = this->connected_peers_table[row]) != NULL) + { + connected_peers_t *current; + enumerator_t *enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (connected_peers_match(current, entry->my_id, entry->other_id)) + { + ike_sa_id_t *ike_sa_id; + enumerator_t *inner = current->sas->create_enumerator(current->sas); +======= chunk_t my_id, other_id; linked_list_t *list; u_int row, segment; @@ -878,6 +1048,7 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr enumerator_t *inner; inner = current->sas->create_enumerator(current->sas); +>>>>>>> upstream/4.5.1 while (inner->enumerate(inner, &ike_sa_id)) { if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id)) @@ -903,6 +1074,22 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr } /** +<<<<<<< HEAD + * Implementation of private_ike_sa_manager_t.get_next_spi. + */ +static u_int64_t get_next_spi(private_ike_sa_manager_t *this) +{ + u_int64_t spi; + + this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi); + return spi; +} + +/** + * Implementation of of ike_sa_manager.checkout. + */ +static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) +======= * Get a random SPI for new IKE_SAs */ static u_int64_t get_spi(private_ike_sa_manager_t *this) 
@@ -918,6 +1105,7 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) METHOD(ike_sa_manager_t, checkout, ike_sa_t*, private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) +>>>>>>> upstream/4.5.1 { ike_sa_t *ike_sa = NULL; entry_t *entry; @@ -940,6 +1128,27 @@ METHOD(ike_sa_manager_t, checkout, ike_sa_t*, return ike_sa; } +<<<<<<< HEAD +/** + * Implementation of of ike_sa_manager.checkout_new. + */ +static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator) +{ + ike_sa_id_t *ike_sa_id; + ike_sa_t *ike_sa; + entry_t *entry; + u_int segment; + + if (initiator) + { + ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE); + } + else + { + ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE); + } + ike_sa = ike_sa_create(ike_sa_id); +======= METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, private_ike_sa_manager_t* this, bool initiator) { 
@@ -956,30 +1165,63 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, } ike_sa = ike_sa_create(ike_sa_id); ike_sa_id->destroy(ike_sa_id); +>>>>>>> upstream/4.5.1 DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); +<<<<<<< HEAD + if (!initiator) + { + ike_sa_id->destroy(ike_sa_id); + return ike_sa; + } + + entry = entry_create(); + entry->ike_sa_id = ike_sa_id; + entry->ike_sa = ike_sa; + segment = put_entry(this, entry); + entry->checked_out = TRUE; + unlock_single_segment(this, segment); + return entry->ike_sa; +} + +/** + * Implementation of of ike_sa_manager.checkout_by_message. + */ +static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, + message_t *message) +======= return ike_sa; } METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, private_ike_sa_manager_t* this, message_t *message) +>>>>>>> upstream/4.5.1 { u_int segment; entry_t *entry; ike_sa_t *ike_sa = NULL; +<<<<<<< HEAD + ike_sa_id_t *id = message->get_ike_sa_id(message); + +======= ike_sa_id_t *id; id = message->get_ike_sa_id(message); +>>>>>>> upstream/4.5.1 id = id->clone(id); id->switch_initiator(id); DBG2(DBG_MGR, "checkout IKE_SA by message"); if (message->get_request(message) && +<<<<<<< HEAD + message->get_exchange_type(message) == IKE_SA_INIT) +======= message->get_exchange_type(message) == IKE_SA_INIT && this->hasher) +>>>>>>> upstream/4.5.1 { /* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */ chunk_t data, hash; @@ -1015,7 +1257,11 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, message->get_exchange_type(message) == IKE_SA_INIT) { /* no IKE_SA found, create a new one */ +<<<<<<< HEAD + id->set_responder_spi(id, get_next_spi(this)); +======= id->set_responder_spi(id, get_spi(this)); +>>>>>>> upstream/4.5.1 entry = entry_create(); entry->ike_sa = ike_sa_create(id); entry->ike_sa_id = id->clone(id); 
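Review bot: The upstream side of checkout_by_message adds `&& this->hasher` before hashing an IKE_SA_INIT request, matching the flush hunk later on this page where upstream sets `this->hasher = NULL` after destroying it; the HEAD side neither clears the pointer in flush nor guards it here, so a message checked out after flush would call through a destroyed hasher. The HEAD side also calls `get_next_spi(this)` where upstream calls `get_spi(this)`, and only one of those is defined in the previous hunk depending on which side is kept, so the definition and both call sites (here and in the HEAD side of checkout_new) must come from the same side. checkout_by_message's body continues past the hunk.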
@@ -1075,8 +1321,16 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, return ike_sa; } +<<<<<<< HEAD +/** + * Implementation of of ike_sa_manager.checkout_by_config. + */ +static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, + peer_cfg_t *peer_cfg) +======= METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; entry_t *entry; @@ -1131,8 +1385,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, return ike_sa; } +<<<<<<< HEAD +/** + * Implementation of of ike_sa_manager.checkout_by_id. + */ +static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, + bool child) +======= METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, private_ike_sa_manager_t *this, u_int32_t id, bool child) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; iterator_t *children; @@ -1185,8 +1447,16 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, return ike_sa; } +<<<<<<< HEAD +/** + * Implementation of of ike_sa_manager.checkout_by_name. + */ +static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name, + bool child) +======= METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, private_ike_sa_manager_t *this, char *name, bool child) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; iterator_t *children; @@ -1251,6 +1521,22 @@ static bool enumerator_filter(private_ike_sa_manager_t *this, return FALSE; } +<<<<<<< HEAD +/** + * Implementation of ike_sa_manager_t.create_enumerator. + */ +static enumerator_t *create_enumerator(private_ike_sa_manager_t* this) +{ + return enumerator_create_filter( + create_table_enumerator(this), + (void*)enumerator_filter, this, NULL); +} + +/** + * Implementation of ike_sa_manager_t.checkin. + */ +static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +======= METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*, private_ike_sa_manager_t* this) { 
@@ -1260,6 +1546,7 @@ METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*, METHOD(ike_sa_manager_t, checkin, void, private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +>>>>>>> upstream/4.5.1 { /* to check the SA back in, we look for the pointer of the ike_sa * in all entries. @@ -1324,16 +1611,25 @@ METHOD(ike_sa_manager_t, checkin, void, segment = put_entry(this, entry); } +<<<<<<< HEAD + /* apply identities for duplicate test (only as responder) */ + if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && + ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && +======= /* apply identities for duplicate test */ if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && +>>>>>>> upstream/4.5.1 entry->my_id == NULL && entry->other_id == NULL) { entry->my_id = my_id->clone(my_id); entry->other_id = other_id->clone(other_id); +<<<<<<< HEAD +======= if (!entry->other) { entry->other = other->clone(other); } +>>>>>>> upstream/4.5.1 put_connected_peers(this, entry); } @@ -1342,8 +1638,15 @@ METHOD(ike_sa_manager_t, checkin, void, charon->bus->set_sa(charon->bus, NULL); } +<<<<<<< HEAD +/** + * Implementation of ike_sa_manager_t.checkin_and_destroy. + */ +static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +======= METHOD(ike_sa_manager_t, checkin_and_destroy, void, private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +>>>>>>> upstream/4.5.1 { /* deletion is a bit complex, we must ensure that no thread is waiting for * this SA. @@ -1380,7 +1683,12 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void, { remove_half_open(this, entry); } +<<<<<<< HEAD + if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && + entry->my_id && entry->other_id) +======= if (entry->my_id && entry->other_id) +>>>>>>> upstream/4.5.1 { remove_connected_peers(this, entry); } 
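Review bot: The upstream side of checkin records the peer address (`if (!entry->other) { entry->other = other->clone(other); }`) before calling put_connected_peers, and the upstream put_connected_peers earlier on this page dereferences `entry->other->get_family(entry->other)`; the HEAD side of checkin omits that assignment and restricts the duplicate test to responder SAs with `!entry->ike_sa_id->is_initiator(entry->ike_sa_id)`. Taking HEAD here with upstream in put_connected_peers would hand a NULL `entry->other` to get_family for any entry whose address was not set elsewhere. The same `is_initiator` condition appears on the HEAD side of checkin_and_destroy in this hunk and of flush further down, so all three should be resolved together; checkin's body starts and ends outside the hunk.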
@@ -1397,8 +1705,16 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void, charon->bus->set_sa(charon->bus, NULL); } +<<<<<<< HEAD + +/** + * Implementation of ike_sa_manager_t.check_uniqueness. + */ +static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +======= METHOD(ike_sa_manager_t, check_uniqueness, bool, private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace) +>>>>>>> upstream/4.5.1 { bool cancel = FALSE; peer_cfg_t *peer_cfg; @@ -1412,7 +1728,11 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, peer_cfg = ike_sa->get_peer_cfg(ike_sa); policy = peer_cfg->get_unique_policy(peer_cfg); +<<<<<<< HEAD + if (policy == UNIQUE_NO) +======= if (policy == UNIQUE_NO && !force_replace) +>>>>>>> upstream/4.5.1 { return FALSE; } @@ -1426,6 +1746,14 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, lock = this->connected_peers_segments[segment & this->segment_mask].lock; lock->read_lock(lock); +<<<<<<< HEAD + if ((list = this->connected_peers_table[row]) != NULL) + { + connected_peers_t *current; + + if (list->find_first(list, (linked_list_match_t)connected_peers_match, + (void**)¤t, me, other) == SUCCESS) +======= list = this->connected_peers_table[row]; if (list) { @@ -1436,6 +1764,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, if (list->find_first(list, (linked_list_match_t)connected_peers_match, (void**)¤t, me, other, (uintptr_t)other_host->get_family(other_host)) == SUCCESS) +>>>>>>> upstream/4.5.1 { /* clone the list, so we can release the lock */ duplicate_ids = current->sas->clone_offset(current->sas, @@ -1460,6 +1789,8 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, { continue; } +<<<<<<< HEAD +======= if (force_replace) { DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', " 
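Review bot: The HEAD side of check_uniqueness has no `force_replace` parameter, but the ike_sa_manager.h hunk later on this page declares `check_uniqueness(..., bool force_replace)` and `has_contact` only on its upstream side, and the HEAD side of ike_sa_manager_create casts the function to a two-argument pointer type. If the header and the implementation end up on different sides, callers either pass a third argument the implementation never reads or the implementation reads `force_replace` from a register the caller never set. The upstream `force_replace` path destroys duplicates even under `UNIQUE_NO` (`if (policy == UNIQUE_NO && !force_replace)`), which the header documents as `@param force_replace replace existing SAs, regardless of unique policy`, so that documentation should travel with the code.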
@@ -1467,6 +1798,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, checkin_and_destroy(this, duplicate); continue; } +>>>>>>> upstream/4.5.1 peer_cfg = duplicate->get_peer_cfg(duplicate); if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa))) { @@ -1511,6 +1843,13 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, return cancel; } +<<<<<<< HEAD +/** + * Implementation of ike_sa_manager_t.get_half_open_count. + */ +static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip) +{ +======= METHOD(ike_sa_manager_t, has_contact, bool, private_ike_sa_manager_t *this, identification_t *me, identification_t *other, int family) @@ -1546,14 +1885,24 @@ METHOD(ike_sa_manager_t, get_half_open_count, int, u_int segment, row; rwlock_t *lock; chunk_t addr; +>>>>>>> upstream/4.5.1 int count = 0; if (ip) { +<<<<<<< HEAD + linked_list_t *list; + chunk_t addr = ip->get_address(ip); + u_int row = chunk_hash(addr) & this->table_mask; + u_int segment = row & this->segment_mask; + + rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock; +======= addr = ip->get_address(ip); row = chunk_hash(addr) & this->table_mask; segment = row & this->segment_mask; lock = this->half_open_segments[segment & this->segment_mask].lock; +>>>>>>> upstream/4.5.1 lock->read_lock(lock); if ((list = this->half_open_table[row]) != NULL) { 
@@ -1569,19 +1918,38 @@ METHOD(ike_sa_manager_t, get_half_open_count, int, } else { +<<<<<<< HEAD + u_int segment; + + for (segment = 0; segment < this->segment_count; ++segment) + { + rwlock_t *lock; +======= for (segment = 0; segment < this->segment_count; segment++) { +>>>>>>> upstream/4.5.1 lock = this->half_open_segments[segment & this->segment_mask].lock; lock->read_lock(lock); count += this->half_open_segments[segment].count; lock->unlock(lock); } } +<<<<<<< HEAD + + return count; +} + +/** + * Implementation of ike_sa_manager_t.flush. + */ +static void flush(private_ike_sa_manager_t *this) +======= return count; } METHOD(ike_sa_manager_t, flush, void, private_ike_sa_manager_t *this) +>>>>>>> upstream/4.5.1 { /* destroy all list entries */ enumerator_t *enumerator; @@ -1645,7 +2013,12 @@ METHOD(ike_sa_manager_t, flush, void, { remove_half_open(this, entry); } +<<<<<<< HEAD + if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && + entry->my_id && entry->other_id) +======= if (entry->my_id && entry->other_id) +>>>>>>> upstream/4.5.1 { remove_connected_peers(this, entry); } @@ -1657,6 +2030,34 @@ METHOD(ike_sa_manager_t, flush, void, unlock_all_segments(this); this->rng->destroy(this->rng); +<<<<<<< HEAD + this->hasher->destroy(this->hasher); +} + +/** + * Implementation of ike_sa_manager_t.destroy. + */ +static void destroy(private_ike_sa_manager_t *this) +{ + u_int i; + + for (i = 0; i < this->table_size; ++i) + { + linked_list_t *list; + + if ((list = this->ike_sa_table[i]) != NULL) + { + list->destroy(list); + } + if ((list = this->half_open_table[i]) != NULL) + { + list->destroy(list); + } + if ((list = this->connected_peers_table[i]) != NULL) + { + list->destroy(list); + } +======= this->rng = NULL; this->hasher->destroy(this->hasher); this->hasher = NULL; 
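Review bot: The HEAD side of flush destroys `this->rng` and `this->hasher` but leaves both pointers dangling, whereas the upstream side follows each destroy with `this->rng = NULL;` and `this->hasher = NULL;`; the `&& this->hasher` guard in checkout_by_message earlier on this page only works with the upstream version. Any checkout that runs after flush would otherwise dereference freed objects through the HEAD side. The HEAD side of destroy in the same hunk open-codes the three `if ((list = ...) != NULL) { list->destroy(list); }` checks that upstream expresses with `DESTROY_IF`, which is equivalent; destroy's body continues past the hunk.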
@@ -1672,11 +2073,16 @@ METHOD(ike_sa_manager_t, destroy, void, DESTROY_IF(this->ike_sa_table[i]); DESTROY_IF(this->half_open_table[i]); DESTROY_IF(this->connected_peers_table[i]); +>>>>>>> upstream/4.5.1 } free(this->ike_sa_table); free(this->half_open_table); free(this->connected_peers_table); +<<<<<<< HEAD + for (i = 0; i < this->segment_count; ++i) +======= for (i = 0; i < this->segment_count; i++) +>>>>>>> upstream/4.5.1 { this->segments[i].mutex->destroy(this->segments[i].mutex); this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock); 
@@ -1712,6 +2118,27 @@ static u_int get_nearest_powerof2(u_int n) */ ike_sa_manager_t *ike_sa_manager_create() { +<<<<<<< HEAD + u_int i; + private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t); + + /* assign public functions */ + this->public.flush = (void(*)(ike_sa_manager_t*))flush; + this->public.destroy = (void(*)(ike_sa_manager_t*))destroy; + this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout; + this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new; + this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message; + this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config; + this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id; + this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name; + this->public.check_uniqueness = (bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))check_uniqueness; + this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator; + this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin; + this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy; + this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count; + + /* initialize private variables */ +======= private_ike_sa_manager_t *this; u_int i; @@ -1734,6 +2161,7 @@ ike_sa_manager_t *ike_sa_manager_create() }, ); +>>>>>>> upstream/4.5.1 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); if (this->hasher == NULL) { @@ -1749,7 +2177,10 @@ ike_sa_manager_t *ike_sa_manager_create() free(this); return NULL; } +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings, "charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE)); this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE)); 
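Review bot: The HEAD side of ike_sa_manager_create allocates with `malloc_thing` and assigns the public methods one by one, so any method the header declares that is missing from that list — `has_contact` on the upstream side of the ike_sa_manager.h hunk — is left as uninitialised memory rather than NULL, and `check_uniqueness` is cast to `bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa)` while the upstream header declares a third `force_replace` parameter. The upstream `INIT(this, .public = { ... })` form zero-initialises the remainder of the struct and needs no casts; most of that initialiser lies outside the hunk. Whichever side is kept, the method table has to match the header resolved in the same merge.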
@@ -1759,10 +2190,18 @@ ike_sa_manager_t *ike_sa_manager_create() "charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT)); this->segment_count = max(1, min(this->segment_count, this->table_size)); this->segment_mask = this->segment_count - 1; +<<<<<<< HEAD + + this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*)); + + this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t)); + for (i = 0; i < this->segment_count; ++i) +======= this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*)); this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t)); for (i = 0; i < this->segment_count; i++) +>>>>>>> upstream/4.5.1 { this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->segments[i].count = 0; @@ -1771,7 +2210,11 @@ ike_sa_manager_t *ike_sa_manager_create() /* we use the same table parameters for the table to track half-open SAs */ this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*)); this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); +<<<<<<< HEAD + for (i = 0; i < this->segment_count; ++i) +======= for (i = 0; i < this->segment_count; i++) +>>>>>>> upstream/4.5.1 { this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->half_open_segments[i].count = 0; @@ -1780,7 +2223,11 @@ ike_sa_manager_t *ike_sa_manager_create() /* also for the hash table used for duplicate tests */ this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*)); this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); +<<<<<<< HEAD + for (i = 0; i < this->segment_count; ++i) +======= for (i = 0; i < this->segment_count; i++) +>>>>>>> upstream/4.5.1 { this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->connected_peers_segments[i].count = 0; diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index ec157ab3a..2c81592d2 100644 
--- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -52,6 +52,12 @@ struct ike_sa_manager_t { /** * Create and check out a new IKE_SA. * +<<<<<<< HEAD + * @note If initiator equals FALSE, the returned IKE_SA is not registered + * in the manager. + * +======= +>>>>>>> upstream/4.5.1 * @param initiator TRUE for initiator, FALSE otherwise * @returns created and checked out IKE_SA */ @@ -106,6 +112,12 @@ struct ike_sa_manager_t { * deadlocks occur otherwise. * * @param ike_sa ike_sa to check +<<<<<<< HEAD + * @return TRUE, if the given IKE_SA has duplicates and + * should be deleted + */ + bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa); +======= * @param force_replace replace existing SAs, regardless of unique policy * @return TRUE, if the given IKE_SA has duplicates and * should be deleted @@ -123,6 +135,7 @@ struct ike_sa_manager_t { */ bool (*has_contact)(ike_sa_manager_t *this, identification_t *me, identification_t *other, int family); +>>>>>>> upstream/4.5.1 /** * Check out an IKE_SA a unique ID. diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c index 33ece24b2..2721fb3b9 100644 --- a/src/libcharon/sa/keymat.c +++ b/src/libcharon/sa/keymat.c @@ -214,7 +214,11 @@ static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg, { DBG1(DBG_IKE, "%N %N (key size %d) not supported!", transform_type_names, ENCRYPTION_ALGORITHM, +<<<<<<< HEAD + encryption_algorithm_names, enc_alg, key_size); +======= encryption_algorithm_names, enc_alg, enc_size); +>>>>>>> upstream/4.5.1 signer_i->destroy(signer_i); signer_r->destroy(signer_r); return FALSE; @@ -540,7 +544,11 @@ METHOD(keymat_t, get_aead, aead_t*, METHOD(keymat_t, get_auth_octets, chunk_t, private_keymat_t *this, bool verify, chunk_t ike_sa_init, +<<<<<<< HEAD + chunk_t nonce, identification_t *id) +======= chunk_t nonce, identification_t *id, char reserved[3]) +>>>>>>> upstream/4.5.1 { chunk_t chunk, idx, octets; chunk_t skp; 
@@ -548,8 +556,13 @@ METHOD(keymat_t, get_auth_octets, chunk_t, skp = verify ? this->skp_verify : this->skp_build; chunk = chunk_alloca(4); +<<<<<<< HEAD + memset(chunk.ptr, 0, chunk.len); + chunk.ptr[0] = id->get_type(id); +======= chunk.ptr[0] = id->get_type(id); memcpy(chunk.ptr + 1, reserved, 3); +>>>>>>> upstream/4.5.1 idx = chunk_cata("cc", chunk, id->get_encoding(id)); DBG3(DBG_IKE, "IDx' %B", &idx); @@ -570,7 +583,11 @@ METHOD(keymat_t, get_auth_octets, chunk_t, METHOD(keymat_t, get_psk_sig, chunk_t, private_keymat_t *this, bool verify, chunk_t ike_sa_init, +<<<<<<< HEAD + chunk_t nonce, chunk_t secret, identification_t *id) +======= chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3]) +>>>>>>> upstream/4.5.1 { chunk_t key_pad, key, sig, octets; @@ -578,7 +595,11 @@ METHOD(keymat_t, get_psk_sig, chunk_t, { /* EAP uses SK_p if no MSK has been established */ secret = verify ? this->skp_verify : this->skp_build; } +<<<<<<< HEAD + octets = get_auth_octets(this, verify, ike_sa_init, nonce, id); +======= octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved); +>>>>>>> upstream/4.5.1 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */ key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH); this->prf->set_key(this->prf, secret); diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index 11e0fa79a..d1d0591c5 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h 
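Review bot: The two sides of the `get_auth_octets` conflict are not equivalent: HEAD zero-fills the three bytes after the ID type (`memset(chunk.ptr, 0, chunk.len)`), while upstream copies the peer's actual bytes with `memcpy(chunk.ptr + 1, reserved, 3);`, so the AUTH octets differ whenever a peer sends non-zero RESERVED bytes in its ID payload. As I read RFC 5996 §2.15 the signed octets cover the ID payload content including its RESERVED field, so the upstream side is the interoperable one; resolving toward HEAD here would make authentication fail against such peers. Whichever side is taken must be taken together with the `char reserved[3]` parameters in keymat.h (L681) and the `this->reserved` arguments passed by ike_auth.c, otherwise the prototypes and calls will not match. `get_auth_octets` starts before this hunk.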
@@ -117,12 +117,19 @@ struct keymat_t { * @param ike_sa_init encoded ike_sa_init message * @param nonce nonce value * @param id identity +<<<<<<< HEAD + * @return authentication octets + */ + chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, identification_t *id); +======= * @param reserved reserved bytes of id_payload * @return authentication octets */ chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id, char reserved[3]); +>>>>>>> upstream/4.5.1 /** * Build the shared secret signature used for PSK and EAP authentication. * @@ -135,12 +142,19 @@ struct keymat_t { * @param nonce nonce value * @param secret optional secret to include into signature * @param id identity +<<<<<<< HEAD + * @return signature octets + */ + chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, chunk_t secret, identification_t *id); +======= * @param reserved reserved bytes of id_payload * @return signature octets */ chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3]); +>>>>>>> upstream/4.5.1 /** * Destroy a keymat_t. */ diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c index 9467d1586..97c5510f2 100644 --- a/src/libcharon/sa/task_manager.c +++ b/src/libcharon/sa/task_manager.c @@ -465,6 +465,10 @@ METHOD(task_manager_t, initiate, status_t, /* update exchange type if a task changed it */ this->initiating.type = message->get_exchange_type(message); +<<<<<<< HEAD + charon->bus->message(charon->bus, message, FALSE); +======= +>>>>>>> upstream/4.5.1 status = this->ike_sa->generate_message(this->ike_sa, message, &this->initiating.packet); if (status != SUCCESS) 
@@ -653,6 +657,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request) /* message complete, send it */ DESTROY_IF(this->responding.packet); this->responding.packet = NULL; +<<<<<<< HEAD + charon->bus->message(charon->bus, message, FALSE); +======= +>>>>>>> upstream/4.5.1 status = this->ike_sa->generate_message(this->ike_sa, message, &this->responding.packet); message->destroy(message); @@ -880,12 +888,17 @@ static status_t process_request(private_task_manager_t *this, METHOD(task_manager_t, process_message, status_t, private_task_manager_t *this, message_t *msg) { +<<<<<<< HEAD + u_int32_t mid = msg->get_message_id(msg); + host_t *me = msg->get_destination(msg), *other = msg->get_source(msg); +======= host_t *me, *other; u_int32_t mid; mid = msg->get_message_id(msg); me = msg->get_destination(msg); other = msg->get_source(msg); +>>>>>>> upstream/4.5.1 if (msg->get_request(msg)) { @@ -897,6 +910,12 @@ METHOD(task_manager_t, process_message, status_t, { /* only do host updates based on verified messages */ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { /* with MOBIKE, we do no implicit updates */ +<<<<<<< HEAD + this->ike_sa->update_hosts(this->ike_sa, me, other); + } + } + charon->bus->message(charon->bus, msg, TRUE); +======= this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1); } } @@ -905,6 +924,7 @@ METHOD(task_manager_t, process_message, status_t, { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ return SUCCESS; } +>>>>>>> upstream/4.5.1 if (process_request(this, msg) != SUCCESS) { flush(this); 
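Review bot: In the `@@ -897` hunk of `process_message` the HEAD side closes two braces and calls `charon->bus->message(charon->bus, msg, TRUE)`, while the upstream side leaves those braces to be closed in the `@@ -905` hunk and adds the `EXCHANGE_TYPE_UNDEFINED` early return; the brace structure differs between the sides, so deleting the markers without choosing a side leaves unbalanced blocks. The upstream call `this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1)` also has a fourth argument, so the choice here must match the `update_hosts` prototype in ike_sa.h, which is outside this diff. The `build_response` hunk above (and `initiate` in L681) has the same shape, HEAD calling `charon->bus->message(..., FALSE)` before `generate_message` and upstream not; I presume upstream moved that hook elsewhere, but that code is outside the hunks, so confirm before dropping the call. The same file-scope `me`/`other` declarations are later shadowed by HEAD's `host_t *me, *other;` in the retransmit block (L683) if HEAD is taken there.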
@@ -915,15 +935,26 @@ METHOD(task_manager_t, process_message, status_t, else if ((mid == this->responding.mid - 1) && this->responding.packet) { packet_t *clone; +<<<<<<< HEAD + host_t *me, *other; +======= host_t *host; +>>>>>>> upstream/4.5.1 DBG1(DBG_IKE, "received retransmit of request with ID %d, " "retransmitting response", mid); clone = this->responding.packet->clone(this->responding.packet); +<<<<<<< HEAD + me = msg->get_destination(msg); + other = msg->get_source(msg); + clone->set_source(clone, me->clone(me)); + clone->set_destination(clone, other->clone(other)); +======= host = msg->get_destination(msg); clone->set_source(clone, host->clone(host)); host = msg->get_source(msg); clone->set_destination(clone, host->clone(host)); +>>>>>>> upstream/4.5.1 charon->sender->send(charon->sender, clone); } else @@ -942,6 +973,12 @@ METHOD(task_manager_t, process_message, status_t, { /* only do host updates based on verified messages */ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { /* with MOBIKE, we do no implicit updates */ +<<<<<<< HEAD + this->ike_sa->update_hosts(this->ike_sa, me, other); + } + } + charon->bus->message(charon->bus, msg, TRUE); +======= this->ike_sa->update_hosts(this->ike_sa, me, other, FALSE); } } @@ -950,6 +987,7 @@ METHOD(task_manager_t, process_message, status_t, { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ return SUCCESS; } +>>>>>>> upstream/4.5.1 if (process_response(this, msg) != SUCCESS) { flush(this); @@ -1012,6 +1050,8 @@ METHOD(task_manager_t, busy, bool, return (this->active_tasks->get_count(this->active_tasks) > 0); } +<<<<<<< HEAD +======= METHOD(task_manager_t, incr_mid, void, private_task_manager_t *this, bool initiate) { @@ -1025,6 +1065,7 @@ METHOD(task_manager_t, incr_mid, void, } } +>>>>>>> upstream/4.5.1 METHOD(task_manager_t, reset, void, private_task_manager_t *this, u_int32_t initiate, u_int32_t respond) { 
@@ -1108,7 +1149,10 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa) .queue_task = _queue_task, .initiate = _initiate, .retransmit = _retransmit, +<<<<<<< HEAD +======= .incr_mid = _incr_mid, +>>>>>>> upstream/4.5.1 .reset = _reset, .adopt_tasks = _adopt_tasks, .busy = _busy, diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index 5bc6c80c4..f5dcc8977 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h @@ -149,6 +149,8 @@ struct task_manager_t { void (*adopt_tasks) (task_manager_t *this, task_manager_t *other); /** +<<<<<<< HEAD +======= * Increment a message ID counter, in- or outbound. * * If a message is processed outside of the manager, this call increments @@ -159,6 +161,7 @@ struct task_manager_t { void (*incr_mid)(task_manager_t *this, bool initiate); /** +>>>>>>> upstream/4.5.1 * Reset message ID counters of the task manager. * * The IKEv2 protocol requires to restart exchanges with message IDs diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index fc02a334b..16f7b6d81 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -117,11 +117,14 @@ struct private_child_create_t { ipsec_mode_t mode; /** +<<<<<<< HEAD +======= * peer accepts TFC padding for this SA */ bool tfcv3; /** +>>>>>>> upstream/4.5.1 * IPComp transform to use */ ipcomp_transform_t ipcomp; 
@@ -460,6 +463,19 @@ static status_t select_and_install(private_child_create_t *this, { if (this->initiator) { +<<<<<<< HEAD + status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, + this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, encr_i, integ_i, + this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); + } + else + { + status_i = this->child_sa->install(this->child_sa, encr_i, integ_i, + this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, + this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); +======= status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, this->my_spi, this->my_cpi, TRUE, this->tfcv3, my_ts, other_ts); @@ -475,6 +491,7 @@ static status_t select_and_install(private_child_create_t *this, status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, this->other_spi, this->other_cpi, FALSE, this->tfcv3, my_ts, other_ts); +>>>>>>> upstream/4.5.1 } } chunk_clear(&integ_i); @@ -640,6 +657,9 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify ipcomp_transform_names, ipcomp); break; } +<<<<<<< HEAD + } +======= break; } case ESP_TFC_PADDING_NOT_SUPPORTED: @@ -647,6 +667,7 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify notify_type_names, notify->get_notify_type(notify)); this->tfcv3 = FALSE; break; +>>>>>>> upstream/4.5.1 default: break; } @@ -706,8 +727,15 @@ static void process_payloads(private_child_create_t *this, message_t *message) enumerator->destroy(enumerator); } +<<<<<<< HEAD +/** + * Implementation of task_t.build for initiator + */ +static status_t build_i(private_child_create_t *this, message_t *message) +======= METHOD(task_t, build_i, status_t, private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { host_t *me, *other, *vip; peer_cfg_t *peer_cfg; 
@@ -844,8 +872,15 @@ METHOD(task_t, build_i, status_t, return NEED_MORE; } +<<<<<<< HEAD +/** + * Implementation of task_t.process for responder + */ +static status_t process_r(private_child_create_t *this, message_t *message) +======= METHOD(task_t, process_r, status_t, private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { switch (message->get_exchange_type(message)) { @@ -888,8 +923,15 @@ static void handle_child_sa_failure(private_child_create_t *this, } } +<<<<<<< HEAD +/** + * Implementation of task_t.build for responder + */ +static status_t build_r(private_child_create_t *this, message_t *message) +======= METHOD(task_t, build_r, status_t, private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { peer_cfg_t *peer_cfg; payload_t *payload; @@ -967,7 +1009,11 @@ METHOD(task_t, build_r, status_t, case INTERNAL_ADDRESS_FAILURE: case FAILED_CP_REQUIRED: { +<<<<<<< HEAD + DBG1(DBG_IKE,"configuration payload negotation " +======= DBG1(DBG_IKE,"configuration payload negotiation " +>>>>>>> upstream/4.5.1 "failed, no CHILD_SA built"); enumerator->destroy(enumerator); handle_child_sa_failure(this, message); @@ -1038,8 +1084,15 @@ METHOD(task_t, build_r, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of task_t.process for initiator + */ +static status_t process_i(private_child_create_t *this, message_t *message) +======= METHOD(task_t, process_i, status_t, private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; payload_t *payload; @@ -1110,6 +1163,9 @@ METHOD(task_t, process_i, status_t, return NEED_MORE; } default: +<<<<<<< HEAD + break; +======= { if (message->get_exchange_type(message) == CREATE_CHILD_SA) { /* handle notifies if not handled in IKE_AUTH */ @@ -1125,6 +1181,7 @@ METHOD(task_t, process_i, status_t, } break; } +>>>>>>> upstream/4.5.1 } } } 
@@ -1176,20 +1233,49 @@ METHOD(task_t, process_i, status_t, return SUCCESS; } +<<<<<<< HEAD +/** + * Implementation of task_t.get_type + */ +static task_type_t get_type(private_child_create_t *this) +{ + return CHILD_CREATE; +} + +/** + * Implementation of child_create_t.use_reqid + */ +static void use_reqid(private_child_create_t *this, u_int32_t reqid) +======= METHOD(child_create_t, use_reqid, void, private_child_create_t *this, u_int32_t reqid) +>>>>>>> upstream/4.5.1 { this->reqid = reqid; } +<<<<<<< HEAD +/** + * Implementation of child_create_t.get_child + */ +static child_sa_t* get_child(private_child_create_t *this) +======= METHOD(child_create_t, get_child, child_sa_t*, private_child_create_t *this) +>>>>>>> upstream/4.5.1 { return this->child_sa; } +<<<<<<< HEAD +/** + * Implementation of child_create_t.get_lower_nonce + */ +static chunk_t get_lower_nonce(private_child_create_t *this) +======= METHOD(child_create_t, get_lower_nonce, chunk_t, private_child_create_t *this) +>>>>>>> upstream/4.5.1 { if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr, min(this->my_nonce.len, this->other_nonce.len)) < 0) @@ -1202,6 +1288,12 @@ METHOD(child_create_t, get_lower_nonce, chunk_t, } } +<<<<<<< HEAD +/** + * Implementation of task_t.migrate + */ +static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) +======= METHOD(task_t, get_type, task_type_t, private_child_create_t *this) { @@ -1210,6 +1302,7 @@ METHOD(task_t, get_type, task_type_t, METHOD(task_t, migrate, void, private_child_create_t *this, ike_sa_t *ike_sa) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1245,8 +1338,15 @@ METHOD(task_t, migrate, void, this->established = FALSE; } +<<<<<<< HEAD +/** + * Implementation of task_t.destroy + */ +static void destroy(private_child_create_t *this) +======= METHOD(task_t, destroy, void, private_child_create_t *this) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
@@ -1282,6 +1382,20 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr) { +<<<<<<< HEAD + private_child_create_t *this = malloc_thing(private_child_create_t); + + this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child; + this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce; + this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid; + this->public.task.get_type = (task_type_t(*)(task_t*))get_type; + this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; + this->public.task.destroy = (void(*)(task_t*))destroy; + if (config) + { + this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; +======= private_child_create_t *this; INIT(this, 
@@ -1312,15 +1426,49 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, { this->public.task.build = _build_i; this->public.task.process = _process_i; +>>>>>>> upstream/4.5.1 this->initiator = TRUE; config->get_ref(config); } else { +<<<<<<< HEAD + this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + this->initiator = FALSE; + } + + this->ike_sa = ike_sa; + this->config = config; + this->my_nonce = chunk_empty; + this->other_nonce = chunk_empty; + this->proposals = NULL; + this->proposal = NULL; + this->tsi = NULL; + this->tsr = NULL; + this->packet_tsi = tsi ? tsi->clone(tsi) : NULL; + this->packet_tsr = tsr ? tsr->clone(tsr) : NULL; + this->dh = NULL; + this->dh_group = MODP_NONE; + this->keymat = ike_sa->get_keymat(ike_sa); + this->child_sa = NULL; + this->mode = MODE_TUNNEL; + this->ipcomp = IPCOMP_NONE; + this->ipcomp_received = IPCOMP_NONE; + this->my_spi = 0; + this->other_spi = 0; + this->my_cpi = 0; + this->other_cpi = 0; + this->reqid = 0; + this->established = FALSE; + this->rekey = rekey; + +======= this->public.task.build = _build_r; this->public.task.process = _process_r; this->initiator = FALSE; } +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index e74ca4eef..5ffe49293 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c 
@@ -241,11 +241,20 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, +<<<<<<< HEAD + min(this_nonce.len, other_nonce.len)) < 0) + { + child_sa_t *child_sa; + + DBG1(DBG_IKE, "CHILD_SA rekey collision won, " + "deleting rekeyed child"); +======= min(this_nonce.len, other_nonce.len)) > 0) { child_sa_t *child_sa; DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child"); +>>>>>>> upstream/4.5.1 to_delete = this->child_sa; /* don't touch child other created, it has already been deleted */ if (!this->other_child_destroyed) @@ -258,7 +267,11 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) else { DBG1(DBG_IKE, "CHILD_SA rekey collision lost, " +<<<<<<< HEAD + "deleting redundant child"); +======= "deleting rekeyed child"); +>>>>>>> upstream/4.5.1 to_delete = this->child_create->get_child(this->child_create); } } diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index 0756c7d60..fbc177d6f 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c @@ -68,11 +68,14 @@ struct private_ike_auth_t { packet_t *other_packet; /** +<<<<<<< HEAD +======= * Reserved bytes of ID payload */ char reserved[3]; /** +>>>>>>> upstream/4.5.1 * currently active authenticator, to authenticate us */ authenticator_t *my_auth; @@ -106,11 +109,14 @@ struct private_ike_auth_t { * should we send a AUTHENTICATION_FAILED notify? */ bool authentication_failed; +<<<<<<< HEAD +======= /** * received an INITIAL_CONTACT? */ bool initial_contact; +>>>>>>> upstream/4.5.1 }; /** @@ -170,6 +176,8 @@ static status_t collect_other_init_data(private_ike_auth_t *this, } /** +<<<<<<< HEAD +======= * Get and store reserved bytes of id_payload, required for AUTH payload */ static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) 
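Review bot: The sign of the nonce comparison in `handle_collision` differs between the sides (`< 0` in HEAD, `> 0` upstream), and that sign decides which peer keeps its CHILD_SA after a rekey collision; if the two peers resolve it differently, both may keep or both may delete their SA. As I read RFC 5996 §2.8.1, the SA created with the lowest nonce is the one its creator should close, which corresponds to the upstream `> 0` direction and its "deleting old child" / "deleting rekeyed child" messages. ike_rekey.c (L699) has the identical conflict and must be resolved the same way so IKE_SA and CHILD_SA collisions behave consistently. `handle_collision` starts before this hunk.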
@@ -188,6 +196,7 @@ static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) } /** +>>>>>>> upstream/4.5.1 * Get the next authentication configuration */ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local) @@ -357,8 +366,15 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) return this->peer_cfg != NULL; } +<<<<<<< HEAD +/** + * Implementation of task_t.build for initiator + */ +static status_t build_i(private_ike_auth_t *this, message_t *message) +======= METHOD(task_t, build_i, status_t, private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { auth_cfg_t *cfg; @@ -393,7 +409,11 @@ METHOD(task_t, build_i, status_t, /* check if an authenticator is in progress */ if (this->my_auth == NULL) { +<<<<<<< HEAD + identification_t *id; +======= identification_t *idi, *idr = NULL; +>>>>>>> upstream/4.5.1 id_payload_t *id_payload; /* clean up authentication config from a previous round */ 
@@ -404,24 +424,44 @@ METHOD(task_t, build_i, status_t, cfg = get_auth_cfg(this, FALSE); if (cfg) { +<<<<<<< HEAD + id = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (id && !id->contains_wildcards(id)) + { + this->ike_sa->set_other_id(this->ike_sa, id->clone(id)); + id_payload = id_payload_create_from_identification( + ID_RESPONDER, id); +======= idr = cfg->get(cfg, AUTH_RULE_IDENTITY); if (idr && !idr->contains_wildcards(idr)) { this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr)); id_payload = id_payload_create_from_identification( ID_RESPONDER, idr); +>>>>>>> upstream/4.5.1 message->add_payload(message, (payload_t*)id_payload); } } /* add IDi */ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE); +<<<<<<< HEAD + id = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (!id) +======= idi = cfg->get(cfg, AUTH_RULE_IDENTITY); if (!idi) +>>>>>>> upstream/4.5.1 { DBG1(DBG_CFG, "configuration misses IDi"); return FAILED; } +<<<<<<< HEAD + this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); + id_payload = id_payload_create_from_identification(ID_INITIATOR, id); + message->add_payload(message, (payload_t*)id_payload); + +======= this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi)); id_payload = id_payload_create_from_identification(ID_INITIATOR, idi); get_reserved_id_bytes(this, id_payload); @@ -440,12 +480,17 @@ METHOD(task_t, build_i, status_t, } } +>>>>>>> upstream/4.5.1 /* build authentication data */ this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD + this->my_packet->get_data(this->my_packet)); +======= this->my_packet->get_data(this->my_packet), this->reserved); +>>>>>>> upstream/4.5.1 if (!this->my_auth) { return FAILED; 
@@ -482,8 +527,15 @@ METHOD(task_t, build_i, status_t, return NEED_MORE; } +<<<<<<< HEAD +/** + * Implementation of task_t.process for responder + */ +static status_t process_r(private_ike_auth_t *this, message_t *message) +======= METHOD(task_t, process_r, status_t, private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { auth_cfg_t *cfg, *cand; id_payload_t *id_payload; @@ -537,7 +589,10 @@ METHOD(task_t, process_r, status_t, return FAILED; } id = id_payload->get_identification(id_payload); +<<<<<<< HEAD +======= get_reserved_id_bytes(this, id_payload); +>>>>>>> upstream/4.5.1 this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -588,8 +643,12 @@ METHOD(task_t, process_r, status_t, this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD + this->my_packet->get_data(this->my_packet)); +======= this->my_packet->get_data(this->my_packet), this->reserved); +>>>>>>> upstream/4.5.1 if (!this->other_auth) { this->authentication_failed = TRUE; @@ -613,6 +672,12 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } +<<<<<<< HEAD + /* store authentication information */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); +======= /* If authenticated (with non-EAP) and received INITIAL_CONTACT, * delete any existing IKE_SAs with that peer. */ if (message->get_message_id(message) == 1 && @@ -620,6 +685,7 @@ METHOD(task_t, process_r, status_t, { this->initial_contact = TRUE; } +>>>>>>> upstream/4.5.1 /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) 
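Review bot: In the `@@ -613` hunk of `process_r` the HEAD side stores the peer's auth round (`auth_cfg_create` / `add_auth_cfg`) before `charon->bus->authorize` runs, while upstream (L694) stores it only after the hook has accepted the round and instead records `initial_contact` here; keeping both sides would add the auth_cfg twice, and keeping HEAD records an authentication round on the IKE_SA that the authorize hook may still reject. The upstream ordering is the safer one. `process_i` (L696) has the same pair of conflicts and should be resolved identically. `process_r` continues past this hunk.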
@@ -629,11 +695,14 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } +<<<<<<< HEAD +======= /* store authentication information */ cfg = auth_cfg_create(); cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); +>>>>>>> upstream/4.5.1 if (!update_cfg_candidates(this, FALSE)) { this->authentication_failed = TRUE; @@ -652,8 +721,15 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } +<<<<<<< HEAD +/** + * Implementation of task_t.build for responder + */ +static status_t build_r(private_ike_auth_t *this, message_t *message) +======= METHOD(task_t, build_r, status_t, private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { auth_cfg_t *cfg; @@ -709,6 +785,10 @@ METHOD(task_t, build_r, status_t, } id_payload = id_payload_create_from_identification(ID_RESPONDER, id); +<<<<<<< HEAD + message->add_payload(message, (payload_t*)id_payload); + +======= get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); @@ -719,6 +799,7 @@ METHOD(task_t, build_r, status_t, this->initial_contact = FALSE; } +>>>>>>> upstream/4.5.1 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP) { /* EAP-only authentication */ if (!this->ike_sa->supports_extension(this->ike_sa, @@ -737,8 +818,12 @@ METHOD(task_t, build_r, status_t, this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD + this->my_packet->get_data(this->my_packet)); +======= this->my_packet->get_data(this->my_packet), this->reserved); +>>>>>>> upstream/4.5.1 if (!this->my_auth) { message->add_notify(message, TRUE, AUTHENTICATION_FAILED, 
@@ -800,7 +885,11 @@ METHOD(task_t, build_r, status_t, if (!this->do_another_auth && !this->expect_another_auth) { if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, +<<<<<<< HEAD + this->ike_sa)) +======= this->ike_sa, FALSE)) +>>>>>>> upstream/4.5.1 { DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy"); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, @@ -828,8 +917,15 @@ METHOD(task_t, build_r, status_t, return NEED_MORE; } +<<<<<<< HEAD +/** + * Implementation of task_t.process for initiator + */ +static status_t process_i(private_ike_auth_t *this, message_t *message) +======= METHOD(task_t, process_i, status_t, private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; payload_t *payload; @@ -911,7 +1007,10 @@ METHOD(task_t, process_i, status_t, return FAILED; } id = id_payload->get_identification(id_payload); +<<<<<<< HEAD +======= get_reserved_id_bytes(this, id_payload); +>>>>>>> upstream/4.5.1 this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -922,8 +1021,12 @@ METHOD(task_t, process_i, status_t, this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD + this->my_packet->get_data(this->my_packet)); +======= this->my_packet->get_data(this->my_packet), this->reserved); +>>>>>>> upstream/4.5.1 if (!this->other_auth) { return FAILED; 
@@ -949,17 +1052,28 @@ METHOD(task_t, process_i, status_t, this->other_auth->destroy(this->other_auth); this->other_auth = NULL; } +<<<<<<< HEAD + /* store authentication information, reset authenticator */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + +======= +>>>>>>> upstream/4.5.1 /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling"); return FAILED; } +<<<<<<< HEAD +======= /* store authentication information, reset authenticator */ cfg = auth_cfg_create(); cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); +>>>>>>> upstream/4.5.1 } if (this->my_auth) @@ -1020,14 +1134,28 @@ METHOD(task_t, process_i, status_t, return NEED_MORE; } +<<<<<<< HEAD +/** + * Implementation of task_t.get_type + */ +static task_type_t get_type(private_ike_auth_t *this) +======= METHOD(task_t, get_type, task_type_t, private_ike_auth_t *this) +>>>>>>> upstream/4.5.1 { return IKE_AUTHENTICATE; } +<<<<<<< HEAD +/** + * Implementation of task_t.migrate + */ +static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) +======= METHOD(task_t, migrate, void, private_ike_auth_t *this, ike_sa_t *ike_sa) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1050,8 +1178,15 @@ METHOD(task_t, migrate, void, this->candidates = linked_list_create(); } +<<<<<<< HEAD +/** + * Implementation of task_t.destroy + */ +static void destroy(private_ike_auth_t *this) +======= METHOD(task_t, destroy, void, private_ike_auth_t *this) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
@@ -1069,6 +1204,39 @@ METHOD(task_t, destroy, void, */ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) { +<<<<<<< HEAD + private_ike_auth_t *this = malloc_thing(private_ike_auth_t); + + this->public.task.get_type = (task_type_t(*)(task_t*))get_type; + this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; + this->public.task.destroy = (void(*)(task_t*))destroy; + + if (initiator) + { + this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; + } + else + { + this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + } + + this->ike_sa = ike_sa; + this->initiator = initiator; + this->my_nonce = chunk_empty; + this->other_nonce = chunk_empty; + this->my_packet = NULL; + this->other_packet = NULL; + this->peer_cfg = NULL; + this->candidates = linked_list_create(); + this->my_auth = NULL; + this->other_auth = NULL; + this->do_another_auth = TRUE; + this->expect_another_auth = TRUE; + this->authentication_failed = FALSE; + +======= private_ike_auth_t *this; INIT(this, @@ -1092,6 +1260,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) this->public.task.build = _build_i; this->public.task.process = _process_i; } +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c index a59b8dcce..8da8d549a 100644 --- a/src/libcharon/sa/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/tasks/ike_cert_pre.c @@ -76,7 +76,10 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) { certreq_payload_t *certreq = (certreq_payload_t*)payload; enumerator_t *enumerator; +<<<<<<< HEAD +======= u_int unknown = 0; +>>>>>>> upstream/4.5.1 chunk_t keyid; this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); 
@@ -104,18 +107,26 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) } else { +<<<<<<< HEAD + DBG1(DBG_IKE, "received cert request for unknown ca " + "with keyid %Y", id); +======= DBG2(DBG_IKE, "received cert request for unknown ca " "with keyid %Y", id); unknown++; +>>>>>>> upstream/4.5.1 } id->destroy(id); } enumerator->destroy(enumerator); +<<<<<<< HEAD +======= if (unknown) { DBG1(DBG_IKE, "received %u cert requests for an unknown ca", unknown); } +>>>>>>> upstream/4.5.1 break; } case NOTIFY: @@ -260,6 +271,8 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) } break; } +<<<<<<< HEAD +======= case ENC_CRL: cert = cert_payload->get_cert(cert_payload); if (cert) @@ -269,10 +282,15 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); } break; +>>>>>>> upstream/4.5.1 case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: +<<<<<<< HEAD + case ENC_CRL: +======= +>>>>>>> upstream/4.5.1 case ENC_ARL: case ENC_SPKI: case ENC_X509_ATTRIBUTE: diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c index 44c55036e..1698ddd34 100644 --- a/src/libcharon/sa/tasks/ike_rekey.c +++ b/src/libcharon/sa/tasks/ike_rekey.c 
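Review bot: In the `@@ -260` and `@@ -269` hunks of `process_certs`, keeping both sides leaves `case ENC_CRL:` twice in one switch, which is a compile error; upstream handles it as a real CRL payload, HEAD lists it among the unsupported encodings. The upstream branch stores a CRL supplied by the peer via `auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert)`, so whichever component consumes that helper must verify the CRL's signature against its issuer before treating entries as revoked; I would add `/* peer-supplied CRL: must be signature-checked by the revocation code before use */` above that line since the check is not visible in this diff. `process_certs` starts before these hunks.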
@@ -255,20 +255,32 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, +<<<<<<< HEAD + min(this_nonce.len, other_nonce.len)) < 0) +======= min(this_nonce.len, other_nonce.len)) > 0) +>>>>>>> upstream/4.5.1 { /* peer should delete this SA. Add a timeout just in case. */ job_t *job = (job_t*)delete_ike_sa_job_create( other->new_sa->get_id(other->new_sa), TRUE); lib->scheduler->schedule_job(lib->scheduler, job, 10); +<<<<<<< HEAD + DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA"); +======= DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete"); +>>>>>>> upstream/4.5.1 charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); other->new_sa = NULL; } else { +<<<<<<< HEAD + DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA"); +======= DBG1(DBG_IKE, "IKE_SA rekey collision lost, " "deleting redundant IKE_SA"); +>>>>>>> upstream/4.5.1 /* apply host for a proper delete */ host = this->ike_sa->get_my_host(this->ike_sa); this->new_sa->set_my_host(this->new_sa, host->clone(host)); diff --git a/src/libcharon/tnccs/tnccs.c b/src/libcharon/tnccs/tnccs.c new file mode 100644 index 000000000..2facf02c8 --- /dev/null +++ b/src/libcharon/tnccs/tnccs.c 
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs.h"
+
+ENUM(eap_type_names, TNCCS_1_1, TNCCS_2_0,
+ "TNCCS 1.1",
+ "TNCCS SOH",
+ "TNCCS 2.0",
+);
diff --git a/src/libcharon/tnccs/tnccs.h b/src/libcharon/tnccs/tnccs.h
new file mode 100644
index 000000000..583512e82
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs.h
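Review bot: The enum-name table is defined as `eap_type_names` while tnccs.h declares `extern enum_name_t *tnccs_type_names;`, so the declared symbol has no definition and this one likely collides with libcharon's existing eap_type_names (or is simply never referenced). Change the definition to `ENUM(tnccs_type_names, TNCCS_1_1, TNCCS_2_0,` so it matches the header.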
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs tnccs
+ * @{ @ingroup libcharon
+ */
+
+#ifndef TNCCS_H_
+#define TNCCS_H_
+
+typedef enum tnccs_type_t tnccs_type_t;
+
+#include <library.h>
+
+/**
+ * Type of TNC Client/Server protocol
+ */
+enum tnccs_type_t {
+ TNCCS_1_1,
+ TNCCS_SOH,
+ TNCCS_2_0
+};
+
+/**
+ * enum names for tnccs_type_t.
+ */
+extern enum_name_t *tnccs_type_names;
+
+typedef struct tnccs_t tnccs_t;
+
+/**
+ * Constructor definition for a pluggable TNCCS protocol implementation.
+ *
+ * @param is_server TRUE if TNC Server, FALSE if TNC Client
+ * @return implementation of the tnccs_t interface
+ */
+typedef tnccs_t* (*tnccs_constructor_t)(bool is_server);
+
+#endif /** TNC_H_ @}*/
diff --git a/src/libcharon/tnccs/tnccs_manager.c b/src/libcharon/tnccs/tnccs_manager.c
new file mode 100644
index 000000000..0fd6737c0
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs_manager.c
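Review bot: The closing guard comment `#endif /** TNC_H_ @}*/` names a different macro than the `#ifndef TNCCS_H_` that opens the header; make it `#endif /** TNCCS_H_ @}*/`. The enum values carry no documentation; a one-line comment per value, e.g. `TNCCS_SOH, /* Microsoft Statement of Health variant */`, would help readers who only see the enum, and the reason the `typedef enum` forward declaration is placed before `#include <library.h>` should be stated in a short comment since the ordering looks accidental otherwise.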
@@ -0,0 +1,148 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_manager.h" + +#include <utils/linked_list.h> +#include <threading/rwlock.h> + +typedef struct private_tnccs_manager_t private_tnccs_manager_t; +typedef struct tnccs_entry_t tnccs_entry_t; + +/** + * TNCCS constructor entry + */ +struct tnccs_entry_t { + + /** + * TNCCS protocol type + */ + tnccs_type_t type; + + /** + * constructor function to create instance + */ + tnccs_constructor_t constructor; +}; + +/** + * private data of tnccs_manager + */ +struct private_tnccs_manager_t { + + /** + * public functions + */ + tnccs_manager_t public; + + /** + * list of tnccs_entry_t's + */ + linked_list_t *protocols; + + /** + * rwlock to lock methods + */ + rwlock_t *lock; +}; + +METHOD(tnccs_manager_t, add_method, void, + private_tnccs_manager_t *this, tnccs_type_t type, + tnccs_constructor_t constructor) +{ + tnccs_entry_t *entry = malloc_thing(tnccs_entry_t); + + entry->type = type; + entry->constructor = constructor; + + this->lock->write_lock(this->lock); + this->protocols->insert_last(this->protocols, entry); + this->lock->unlock(this->lock); +} + +METHOD(tnccs_manager_t, remove_method, void, + private_tnccs_manager_t *this, tnccs_constructor_t constructor) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + + this->lock->write_lock(this->lock); + enumerator = 
this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (constructor == entry->constructor) + { + this->protocols->remove_at(this->protocols, enumerator); + free(entry); + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); +} + +METHOD(tnccs_manager_t, create_instance, tnccs_t*, + private_tnccs_manager_t *this, tnccs_type_t type, bool is_server) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + tnccs_t *protocol = NULL; + + this->lock->read_lock(this->lock); + enumerator = this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (type == entry->type) + { + protocol = entry->constructor(is_server); + if (protocol) + { + break; + } + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + return protocol; +} + +METHOD(tnccs_manager_t, destroy, void, + private_tnccs_manager_t *this) +{ + this->protocols->destroy_function(this->protocols, free); + this->lock->destroy(this->lock); + free(this); +} + +/* + * See header + */ +tnccs_manager_t *tnccs_manager_create() +{ + private_tnccs_manager_t *this; + + INIT(this, + .public = { + .add_method = _add_method, + .remove_method = _remove_method, + .create_instance = _create_instance, + .destroy = _destroy, + }, + .protocols = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libcharon/tnccs/tnccs_manager.h b/src/libcharon/tnccs/tnccs_manager.h new file mode 100644 index 000000000..2f4a961a7 --- /dev/null +++ b/src/libcharon/tnccs/tnccs_manager.h 
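Review bot: create_instance invokes `entry->constructor(is_server)` while still holding the manager's read lock, so a constructor that registers or unregisters a protocol (add_method and remove_method take the write lock on the same rwlock) would deadlock; if constructors are required to be cheap and never re-enter the manager, state that above the loop, e.g. `/* constructors run under the read lock and must not call add_method/remove_method */`, otherwise collect the matching constructor under the lock and call it after unlock. add_method also accepts a second registration for the same type, and create_instance then returns the first entry in registration order whose constructor yields non-NULL, which the header's `NULL if no constructor found` wording does not describe. The definition `tnccs_manager_t *tnccs_manager_create()` should use `(void)` so the declaration is a real prototype.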
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_manager tnccs_manager
+ * @{ @ingroup tnccs
+ */
+
+#ifndef TNCCS_MANAGER_H_
+#define TNCCS_MANAGER_H_
+
+#include "tnccs.h"
+
+typedef struct tnccs_manager_t tnccs_manager_t;
+
+/**
+ * The TNCCS manager manages all TNCCS implementations and creates instances.
+ *
+ * A plugin registers its implemented TNCCS protocol with the manager by
+ * providing type and a constructor function. The manager then creates
+ * TNCCS protocol instances via the provided constructor.
+ */
+struct tnccs_manager_t {
+
+ /**
+ * Register a TNCCS protocol implementation.
+ *
+ * @param type TNCCS protocol type
+ * @param constructor constructor, returns a TNCCS protocol implementation
+ */
+ void (*add_method)(tnccs_manager_t *this, tnccs_type_t type,
+ tnccs_constructor_t constructor);
+
+ /**
+ * Unregister a TNCCS protocol implementation using it's constructor.
+ *
+ * @param constructor constructor function to remove, as added in add_method
+ */
+ void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor);
+
+ /**
+ * Create a new TNCCS protocol instance.
+ * + * @param type type of the TNCCS protocol + * @param is_server TRUE if TNC Server, FALSE if TNC Client + * @return TNCCS protocol instance, NULL if no constructor found + */ + tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, + bool is_server); + + /** + * Destroy a tnccs_manager instance. + */ + void (*destroy)(tnccs_manager_t *this); +}; + +/** + * Create a tnccs_manager instance. + */ +tnccs_manager_t *tnccs_manager_create(); + +#endif /** TNCCS_MANAGER_H_ @}*/ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index 46f23f4d6..f520d5669 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -217,7 +217,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -256,8 +262,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libfast/request.c b/src/libfast/request.c index a3db70e82..b606d3e72 100644 --- a/src/libfast/request.c +++ b/src/libfast/request.c @@ -120,7 +120,11 @@ static char *getenv_cb(void *null, const char *key) private_request_t *this = (private_request_t*)thread_this->get(thread_this); value = FCGX_GetParam(key, this->req.envp); +<<<<<<< HEAD + return value ? strdup(value) : NULL; +======= return strdupnull(value); +>>>>>>> upstream/4.5.1 } /** 
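Review bot: `tnccs_manager_t *tnccs_manager_create();` is not a prototype in C — an empty parameter list means "unspecified arguments", so a call passing stray arguments is not diagnosed; declare it as `tnccs_manager_t *tnccs_manager_create(void);`. The create_instance documentation should state that registered constructors are tried in registration order and the first non-NULL result is returned, which is what tnccs_manager.c does, and the remove_method comment's `it's constructor` should read `its constructor`.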
@@ -204,6 +208,8 @@ static char* get_query_data(private_request_t *this, char *name) } /** +<<<<<<< HEAD +======= * Implementation of request_t.get_env_var. */ static char* get_env_var(private_request_t *this, char *name) @@ -212,6 +218,7 @@ static char* get_env_var(private_request_t *this, char *name) } /** +>>>>>>> upstream/4.5.1 * Implementation of request_t.read_data. */ static int read_data(private_request_t *this, char *buf, int len) @@ -423,7 +430,10 @@ request_t *request_create(int fd, bool debug) this->public.add_cookie = (void(*)(request_t*, char *name, char *value))add_cookie; this->public.get_cookie = (char*(*)(request_t*,char*))get_cookie; this->public.get_query_data = (char*(*)(request_t*, char *name))get_query_data; +<<<<<<< HEAD +======= this->public.get_env_var = (char*(*)(request_t*, char *name))get_env_var; +>>>>>>> upstream/4.5.1 this->public.read_data = (int(*)(request_t*, char*, int))read_data; this->public.session_closed = (bool(*)(request_t*))session_closed; this->public.close_session = (void(*)(request_t*))close_session; diff --git a/src/libfast/request.h b/src/libfast/request.h index c9c1f13e2..48a82c3be 100644 --- a/src/libfast/request.h +++ b/src/libfast/request.h @@ -86,6 +86,8 @@ struct request_t { char* (*get_query_data)(request_t *this, char *name); /** +<<<<<<< HEAD +======= * Get an arbitrary environment variable. * * @param name name of the environment variable @@ -94,6 +96,7 @@ struct request_t { char* (*get_env_var)(request_t *this, char *name); /** +>>>>>>> upstream/4.5.1 * Read raw POST/PUT data from HTTP request. * * @param buf buffer to read data into diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am index 09f5fe2cd..d4571ccc7 100644 --- a/src/libfreeswan/Makefile.am +++ b/src/libfreeswan/Makefile.am 
@@ -1,10 +1,18 @@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ +<<<<<<< HEAD + atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ + goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ + keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \ + pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \ + pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \ +======= atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ pfkey_v2_build.c pfkey_v2_debug.c \ pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \ pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \ +>>>>>>> upstream/4.5.1 satot.c subnetof.c subnettoa.c subnettot.c \ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \ ultoa.c ultot.c @@ -14,7 +22,12 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto +<<<<<<< HEAD +dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ + keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +======= dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +>>>>>>> upstream/4.5.1 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 88ceab557..693ead287 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in 
@@ -58,6 +58,21 @@ libfreeswan_a_AR = $(AR) $(ARFLAGS) libfreeswan_a_LIBADD = am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \ addrtypeof.$(OBJEXT) anyaddr.$(OBJEXT) atoaddr.$(OBJEXT) \ +<<<<<<< HEAD + atoasr.$(OBJEXT) atosa.$(OBJEXT) atosubnet.$(OBJEXT) \ + atoul.$(OBJEXT) copyright.$(OBJEXT) datatot.$(OBJEXT) \ + goodmask.$(OBJEXT) initaddr.$(OBJEXT) initsaid.$(OBJEXT) \ + initsubnet.$(OBJEXT) keyblobtoid.$(OBJEXT) \ + pfkey_v2_build.$(OBJEXT) pfkey_v2_debug.$(OBJEXT) \ + pfkey_v2_ext_bits.$(OBJEXT) pfkey_v2_parse.$(OBJEXT) \ + portof.$(OBJEXT) prng.$(OBJEXT) rangetoa.$(OBJEXT) \ + rangetosubnet.$(OBJEXT) sameaddr.$(OBJEXT) satoa.$(OBJEXT) \ + satot.$(OBJEXT) subnetof.$(OBJEXT) subnettoa.$(OBJEXT) \ + subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) ttoaddr.$(OBJEXT) \ + ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) ttosa.$(OBJEXT) \ + ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) ultoa.$(OBJEXT) \ + ultot.$(OBJEXT) +======= atoasr.$(OBJEXT) atosubnet.$(OBJEXT) atoul.$(OBJEXT) \ copyright.$(OBJEXT) datatot.$(OBJEXT) goodmask.$(OBJEXT) \ initaddr.$(OBJEXT) initsaid.$(OBJEXT) initsubnet.$(OBJEXT) \ @@ -69,6 +84,7 @@ am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \ ttoaddr.$(OBJEXT) ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) \ ttosa.$(OBJEXT) ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) \ ultoa.$(OBJEXT) ultot.$(OBJEXT) +>>>>>>> upstream/4.5.1 libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -232,7 +248,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -271,8 +293,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -285,11 +310,19 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ +<<<<<<< HEAD + atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ + goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ + keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \ + pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \ + pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \ +======= atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ pfkey_v2_build.c pfkey_v2_debug.c \ pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \ pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \ +>>>>>>> upstream/4.5.1 satot.c subnetof.c subnettoa.c subnettot.c \ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \ ultoa.c ultot.c @@ -299,8 +332,13 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto +<<<<<<< HEAD +dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ + keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +======= dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +>>>>>>> upstream/4.5.1 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 all: all-am 
@@ -357,6 +395,10 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/anyaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoasr.Po@am__quote@ +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosa.Po@am__quote@ +======= +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosubnet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoul.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/copyright.Po@am__quote@ 
@@ -365,14 +407,26 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsaid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsubnet.Po@am__quote@ +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyblobtoid.Po@am__quote@ +======= +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_build.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_debug.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_ext_bits.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_parse.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portof.Po@am__quote@ +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prng.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetoa.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetosubnet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sameaddr.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satoa.Po@am__quote@ +======= @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetoa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetosubnet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sameaddr.Po@am__quote@ +>>>>>>> upstream/4.5.1 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satot.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnetof.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettoa.Po@am__quote@ diff --git a/src/libfreeswan/atosa.3 b/src/libfreeswan/atosa.3 new file mode 100644 index 000000000..f57fcf1e9 --- /dev/null +++ b/src/libfreeswan/atosa.3 
@@ -0,0 +1,217 @@ +.TH IPSEC_ATOSA 3 "11 June 2001" +.SH NAME +ipsec atosa, satoa \- convert IPsec Security Association IDs to and from ASCII +.SH SYNOPSIS +.B "#include <freeswan.h> +.sp +.B "const char *atosa(const char *src, size_t srclen," +.ti +1c +.B "struct sa_id *sa); +.br +.B "size_t satoa(struct sa_id sa, int format," +.ti +1c +.B "char *dst, size_t dstlen);" +.sp +.B "struct sa_id {" +.ti +1c +.B "struct in_addr dst;" +.ti +1c +.B "ipsec_spi_t spi;" +.ti +1c +.B "int proto;" +.br +.B "};" +.SH DESCRIPTION +These functions are obsolete; see +.IR ipsec_ttosa (3) +for their replacements. +.PP +.I Atosa +converts an ASCII Security Association (SA) specifier into an +.B sa_id +structure (containing +a destination-host address +in network byte order, +an SPI number in network byte order, and +a protocol code). +.I Satoa +does the reverse conversion, back to an ASCII SA specifier. +.PP +An SA is specified in ASCII with a mail-like syntax, e.g. +.BR esp507@1.2.3.4 . +An SA specifier contains +a protocol prefix (currently +.BR ah , +.BR esp , +or +.BR tun ), +an unsigned integer SPI number, +and an IP address. +The SPI number can be decimal or hexadecimal +(with +.B 0x +prefix), as accepted by +.IR ipsec_atoul (3). +The IP address can be any form accepted by +.IR ipsec_atoaddr (3), +e.g. dotted-decimal address or DNS name. +.PP +As a special case, the SA specifier +.B %passthrough +signifies the special SA used to indicate that packets should be +passed through unaltered. +(At present, this is a synonym for +.BR tun0x0@0.0.0.0 , +but that is subject to change without notice.) +This form is known to both +.I atosa +and +.IR satoa , +so the internal form of +.B %passthrough +is never visible. +.PP +The +.B <freeswan.h> +header file supplies the +.B sa_id +structure, as well as a data type +.B ipsec_spi_t +which is an unsigned 32-bit integer. +(There is no consistency between kernel and user on what such a type +is called, hence the header hides the differences.) 
+.PP +The protocol code uses the same numbers that IP does. +For user convenience, given the difficulty in acquiring the exact set of +protocol names used by the kernel, +.B <freeswan.h> +defines the names +.BR SA_ESP , +.BR SA_AH , +and +.B SA_IPIP +to have the same values as the kernel names +.BR IPPROTO_ESP , +.BR IPPROTO_AH , +and +.BR IPPROTO_IPIP . +.PP +The +.I srclen +parameter of +.I atosa +specifies the length of the ASCII string pointed to by +.IR src ; +it is an error for there to be anything else +(e.g., a terminating NUL) within that length. +As a convenience for cases where an entire NUL-terminated string is +to be converted, +a +.I srclen +value of +.B 0 +is taken to mean +.BR strlen(src) . +.PP +The +.I dstlen +parameter of +.I satoa +specifies the size of the +.I dst +parameter; +under no circumstances are more than +.I dstlen +bytes written to +.IR dst . +A result which will not fit is truncated. +.I Dstlen +can be zero, in which case +.I dst +need not be valid and no result is written, +but the return value is unaffected; +in all other cases, the (possibly truncated) result is NUL-terminated. +The +.I freeswan.h +header file defines a constant, +.BR SATOA_BUF , +which is the size of a buffer just large enough for worst-case results. +.PP +The +.I format +parameter of +.I satoa +specifies what format is to be used for the conversion. +The value +.B 0 +(not the ASCII character +.BR '0' , +but a zero value) +specifies a reasonable default +(currently +lowercase protocol prefix, lowercase hexadecimal SPI, dotted-decimal address). +The value +.B d +causes the SPI to be generated in decimal instead. +.PP +.I Atosa +returns +.B NULL +for success and +a pointer to a string-literal error message for failure; +see DIAGNOSTICS. 
+.I Satoa +returns +.B 0 +for a failure, and otherwise +always returns the size of buffer which would +be needed to +accommodate the full conversion result, including terminating NUL; +it is the caller's responsibility to check this against the size of +the provided buffer to determine whether truncation has occurred. +.SH SEE ALSO +ipsec_atoul(3), ipsec_atoaddr(3), inet(3) +.SH DIAGNOSTICS +Fatal errors in +.I atosa +are: +empty input; +input too small to be a legal SA specifier; +no +.B @ +in input; +unknown protocol prefix; +conversion error in +.I atoul +or +.IR atoaddr . +.PP +Fatal errors in +.I satoa +are: +unknown format; unknown protocol code. +.SH HISTORY +Written for the FreeS/WAN project by Henry Spencer. +.SH BUGS +The +.B tun +protocol code is a FreeS/WANism which may eventually disappear. +.PP +The restriction of ASCII-to-binary error reports to literal strings +(so that callers don't need to worry about freeing them or copying them) +does limit the precision of error reporting. +.PP +The ASCII-to-binary error-reporting convention lends itself +to slightly obscure code, +because many readers will not think of NULL as signifying success. +A good way to make it clearer is to write something like: +.PP +.RS +.nf +.B "const char *error;" +.sp +.B "error = atoaddr( /* ... */ );" +.B "if (error != NULL) {" +.B " /* something went wrong */" +.fi +.RE diff --git a/src/libfreeswan/atosa.c b/src/libfreeswan/atosa.c new file mode 100644 index 000000000..7339b4c3e --- /dev/null +++ b/src/libfreeswan/atosa.c 
@@ -0,0 +1,198 @@ +/* + * convert from ASCII form of SA ID to binary + * Copyright (C) 1998, 1999 Henry Spencer. + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Library General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + */ +#include "internal.h" +#include "freeswan.h" + +static struct satype { + char *prefix; + size_t prelen; /* strlen(prefix) */ + int proto; +} satypes[] = { + { "ah", 2, SA_AH }, + { "esp", 3, SA_ESP }, + { "tun", 3, SA_IPIP }, + { "comp", 4, SA_COMP }, + { NULL, 0, 0, } +}; + +/* + - atosa - convert ASCII "ah507@10.0.0.1" to SA identifier + */ +const char * /* NULL for success, else string literal */ +atosa(src, srclen, sa) +const char *src; +size_t srclen; /* 0 means "apply strlen" */ +struct sa_id *sa; +{ + const char *at; + const char *addr; + const char *spi = NULL; + struct satype *sat; + unsigned long ul; + const char *oops; +# define MINLEN 5 /* ah0@0 is as short as it can get */ + static char ptname[] = PASSTHROUGHNAME; +# define PTNLEN (sizeof(ptname)-1) /* -1 for NUL */ + + if (srclen == 0) + srclen = strlen(src); + if (srclen == 0) + return "empty string"; + if (srclen < MINLEN) + return "string too short to be SA specifier"; + if (srclen == PTNLEN && memcmp(src, ptname, PTNLEN) == 0) { + src = PASSTHROUGHIS; + srclen = strlen(src); + } + + at = memchr(src, '@', srclen); + if (at == NULL) + return "no @ in SA specifier"; + + for (sat = satypes; sat->prefix != NULL; sat++) + if (sat->prelen < srclen && + strncmp(src, sat->prefix, sat->prelen) == 0) { + sa->proto = sat->proto; + 
spi = src + sat->prelen; + break; /* NOTE BREAK OUT */ + } + if (sat->prefix == NULL) + return "SA specifier lacks valid protocol prefix"; + + if (spi >= at) + return "no SPI in SA specifier"; + oops = atoul(spi, at - spi, 13, &ul); + if (oops != NULL) + return oops; + sa->spi = htonl(ul); + + addr = at + 1; + oops = atoaddr(addr, srclen - (addr - src), &sa->dst); + if (oops != NULL) + return oops; + + return NULL; +} + + + +#ifdef ATOSA_MAIN + +#include <stdio.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> + +void regress(void); + +int +main(int argc, char *argv[]) +{ + struct sa_id sa; + char buf[100]; + const char *oops; + size_t n; + + if (argc < 2) { + fprintf(stderr, "Usage: %s {ahnnn@aaa|-r}\n", argv[0]); + exit(2); + } + + if (strcmp(argv[1], "-r") == 0) { + regress(); + fprintf(stderr, "regress() returned?!?\n"); + exit(1); + } + + oops = atosa(argv[1], 0, &sa); + if (oops != NULL) { + fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops); + exit(1); + } + n = satoa(sa, 0, buf, sizeof(buf)); + if (n > sizeof(buf)) { + fprintf(stderr, "%s: reverse conv of `%d'", argv[0], sa.proto); + fprintf(stderr, "%lu@", (long unsigned int)sa.spi); + fprintf(stderr, "%s", inet_ntoa(sa.dst)); + fprintf(stderr, " failed: need %ld bytes, have only %ld\n", + (long)n, (long)sizeof(buf)); + exit(1); + } + printf("%s\n", buf); + + exit(0); +} + +struct rtab { + char *input; + char *output; /* NULL means error expected */ +} rtab[] = { + {"esp257@1.2.3.0", "esp257@1.2.3.0"}, + {"ah0x20@1.2.3.4", "ah32@1.2.3.4"}, + {"tun011@111.2.3.99", "tun11@111.2.3.99"}, + {"", NULL}, + {"_", NULL}, + {"ah2.2", NULL}, + {"goo2@1.2.3.4", NULL}, + {"esp9@1.2.3.4", "esp9@1.2.3.4"}, + {"espp9@1.2.3.4", NULL}, + {"es9@1.2.3.4", NULL}, + {"ah@1.2.3.4", NULL}, + {"esp7x7@1.2.3.4", NULL}, + {"esp77@1.0x2.3.4", NULL}, + {PASSTHROUGHNAME, PASSTHROUGHNAME}, + {NULL, NULL} +}; + +void +regress(void) +{ + struct rtab *r; + int status = 0; + struct sa_id sa; + char 
in[100]; + char buf[100]; + const char *oops; + size_t n; + + for (r = rtab; r->input != NULL; r++) { + strcpy(in, r->input); + oops = atosa(in, 0, &sa); + if (oops != NULL && r->output == NULL) + {} /* okay, error expected */ + else if (oops != NULL) { + printf("`%s' atosa failed: %s\n", r->input, oops); + status = 1; + } else if (r->output == NULL) { + printf("`%s' atosa succeeded unexpectedly\n", + r->input); + status = 1; + } else { + n = satoa(sa, 'd', buf, sizeof(buf)); + if (n > sizeof(buf)) { + printf("`%s' satoa failed: need %ld\n", + r->input, (long)n); + status = 1; + } else if (strcmp(r->output, buf) != 0) { + printf("`%s' gave `%s', expected `%s'\n", + r->input, buf, r->output); + status = 1; + } + } + } + exit(status); +} + +#endif /* ATOSA_MAIN */ diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c index e55e849f7..ff4575add 100644 --- a/src/libfreeswan/copyright.c +++ b/src/libfreeswan/copyright.c @@ -27,6 +27,15 @@ static const char *co[] = { " Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,", " Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,", " Roger Wegmann, Simon Zwahlen,", +<<<<<<< HEAD + " Zuercher Hochschule Winterthur (Switzerland).", + "", + " Philip Boetschi, Tobias Brunner, Adrian Doerig, Andreas Eigenmann,", + " Fabian Hartmann, Noah Heusser, Jan Hutter, Thomas Kallenberg,", + " Daniel Roethlisberger, Joel Stillhart, Martin Willi, Daniel Wydler,", + " Andreas Steffen,", + " Hochschule fuer Technik Rapperswil (Switzerland).", +======= " ZHW Zuercher Hochschule Winterthur (Switzerland).", "", " Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,", 
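Review bot: `sa->spi = htonl(ul);` stores an `unsigned long` into the 32-bit SPI without a range check, so on LP64 platforms a value above 0xffffffff (for example a constructed input like `esp0x100000000@1.2.3.4`) parses successfully and is silently truncated, assuming atoul accepts the full unsigned long range, which is not visible here; add `if (ul > 0xffffffffUL) return "SPI value too large";` before the assignment. The accompanying atosa.3 man page declares these functions obsolete in favour of ipsec_ttosa(3), and the libfreeswan/Makefile.am conflict shows the upstream side dropping atosa.c, so re-adding the file here looks like an artefact of the unresolved merge rather than an intended change. The K&R-style definition `atosa(src, srclen, sa)` should be written as a prototype-style definition so it matches the freeswan.h declaration and gets argument type checking.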
@@ -34,6 +43,7 @@ static const char *co[] = { " Thomas Kallenberg, Daniel Roethlisberger, Joel Stillhart, Martin Willi,", " Daniel Wydler, Andreas Steffen,", " HSR Hochschule fuer Technik Rapperswil (Switzerland).", +>>>>>>> upstream/4.5.1 "", "This program is free software; you can redistribute it and/or modify it", "under the terms of the GNU General Public License as published by the", diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h index 724165bde..94a8a5266 100644 --- a/src/libfreeswan/freeswan.h +++ b/src/libfreeswan/freeswan.h @@ -158,6 +158,14 @@ err_t ttodatav(const char *src, size_t srclen, int base, size_t datatot(const char *src, size_t srclen, int format, char *buf, size_t buflen); +<<<<<<< HEAD +size_t keyblobtoid(const unsigned char *src, size_t srclen, char *dst, + size_t dstlen); +size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m, + size_t mlen, char *dst, size_t dstlen); +#define KEYID_BUF 10 /* up to 9 text digits plus NUL */ +======= +>>>>>>> upstream/4.5.1 err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port, bool *has_port_wildcard); @@ -201,6 +209,15 @@ void setportof(int port, ip_address *dst); struct sockaddr *sockaddrof(ip_address *src); size_t sockaddrlenof(const ip_address *src); +<<<<<<< HEAD +/* PRNG */ +void prng_init(struct prng *prng, const unsigned char *key, size_t keylen); +void prng_bytes(struct prng *prng, unsigned char *dst, size_t dstlen); +unsigned long prng_count(struct prng *prng); +void prng_final(struct prng *prng); + +======= +>>>>>>> upstream/4.5.1 /* odds and ends */ const char **ipsec_copyright_notice(void); 
@@ -283,6 +300,27 @@ rangetoa( ); #define RANGETOA_BUF 34 /* large enough for worst case result */ +<<<<<<< HEAD +/* data types for SA conversion functions */ + +/* SAs */ +const char * /* NULL for success, else string literal */ +atosa( + const char *src, + size_t srclen, /* 0 means strlen(src) */ + struct sa_id *sa +); +size_t /* space needed for full conversion */ +satoa( + struct sa_id sa, + int format, /* character; 0 means default */ + char *dst, + size_t dstlen +); +#define SATOA_BUF (3+ULTOA_BUF+ADDRTOA_BUF) + +======= +>>>>>>> upstream/4.5.1 /* generic data, e.g. keys */ const char * /* NULL for success, else string literal */ atobytes( diff --git a/src/libfreeswan/keyblobtoid.3 b/src/libfreeswan/keyblobtoid.3 new file mode 100644 index 000000000..8b5bfb0a2 --- /dev/null +++ b/src/libfreeswan/keyblobtoid.3 
@@ -0,0 +1,102 @@ +.TH IPSEC_KEYBLOBTOID 3 "25 March 2002" +.SH NAME +ipsec keyblobtoid, splitkeytoid \- generate key IDs from RSA keys +.SH SYNOPSIS +.B "#include <freeswan.h> +.sp +.B "size_t keyblobtoid(const unsigned char *blob," +.ti +1c +.B "size_t bloblen, char *dst, size_t dstlen);" +.br +.B "size_t splitkeytoid(const unsigned char *e, size_t elen," +.ti +1c +.B "const unsigned char *m, size_t mlen, char *dst, +.ti +1c +.B "size_t dstlen);" +.SH DESCRIPTION +.I Keyblobtoid +and +.I splitkeytoid +generate +key IDs +from RSA keys, +for use in messages and reporting, +writing the result to +.IR dst . +A +.I key ID +is a short ASCII string identifying a key; +currently it is just the first nine characters of the base64 +encoding of the RFC 2537/3110 ``byte blob'' representation of the key. +(Beware that no finite key ID can be collision-proof: +there is always some small chance of two random keys having the +same ID.) +.PP +.I Keyblobtoid +generates a key ID from a key which is already in the form of an +RFC 2537/3110 binary key +.I blob +(encoded exponent length, exponent, modulus). +.PP +.I Splitkeytoid +generates a key ID from a key given in the form of a separate +(binary) exponent +.I e +and modulus +.IR m . +.PP +The +.I dstlen +parameter of either +specifies the size of the +.I dst +parameter; +under no circumstances are more than +.I dstlen +bytes written to +.IR dst . +A result which will not fit is truncated. +.I Dstlen +can be zero, in which case +.I dst +need not be valid and no result is written, +but the return value is unaffected; +in all other cases, the (possibly truncated) result is NUL-terminated. +The +.I freeswan.h +header file defines a constant +.B KEYID_BUF +which is the size of a buffer large enough for worst-case results. 
+.PP +Both functions return +.B 0 +for a failure, and otherwise +always return the size of buffer which would +be needed to +accommodate the full conversion result, including terminating NUL; +it is the caller's responsibility to check this against the size of +the provided buffer to determine whether truncation has occurred. +.P +With keys generated by +.IR ipsec_rsasigkey (3), +the first two base64 digits are always the same, +and the third carries only about one bit of information. +It's worse with keys using longer fixed exponents, +e.g. the 24-bit exponent that's common in X.509 certificates. +However, being able to relate key IDs to the full +base64 text form of keys by eye is sufficiently useful that this +waste of space seems justifiable. +The choice of nine digits is a compromise between bulk and +probability of collision. +.SH SEE ALSO +RFC 3110, +\fIRSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)\fR, +Eastlake, 2001 +(superseding the older but better-known RFC 2537). +.SH DIAGNOSTICS +Fatal errors are: +key too short to supply enough bits to construct a complete key ID +(almost certainly indicating a garbage key); +exponent too long for its length to be representable. +.SH HISTORY +Written for the FreeS/WAN project by Henry Spencer. diff --git a/src/libfreeswan/keyblobtoid.c b/src/libfreeswan/keyblobtoid.c new file mode 100644 index 000000000..89ab5fced --- /dev/null +++ b/src/libfreeswan/keyblobtoid.c 
@@ -0,0 +1,146 @@ +/* + * generate printable key IDs + * Copyright (C) 2002 Henry Spencer. + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Library General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + */ +#include "internal.h" +#include "freeswan.h" + +/* + - keyblobtoid - generate a printable key ID from an RFC 2537/3110 key blob + * Current algorithm is just to use first nine base64 digits. + */ +size_t +keyblobtoid(src, srclen, dst, dstlen) +const unsigned char *src; +size_t srclen; +char *dst; /* need not be valid if dstlen is 0 */ +size_t dstlen; +{ + char buf[KEYID_BUF]; + size_t ret; +# define NDIG 9 + + if (srclen < (NDIG*6 + 7)/8) { + strcpy(buf, "?len= ?"); + buf[5] = '0' + srclen; + ret = 0; + } else { + (void) datatot(src, srclen, 64, buf, NDIG+1); + ret = NDIG+1; + } + + if (dstlen > 0) { + if (strlen(buf)+1 > dstlen) + *(buf + dstlen - 1) = '\0'; + strcpy(dst, buf); + } + return ret; +} + +/* + - splitkeytoid - generate a printable key ID from exponent/modulus pair + * Just constructs the beginnings of a key blob and calls keyblobtoid(). 
+ */ +size_t +splitkeytoid(e, elen, m, mlen, dst, dstlen) +const unsigned char *e; +size_t elen; +const unsigned char *m; +size_t mlen; +char *dst; /* need not be valid if dstlen is 0 */ +size_t dstlen; +{ + unsigned char buf[KEYID_BUF]; /* ample room */ + unsigned char *bufend = buf + sizeof(buf); + unsigned char *p; + size_t n; + + p = buf; + if (elen <= 255) + *p++ = elen; + else if ((elen &~ 0xffff) == 0) { + *p++ = 0; + *p++ = (elen>>8) & 0xff; + *p++ = elen & 0xff; + } else + return 0; /* unrepresentable exponent length */ + + n = bufend - p; + if (elen < n) + n = elen; + memcpy(p, e, n); + p += n; + + n = bufend - p; + if (n > 0) { + if (mlen < n) + n = mlen; + memcpy(p, m, n); + p += n; + } + + return keyblobtoid(buf, p - buf, dst, dstlen); +} + + + +#ifdef KEYBLOBTOID_MAIN + +#include <stdio.h> + +void regress(); + +int +main(argc, argv) +int argc; +char *argv[]; +{ + typedef unsigned char uc; + uc hexblob[] = "\x01\x03\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52"; + uc hexe[] = "\x03"; + uc hexm[] = "\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52\xef\x85"; + char b64nine[] = "AQOF8tZ2m"; + char b64six[] = "AQOF8t"; + char buf[100]; + size_t n; + char *b = b64nine; + size_t bl = strlen(b) + 1; + int st = 0; + + n = keyblobtoid(hexblob, strlen(hexblob), buf, sizeof(buf)); + if (n != bl) { + fprintf(stderr, "%s: keyblobtoid returned %d not %d\n", + argv[0], n, bl); + st = 1; + } + if (strcmp(buf, b) != 0) { + fprintf(stderr, "%s: keyblobtoid generated `%s' not `%s'\n", + argv[0], buf, b); + st = 1; + } + n = splitkeytoid(hexe, strlen(hexe), hexm, strlen(hexm), buf, + sizeof(buf)); + if (n != bl) { + fprintf(stderr, "%s: splitkeytoid returned %d not %d\n", + argv[0], n, bl); + st = 1; + } + if (strcmp(buf, b) != 0) { + fprintf(stderr, "%s: splitkeytoid generated `%s' not `%s'\n", + argv[0], buf, b); + st = 1; + } + exit(st); +} + +#endif /* KEYBLOBTOID_MAIN */ diff --git a/src/libfreeswan/prng.3 b/src/libfreeswan/prng.3 new file mode 100644 index 000000000..48c6ceed0 
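Review bot: keyblobtoid's ID is just the first nine base64 characters of the raw blob (`datatot(src, srclen, 64, buf, NDIG+1)`), i.e. the exponent length, the exponent and the leading modulus bytes, not a digest; the man page in this diff already admits the first two or three characters carry almost no information, and anyone can mint a key whose ID matches another key's. A comment above the function should say so, e.g. `/* NOTE: not a fingerprint; IDs are attacker-choosable. For logging/display only, never for identity matching. */`. Smaller points: `buf[5] = '0' + srclen` is only safe because srclen < 7 on that branch, which deserves a one-line comment; the test main prints size_t values with `%d`; and `void regress();` is declared but never defined or called in this file.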
--- /dev/null +++ b/src/libfreeswan/prng.3 
@@ -0,0 +1,120 @@ +.TH IPSEC_PRNG 3 "1 April 2002" +.SH NAME +ipsec prng_init \- initialize IPsec pseudorandom-number generator +.br +ipsec prng_bytes \- get bytes from IPsec pseudorandom-number generator +.br +ipsec prng_final \- close down IPsec pseudorandom-number generator +.SH SYNOPSIS +.B "#include <freeswan.h> +.sp +.B "void prng_init(struct prng *prng," +.ti +1c +.B "const unsigned char *key, size_t keylen);" +.br +.B "void prng_bytes(struct prng *prng, char *dst," +.ti +1c +.B "size_t dstlen);" +.br +.B "unsigned long prng_count(struct prng *prng);" +.br +.B "void prng_final(struct prng *prng);" +.SH DESCRIPTION +.I Prng_init +initializes a crypto-quality pseudo-random-number generator from a key; +.I prng_bytes +obtains pseudo-random bytes from it; +.I prng_count +reports the number of bytes extracted from it to date; +.I prng_final +closes it down. +It is the user's responsibility to initialize a PRNG before using it, +and not to use it again after it is closed down. +.PP +.I Prng_init +initializes, +or re-initializes, +the specified +.I prng +from the +.IR key , +whose length is given by +.IR keylen . +The user must allocate the +.B "struct prng" +pointed to by +.IR prng . +There is no particular constraint on the length of the key, +although a key longer than 256 bytes is unnecessary because +only the first 256 would be used. +Initialization requires on the order of 3000 integer operations, +independent of key length. +.PP +.I Prng_bytes +obtains +.I dstlen +pseudo-random bytes from the PRNG and puts them in +.IR buf . +This is quite fast, +on the order of 10 integer operations per byte. +.PP +.I Prng_count +reports the number of bytes obtained from the PRNG +since it was (last) initialized. +.PP +.I Prng_final +closes down a PRNG by +zeroing its internal memory, +obliterating all trace of the state used to generate its previous output. +This requires on the order of 250 integer operations. 
+.PP +The +.B <freeswan.h> +header file supplies the definition of the +.B prng +structure. +Examination of its innards is discouraged, as they may change. +.PP +The PRNG algorithm +used by these functions is currently identical to that of RC4(TM). +This algorithm is cryptographically strong, +sufficiently unpredictable that even a hostile observer will +have difficulty determining the next byte of output from past history, +provided it is initialized from a reasonably large key composed of +highly random bytes (see +.IR random (4)). +The usual run of software pseudo-random-number generators +(e.g. +.IR random (3)) +are +.I not +cryptographically strong. +.PP +The well-known attacks against RC4(TM), +e.g. as found in 802.11b's WEP encryption system, +apply only if multiple PRNGs are initialized with closely-related keys +(e.g., using a counter appended to a base key). +If such keys are used, the first few hundred pseudo-random bytes +from each PRNG should be discarded, +to give the PRNGs a chance to randomize their innards properly. +No useful attacks are known if the key is well randomized to begin with. +.SH SEE ALSO +random(3), random(4) +.br +Bruce Schneier, +\fIApplied Cryptography\fR, 2nd ed., 1996, ISBN 0-471-11709-9, +pp. 397-8. +.SH HISTORY +Written for the FreeS/WAN project by Henry Spencer. +.SH BUGS +If an attempt is made to obtain more than 4e9 bytes +between initializations, +the PRNG will continue to work but +.IR prng_count 's +output will stick at +.BR 4000000000 . +Fixing this would require a longer integer type and does +not seem worth the trouble, +since you should probably re-initialize before then anyway... +.PP +``RC4'' is a trademark of RSA Data Security, Inc. diff --git a/src/libfreeswan/prng.c b/src/libfreeswan/prng.c new file mode 100644 index 000000000..347f13f89 --- /dev/null +++ b/src/libfreeswan/prng.c 
@@ -0,0 +1,200 @@ +/* + * crypto-class pseudorandom number generator + * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397 + * Copyright (C) 2002 Henry Spencer. + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Library General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + */ +#include "internal.h" +#include "freeswan.h" + +/* + - prng_init - initialize PRNG from a key + */ +void +prng_init(prng, key, keylen) +struct prng *prng; +const unsigned char *key; +size_t keylen; +{ + unsigned char k[256]; + int i, j; + unsigned const char *p; + unsigned const char *keyend = key + keylen; + unsigned char t; + + for (i = 0; i <= 255; i++) + prng->sbox[i] = i; + p = key; + for (i = 0; i <= 255; i++) { + k[i] = *p++; + if (p >= keyend) + p = key; + } + j = 0; + for (i = 0; i <= 255; i++) { + j = (j + prng->sbox[i] + k[i]) & 0xff; + t = prng->sbox[i]; + prng->sbox[i] = prng->sbox[j]; + prng->sbox[j] = t; + k[i] = 0; /* clear out key memory */ + } + prng->i = 0; + prng->j = 0; + prng->count = 0; +} + +/* + - prng_bytes - get some pseudorandom bytes from PRNG + */ +void +prng_bytes(prng, dst, dstlen) +struct prng *prng; +unsigned char *dst; +size_t dstlen; +{ + int i, j, t; + unsigned char *p = dst; + size_t remain = dstlen; +# define MAX 4000000000ul + + while (remain > 0) { + i = (prng->i + 1) & 0xff; + prng->i = i; + j = (prng->j + prng->sbox[i]) & 0xff; + prng->j = j; + t = prng->sbox[i]; + prng->sbox[i] = prng->sbox[j]; + prng->sbox[j] = t; + t = (t + prng->sbox[i]) & 0xff; + *p++ = prng->sbox[t]; + 
remain--; + } + if (prng->count < MAX - dstlen) + prng->count += dstlen; + else + prng->count = MAX; +} + +/* + - prnt_count - how many bytes have been extracted from PRNG so far? + */ +unsigned long +prng_count(prng) +struct prng *prng; +{ + return prng->count; +} + +/* + - prng_final - clear out PRNG to ensure nothing left in memory + */ +void +prng_final(prng) +struct prng *prng; +{ + int i; + + for (i = 0; i <= 255; i++) + prng->sbox[i] = 0; + prng->i = 0; + prng->j = 0; + prng->count = 0; /* just for good measure */ +} + + + +#ifdef PRNG_MAIN + +#include <stdio.h> + +void regress(); + +int +main(argc, argv) +int argc; +char *argv[]; +{ + struct prng pr; + unsigned char buf[100]; + unsigned char *p; + size_t n; + + if (argc < 2) { + fprintf(stderr, "Usage: %s {key|-r}\n", argv[0]); + exit(2); + } + + if (strcmp(argv[1], "-r") == 0) { + regress(); + fprintf(stderr, "regress() returned?!?\n"); + exit(1); + } + + prng_init(&pr, argv[1], strlen(argv[1])); + prng_bytes(&pr, buf, 32); + printf("0x"); + for (p = buf, n = 32; n > 0; p++, n--) + printf("%02x", *p); + printf("\n%lu bytes\n", prng_count(&pr)); + prng_final(&pr); + exit(0); +} + +void +regress() +{ + struct prng pr; + unsigned char buf[100]; + unsigned char *p; + size_t n; + /* somewhat non-random sample key */ + unsigned char key[] = "here we go gathering nuts in May"; + /* first thirty bytes of output from that key */ + unsigned char good[] = "\x3f\x02\x8e\x4a\x2a\xea\x23\x18\x92\x7c" + "\x09\x52\x83\x61\xaa\x26\xce\xbb\x9d\x71" + "\x71\xe5\x10\x22\xaf\x60\x54\x8d\x5b\x28"; + int nzero, none; + int show = 0; + + prng_init(&pr, key, strlen(key)); + prng_bytes(&pr, buf, sizeof(buf)); + for (p = buf, n = sizeof(buf); n > 0; p++, n--) { + if (*p == 0) + nzero++; + if (*p == 255) + none++; + } + if (nzero > 3 || none > 3) { + fprintf(stderr, "suspiciously non-random output!\n"); + show = 1; + } + if (memcmp(buf, good, strlen(good)) != 0) { + fprintf(stderr, "incorrect output!\n"); + show = 1; + } + if (show) 
{ + fprintf(stderr, "0x"); + for (p = buf, n = sizeof(buf); n > 0; p++, n--) + fprintf(stderr, "%02x", *p); + fprintf(stderr, "\n"); + exit(1); + } + if (prng_count(&pr) != sizeof(buf)) { + fprintf(stderr, "got %u bytes, but count is %lu\n", + sizeof(buf), prng_count(&pr)); + exit(1); + } + prng_final(&pr); + exit(0); +} + +#endif /* PRNG_MAIN */ diff --git a/src/libfreeswan/satoa.c b/src/libfreeswan/satoa.c new file mode 100644 index 000000000..09a152727 --- /dev/null +++ b/src/libfreeswan/satoa.c 
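Review bot: prng_init reads `k[i] = *p++` before it tests `p >= keyend`, so a zero-length key dereferences `key[0]` out of bounds and then cycles that byte into every k[i]; since the man page says key length is unconstrained, either document `keylen > 0` as a precondition or guard it ahead of the loop, e.g. `if (keylen == 0) { key = (const unsigned char *)""; keylen = 1; }`. The generator is plain RC4 with no key-schedule discard, whose early keystream bytes are known to be biased, so despite the "crypto-quality" comment it should not feed key or IV generation, and at minimum prng_init should discard a few hundred bytes after scheduling as the man page itself recommends for related keys. The `k[i] = 0` stores and the prng_final zeroing loop are dead stores a compiler may elide, so the "clear out key memory" promise is best effort unless a volatile or barrier-backed wipe is used. In regress(), `nzero` and `none` are never initialised before `nzero++`/`none++`, and `strlen(good)` on a binary vector is fragile compared with `sizeof(good) - 1`.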
@@ -0,0 +1,100 @@ +/* + * convert from binary form of SA ID to ASCII + * Copyright (C) 1998, 1999, 2001 Henry Spencer. + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Library General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + */ +#include "internal.h" +#include "freeswan.h" + +static struct typename { + char type; + char *name; +} typenames[] = { + { SA_AH, "ah" }, + { SA_ESP, "esp" }, + { SA_IPIP, "tun" }, + { SA_COMP, "comp" }, + { SA_INT, "int" }, + { 0, NULL } +}; + +/* + - satoa - convert SA to ASCII "ah507@1.2.3.4" + */ +size_t /* space needed for full conversion */ +satoa(sa, format, dst, dstlen) +struct sa_id sa; +int format; /* character */ +char *dst; /* need not be valid if dstlen is 0 */ +size_t dstlen; +{ + size_t len = 0; /* 0 means not handled yet */ + int base; + struct typename *tn; + char buf[30+ADDRTOA_BUF]; + + switch (format) { + case 0: + base = 16; /* temporarily at least */ + break; + case 'd': + base = 10; + break; + default: + return 0; + break; + } + + for (tn = typenames; tn->name != NULL; tn++) + if (sa.proto == tn->type) + break; + if (tn->name == NULL) + return 0; + + if (strcmp(tn->name, PASSTHROUGHTYPE) == 0 && + sa.spi == PASSTHROUGHSPI && + sa.dst.s_addr == PASSTHROUGHDST) { + strcpy(buf, PASSTHROUGHNAME); + len = strlen(buf); + } else if (sa.proto == SA_INT && sa.dst.s_addr == 0) { + char *p; + + switch (ntohl(sa.spi)) { + case SPI_PASS: p = "%pass"; break; + case SPI_DROP: p = "%drop"; break; + case SPI_REJECT: p = "%reject"; break; + case SPI_HOLD: p = "%hold"; break; 
+ case SPI_TRAP: p = "%trap"; break; + case SPI_TRAPSUBNET: p = "%trapsubnet"; break; + default: p = NULL; break; + } + if (p != NULL) { + strcpy(buf, p); + len = strlen(buf); + } + } + + if (len == 0) { + strcpy(buf, tn->name); + len = strlen(buf); + len += ultoa(ntohl(sa.spi), base, buf+len, sizeof(buf)-len); + *(buf+len-1) = '@'; + len += addrtoa(sa.dst, 0, buf+len, sizeof(buf)-len); + } + + if (dst != NULL) { + if (len > dstlen) + *(buf+dstlen-1) = '\0'; + strcpy(dst, buf); + } + return len; +} diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index 8b1e7384f..4f65ac93f 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -271,7 +271,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -310,8 +316,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index 4fd5a7535..894bfb3bb 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c 
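Review bot: In satoa the passthrough and `%pass`-style branches set `len = strlen(buf)` (NUL excluded), while the generic branch's `len` comes from ultoa/addrtoa and, per the header's "space needed for full conversion" convention, includes the NUL; the final `if (len > dstlen)` therefore does not truncate when dstlen equals strlen(buf) on the short branches and `strcpy(dst, buf)` writes one byte past dst. Use `len = strlen(buf) + 1;` in both of those branches so the return value and the truncation check agree. The guard is also `if (dst != NULL)` although the parameter comment says dst "need not be valid if dstlen is 0"; with a non-NULL dst and dstlen 0 the truncation writes `buf[-1]`, so guard on `if (dstlen > 0)` as keyblobtoid does.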
@@ -78,8 +78,13 @@ METHOD(kernel_interface_t, get_cpi, status_t, METHOD(kernel_interface_t, add_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, +<<<<<<< HEAD + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, + mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, +======= u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, +>>>>>>> upstream/4.5.1 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) @@ -89,8 +94,13 @@ METHOD(kernel_interface_t, add_sa, status_t, return NOT_SUPPORTED; } return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, +<<<<<<< HEAD + mark, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, + cpi, encap, inbound, src_ts, dst_ts); +======= mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi, encap, inbound, src_ts, dst_ts); +>>>>>>> upstream/4.5.1 } METHOD(kernel_interface_t, update_sa, status_t, diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index ec73fa1f7..200628f8c 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -91,7 +91,10 @@ struct kernel_interface_t { * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA * @param mark optional mark for this SA +<<<<<<< HEAD +======= * @param tfc Traffic Flow Confidentiality padding for this SA +>>>>>>> upstream/4.5.1 * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption 
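Review bot: Both kernel_interface.c hunks keep unresolved conflict markers around the add_sa signature and the `this->ipsec->add_sa(...)` call, and the two sides differ by the `u_int32_t tfc` argument. Whichever side is kept must match kernel_interface.h, kernel_ipsec.h and every backend's add_sa (netlink, klips, pfkey) exactly: these are invoked through function pointers, so a mismatched parameter list still compiles per file but shifts every argument after `mark` at runtime. Resolving consistently to the upstream/4.5.1 side is the safe choice; the compiler will not catch a mix of sides across files.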
@@ -109,7 +112,11 @@ struct kernel_interface_t { status_t (*add_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, +<<<<<<< HEAD + lifetime_cfg_t *lifetime, +======= u_int32_t tfc, lifetime_cfg_t *lifetime, +>>>>>>> upstream/4.5.1 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index 3e2d8b9ce..7145dda8e 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -204,7 +204,10 @@ struct kernel_ipsec_t { * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA * @param mark mark for this SA +<<<<<<< HEAD +======= * @param tfc Traffic Flow Confidentiality padding for this SA +>>>>>>> upstream/4.5.1 * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption @@ -222,7 +225,11 @@ struct kernel_ipsec_t { status_t (*add_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, +<<<<<<< HEAD + mark_t mark, lifetime_cfg_t *lifetime, +======= mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, +>>>>>>> upstream/4.5.1 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index 2da06a89c..45ecb9924 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in 
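Review bot: The new `@param tfc` line in kernel_ipsec.h says only "Traffic Flow Confidentiality padding for this SA" with no units and no disabling value; from the netlink backend later in this diff it is copied into a `u_int32_t` XFRM attribute, which suggests a byte count with 0 meaning off, but that should be stated here rather than inferred. Suggest `@param tfc Traffic Flow Confidentiality padding for this SA (presumably pad-to length in bytes, 0 disables; confirm against backend)` and the same wording in kernel_interface.h. The conflict markers around these lines also have to be removed for the headers to compile.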
@@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c index 0f66b680a..1edb92c1f 100644 --- a/src/libhydra/plugins/attr/attr_plugin.c +++ b/src/libhydra/plugins/attr/attr_plugin.c @@ -36,8 +36,15 @@ struct private_attr_plugin_t { attr_provider_t *provider; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_attr_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_attr_plugin_t *this) +>>>>>>> upstream/4.5.1 { hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider); this->provider->destroy(this->provider); @@ -49,6 +56,13 @@ METHOD(plugin_t, destroy, void, */ plugin_t *attr_plugin_create() { +<<<<<<< HEAD + private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + this->provider = attr_provider_create(); +======= private_attr_plugin_t *this; INIT(this, @@ -59,6 +73,7 @@ plugin_t *attr_plugin_create() }, .provider = attr_provider_create(), ); +>>>>>>> upstream/4.5.1 hydra->attributes->add_provider(hydra->attributes, &this->provider->provider); return &this->public.plugin; diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index 26e7a3038..729738d60 100644 
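Review bot: If the HEAD side of the conflict in attr_plugin_create is kept, `malloc_thing(private_attr_plugin_t)` does not zero the allocation and only `public.plugin.destroy` is assigned, so any other plugin_t member the 4.5.1 plugin loader reads is left uninitialised; the upstream `INIT(this, ...)` form is designator-initialised and should be preferred. The `(void(*)(plugin_t*))destroy` cast also hides any signature drift that the `METHOD()` macro on the other side would surface. Either way the `<<<<<<< HEAD` / `>>>>>>> upstream/4.5.1` markers cannot remain in a C source file.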
--- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -232,7 +232,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -271,8 +277,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c index ca9de023e..e47f9f03a 100644 --- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c +++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c @@ -43,8 +43,15 @@ struct private_attr_sql_plugin_t { }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_attr_sql_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_attr_sql_plugin_t *this) +>>>>>>> upstream/4.5.1 { hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider); this->attribute->destroy(this->attribute); 
@@ -57,17 +64,31 @@ METHOD(plugin_t, destroy, void, */ plugin_t *attr_sql_plugin_create() { +<<<<<<< HEAD + char *uri; + private_attr_sql_plugin_t *this; + + uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL); +======= private_attr_sql_plugin_t *this; char *uri; uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL); +>>>>>>> upstream/4.5.1 if (!uri) { DBG1(DBG_CFG, "attr-sql plugin: database URI not set"); return NULL; } +<<<<<<< HEAD + this = malloc_thing(private_attr_sql_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + this->db = lib->db->create(lib->db, uri); +======= INIT(this, .public = { .plugin = { @@ -77,6 +98,7 @@ plugin_t *attr_sql_plugin_create() .db = lib->db->create(lib->db, uri), ); +>>>>>>> upstream/4.5.1 if (!this->db) { DBG1(DBG_CFG, "attr-sql plugin failed to connect to database"); diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in index 7d2464456..e4de26b60 100644 --- a/src/libhydra/plugins/kernel_klips/Makefile.in +++ b/src/libhydra/plugins/kernel_klips/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c index cf9a3e1fd..f98dfcec5 100644 
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1668,7 +1668,11 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, +<<<<<<< HEAD + u_int8_t protocol, u_int32_t reqid, mark_t mark, +======= u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, +>>>>>>> upstream/4.5.1 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c index 3c312ca2b..cbfc59a10 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c @@ -32,8 +32,15 @@ struct private_kernel_klips_plugin_t { kernel_klips_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_kernel_klips_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_kernel_klips_plugin_t *this) +>>>>>>> upstream/4.5.1 { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); @@ -45,6 +52,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *kernel_klips_plugin_create() { +<<<<<<< HEAD + private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + +======= private_kernel_klips_plugin_t *this; INIT(this, @@ -54,6 +67,7 @@ plugin_t *kernel_klips_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); 
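Review bot: The KLIPS add_sa hunk accepts the new `u_int32_t tfc` argument on the upstream side, but nothing visible in the signature or this hunk consumes it and the function body runs past the hunk; if the KLIPS backend cannot apply TFC padding, a non-zero request is silently dropped while the peer configuration assumes it is in effect. Add a guard near the top of the function such as `if (tfc) { DBG1(DBG_KNL, "TFC padding not supported by KLIPS backend, ignoring"); }` so the operator can see it, or return NOT_SUPPORTED if that is the project convention. The conflict markers in the signature must be resolved in the same direction as kernel_ipsec.h.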
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index c7404fe06..d293347cf 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -224,7 +224,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,8 +269,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 4dc80785c..bd3f4a122 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -58,8 +58,13 @@ #endif /*IPV6_XFRM_POLICY*/ /** default priority of installed policies */ +<<<<<<< HEAD +#define PRIO_LOW 3000 +#define PRIO_HIGH 2000 +======= #define PRIO_LOW 1024 #define PRIO_HIGH 512 +>>>>>>> upstream/4.5.1 /** * map the limit for bytes and packets to XFRM_INF per default 
@@ -866,7 +871,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, +<<<<<<< HEAD + lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, +======= u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, +>>>>>>> upstream/4.5.1 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts, traffic_selector_t* dst_ts) @@ -882,7 +891,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (ipcomp != IPCOMP_NONE && cpi != 0) { lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; +<<<<<<< HEAD + add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, +======= add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, +>>>>>>> upstream/4.5.1 &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, FALSE, inbound, NULL, NULL); ipcomp = IPCOMP_NONE; @@ -920,7 +933,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, sa->flags |= XFRM_STATE_AF_UNSPEC; break; case MODE_BEET: +<<<<<<< HEAD +======= case MODE_TRANSPORT: +>>>>>>> upstream/4.5.1 if(src_ts && dst_ts) { sa->sel = ts2selector(src_ts, dst_ts); @@ -1154,6 +1170,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr = XFRM_RTA_NEXT(rthdr); } +<<<<<<< HEAD +======= if (tfc) { u_int32_t *tfcpad; @@ -1172,6 +1190,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr = XFRM_RTA_NEXT(rthdr); } +>>>>>>> upstream/4.5.1 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { if (mark.value) 
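Review bot: The IPComp branch in add_sa forwards `tfc` into the recursive call for the IPPROTO_COMP state (`add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, ...)`), and the later `if (tfc)` block that appends the padding attribute shows no protocol check within the hunk (its body is partly outside the hunk). Unless the hidden lines filter on protocol, the TFC padding attribute is attached to the IPComp state as well as the ESP one; passing `0` in the IPComp call, or guarding with `if (tfc && protocol == IPPROTO_ESP)`, keeps padding on the ESP state only. The `case MODE_TRANSPORT:` fall-through added by upstream also sits inside conflict markers that must be resolved before the file compiles.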
@@ -1706,6 +1725,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); policy_info->sel = policy->sel; policy_info->dir = policy->direction; +<<<<<<< HEAD + /* calculate priority based on source selector size, small size = high prio */ + policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH; + policy_info->priority -= policy->sel.prefixlen_s * 10; + policy_info->priority -= policy->sel.proto ? 2 : 0; + policy_info->priority -= policy->sel.sport_mask ? 1 : 0; +======= /* calculate priority based on selector size, small size = high prio */ policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH; @@ -1716,6 +1742,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy->sel.dport_mask ? 0 : 2; policy_info->priority += policy->sel.proto ? 0 : 1; +>>>>>>> upstream/4.5.1 policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW : XFRM_POLICY_BLOCK; policy_info->share = XFRM_SHARE_ANY; @@ -1837,8 +1864,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t, if (route->if_name) { +<<<<<<< HEAD +======= DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", src_ts, route->gateway, route->src_ip, route->if_name); +>>>>>>> upstream/4.5.1 switch (hydra->kernel_interface->add_route( hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c index 9fc1a03f5..b75a2be80 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c 
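Review bot: The two priority formulas in add_policy are not equivalent and the choice matters for which policy the kernel matches first: the HEAD side derives the priority from the source selector only (`prefixlen_s`, `sel.proto`, `sport_mask`), while the 4.5.1 side also folds in the destination side (`dport_mask` is visible in the second hunk), so under the HEAD formula two policies that differ only in their destination selector would compete with an identical priority. Whichever side is kept must be the same side kept for the `PRIO_*` defines (L738) and for the PF_KEY backend's copy of the formula (L742), otherwise the two backends rank policies differently. The upstream-only `DBG2(DBG_KNL, "installing route: …")` line in the last hunk is harmless to keep. add_policy's body starts and continues outside these hunks.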
@@ -33,8 +33,15 @@ struct private_kernel_netlink_plugin_t { kernel_netlink_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_kernel_netlink_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_kernel_netlink_plugin_t *this) +>>>>>>> upstream/4.5.1 { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); @@ -48,6 +55,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *kernel_netlink_plugin_create() { +<<<<<<< HEAD + private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + +======= private_kernel_netlink_plugin_t *this; INIT(this, @@ -57,6 +70,7 @@ plugin_t *kernel_netlink_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); hydra->kernel_interface->add_net_interface(hydra->kernel_interface, diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index 40363f319..3f2976959 100644 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
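Review bot: The HEAD side of kernel_netlink_plugin_create allocates with `malloc_thing` and assigns only `public.plugin.destroy`, whereas the 4.5.1 side uses `INIT(this, ...)` with a nested initializer for `.plugin` (the closing `},` `},` `);` lines), which suggests plugin_t gained members in 4.5.1; keeping the HEAD constructor against the 4.5.1 plugin_t would leave those function pointers uninitialized, because `malloc_thing`, unlike an INIT initializer, does not clear the allocation — confirm against plugin.h. The cast `(void(*)(plugin_t*))destroy` on the HEAD side also only type-checks if the HEAD-side `static void destroy(...)` prototype is kept with it, so each file must take one side wholesale. The same static-function-plus-cast versus `METHOD(...)` conflict appears in kernel_pfkey_plugin.c (L743), kernel_pfroute_plugin.c (L744), resolve_plugin.c (L745) and asn1_parser.c (L757, L758) and should be resolved the same way.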
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 681811528..69d0da6e5 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -99,8 +99,13 @@ #endif /** default priority of installed policies */ +<<<<<<< HEAD +#define PRIO_LOW 3000 +#define PRIO_HIGH 2000 +======= #define PRIO_LOW 1024 #define PRIO_HIGH 512 +>>>>>>> upstream/4.5.1 #ifdef __APPLE__ /** from xnu/bsd/net/pfkeyv2.h */ @@ -1206,7 +1211,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, +<<<<<<< HEAD + u_int8_t protocol, u_int32_t reqid, mark_t mark, +======= u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, +>>>>>>> upstream/4.5.1 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, @@ -1651,6 +1660,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t, pol->sadb_x_policy_dir = dir2kernel(direction); pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY +<<<<<<< HEAD + /* calculate priority based on source selector size, small size = high prio */ + pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; + pol->sadb_x_policy_priority -= policy->src.mask * 10; + pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0; + pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0; +======= /* calculate priority based on selector size, small size = high prio */ pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; pol->sadb_x_policy_priority -= policy->src.mask; 
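Review bot: `u_int32_t tfc` is added to the PF_KEY add_sa signature on the upstream side, but nothing in the visible hunk consumes it; if PF_KEY has no way to express TFC padding, a one-line comment at the parameter such as `/* tfc: TFC padding cannot be requested via PF_KEY and is ignored by this backend */` would stop readers from assuming padding is applied here — confirm against the rest of add_sa, which continues outside the hunk.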
@@ -1659,6 +1675,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) || policy->dst.net->get_port(policy->dst.net) ? 0 : 2; pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1; +>>>>>>> upstream/4.5.1 #endif /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c index 9e7a7904d..e2ed954fb 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c @@ -32,8 +32,15 @@ struct private_kernel_pfkey_plugin_t { kernel_pfkey_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_kernel_pfkey_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_kernel_pfkey_plugin_t *this) +>>>>>>> upstream/4.5.1 { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); @@ -45,6 +52,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *kernel_pfkey_plugin_create() { +<<<<<<< HEAD + private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + +======= private_kernel_pfkey_plugin_t *this; INIT(this, @@ -54,6 +67,7 @@ plugin_t *kernel_pfkey_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index 4db374b75..24f8ffc4e 100644 --- a/src/libhydra/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in 
@@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c index a4cb53edd..bae3a2ac6 100644 --- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -32,8 +32,15 @@ struct private_kernel_pfroute_plugin_t { kernel_pfroute_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_kernel_pfroute_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_kernel_pfroute_plugin_t *this) +>>>>>>> upstream/4.5.1 { hydra->kernel_interface->remove_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); @@ -45,6 +52,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *kernel_pfroute_plugin_create() { +<<<<<<< HEAD + private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + +======= private_kernel_pfroute_plugin_t *this; INIT(this, @@ -54,6 +67,7 @@ plugin_t *kernel_pfroute_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 hydra->kernel_interface->add_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); 
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in index e6c5fb712..646d1dba9 100644 --- a/src/libhydra/plugins/resolve/Makefile.in +++ b/src/libhydra/plugins/resolve/Makefile.in @@ -222,7 +222,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,8 +267,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c index ad18c7060..c60521cd1 100644 --- a/src/libhydra/plugins/resolve/resolve_plugin.c +++ b/src/libhydra/plugins/resolve/resolve_plugin.c @@ -36,8 +36,15 @@ struct private_resolve_plugin_t { resolve_handler_t *handler; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_resolve_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_resolve_plugin_t *this) +>>>>>>> upstream/4.5.1 { hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); this->handler->destroy(this->handler); @@ -49,6 +56,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *resolve_plugin_create() { +<<<<<<< HEAD + private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + this->handler = resolve_handler_create(); +======= private_resolve_plugin_t *this; INIT(this, 
@@ -59,6 +72,7 @@ plugin_t *resolve_plugin_create() }, .handler = resolve_handler_create(), ); +>>>>>>> upstream/4.5.1 hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); return &this->public.plugin; diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index ef7a6ee38..3191ade0f 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -192,7 +192,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -231,8 +237,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 6a29d8eea..894d3ae65 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -30,7 +30,12 @@ credentials/keys/private_key.c credentials/keys/private_key.h \ credentials/keys/public_key.c credentials/keys/public_key.h \ credentials/keys/shared_key.c credentials/keys/shared_key.h \ credentials/certificates/certificate.c credentials/certificates/certificate.h \ +<<<<<<< HEAD +credentials/certificates/x509.h credentials/certificates/x509.c \ +credentials/certificates/ac.h \ +======= credentials/certificates/x509.h credentials/certificates/ac.h \ +>>>>>>> upstream/4.5.1 credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ 
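Review bot: The Makefile.am conflict decides whether `credentials/certificates/x509.c` is still compiled into libstrongswan: the HEAD side lists it, the 4.5.1 side lists only `x509.h`, and the generated Makefile.in hunks on L751–L755 show the same split (`x509.lo`, the `x509.Plo` dependency include and the `x509.lo:` rule exist only on the HEAD side). If the 4.5.1 tree no longer ships that source file, taking the HEAD side breaks the build; if it does, taking the upstream side silently drops the object — check which is present before resolving, and regenerate Makefile.in from the resolved Makefile.am rather than hand-merging the generated copy.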
@@ -135,6 +140,8 @@ else SUBDIRS = . endif +<<<<<<< HEAD +======= if USE_AF_ALG SUBDIRS += plugins/af_alg if MONOLITHIC @@ -142,6 +149,7 @@ if MONOLITHIC endif endif +>>>>>>> upstream/4.5.1 if USE_AES SUBDIRS += plugins/aes if MONOLITHIC @@ -233,6 +241,8 @@ if MONOLITHIC endif endif +<<<<<<< HEAD +======= if USE_CONSTRAINTS SUBDIRS += plugins/constraints if MONOLITHIC @@ -240,6 +250,7 @@ if MONOLITHIC endif endif +>>>>>>> upstream/4.5.1 if USE_PUBKEY SUBDIRS += plugins/pubkey if MONOLITHIC @@ -282,6 +293,8 @@ if MONOLITHIC endif endif +<<<<<<< HEAD +======= if USE_SOUP SUBDIRS += plugins/soup if MONOLITHIC @@ -289,6 +302,7 @@ if MONOLITHIC endif endif +>>>>>>> upstream/4.5.1 if USE_LDAP SUBDIRS += plugins/ldap if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 76b4f70c6..af1e5bf3d 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in 
@@ -44,6 +44,72 @@ host_triplet = @host@ @USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h @USE_VSTR_TRUE@am__append_6 = -lvstr +<<<<<<< HEAD +@USE_AES_TRUE@am__append_7 = plugins/aes +@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_8 = plugins/aes/libstrongswan-aes.la +@USE_DES_TRUE@am__append_9 = plugins/des +@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_10 = plugins/des/libstrongswan-des.la +@USE_BLOWFISH_TRUE@am__append_11 = plugins/blowfish +@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_12 = plugins/blowfish/libstrongswan-blowfish.la +@USE_MD4_TRUE@am__append_13 = plugins/md4 +@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_14 = plugins/md4/libstrongswan-md4.la +@USE_MD5_TRUE@am__append_15 = plugins/md5 +@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_16 = plugins/md5/libstrongswan-md5.la +@USE_SHA1_TRUE@am__append_17 = plugins/sha1 +@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_18 = plugins/sha1/libstrongswan-sha1.la +@USE_SHA2_TRUE@am__append_19 = plugins/sha2 +@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_20 = plugins/sha2/libstrongswan-sha2.la +@USE_GMP_TRUE@am__append_21 = plugins/gmp +@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_22 = plugins/gmp/libstrongswan-gmp.la +@USE_RANDOM_TRUE@am__append_23 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_24 = plugins/random/libstrongswan-random.la +@USE_HMAC_TRUE@am__append_25 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_26 = plugins/hmac/libstrongswan-hmac.la +@USE_XCBC_TRUE@am__append_27 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_29 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_31 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_32 = plugins/revocation/libstrongswan-revocation.la +@USE_PUBKEY_TRUE@am__append_33 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_34 = 
plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_35 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_36 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PGP_TRUE@am__append_37 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_38 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_39 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_40 = plugins/dnskey/libstrongswan-dnskey.la +@USE_PEM_TRUE@am__append_41 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_42 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_43 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_44 = plugins/curl/libstrongswan-curl.la +@USE_LDAP_TRUE@am__append_45 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_46 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_47 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_48 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_49 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_50 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_51 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_52 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_53 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_54 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_55 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_56 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_57 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_59 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la +@USE_PKCS11_TRUE@am__append_61 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_62 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CTR_TRUE@am__append_63 = plugins/ctr 
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_64 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_65 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_66 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_67 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_68 = plugins/gcm/libstrongswan-gcm.la +@USE_TEST_VECTORS_TRUE@am__append_69 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_70 = plugins/test_vectors/libstrongswan-test-vectors.la +======= @USE_AF_ALG_TRUE@am__append_7 = plugins/af_alg @MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg/libstrongswan-af-alg.la @USE_AES_TRUE@am__append_9 = plugins/aes @@ -114,6 +180,7 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_74 = plugins/gcm/libstrongswan-gcm.la @USE_TEST_VECTORS_TRUE@am__append_75 = plugins/test_vectors @MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_76 = plugins/test_vectors/libstrongswan-test-vectors.la +>>>>>>> upstream/4.5.1 subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -168,8 +235,12 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ $(am__append_60) $(am__append_62) $(am__append_64) \ +<<<<<<< HEAD + $(am__append_66) $(am__append_68) $(am__append_70) +======= $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) +>>>>>>> upstream/4.5.1 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \ 
@@ -194,7 +265,12 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ credentials/keys/shared_key.h \ credentials/certificates/certificate.c \ credentials/certificates/certificate.h \ +<<<<<<< HEAD + credentials/certificates/x509.h \ + credentials/certificates/x509.c credentials/certificates/ac.h \ +======= credentials/certificates/x509.h credentials/certificates/ac.h \ +>>>>>>> upstream/4.5.1 credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ @@ -244,7 +320,11 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ crypto_tester.lo diffie_hellman.lo aead.lo transform.lo \ credential_factory.lo builder.lo cred_encoding.lo \ private_key.lo public_key.lo shared_key.lo certificate.lo \ +<<<<<<< HEAD + x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \ +======= crl.lo ocsp_response.lo ietf_attributes.lo \ +>>>>>>> upstream/4.5.1 credential_manager.lo auth_cfg_wrapper.lo \ ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \ callback_cred.lo auth_cfg.lo database_factory.lo \ @@ -284,6 +364,16 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags +<<<<<<< HEAD +DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ + plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \ + plugins/random plugins/hmac plugins/xcbc plugins/x509 \ + plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \ + plugins/dnskey plugins/pem plugins/curl plugins/ldap \ + plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ + plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \ + plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors +======= DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \ plugins/sha2 plugins/gmp plugins/random plugins/hmac \ 
@@ -294,6 +384,7 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \ plugins/pkcs11 plugins/ctr plugins/ccm plugins/gcm \ plugins/test_vectors +>>>>>>> upstream/4.5.1 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -439,7 +530,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -478,8 +575,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -515,7 +615,12 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ credentials/keys/shared_key.h \ credentials/certificates/certificate.c \ credentials/certificates/certificate.h \ +<<<<<<< HEAD + credentials/certificates/x509.h \ + credentials/certificates/x509.c credentials/certificates/ac.h \ +======= credentials/certificates/x509.h credentials/certificates/ac.h \ +>>>>>>> upstream/4.5.1 credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ 
@@ -566,8 +671,12 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ $(am__append_60) $(am__append_62) $(am__append_64) \ +<<<<<<< HEAD + $(am__append_66) $(am__append_68) $(am__append_70) +======= $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) +>>>>>>> upstream/4.5.1 INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \ @@ -600,9 +709,13 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ +<<<<<<< HEAD +@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) +======= @MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \ @MONOLITHIC_FALSE@ $(am__append_75) +>>>>>>> upstream/4.5.1 # build plugins with their own Makefile ####################################### @@ -621,9 +734,13 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ +<<<<<<< HEAD +@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) +======= @MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \ @MONOLITHIC_TRUE@ $(am__append_75) +>>>>>>> upstream/4.5.1 all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive 
@@ -761,6 +878,10 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@ +<<<<<<< HEAD +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@ +======= +>>>>>>> upstream/4.5.1 .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -944,6 +1065,16 @@ certificate.lo: credentials/certificates/certificate.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c +<<<<<<< HEAD +x509.lo: credentials/certificates/x509.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/certificates/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c + +======= +>>>>>>> upstream/4.5.1 crl.lo: credentials/certificates/crl.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index f80c2b93b..7f198f9aa 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -126,6 +126,8 @@ chunk_t asn1_build_known_oid(int n) /* * Defined in header. */ +<<<<<<< HEAD +======= chunk_t asn1_oid_from_string(char *str) { enumerator_t *enumerator; @@ -220,6 +222,7 @@ char *asn1_oid_to_string(chunk_t oid) /* * Defined in header. */ +>>>>>>> upstream/4.5.1 size_t asn1_length(chunk_t *blob) { u_char n; diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 05a060827..70411c999 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -115,6 +115,8 @@ int asn1_known_oid(chunk_t object); chunk_t asn1_build_known_oid(int n); /** +<<<<<<< HEAD +======= * Convert human readable OID to ASN.1 DER encoding, without OID header. * * @param str OID string (e.g. 1.2.345.67.8) @@ -131,6 +133,7 @@ chunk_t asn1_oid_from_string(char *str); char* asn1_oid_to_string(chunk_t oid); /** +>>>>>>> upstream/4.5.1 * Returns the length of an ASN.1 object * The blob pointer is advanced past the tag length fields * diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c index 2a7a38a52..fe02690d9 100644 --- a/src/libstrongswan/asn1/asn1_parser.c +++ b/src/libstrongswan/asn1/asn1_parser.c @@ -78,8 +78,15 @@ struct private_asn1_parser_t { chunk_t blobs[ASN1_MAX_LEVEL + 2]; }; +<<<<<<< HEAD +/** + * Implementation of asn1_parser_t.iterate + */ +static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object) +======= METHOD(asn1_parser_t, iterate, bool, private_asn1_parser_t *this, int *objectID, chunk_t *object) +>>>>>>> upstream/4.5.1 { chunk_t *blob, *blob1; u_char *start_ptr; 
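Review bot: The new declaration `chunk_t asn1_oid_from_string(char *str);` in asn1.h takes a non-const pointer for an input that, judging by the doc comment (`@param str OID string (e.g. 1.2.345.67.8)`), is only read; `chunk_t asn1_oid_from_string(const char *str);` would let callers pass string literals without a cast and document that the input is not modified — the body is outside the hunk, so confirm it does not write to `str`. Both asn1.c and asn1.h have their `>>>>>>>` marker in a separate hunk from the `<<<<<<<`/`=======` pair, so the resolution has to be done on the whole file, not hunk by hunk.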
@@ -232,33 +239,68 @@ end: return this->success; } +<<<<<<< HEAD +/** + * Implementation of asn1_parser_t.get_level + */ +static u_int get_level(private_asn1_parser_t *this) +======= METHOD(asn1_parser_t, get_level, u_int, private_asn1_parser_t *this) +>>>>>>> upstream/4.5.1 { return this->level0 + this->objects[this->line].level; } +<<<<<<< HEAD +/** + * Implementation of asn1_parser_t.set_top_level + */ +static void set_top_level(private_asn1_parser_t *this, u_int level0) +======= METHOD(asn1_parser_t, set_top_level, void, private_asn1_parser_t *this, u_int level0) +>>>>>>> upstream/4.5.1 { this->level0 = level0; } +<<<<<<< HEAD +/** + * Implementation of asn1_parser_t.set_flags + */ +static void set_flags(private_asn1_parser_t *this, bool implicit, bool private) +======= METHOD(asn1_parser_t, set_flags, void, private_asn1_parser_t *this, bool implicit, bool private) +>>>>>>> upstream/4.5.1 { this->implicit = implicit; this->private = private; } +<<<<<<< HEAD +/** + * Implementation of asn1_parser_t.success + */ +static bool success(private_asn1_parser_t *this) +======= METHOD(asn1_parser_t, success, bool, private_asn1_parser_t *this) +>>>>>>> upstream/4.5.1 { return this->success; } +<<<<<<< HEAD +/** + * Implementation of asn1_parser_t.destroy + */ +static void destroy(private_asn1_parser_t *this) +======= METHOD(asn1_parser_t, destroy, void, private_asn1_parser_t *this) +>>>>>>> upstream/4.5.1 { free(this); } 
@@ -268,6 +310,22 @@ METHOD(asn1_parser_t, destroy, void, */ asn1_parser_t* asn1_parser_create(asn1Object_t const *objects, chunk_t blob) { +<<<<<<< HEAD + private_asn1_parser_t *this = malloc_thing(private_asn1_parser_t); + + memset(this, '\0', sizeof(private_asn1_parser_t)); + this->objects = objects; + this->blobs[0] = blob; + this->line = -1; + this->success = TRUE; + + this->public.iterate = (bool (*)(asn1_parser_t*, int*, chunk_t*))iterate; + this->public.get_level = (u_int (*)(asn1_parser_t*))get_level; + this->public.set_top_level = (void (*)(asn1_parser_t*, u_int))set_top_level; + this->public.set_flags = (void (*)(asn1_parser_t*, bool, bool))set_flags; + this->public.success = (bool (*)(asn1_parser_t*))success; + this->public.destroy = (void (*)(asn1_parser_t*))destroy; +======= private_asn1_parser_t *this; INIT(this, @@ -284,6 +342,7 @@ asn1_parser_t* asn1_parser_create(asn1Object_t const *objects, chunk_t blob) .line = -1, .success = TRUE, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 57a00a39e..b823d6189 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c 
@@ -10,6 +10,364 @@ #include "oid.h" const oid_t oid_names[] = { +<<<<<<< HEAD + {0x02, 7, 1, 0, "ITU-T Administration" }, /* 0 */ + { 0x82, 0, 1, 1, "" }, /* 1 */ + { 0x06, 0, 1, 2, "Germany ITU-T member" }, /* 2 */ + { 0x01, 0, 1, 3, "Deutsche Telekom AG" }, /* 3 */ + { 0x0A, 0, 1, 4, "" }, /* 4 */ + { 0x07, 0, 1, 5, "" }, /* 5 */ + { 0x14, 0, 0, 6, "ND" }, /* 6 */ + {0x09, 18, 1, 0, "data" }, /* 7 */ + { 0x92, 0, 1, 1, "" }, /* 8 */ + { 0x26, 0, 1, 2, "" }, /* 9 */ + { 0x89, 0, 1, 3, "" }, /* 10 */ + { 0x93, 0, 1, 4, "" }, /* 11 */ + { 0xF2, 0, 1, 5, "" }, /* 12 */ + { 0x2C, 0, 1, 6, "" }, /* 13 */ + { 0x64, 0, 1, 7, "pilot" }, /* 14 */ + { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ + { 0x01, 17, 0, 9, "UID" }, /* 16 */ + { 0x19, 0, 0, 9, "DC" }, /* 17 */ + {0x55, 64, 1, 0, "X.500" }, /* 18 */ + { 0x04, 36, 1, 1, "X.509" }, /* 19 */ + { 0x03, 21, 0, 2, "CN" }, /* 20 */ + { 0x04, 22, 0, 2, "S" }, /* 21 */ + { 0x05, 23, 0, 2, "SN" }, /* 22 */ + { 0x06, 24, 0, 2, "C" }, /* 23 */ + { 0x07, 25, 0, 2, "L" }, /* 24 */ + { 0x08, 26, 0, 2, "ST" }, /* 25 */ + { 0x0A, 27, 0, 2, "O" }, /* 26 */ + { 0x0B, 28, 0, 2, "OU" }, /* 27 */ + { 0x0C, 29, 0, 2, "T" }, /* 28 */ + { 0x0D, 30, 0, 2, "D" }, /* 29 */ + { 0x24, 31, 0, 2, "userCertificate" }, /* 30 */ + { 0x29, 32, 0, 2, "N" }, /* 31 */ + { 0x2A, 33, 0, 2, "G" }, /* 32 */ + { 0x2B, 34, 0, 2, "I" }, /* 33 */ + { 0x2D, 35, 0, 2, "ID" }, /* 34 */ + { 0x48, 0, 0, 2, "role" }, /* 35 */ + { 0x1D, 0, 1, 1, "id-ce" }, /* 36 */ + { 0x09, 38, 0, 2, "subjectDirectoryAttrs" }, /* 37 */ + { 0x0E, 39, 0, 2, "subjectKeyIdentifier" }, /* 38 */ + { 0x0F, 40, 0, 2, "keyUsage" }, /* 39 */ + { 0x10, 41, 0, 2, "privateKeyUsagePeriod" }, /* 40 */ + { 0x11, 42, 0, 2, "subjectAltName" }, /* 41 */ + { 0x12, 43, 0, 2, "issuerAltName" }, /* 42 */ + { 0x13, 44, 0, 2, "basicConstraints" }, /* 43 */ + { 0x14, 45, 0, 2, "crlNumber" }, /* 44 */ + { 0x15, 46, 0, 2, "reasonCode" }, /* 45 */ + { 0x17, 47, 0, 2, "holdInstructionCode" }, /* 46 */ + { 0x18, 
48, 0, 2, "invalidityDate" }, /* 47 */ + { 0x1B, 49, 0, 2, "deltaCrlIndicator" }, /* 48 */ + { 0x1C, 50, 0, 2, "issuingDistributionPoint" }, /* 49 */ + { 0x1D, 51, 0, 2, "certificateIssuer" }, /* 50 */ + { 0x1E, 52, 0, 2, "nameConstraints" }, /* 51 */ + { 0x1F, 53, 0, 2, "crlDistributionPoints" }, /* 52 */ + { 0x20, 55, 1, 2, "certificatePolicies" }, /* 53 */ + { 0x00, 0, 0, 3, "anyPolicy" }, /* 54 */ + { 0x21, 56, 0, 2, "policyMappings" }, /* 55 */ + { 0x23, 57, 0, 2, "authorityKeyIdentifier" }, /* 56 */ + { 0x24, 58, 0, 2, "policyConstraints" }, /* 57 */ + { 0x25, 60, 1, 2, "extendedKeyUsage" }, /* 58 */ + { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 59 */ + { 0x2E, 61, 0, 2, "freshestCRL" }, /* 60 */ + { 0x36, 62, 0, 2, "inhibitAnyPolicy" }, /* 61 */ + { 0x37, 63, 0, 2, "targetInformation" }, /* 62 */ + { 0x38, 0, 0, 2, "noRevAvail" }, /* 63 */ + {0x2A, 161, 1, 0, "" }, /* 64 */ + { 0x83, 77, 1, 1, "" }, /* 65 */ + { 0x08, 0, 1, 2, "jp" }, /* 66 */ + { 0x8C, 0, 1, 3, "" }, /* 67 */ + { 0x9A, 0, 1, 4, "" }, /* 68 */ + { 0x4B, 0, 1, 5, "" }, /* 69 */ + { 0x3D, 0, 1, 6, "" }, /* 70 */ + { 0x01, 0, 1, 7, "security" }, /* 71 */ + { 0x01, 0, 1, 8, "algorithm" }, /* 72 */ + { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 73 */ + { 0x02, 75, 0, 10, "camellia128-cbc" }, /* 74 */ + { 0x03, 76, 0, 10, "camellia192-cbc" }, /* 75 */ + { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 76 */ + { 0x86, 0, 1, 1, "" }, /* 77 */ + { 0x48, 0, 1, 2, "us" }, /* 78 */ + { 0x86, 120, 1, 3, "" }, /* 79 */ + { 0xF6, 85, 1, 4, "" }, /* 80 */ + { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 81 */ + { 0x07, 0, 1, 6, "Entrust" }, /* 82 */ + { 0x41, 0, 1, 7, "nsn-ce" }, /* 83 */ + { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 84 */ + { 0xF7, 0, 1, 4, "" }, /* 85 */ + { 0x0D, 0, 1, 5, "RSADSI" }, /* 86 */ + { 0x01, 115, 1, 6, "PKCS" }, /* 87 */ + { 0x01, 97, 1, 7, "PKCS-1" }, /* 88 */ + { 0x01, 90, 0, 8, "rsaEncryption" }, /* 89 */ + { 0x02, 91, 0, 8, "md2WithRSAEncryption" }, /* 90 */ + { 0x04, 92, 0, 8, 
"md5WithRSAEncryption" }, /* 91 */ + { 0x05, 93, 0, 8, "sha-1WithRSAEncryption" }, /* 92 */ + { 0x0B, 94, 0, 8, "sha256WithRSAEncryption" }, /* 93 */ + { 0x0C, 95, 0, 8, "sha384WithRSAEncryption" }, /* 94 */ + { 0x0D, 96, 0, 8, "sha512WithRSAEncryption" }, /* 95 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 96 */ + { 0x07, 104, 1, 7, "PKCS-7" }, /* 97 */ + { 0x01, 99, 0, 8, "data" }, /* 98 */ + { 0x02, 100, 0, 8, "signedData" }, /* 99 */ + { 0x03, 101, 0, 8, "envelopedData" }, /* 100 */ + { 0x04, 102, 0, 8, "signedAndEnvelopedData" }, /* 101 */ + { 0x05, 103, 0, 8, "digestedData" }, /* 102 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 103 */ + { 0x09, 0, 1, 7, "PKCS-9" }, /* 104 */ + { 0x01, 106, 0, 8, "E" }, /* 105 */ + { 0x02, 107, 0, 8, "unstructuredName" }, /* 106 */ + { 0x03, 108, 0, 8, "contentType" }, /* 107 */ + { 0x04, 109, 0, 8, "messageDigest" }, /* 108 */ + { 0x05, 110, 0, 8, "signingTime" }, /* 109 */ + { 0x06, 111, 0, 8, "counterSignature" }, /* 110 */ + { 0x07, 112, 0, 8, "challengePassword" }, /* 111 */ + { 0x08, 113, 0, 8, "unstructuredAddress" }, /* 112 */ + { 0x0E, 114, 0, 8, "extensionRequest" }, /* 113 */ + { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 114 */ + { 0x02, 118, 1, 6, "digestAlgorithm" }, /* 115 */ + { 0x02, 117, 0, 7, "md2" }, /* 116 */ + { 0x05, 0, 0, 7, "md5" }, /* 117 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 118 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 119 */ + { 0xCE, 0, 1, 3, "" }, /* 120 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 121 */ + { 0x02, 124, 1, 5, "id-publicKeyType" }, /* 122 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 123 */ + { 0x03, 154, 1, 5, "ellipticCurve" }, /* 124 */ + { 0x00, 146, 1, 6, "c-TwoCurve" }, /* 125 */ + { 0x01, 127, 0, 7, "c2pnb163v1" }, /* 126 */ + { 0x02, 128, 0, 7, "c2pnb163v2" }, /* 127 */ + { 0x03, 129, 0, 7, "c2pnb163v3" }, /* 128 */ + { 0x04, 130, 0, 7, "c2pnb176w1" }, /* 129 */ + { 0x05, 131, 0, 7, "c2tnb191v1" }, /* 130 */ + { 0x06, 132, 0, 7, "c2tnb191v2" }, /* 131 */ + { 
0x07, 133, 0, 7, "c2tnb191v3" }, /* 132 */ + { 0x08, 134, 0, 7, "c2onb191v4" }, /* 133 */ + { 0x09, 135, 0, 7, "c2onb191v5" }, /* 134 */ + { 0x0A, 136, 0, 7, "c2pnb208w1" }, /* 135 */ + { 0x0B, 137, 0, 7, "c2tnb239v1" }, /* 136 */ + { 0x0C, 138, 0, 7, "c2tnb239v2" }, /* 137 */ + { 0x0D, 139, 0, 7, "c2tnb239v3" }, /* 138 */ + { 0x0E, 140, 0, 7, "c2onb239v4" }, /* 139 */ + { 0x0F, 141, 0, 7, "c2onb239v5" }, /* 140 */ + { 0x10, 142, 0, 7, "c2pnb272w1" }, /* 141 */ + { 0x11, 143, 0, 7, "c2pnb304w1" }, /* 142 */ + { 0x12, 144, 0, 7, "c2tnb359v1" }, /* 143 */ + { 0x13, 145, 0, 7, "c2pnb368w1" }, /* 144 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 145 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 146 */ + { 0x01, 148, 0, 7, "prime192v1" }, /* 147 */ + { 0x02, 149, 0, 7, "prime192v2" }, /* 148 */ + { 0x03, 150, 0, 7, "prime192v3" }, /* 149 */ + { 0x04, 151, 0, 7, "prime239v1" }, /* 150 */ + { 0x05, 152, 0, 7, "prime239v2" }, /* 151 */ + { 0x06, 153, 0, 7, "prime239v3" }, /* 152 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 153 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 154 */ + { 0x01, 156, 0, 6, "ecdsa-with-SHA1" }, /* 155 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 156 */ + { 0x01, 158, 0, 7, "ecdsa-with-SHA224" }, /* 157 */ + { 0x02, 159, 0, 7, "ecdsa-with-SHA256" }, /* 158 */ + { 0x03, 160, 0, 7, "ecdsa-with-SHA384" }, /* 159 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 160 */ + {0x2B, 309, 1, 0, "" }, /* 161 */ + { 0x06, 223, 1, 1, "dod" }, /* 162 */ + { 0x01, 0, 1, 2, "internet" }, /* 163 */ + { 0x04, 183, 1, 3, "private" }, /* 164 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 165 */ + { 0x82, 176, 1, 5, "" }, /* 166 */ + { 0x37, 0, 1, 6, "Microsoft" }, /* 167 */ + { 0x0A, 172, 1, 7, "" }, /* 168 */ + { 0x03, 0, 1, 8, "" }, /* 169 */ + { 0x03, 171, 0, 9, "msSGC" }, /* 170 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 171 */ + { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 172 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 173 */ + { 0x02, 175, 0, 9, 
"msSmartcardLogon" }, /* 174 */ + { 0x03, 0, 0, 9, "msUPN" }, /* 175 */ + { 0x89, 0, 1, 5, "" }, /* 176 */ + { 0x31, 0, 1, 6, "" }, /* 177 */ + { 0x01, 0, 1, 7, "" }, /* 178 */ + { 0x01, 0, 1, 8, "" }, /* 179 */ + { 0x02, 0, 1, 9, "" }, /* 180 */ + { 0x02, 182, 0, 10, "" }, /* 181 */ + { 0x4B, 0, 0, 10, "TCGID" }, /* 182 */ + { 0x05, 0, 1, 3, "security" }, /* 183 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 184 */ + { 0x07, 0, 1, 5, "id-pkix" }, /* 185 */ + { 0x01, 190, 1, 6, "id-pe" }, /* 186 */ + { 0x01, 188, 0, 7, "authorityInfoAccess" }, /* 187 */ + { 0x03, 189, 0, 7, "qcStatements" }, /* 188 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 189 */ + { 0x02, 193, 1, 6, "id-qt" }, /* 190 */ + { 0x01, 192, 0, 7, "cps" }, /* 191 */ + { 0x02, 0, 0, 7, "unotice" }, /* 192 */ + { 0x03, 203, 1, 6, "id-kp" }, /* 193 */ + { 0x01, 195, 0, 7, "serverAuth" }, /* 194 */ + { 0x02, 196, 0, 7, "clientAuth" }, /* 195 */ + { 0x03, 197, 0, 7, "codeSigning" }, /* 196 */ + { 0x04, 198, 0, 7, "emailProtection" }, /* 197 */ + { 0x05, 199, 0, 7, "ipsecEndSystem" }, /* 198 */ + { 0x06, 200, 0, 7, "ipsecTunnel" }, /* 199 */ + { 0x07, 201, 0, 7, "ipsecUser" }, /* 200 */ + { 0x08, 202, 0, 7, "timeStamping" }, /* 201 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 202 */ + { 0x08, 205, 1, 6, "id-otherNames" }, /* 203 */ + { 0x05, 0, 0, 7, "xmppAddr" }, /* 204 */ + { 0x0A, 210, 1, 6, "id-aca" }, /* 205 */ + { 0x01, 207, 0, 7, "authenticationInfo" }, /* 206 */ + { 0x02, 208, 0, 7, "accessIdentity" }, /* 207 */ + { 0x03, 209, 0, 7, "chargingIdentity" }, /* 208 */ + { 0x04, 0, 0, 7, "group" }, /* 209 */ + { 0x0B, 211, 0, 6, "subjectInfoAccess" }, /* 210 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 211 */ + { 0x01, 220, 1, 7, "ocsp" }, /* 212 */ + { 0x01, 214, 0, 8, "basic" }, /* 213 */ + { 0x02, 215, 0, 8, "nonce" }, /* 214 */ + { 0x03, 216, 0, 8, "crl" }, /* 215 */ + { 0x04, 217, 0, 8, "response" }, /* 216 */ + { 0x05, 218, 0, 8, "noCheck" }, /* 217 */ + { 0x06, 219, 0, 8, "archiveCutoff" }, /* 218 */ + { 0x07, 0, 0, 
8, "serviceLocator" }, /* 219 */ + { 0x02, 221, 0, 7, "caIssuers" }, /* 220 */ + { 0x03, 222, 0, 7, "timeStamping" }, /* 221 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 222 */ + { 0x0E, 229, 1, 1, "oiw" }, /* 223 */ + { 0x03, 0, 1, 2, "secsig" }, /* 224 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 225 */ + { 0x07, 227, 0, 4, "des-cbc" }, /* 226 */ + { 0x1A, 228, 0, 4, "sha-1" }, /* 227 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 228 */ + { 0x24, 275, 1, 1, "TeleTrusT" }, /* 229 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 230 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 231 */ + { 0x01, 236, 1, 4, "rsaSignature" }, /* 232 */ + { 0x02, 234, 0, 5, "rsaSigWithripemd160" }, /* 233 */ + { 0x03, 235, 0, 5, "rsaSigWithripemd128" }, /* 234 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 235 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 236 */ + { 0x01, 238, 0, 5, "ecSignWithsha1" }, /* 237 */ + { 0x02, 239, 0, 5, "ecSignWithripemd160" }, /* 238 */ + { 0x03, 240, 0, 5, "ecSignWithmd2" }, /* 239 */ + { 0x04, 241, 0, 5, "ecSignWithmd5" }, /* 240 */ + { 0x05, 258, 1, 5, "ttt-ecg" }, /* 241 */ + { 0x01, 246, 1, 6, "fieldType" }, /* 242 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 243 */ + { 0x01, 0, 1, 8, "basisType" }, /* 244 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 245 */ + { 0x02, 248, 1, 6, "keyType" }, /* 246 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 247 */ + { 0x03, 249, 0, 6, "curve" }, /* 248 */ + { 0x04, 256, 1, 6, "signatures" }, /* 249 */ + { 0x01, 251, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 250 */ + { 0x02, 252, 0, 7, "ecgdsa-with-SHA1" }, /* 251 */ + { 0x03, 253, 0, 7, "ecgdsa-with-SHA224" }, /* 252 */ + { 0x04, 254, 0, 7, "ecgdsa-with-SHA256" }, /* 253 */ + { 0x05, 255, 0, 7, "ecgdsa-with-SHA384" }, /* 254 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 255 */ + { 0x05, 0, 1, 6, "module" }, /* 256 */ + { 0x01, 0, 0, 7, "1" }, /* 257 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 258 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 259 */ + { 0x01, 0, 1, 7, 
"versionOne" }, /* 260 */ + { 0x01, 262, 0, 8, "brainpoolP160r1" }, /* 261 */ + { 0x02, 263, 0, 8, "brainpoolP160t1" }, /* 262 */ + { 0x03, 264, 0, 8, "brainpoolP192r1" }, /* 263 */ + { 0x04, 265, 0, 8, "brainpoolP192t1" }, /* 264 */ + { 0x05, 266, 0, 8, "brainpoolP224r1" }, /* 265 */ + { 0x06, 267, 0, 8, "brainpoolP224t1" }, /* 266 */ + { 0x07, 268, 0, 8, "brainpoolP256r1" }, /* 267 */ + { 0x08, 269, 0, 8, "brainpoolP256t1" }, /* 268 */ + { 0x09, 270, 0, 8, "brainpoolP320r1" }, /* 269 */ + { 0x0A, 271, 0, 8, "brainpoolP320t1" }, /* 270 */ + { 0x0B, 272, 0, 8, "brainpoolP384r1" }, /* 271 */ + { 0x0C, 273, 0, 8, "brainpoolP384t1" }, /* 272 */ + { 0x0D, 274, 0, 8, "brainpoolP512r1" }, /* 273 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 274 */ + { 0x81, 0, 1, 1, "" }, /* 275 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 276 */ + { 0x00, 0, 1, 3, "curve" }, /* 277 */ + { 0x01, 279, 0, 4, "sect163k1" }, /* 278 */ + { 0x02, 280, 0, 4, "sect163r1" }, /* 279 */ + { 0x03, 281, 0, 4, "sect239k1" }, /* 280 */ + { 0x04, 282, 0, 4, "sect113r1" }, /* 281 */ + { 0x05, 283, 0, 4, "sect113r2" }, /* 282 */ + { 0x06, 284, 0, 4, "secp112r1" }, /* 283 */ + { 0x07, 285, 0, 4, "secp112r2" }, /* 284 */ + { 0x08, 286, 0, 4, "secp160r1" }, /* 285 */ + { 0x09, 287, 0, 4, "secp160k1" }, /* 286 */ + { 0x0A, 288, 0, 4, "secp256k1" }, /* 287 */ + { 0x0F, 289, 0, 4, "sect163r2" }, /* 288 */ + { 0x10, 290, 0, 4, "sect283k1" }, /* 289 */ + { 0x11, 291, 0, 4, "sect283r1" }, /* 290 */ + { 0x16, 292, 0, 4, "sect131r1" }, /* 291 */ + { 0x17, 293, 0, 4, "sect131r2" }, /* 292 */ + { 0x18, 294, 0, 4, "sect193r1" }, /* 293 */ + { 0x19, 295, 0, 4, "sect193r2" }, /* 294 */ + { 0x1A, 296, 0, 4, "sect233k1" }, /* 295 */ + { 0x1B, 297, 0, 4, "sect233r1" }, /* 296 */ + { 0x1C, 298, 0, 4, "secp128r1" }, /* 297 */ + { 0x1D, 299, 0, 4, "secp128r2" }, /* 298 */ + { 0x1E, 300, 0, 4, "secp160r2" }, /* 299 */ + { 0x1F, 301, 0, 4, "secp192k1" }, /* 300 */ + { 0x20, 302, 0, 4, "secp224k1" }, /* 301 */ + { 0x21, 303, 0, 4, 
"secp224r1" }, /* 302 */ + { 0x22, 304, 0, 4, "secp384r1" }, /* 303 */ + { 0x23, 305, 0, 4, "secp521r1" }, /* 304 */ + { 0x24, 306, 0, 4, "sect409k1" }, /* 305 */ + { 0x25, 307, 0, 4, "sect409r1" }, /* 306 */ + { 0x26, 308, 0, 4, "sect571k1" }, /* 307 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 308 */ + {0x60, 0, 1, 0, "" }, /* 309 */ + { 0x86, 0, 1, 1, "" }, /* 310 */ + { 0x48, 0, 1, 2, "" }, /* 311 */ + { 0x01, 0, 1, 3, "organization" }, /* 312 */ + { 0x65, 331, 1, 4, "gov" }, /* 313 */ + { 0x03, 0, 1, 5, "csor" }, /* 314 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 315 */ + { 0x01, 326, 1, 7, "aes" }, /* 316 */ + { 0x02, 318, 0, 8, "id-aes128-CBC" }, /* 317 */ + { 0x06, 319, 0, 8, "id-aes128-GCM" }, /* 318 */ + { 0x07, 320, 0, 8, "id-aes128-CCM" }, /* 319 */ + { 0x16, 321, 0, 8, "id-aes192-CBC" }, /* 320 */ + { 0x1A, 322, 0, 8, "id-aes192-GCM" }, /* 321 */ + { 0x1B, 323, 0, 8, "id-aes192-CCM" }, /* 322 */ + { 0x2A, 324, 0, 8, "id-aes256-CBC" }, /* 323 */ + { 0x2E, 325, 0, 8, "id-aes256-GCM" }, /* 324 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 325 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 326 */ + { 0x01, 328, 0, 8, "id-SHA-256" }, /* 327 */ + { 0x02, 329, 0, 8, "id-SHA-384" }, /* 328 */ + { 0x03, 330, 0, 8, "id-SHA-512" }, /* 329 */ + { 0x04, 0, 0, 8, "id-SHA-224" }, /* 330 */ + { 0x86, 0, 1, 4, "" }, /* 331 */ + { 0xf8, 0, 1, 5, "" }, /* 332 */ + { 0x42, 345, 1, 6, "netscape" }, /* 333 */ + { 0x01, 340, 1, 7, "" }, /* 334 */ + { 0x01, 336, 0, 8, "nsCertType" }, /* 335 */ + { 0x03, 337, 0, 8, "nsRevocationUrl" }, /* 336 */ + { 0x04, 338, 0, 8, "nsCaRevocationUrl" }, /* 337 */ + { 0x08, 339, 0, 8, "nsCaPolicyUrl" }, /* 338 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 339 */ + { 0x03, 343, 1, 7, "directory" }, /* 340 */ + { 0x01, 0, 1, 8, "" }, /* 341 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 342 */ + { 0x04, 0, 1, 7, "policy" }, /* 343 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 344 */ + { 0x45, 0, 1, 6, "verisign" }, /* 345 */ + { 0x01, 0, 1, 7, "pki" }, /* 346 */ + { 0x09, 0, 
1, 8, "attributes" }, /* 347 */ + { 0x02, 349, 0, 9, "messageType" }, /* 348 */ + { 0x03, 350, 0, 9, "pkiStatus" }, /* 349 */ + { 0x04, 351, 0, 9, "failInfo" }, /* 350 */ + { 0x05, 352, 0, 9, "senderNonce" }, /* 351 */ + { 0x06, 353, 0, 9, "recipientNonce" }, /* 352 */ + { 0x07, 354, 0, 9, "transID" }, /* 353 */ + { 0x08, 355, 0, 9, "extensionReq" }, /* 354 */ + { 0x08, 0, 0, 9, "extensionReq" } /* 355 */ +======= {0x02, 7, 1, 0, "ITU-T Administration" }, /* 0 */ { 0x82, 0, 1, 1, "" }, /* 1 */ { 0x06, 0, 1, 2, "Germany ITU-T member" }, /* 2 */ @@ -369,4 +727,5 @@ const oid_t oid_names[] = { { 0x07, 357, 0, 9, "transID" }, /* 356 */ { 0x08, 358, 0, 9, "extensionReq" }, /* 357 */ { 0x08, 0, 0, 9, "extensionReq" } /* 358 */ +>>>>>>> upstream/4.5.1 }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index b6ee9a10d..e9de81ccf 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -49,11 +49,16 @@ extern const oid_t oid_names[]; #define OID_DELTA_CRL_INDICATOR 48 #define OID_NAME_CONSTRAINTS 51 #define OID_CRL_DISTRIBUTION_POINTS 52 +<<<<<<< HEAD +#define OID_ANY_POLICY 54 +#define OID_AUTHORITY_KEY_ID 56 +======= #define OID_CERTIFICATE_POLICIES 53 #define OID_ANY_POLICY 54 #define OID_POLICY_MAPPINGS 55 #define OID_AUTHORITY_KEY_ID 56 #define OID_POLICY_CONSTRAINTS 57 +>>>>>>> upstream/4.5.1 #define OID_EXTENDED_KEY_USAGE 58 #define OID_FRESHEST_CRL 60 #define OID_INHIBIT_ANY_POLICY 61 
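Review bot: The whole `oid_names[]` initializer is committed with both conflict sides inside one array, so as written the table would hold the 356 HEAD rows followed by the 359 upstream rows and every index in oid.h would point at the wrong row. The HEAD copy ends at `/* 355 */` and the upstream copy at `/* 358 */` because upstream carries three extra entries (the `ITA`/`strongSwan` arc that appears in the oid.txt hunk below), so every entry after `msUPN` (row 175) sits at a different index on the two sides. The second column is a positional link into the same table (`{0x02, 7, 1, 0, "ITU-T Administration" }` points at row 7, `data`), which is why this file must not be hand-merged: resolve oid.txt and regenerate oid.c and oid.h together — they appear to be generated from oid.txt, which carries the same OID_* names. The duplicated final `extensionReq` row (`/* 354 */`, `/* 355 */`) exists on both sides and is not introduced here.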
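Review bot: The HEAD side of this oid.h hunk drops `OID_CERTIFICATE_POLICIES`, `OID_POLICY_MAPPINGS` and `OID_POLICY_CONSTRAINTS`, which upstream x509 code elsewhere in this 4.5.1 merge presumably references (the certificatePolicies support appears in the auth_cfg.h hunk as `AUTH_RULE_CERT_POLICY`); choosing HEAD here would break the build or, worse, leave those extensions unrecognised. Keep the upstream side; as with oid.c, these defines are index values into `oid_names[]` and should come from regenerating against the resolved oid.txt rather than from a manual merge.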
@@ -120,6 +125,95 @@ extern const oid_t oid_names[]; #define OID_ECDSA_WITH_SHA384 159 #define OID_ECDSA_WITH_SHA512 160 #define OID_USER_PRINCIPAL_NAME 175 +<<<<<<< HEAD +#define OID_TCGID 182 +#define OID_AUTHORITY_INFO_ACCESS 187 +#define OID_IP_ADDR_BLOCKS 189 +#define OID_SERVER_AUTH 194 +#define OID_CLIENT_AUTH 195 +#define OID_OCSP_SIGNING 202 +#define OID_XMPP_ADDR 204 +#define OID_AUTHENTICATION_INFO 206 +#define OID_ACCESS_IDENTITY 207 +#define OID_CHARGING_IDENTITY 208 +#define OID_GROUP 209 +#define OID_OCSP 212 +#define OID_BASIC 213 +#define OID_NONCE 214 +#define OID_CRL 215 +#define OID_RESPONSE 216 +#define OID_NO_CHECK 217 +#define OID_ARCHIVE_CUTOFF 218 +#define OID_SERVICE_LOCATOR 219 +#define OID_CA_ISSUERS 220 +#define OID_DES_CBC 226 +#define OID_SHA1 227 +#define OID_SHA1_WITH_RSA_OIW 228 +#define OID_ECGDSA_PUBKEY 247 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 250 +#define OID_ECGDSA_SIG_WITH_SHA1 251 +#define OID_ECGDSA_SIG_WITH_SHA224 252 +#define OID_ECGDSA_SIG_WITH_SHA256 253 +#define OID_ECGDSA_SIG_WITH_SHA384 254 +#define OID_ECGDSA_SIG_WITH_SHA512 255 +#define OID_SECT163K1 278 +#define OID_SECT163R1 279 +#define OID_SECT239K1 280 +#define OID_SECT113R1 281 +#define OID_SECT113R2 282 +#define OID_SECT112R1 283 +#define OID_SECT112R2 284 +#define OID_SECT160R1 285 +#define OID_SECT160K1 286 +#define OID_SECT256K1 287 +#define OID_SECT163R2 288 +#define OID_SECT283K1 289 +#define OID_SECT283R1 290 +#define OID_SECT131R1 291 +#define OID_SECT131R2 292 +#define OID_SECT193R1 293 +#define OID_SECT193R2 294 +#define OID_SECT233K1 295 +#define OID_SECT233R1 296 +#define OID_SECT128R1 297 +#define OID_SECT128R2 298 +#define OID_SECT160R2 299 +#define OID_SECT192K1 300 +#define OID_SECT224K1 301 +#define OID_SECT224R1 302 +#define OID_SECT384R1 303 +#define OID_SECT521R1 304 +#define OID_SECT409K1 305 +#define OID_SECT409R1 306 +#define OID_SECT571K1 307 +#define OID_SECT571R1 308 +#define OID_AES128_CBC 317 +#define OID_AES128_GCM 318 +#define 
OID_AES128_CCM 319 +#define OID_AES192_CBC 320 +#define OID_AES192_GCM 321 +#define OID_AES192_CCM 322 +#define OID_AES256_CBC 323 +#define OID_AES256_GCM 324 +#define OID_AES256_CCM 325 +#define OID_SHA256 327 +#define OID_SHA384 328 +#define OID_SHA512 329 +#define OID_SHA224 330 +#define OID_NS_REVOCATION_URL 336 +#define OID_NS_CA_REVOCATION_URL 337 +#define OID_NS_CA_POLICY_URL 338 +#define OID_NS_COMMENT 339 +#define OID_EMPLOYEE_NUMBER 342 +#define OID_PKI_MESSAGE_TYPE 348 +#define OID_PKI_STATUS 349 +#define OID_PKI_FAIL_INFO 350 +#define OID_PKI_SENDER_NONCE 351 +#define OID_PKI_RECIPIENT_NONCE 352 +#define OID_PKI_TRANS_ID 353 + +#define OID_MAX 356 +======= #define OID_STRONGSWAN 178 #define OID_TCGID 185 #define OID_AUTHORITY_INFO_ACCESS 190 @@ -210,5 +304,6 @@ extern const oid_t oid_names[]; #define OID_PKI_TRANS_ID 356 #define OID_MAX 359 +>>>>>>> upstream/4.5.1 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index e2931c7dd..bf37dd624 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -51,11 +51,19 @@ 0x1D "certificateIssuer" 0x1E "nameConstraints" OID_NAME_CONSTRAINTS 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS +<<<<<<< HEAD + 0x20 "certificatePolicies" + 0x00 "anyPolicy" OID_ANY_POLICY + 0x21 "policyMappings" + 0x23 "authorityKeyIdentifier" OID_AUTHORITY_KEY_ID + 0x24 "policyConstraints" +======= 0x20 "certificatePolicies" OID_CERTIFICATE_POLICIES 0x00 "anyPolicy" OID_ANY_POLICY 0x21 "policyMappings" OID_POLICY_MAPPINGS 0x23 "authorityKeyIdentifier" OID_AUTHORITY_KEY_ID 0x24 "policyConstraints" OID_POLICY_CONSTRAINTS +>>>>>>> upstream/4.5.1 0x25 "extendedKeyUsage" OID_EXTENDED_KEY_USAGE 0x00 "anyExtendedKeyUsage" 0x2E "freshestCRL" OID_FRESHEST_CRL 
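Review bot: The two sides of this hunk give different numbers to the same constants — HEAD `#define OID_TCGID 182` … `#define OID_MAX 356`, upstream `#define OID_TCGID 185` … `#define OID_MAX 359` — so the side chosen here must be the side chosen in oid.c, or every lookup past index 175 (authorityInfoAccess, serverAuth/clientAuth, the OCSP nonce/noCheck ids, the SHA-2 and AES identifiers) resolves to a neighbouring row. That is not a build error but a silent certificate-validation failure mode: code that maps a parsed OID to these indices (outside this diff) would label one extension or algorithm as another. The HEAD side also lacks `OID_STRONGSWAN`, which only the upstream table defines. Treat oid.h as generated output and regenerate it from the resolved oid.txt together with oid.c.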
@@ -124,7 +132,11 @@ 0x01 "id-ecPublicKey" OID_EC_PUBLICKEY 0x03 "ellipticCurve" 0x00 "c-TwoCurve" +<<<<<<< HEAD + 0x01 "c2pnb163v1" OID_C2PNB163V1 +======= 0x01 "c2pnb163v1" OID_C2PNB163V1 +>>>>>>> upstream/4.5.1 0x02 "c2pnb163v2" OID_C2PNB163V2 0x03 "c2pnb163v3" OID_C2PNB163V3 0x04 "c2pnb176w1" OID_C2PNB176W1 @@ -174,16 +186,23 @@ 0x02 "msCertificateTypeExtension" 0x02 "msSmartcardLogon" 0x03 "msUPN" OID_USER_PRINCIPAL_NAME +<<<<<<< HEAD +======= 0xA0 "" 0x2A "ITA" 0x01 "strongSwan" OID_STRONGSWAN +>>>>>>> upstream/4.5.1 0x89 "" 0x31 "" 0x01 "" 0x01 "" 0x02 "" 0x02 "" +<<<<<<< HEAD + 0x4B "TCGID" OID_TCGID +======= 0x4B "TCGID" OID_TCGID +>>>>>>> upstream/4.5.1 0x05 "security" 0x05 "mechanisms" 0x07 "id-pkix" @@ -192,8 +211,13 @@ 0x03 "qcStatements" 0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS 0x02 "id-qt" +<<<<<<< HEAD + 0x01 "cps" + 0x02 "unotice" +======= 0x01 "cps" OID_POLICY_QUALIFIER_CPS 0x02 "unotice" OID_POLICY_QUALIFIER_UNOTICE +>>>>>>> upstream/4.5.1 0x03 "id-kp" 0x01 "serverAuth" OID_SERVER_AUTH 0x02 "clientAuth" OID_CLIENT_AUTH diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 23a3f62d9..9c7df81a6 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -131,13 +131,19 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *cert = (certificate_t*)entry->value; cert->destroy(cert); break; } +<<<<<<< HEAD +======= case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { 
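Review bot: If the destroy_entry_value switch is resolved to the HEAD side, entries of the new types `AUTH_RULE_CERT_POLICY` (a `char*` per the auth_cfg.h hunk) and `AUTH_HELPER_REVOCATION_CERT` (a `certificate_t*`) match no case and are never freed — the certificate reference would never be released through `cert->destroy(cert)`. Upstream places `case AUTH_HELPER_REVOCATION_CERT:` with the certificate cases and `case AUTH_RULE_CERT_POLICY:` with the `AUTH_HELPER_*_HASH_URL` string cases, whose body runs past this hunk; keep that side. The oid.txt hunks on this line look like whitespace-only conflicts around `c2pnb163v1` and `TCGID` plus the upstream-only `strongSwan` entry, and should be resolved to upstream so the generated oid.c/oid.h tables match.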
@@ -149,8 +155,11 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 break; } } @@ -176,8 +185,11 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 /* integer type */ enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -188,12 +200,18 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: +<<<<<<< HEAD +======= case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 /* pointer type */ enumerator->current->value = va_arg(args, void*); break; @@ -245,8 +263,11 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_EAP_TYPE: return (void*)EAP_NAK; case AUTH_RULE_EAP_VENDOR: +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 return (void*)0; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: @@ -258,12 +279,18 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: +<<<<<<< HEAD +======= case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 default: return NULL; } 
@@ -286,8 +313,11 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -298,12 +328,18 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: +<<<<<<< HEAD +======= case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 /* pointer type */ entry->value = va_arg(args, void*); break; @@ -374,6 +410,40 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: { +<<<<<<< HEAD + cert_validation_t validated, required; + + required = (uintptr_t)value; + validated = (uintptr_t)get(this, t1); + switch (required) + { + case VALIDATION_FAILED: + /* no constraint */ + break; + case VALIDATION_SKIPPED: + if (validated == VALIDATION_SKIPPED) + { + break; + } + /* FALL */ + case VALIDATION_GOOD: + if (validated == VALIDATION_GOOD) + { + break; + } + /* FALL */ + default: + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: %N is %N, " + "but requires at least %N", auth_rule_names, + t1, cert_validation_names, validated, + cert_validation_names, required); + } + break; + } +======= uintptr_t validated; e2 = create_enumerator(this); @@ -413,6 +483,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, } } e2->destroy(e2); +>>>>>>> upstream/4.5.1 break; } case AUTH_RULE_IDENTITY: 
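Review bot: In complies(), the HEAD side of the `AUTH_RULE_CRL_VALIDATION`/`AUTH_RULE_OCSP_VALIDATION` case consults a single stored result via `validated = (uintptr_t)get(this, t1)`, whereas the upstream side walks every entry with `e2 = create_enumerator(this)` … `e2->destroy(e2)`; these differ when several revocation results were recorded for one chain, so this is a behaviour choice and not a formatting conflict. Keep the upstream form: with HEAD, a later failed result could be masked by whichever entry get() returns (get()'s ordering is outside this hunk — confirm). If the HEAD branch does survive, the `case VALIDATION_FAILED: /* no constraint */` line deserves a clearer comment, e.g. `/* requiring FAILED is no constraint: any result complies */`, because it is the fail-open path. The enclosing switch and complies() continue beyond this hunk.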
@@ -496,6 +567,8 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, e2->destroy(e2); break; } +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: { @@ -561,11 +634,15 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, } break; } +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 /* skip helpers */ continue; } @@ -612,7 +689,10 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *cert = (certificate_t*)value; @@ -624,8 +704,11 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: case AUTH_RULE_EAP_VENDOR: +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 { add(this, type, (uintptr_t)value); break; @@ -640,7 +723,10 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy add(this, type, id->clone(id)); break; } +<<<<<<< HEAD +======= case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -693,8 +779,11 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 { if (i1->value == i2->value) { 
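Review bot: The `case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: {` block added by upstream is, as far as this diff shows, the only place complies() enforces the minimum key-strength constraints; if this conflict is resolved to HEAD, which has no case for them, a configured strength requirement is silently accepted — fail-open, since the function just returns `success`. The HEAD side of the next hunk likewise drops `case AUTH_HELPER_REVOCATION_CERT:` from the `/* skip helpers */` group, so a revocation helper entry would fall through to whatever the switch does for an unmatched value. Keep the upstream side of both; the body of the strength check crosses the hunk boundary at `@@ -561,11 +634,15 @@`, so review it in full before merging.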
@@ -708,7 +797,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *c1, *c2; @@ -739,7 +831,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) } continue; } +<<<<<<< HEAD +======= case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -822,13 +917,19 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: +<<<<<<< HEAD +======= case AUTH_HELPER_REVOCATION_CERT: +>>>>>>> upstream/4.5.1 { certificate_t *cert = (certificate_t*)entry->value; clone->add(clone, entry->type, cert->get_ref(cert)); break; } +<<<<<<< HEAD +======= case AUTH_RULE_CERT_POLICY: +>>>>>>> upstream/4.5.1 case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { @@ -840,8 +941,11 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: +<<<<<<< HEAD +======= case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: +>>>>>>> upstream/4.5.1 clone->add(clone, entry->type, (uintptr_t)entry->value); break; } diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 489ce1134..659a7c9ef 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h 
@@ -90,12 +90,15 @@ enum auth_rule_t { * The group membership constraint is fulfilled if the subject is member of * one group defined in the constraints. */ AUTH_RULE_GROUP, +<<<<<<< HEAD +======= /** required RSA public key strength, u_int in bits */ AUTH_RULE_RSA_STRENGTH, /** required ECDSA public key strength, u_int in bits */ AUTH_RULE_ECDSA_STRENGTH, /** certificatePolicy constraint, numerical OID as char* */ AUTH_RULE_CERT_POLICY, +>>>>>>> upstream/4.5.1 /** intermediate certificate, certificate_t* */ AUTH_HELPER_IM_CERT, @@ -105,8 +108,11 @@ enum auth_rule_t { AUTH_HELPER_IM_HASH_URL, /** Hash and URL of a end-entity certificate, char* */ AUTH_HELPER_SUBJECT_HASH_URL, +<<<<<<< HEAD +======= /** revocation certificate (CRL, OCSP), certificate_t* */ AUTH_HELPER_REVOCATION_CERT, +>>>>>>> upstream/4.5.1 }; /** diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index f9a277a2c..4d3a78eab 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -43,6 +43,10 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_CRL_DISTRIBUTION_POINTS", "BUILD_OCSP_ACCESS_LOCATIONS", "BUILD_PATHLEN", +<<<<<<< HEAD + "BUILD_X509_FLAG", + "BUILD_REVOKED_ENUMERATOR", +======= "BUILD_PERMITTED_NAME_CONSTRAINTS", "BUILD_EXCLUDED_NAME_CONSTRAINTS", "BUILD_CERTIFICATE_POLICIES", @@ -53,6 +57,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_X509_FLAG", "BUILD_REVOKED_ENUMERATOR", "BUILD_BASE_CRL", +>>>>>>> upstream/4.5.1 "BUILD_CHALLENGE_PWD", "BUILD_PKCS11_MODULE", "BUILD_PKCS11_SLOT", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 325b668cd..fc93a6007 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h 
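Review bot: Upstream inserts `AUTH_RULE_RSA_STRENGTH`, `AUTH_RULE_ECDSA_STRENGTH` and `AUTH_RULE_CERT_POLICY` ahead of `AUTH_HELPER_IM_CERT`, which renumbers every AUTH_HELPER_* value, so auth_cfg.h and auth_cfg.c must be resolved from the same side and every consumer rebuilt together — otherwise add()/replace() would read a pointer argument as an integer or vice versa. The builder.c hunk on this line carries the same hazard: `builder_part_names` is a string table indexed by `builder_part_t`, and picking HEAD here while taking upstream builder.h (next file) shifts every name after `"BUILD_PATHLEN"` by the number of inserted parts. Resolve both pairs to upstream.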
@@ -87,12 +87,18 @@ enum builder_part_t { BUILD_CA_CERT, /** a certificate, certificate_t* */ BUILD_CERT, +<<<<<<< HEAD + /** CRL distribution point URIs, linked_list_t* containing char* */ +======= /** CRL distribution point URIs, x509_cdp_t* */ +>>>>>>> upstream/4.5.1 BUILD_CRL_DISTRIBUTION_POINTS, /** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */ BUILD_OCSP_ACCESS_LOCATIONS, /** certificate path length constraint */ BUILD_PATHLEN, +<<<<<<< HEAD +======= /** permitted X509 name constraints, linked_list_t* of identification_t* */ BUILD_PERMITTED_NAME_CONSTRAINTS, /** excluded X509 name constraints, linked_list_t* of identification_t* */ @@ -107,12 +113,16 @@ enum builder_part_t { BUILD_POLICY_INHIBIT_MAPPING, /** inhibitAnyPolicy constraint, int */ BUILD_POLICY_INHIBIT_ANY, +>>>>>>> upstream/4.5.1 /** enforce an additional X509 flag, x509_flag_t */ BUILD_X509_FLAG, /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */ BUILD_REVOKED_ENUMERATOR, +<<<<<<< HEAD +======= /** Base CRL serial for a delta CRL, chunk_t, */ BUILD_BASE_CRL, +>>>>>>> upstream/4.5.1 /** PKCS#10 challenge password */ BUILD_CHALLENGE_PWD, /** friendly name of a PKCS#11 module, null terminated char* */ diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 733d9d612..f329281d3 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h 
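Review bot: The two sides of the `BUILD_CRL_DISTRIBUTION_POINTS` comment disagree on the payload type, HEAD says `linked_list_t* containing char*` and upstream says `x509_cdp_t*`, and since builder parts are presumably handed over untyped (the producers and consumers are not in this chunk) the compiler will not catch a producer and consumer that disagree; a char* list consumed as x509_cdp_t, or the reverse, is a memory-safety bug in certificate handling. Resolve this comment to the type every x509 builder and consumer in this tree actually uses, and keep exactly one statement of it. The builder.c name table on the previous line has the matching problem: the HEAD side places `"BUILD_X509_FLAG"`, `"BUILD_REVOKED_ENUMERATOR"` right after `"BUILD_PATHLEN"` while upstream places them after the name-constraint and policy entries, and the table order must follow this enum's order or every name after the divergence is wrong.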
@@ -40,6 +40,14 @@ struct cert_validator_t { * @param subject subject certificate to check * @param issuer issuer of subject * @param online wheter to do online revocation checking +<<<<<<< HEAD + * @param pathlen the current length of the path up to the root CA + * @param auth container for resulting authentication info + */ + bool (*validate)(cert_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, int pathlen, + auth_cfg_t *auth); +======= * @param pathlen the current length of the path bottom-up * @param anchor is issuer trusted root anchor * @param auth container for resulting authentication info @@ -47,6 +55,7 @@ struct cert_validator_t { bool (*validate)(cert_validator_t *this, certificate_t *subject, certificate_t *issuer, bool online, u_int pathlen, bool anchor, auth_cfg_t *auth); +>>>>>>> upstream/4.5.1 }; #endif /** CERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 2f3497474..11ad7f2f3 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -72,6 +72,8 @@ struct crl_t { chunk_t (*get_authKeyIdentifier)(crl_t *this); /** +<<<<<<< HEAD +======= * Is this CRL a delta CRL? * * @param base_crl gets to baseCrlNumber, if this is a delta CRL @@ -87,6 +89,7 @@ struct crl_t { enumerator_t* (*create_delta_crl_uri_enumerator)(crl_t *this); /** +>>>>>>> upstream/4.5.1 * Create an enumerator over all revoked certificates. * * The enumerator takes 3 pointer arguments: diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c new file mode 100644 index 000000000..66dc192c1 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/x509.c 
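Review bot: The `validate` prototype conflicts, HEAD `bool online, int pathlen, auth_cfg_t *auth` versus upstream `bool online, u_int pathlen, bool anchor, auth_cfg_t *auth`, and the caller `check_certificate` in credential_manager.c declares `int pathlen` on both of its sides, so whichever prototype is kept, the caller and every cert_validator_t implementation (none is in this chunk) must change together. If the upstream prototype is kept, `check_certificate` should take `u_int pathlen` as well rather than relying on the implicit int-to-u_int conversion; harmless today because the loop in verify_trust_chain starts at 0, but it hides the mismatch. The doc comment should also state what a validator is expected to do differently when `anchor` is TRUE, since the current one-liner only says what the flag is.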
@@ -0,0 +1,28 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "x509.h" + +ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS, + "X509_NONE", + "X509_CA", + "X509_AA", + "X509_OCSP_SIGNER", + "X509_SERVER_AUTH", + "X509_CLIENT_AUTH", + "X509_SELF_SIGNED", + "X509_IP_ADDR_BLOCKS", +); + diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index fec02dbad..3ab26c8c5 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,6 +24,12 @@ #include <utils/enumerator.h> #include <credentials/certificates/certificate.h> +<<<<<<< HEAD +#define X509_NO_PATH_LEN_CONSTRAINT -1 + +typedef struct x509_t x509_t; +typedef enum x509_flag_t x509_flag_t; +======= /* constraints are currently restricted to the range 0..127 */ #define X509_NO_CONSTRAINT 255 @@ -33,6 +39,7 @@ typedef struct x509_policy_mapping_t x509_policy_mapping_t; typedef struct x509_cdp_t x509_cdp_t; typedef enum x509_flag_t x509_flag_t; typedef enum x509_constraint_t x509_constraint_t; +>>>>>>> upstream/4.5.1 /** * X.509 certificate flags. 
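Review bot: The new `x509_flag_names` table in x509.c ends at `"X509_IP_ADDR_BLOCKS"` with bounds `X509_NONE, X509_IP_ADDR_BLOCKS`, but the upstream side of the x509_flag_t conflict in x509.h adds `X509_CRL_SIGN = (1<<7)`, so keeping the upstream enum leaves this table one entry short; and only the HEAD side of x509.h declares `extern enum_name_t *x509_flag_names;`, so with the upstream header this file defines a symbol nothing declares. Either drop x509.c together with the HEAD side, or add `"X509_CRL_SIGN",` and raise the upper bound to `X509_CRL_SIGN` and keep the extern declaration. The values are bit flags (`(1<<5)`, `(1<<6)` are visible in x509.h), so a comment above the ENUM should say whether the name table is indexed by flag value or by bit position; I cannot confirm the ENUM macro's contract from this chunk.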
@@ -54,6 +61,14 @@ enum x509_flag_t { X509_SELF_SIGNED = (1<<5), /** cert has an ipAddrBlocks extension */ X509_IP_ADDR_BLOCKS = (1<<6), +<<<<<<< HEAD +}; + +/** + * enum names for x509 flags + */ +extern enum_name_t *x509_flag_names; +======= /** cert has CRL sign key usage */ X509_CRL_SIGN = (1<<7), }; @@ -103,6 +118,7 @@ struct x509_cdp_t { /** CRL issuer */ identification_t *issuer; }; +>>>>>>> upstream/4.5.1 /** * X.509 certificate interface. @@ -146,12 +162,20 @@ struct x509_t { chunk_t (*get_authKeyIdentifier)(x509_t *this); /** +<<<<<<< HEAD + * Get an optional path length constraint. + * + * @return pathLenConstraint, -1 if no constraint exists + */ + int (*get_pathLenConstraint)(x509_t *this); +======= * Get a numerical X.509 constraint. * * @param type type of constraint to get * @return constraint, X509_NO_CONSTRAINT if none found */ u_int (*get_constraint)(x509_t *this, x509_constraint_t type); +>>>>>>> upstream/4.5.1 /** * Create an enumerator over all subjectAltNames. @@ -161,9 +185,15 @@ struct x509_t { enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); /** +<<<<<<< HEAD + * Create an enumerator over all CRL URIs. + * + * @return enumerator over URIs as char* +======= * Create an enumerator over all CRL URIs and CRL Issuers. * * @return enumerator over x509_cdp_t +>>>>>>> upstream/4.5.1 */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); @@ -180,6 +210,8 @@ struct x509_t { * @return enumerator over ipAddrBlocks as traffic_selector_t* */ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this); +<<<<<<< HEAD +======= /** * Create an enumerator over name constraints. @@ -204,6 +236,7 @@ struct x509_t { enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this); +>>>>>>> upstream/4.5.1 }; #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 27b97eab3..3e54368ff 100644 --- a/src/libstrongswan/credentials/credential_manager.c 
+++ b/src/libstrongswan/credentials/credential_manager.c @@ -452,8 +452,13 @@ static void cache_queue(private_credential_manager_t *this) * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, +<<<<<<< HEAD + certificate_t *subject, certificate_t *issuer, + bool online, int pathlen, auth_cfg_t *auth) +======= certificate_t *subject, certificate_t *issuer, bool online, int pathlen, bool trusted, auth_cfg_t *auth) +>>>>>>> upstream/4.5.1 { time_t not_before, not_after; cert_validator_t *validator; @@ -471,12 +476,36 @@ static bool check_certificate(private_credential_manager_t *this, ¬_before, FALSE, ¬_after, FALSE); return FALSE; } +<<<<<<< HEAD + if (issuer->get_type(issuer) == CERT_X509 && + subject->get_type(subject) == CERT_X509) + { + int pathlen_constraint; + x509_t *x509; + + /* check path length constraint */ + x509 = (x509_t*)issuer; + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen > pathlen_constraint) + { + DBG1(DBG_CFG, "path length of %d violates constraint of %d", + pathlen, pathlen_constraint); + return FALSE; + } + } +======= +>>>>>>> upstream/4.5.1 enumerator = this->validators->create_enumerator(this->validators); while (enumerator->enumerate(enumerator, &validator)) { if (!validator->validate(validator, subject, issuer, +<<<<<<< HEAD + online, pathlen, auth)) +======= online, pathlen, trusted, auth)) +>>>>>>> upstream/4.5.1 { enumerator->destroy(enumerator); return FALSE; @@ -534,6 +563,8 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this, } /** +<<<<<<< HEAD +======= * Get the strength of certificate, add it to auth */ static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) 
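Review bot: The upstream side of the `@@ -471` hunk deletes the only pathLenConstraint enforcement visible in this chunk (`pathlen > pathlen_constraint` followed by `return FALSE`) while the HEAD side keeps it; before resolving toward upstream, confirm that a cert_validator_t implementation in this tree enforces the path length through the new `get_constraint()`/`X509_NO_CONSTRAINT` API from x509.h (not in this chunk), otherwise a CA's pathLenConstraint stops being enforced and a subordinate CA issued beyond the permitted depth would validate. Whichever side survives, leave a one-line comment at this spot in check_certificate naming where the constraint is enforced, e.g. `/* pathLenConstraint is enforced in <validator that implements it>, not here */` with the real location filled in. check_certificate's body continues past the end of the hunk.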
@@ -565,6 +596,7 @@ static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) } /** +>>>>>>> upstream/4.5.1 * try to verify the trust chain of subject, return TRUE if trusted */ static bool verify_trust_chain(private_credential_manager_t *this, @@ -576,9 +608,13 @@ static bool verify_trust_chain(private_credential_manager_t *this, int pathlen; auth = auth_cfg_create(); +<<<<<<< HEAD + current = subject->get_ref(subject); +======= get_key_strength(subject, auth); current = subject->get_ref(subject); auth->add(auth, AUTH_RULE_SUBJECT_CERT, current->get_ref(current)); +>>>>>>> upstream/4.5.1 for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) { @@ -623,17 +659,25 @@ static bool verify_trust_chain(private_credential_manager_t *this, break; } } +<<<<<<< HEAD + if (!check_certificate(this, current, issuer, online, pathlen, + current == subject ? auth : NULL)) +======= if (!check_certificate(this, current, issuer, online, pathlen, trusted, auth)) +>>>>>>> upstream/4.5.1 { trusted = FALSE; issuer->destroy(issuer); break; } +<<<<<<< HEAD +======= if (issuer) { get_key_strength(issuer, auth); } +>>>>>>> upstream/4.5.1 current->destroy(current); current = issuer; if (trusted) @@ -657,6 +701,8 @@ static bool verify_trust_chain(private_credential_manager_t *this, } /** +<<<<<<< HEAD +======= * List find match function for certificates */ static bool cert_equals(certificate_t *a, certificate_t *b) @@ -665,6 +711,7 @@ static bool cert_equals(certificate_t *a, certificate_t *b) } /** +>>>>>>> upstream/4.5.1 * enumerator for trusted certificates */ typedef struct { @@ -684,8 +731,11 @@ typedef struct { certificate_t *pretrusted; /** currently enumerating auth config */ auth_cfg_t *auth; +<<<<<<< HEAD +======= /** list of failed candidates */ linked_list_t *failed; +>>>>>>> upstream/4.5.1 } trusted_enumerator_t; METHOD(enumerator_t, trusted_enumerate, bool, 
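Review bot: In the `@@ -623` hunk the HEAD side passes `current == subject ? auth : NULL` so only the subject's validation results are collected, while the upstream side passes `auth` for every link and additionally records `get_key_strength(issuer, auth)`; if the HEAD call survives but the upstream enum values `AUTH_RULE_RSA_STRENGTH`/`AUTH_RULE_ECDSA_STRENGTH` from the auth_cfg.h hunk do too, no strength value is ever added to `auth`, and whether a configured minimum-strength constraint then fails closed or is silently skipped depends on the auth_cfg comparison code, which is not in this chunk. Resolve the credential_manager.c, auth_cfg.c and auth_cfg.h conflicts as one unit, and cover it with a test that a peer presenting a key below the configured strength is rejected. verify_trust_chain starts and ends outside this hunk.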
@@ -713,6 +763,13 @@ METHOD(enumerator_t, trusted_enumerate, bool, verify_trust_chain(this->this, this->pretrusted, this->auth, TRUE, this->online)) { +<<<<<<< HEAD + this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, + this->pretrusted->get_ref(this->pretrusted)); + DBG1(DBG_CFG, " using trusted certificate \"%Y\"", + this->pretrusted->get_subject(this->pretrusted)); + *cert = this->pretrusted; +======= DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; @@ -721,6 +778,7 @@ METHOD(enumerator_t, trusted_enumerate, bool, this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, this->pretrusted->get_ref(this->pretrusted)); } +>>>>>>> upstream/4.5.1 if (auth) { *auth = this->auth; @@ -738,12 +796,15 @@ METHOD(enumerator_t, trusted_enumerate, bool, continue; } +<<<<<<< HEAD +======= if (this->failed->find_first(this->failed, (void*)cert_equals, NULL, current) == SUCCESS) { /* check each candidate only once */ continue; } +>>>>>>> upstream/4.5.1 DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, @@ -756,7 +817,10 @@ METHOD(enumerator_t, trusted_enumerate, bool, } return TRUE; } +<<<<<<< HEAD +======= this->failed->insert_last(this->failed, current->get_ref(current)); +>>>>>>> upstream/4.5.1 } return FALSE; } @@ -767,7 +831,10 @@ METHOD(enumerator_t, trusted_destroy, void, DESTROY_IF(this->pretrusted); DESTROY_IF(this->auth); DESTROY_IF(this->candidates); +<<<<<<< HEAD +======= this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy)); +>>>>>>> upstream/4.5.1 free(this); } @@ -786,7 +853,10 @@ METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*, .type = type, .id = id, .online = online, +<<<<<<< HEAD +======= .failed = linked_list_create(), +>>>>>>> upstream/4.5.1 ); return &enumerator->public; } 
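Review bot: The upstream-only `failed` list is created in `create_trusted_enumerator` (`.failed = linked_list_create()`), appended to in `trusted_enumerate` (`this->failed->insert_last(...)`) and released in `trusted_destroy` across three hunks of this line; a partial resolution that keeps HEAD in the constructor leaves `this->failed` NULL for the `find_first` call. The HEAD side of the `@@ -713` hunk also adds `AUTH_RULE_SUBJECT_CERT` for the pretrusted certificate here, whereas the upstream side of verify_trust_chain on the previous line already appears to add it for the subject; resolving the two places to different sides would add the subject certificate twice or not at all for pretrusted lookups, so credential_manager.c should be resolved as a single unit. A comment above the `find_first` block explaining that a candidate that already failed chain verification is skipped to avoid re-verifying it per enumeration would make the upstream intent clearer than the inline `/* check each candidate only once */`.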
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 225fabe31..046ccfd12 100644 --- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -132,8 +132,12 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert) } } else if (rule != AUTH_HELPER_SUBJECT_CERT && +<<<<<<< HEAD + rule != AUTH_HELPER_IM_CERT) +======= rule != AUTH_HELPER_IM_CERT && rule != AUTH_HELPER_REVOCATION_CERT) +>>>>>>> upstream/4.5.1 { /* handle only HELPER certificates */ continue; } diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c index e023e8443..5a2385b72 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.c +++ b/src/libstrongswan/credentials/sets/mem_cred.c @@ -1,6 +1,9 @@ /* +<<<<<<< HEAD +======= * Copyright (C) 2010 Tobias Brunner * Hochschule fuer Technik Rapperwsil +>>>>>>> upstream/4.5.1 * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -56,11 +59,14 @@ struct private_mem_cred_t { * List of shared keys, as shared_entry_t */ linked_list_t *shared; +<<<<<<< HEAD +======= /** * List of CDPs, as cdp_t */ linked_list_t *cdps; +>>>>>>> upstream/4.5.1 }; /** 
@@ -151,6 +157,23 @@ static bool certificate_equals(certificate_t *item, certificate_t *cert) return item->equals(item, cert); } +<<<<<<< HEAD +METHOD(mem_cred_t, add_cert, void, + private_mem_cred_t *this, bool trusted, certificate_t *cert) +{ + this->lock->write_lock(this->lock); + if (this->untrusted->find_last(this->untrusted, + (linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS) + { + if (trusted) + { + this->trusted->insert_last(this->trusted, cert->get_ref(cert)); + } + this->untrusted->insert_last(this->untrusted, cert->get_ref(cert)); + } + cert->destroy(cert); + this->lock->unlock(this->lock); +======= /** * Add a certificate the the cache. Returns a reference to "cert" or a * previously cached certificate that equals "cert". @@ -249,6 +272,7 @@ METHOD(mem_cred_t, add_crl, bool, } this->lock->unlock(this->lock); return new; +>>>>>>> upstream/4.5.1 } /** @@ -308,7 +332,11 @@ METHOD(mem_cred_t, add_key, void, private_mem_cred_t *this, private_key_t *key) { this->lock->write_lock(this->lock); +<<<<<<< HEAD + this->keys->insert_last(this->keys, key); +======= this->keys->insert_first(this->keys, key); +>>>>>>> upstream/4.5.1 this->lock->unlock(this->lock); } @@ -432,6 +460,20 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, (void*)shared_filter, data, (void*)shared_data_destroy); } +<<<<<<< HEAD +METHOD(mem_cred_t, add_shared, void, + private_mem_cred_t *this, shared_key_t *shared, ...) +{ + shared_entry_t *entry; + identification_t *id; + va_list args; + + INIT(entry, + .shared = shared, + .owners = linked_list_create(), + ); + +======= METHOD(mem_cred_t, add_shared_list, void, private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners) { 
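Review bot: In the `@@ -308` hunk the HEAD side stores private keys with `this->keys->insert_last(this->keys, key);` and the upstream side with `this->keys->insert_first(this->keys, key);`, and the `@@ -454` hunk on the next line does the same for shared-key owners (`entry->owners->insert_last` versus `owners->insert_first`); this decides which key or owner an enumerator yields first when several match, so the choice changes credential selection rather than being cosmetic. Resolve both the same way and add a comment stating the intended order, e.g. `/* newest key first: a re-added key takes precedence over an older one */` if upstream's order is kept (that rationale is my inference; confirm against the callers). The HEAD-side `add_cert` in the `@@ -151` hunk releases the caller's reference with `cert->destroy(cert)` after taking its own, which is consistent with the 'gets owned by set' ownership the header states for add_key and add_shared; keep that behaviour whichever side wins.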
@@ -454,18 +496,27 @@ METHOD(mem_cred_t, add_shared, void, linked_list_t *owners = linked_list_create(); va_list args; +>>>>>>> upstream/4.5.1 va_start(args, shared); do { id = va_arg(args, identification_t*); if (id) { +<<<<<<< HEAD + entry->owners->insert_last(entry->owners, id); +======= owners->insert_first(owners, id); +>>>>>>> upstream/4.5.1 } } while (id); va_end(args); +<<<<<<< HEAD + this->lock->write_lock(this->lock); + this->shared->insert_last(this->shared, entry); +======= add_shared_list(this, shared, owners); } @@ -563,6 +614,7 @@ METHOD(mem_cred_t, clear_secrets, void, this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); this->keys = linked_list_create(); this->shared = linked_list_create(); +>>>>>>> upstream/4.5.1 this->lock->unlock(this->lock); } @@ -574,6 +626,15 @@ METHOD(mem_cred_t, clear_, void, offsetof(certificate_t, destroy)); this->untrusted->destroy_offset(this->untrusted, offsetof(certificate_t, destroy)); +<<<<<<< HEAD + this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); + this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->trusted = linked_list_create(); + this->untrusted = linked_list_create(); + this->keys = linked_list_create(); + this->shared = linked_list_create(); + this->lock->unlock(this->lock); +======= this->cdps->destroy_function(this->cdps, (void*)cdp_destroy); this->trusted = linked_list_create(); this->untrusted = linked_list_create(); @@ -581,6 +642,7 @@ METHOD(mem_cred_t, clear_, void, this->lock->unlock(this->lock); clear_secrets(this); +>>>>>>> upstream/4.5.1 } METHOD(mem_cred_t, destroy, void, @@ -591,7 +653,10 @@ METHOD(mem_cred_t, destroy, void, this->untrusted->destroy(this->untrusted); this->keys->destroy(this->keys); this->shared->destroy(this->shared); +<<<<<<< HEAD +======= this->cdps->destroy(this->cdps); +>>>>>>> upstream/4.5.1 this->lock->destroy(this->lock); free(this); } 
@@ -609,6 +674,15 @@ mem_cred_t *mem_cred_create() .create_shared_enumerator = _create_shared_enumerator, .create_private_enumerator = _create_private_enumerator, .create_cert_enumerator = _create_cert_enumerator, +<<<<<<< HEAD + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .add_cert = _add_cert, + .add_key = _add_key, + .add_shared = _add_shared, + .clear = _clear_, +======= .create_cdp_enumerator = _create_cdp_enumerator, .cache_cert = (void*)nop, }, @@ -621,13 +695,17 @@ mem_cred_t *mem_cred_create() .add_cdp = _add_cdp, .clear = _clear_, .clear_secrets = _clear_secrets, +>>>>>>> upstream/4.5.1 .destroy = _destroy, }, .trusted = linked_list_create(), .untrusted = linked_list_create(), .keys = linked_list_create(), .shared = linked_list_create(), +<<<<<<< HEAD +======= .cdps = linked_list_create(), +>>>>>>> upstream/4.5.1 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h index eb46b065b..274e07566 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.h +++ b/src/libstrongswan/credentials/sets/mem_cred.h @@ -1,6 +1,9 @@ /* +<<<<<<< HEAD +======= * Copyright (C) 2010 Tobias Brunner * Hochschule fuer Technik Rapperswil +>>>>>>> upstream/4.5.1 * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -26,8 +29,11 @@ typedef struct mem_cred_t mem_cred_t; #include <credentials/credential_set.h> +<<<<<<< HEAD +======= #include <credentials/certificates/crl.h> #include <utils/linked_list.h> +>>>>>>> upstream/4.5.1 /** * Generic in-memory credential set. @@ -48,6 +54,8 @@ struct mem_cred_t { void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert); /** +<<<<<<< HEAD +======= * Add a certificate to the credential set, returning a reference to it or * to a cached duplicate. * 
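Review bot: The HEAD side of the `@@ -609` hunk initialises mem_cred_t without `.cdps = linked_list_create()` (and without `add_crl`, `add_cdp`, `clear_secrets`), while the upstream side of `destroy` on the previous line calls `this->cdps->destroy(this->cdps);` and the upstream side of `clear_` calls `this->cdps->destroy_function(this->cdps, (void*)cdp_destroy);`; a resolution that keeps HEAD here and upstream there dereferences a NULL list on the first clear or destroy. The `create_cdp_enumerator = (void*)return_null` versus `_create_cdp_enumerator` choice in the same hunk must follow the same decision, as must the `cdps` member in the struct hunk. Resolve the struct field, the constructor, `clear_` and `destroy` as one unit, and note in the struct comment that `cdps` is owned by the set and freed in `clear_`/`destroy`.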
@@ -68,6 +76,7 @@ struct mem_cred_t { bool (*add_crl)(mem_cred_t *this, crl_t *crl); /** +>>>>>>> upstream/4.5.1 * Add a private key to the credential set. * * @param key key, reference gets owned by set @@ -78,11 +87,17 @@ struct mem_cred_t { * Add a shared key to the credential set. * * @param shared shared key to add, gets owned by set +<<<<<<< HEAD + * @param ... NULL terminated list of owners identification_t* +======= * @param ... NULL terminated list of owners (identification_t*) +>>>>>>> upstream/4.5.1 */ void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...); /** +<<<<<<< HEAD +======= * Add a shared key to the credential set. * * @param shared shared key to add, gets owned by set @@ -101,17 +116,21 @@ struct mem_cred_t { identification_t *id, char *uri); /** +>>>>>>> upstream/4.5.1 * Clear all credentials from the credential set. */ void (*clear)(mem_cred_t *this); /** +<<<<<<< HEAD +======= * Clear the secrets (private and shared keys, not the certificates) from * the credential set. */ void (*clear_secrets)(mem_cred_t *this); /** +>>>>>>> upstream/4.5.1 * Destroy a mem_cred_t. */ void (*destroy)(mem_cred_t *this); diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index 2d13896d6..96b4630f7 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -20,6 +20,15 @@ #include <utils/linked_list.h> #include <crypto/crypto_tester.h> +<<<<<<< HEAD +typedef struct entry_t entry_t; +struct entry_t { + /* algorithm */ + u_int algo; + /* benchmarked speed */ + u_int speed; + /* constructor */ +======= const char *default_plugin_name = "default"; typedef struct entry_t entry_t; @@ -43,6 +52,7 @@ struct entry_t { /** * constructor */ +>>>>>>> upstream/4.5.1 union { crypter_constructor_t create_crypter; aead_constructor_t create_aead; 
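Review bot: The HEAD side of `entry_t` has no `plugin_name` member, but the upstream side of `add_entry` (`.plugin_name = plugin_name,`) and of every `*_filter` (`*plugin_name = (*entry)->plugin_name;`) in the following hunks reads it, and the `create_*` hunks on the next line pass `default_plugin_name` to `tester->test_*`, whose prototypes in crypto_tester.h are not in this chunk; the struct, `add_entry`, the `add_*`/`remove_*` methods, the filters and the tester interface must all be resolved to one API. The HEAD-side struct comments are plain `/* algorithm */` style while the surrounding file uses `/** ... */` doc comments; keep the doc-comment form so the members show up in generated docs. `struct entry_t` is cut at the end of the hunk.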
@@ -144,8 +154,12 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*, { if (this->test_on_create && !this->tester->test_crypter(this->tester, algo, key_size, +<<<<<<< HEAD + entry->create_crypter, NULL)) +======= entry->create_crypter, NULL, default_plugin_name)) +>>>>>>> upstream/4.5.1 { continue; } @@ -177,8 +191,12 @@ METHOD(crypto_factory_t, create_aead, aead_t*, { if (this->test_on_create && !this->tester->test_aead(this->tester, algo, key_size, +<<<<<<< HEAD + entry->create_aead, NULL)) +======= entry->create_aead, NULL, default_plugin_name)) +>>>>>>> upstream/4.5.1 { continue; } @@ -209,8 +227,12 @@ METHOD(crypto_factory_t, create_signer, signer_t*, { if (this->test_on_create && !this->tester->test_signer(this->tester, algo, +<<<<<<< HEAD + entry->create_signer, NULL)) +======= entry->create_signer, NULL, default_plugin_name)) +>>>>>>> upstream/4.5.1 { continue; } @@ -242,8 +264,12 @@ METHOD(crypto_factory_t, create_hasher, hasher_t*, { if (this->test_on_create && algo != HASH_PREFERRED && !this->tester->test_hasher(this->tester, algo, +<<<<<<< HEAD + entry->create_hasher, NULL)) +======= entry->create_hasher, NULL, default_plugin_name)) +>>>>>>> upstream/4.5.1 { continue; } @@ -274,8 +300,12 @@ METHOD(crypto_factory_t, create_prf, prf_t*, { if (this->test_on_create && !this->tester->test_prf(this->tester, algo, +<<<<<<< HEAD + entry->create_prf, NULL)) +======= entry->create_prf, NULL, default_plugin_name)) +>>>>>>> upstream/4.5.1 { continue; } @@ -307,8 +337,12 @@ METHOD(crypto_factory_t, create_rng, rng_t*, { if (this->test_on_create && !this->tester->test_rng(this->tester, quality, +<<<<<<< HEAD + entry->create_rng, NULL)) +======= entry->create_rng, NULL, default_plugin_name)) +>>>>>>> upstream/4.5.1 { continue; } 
@@ -372,8 +406,12 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*, * Insert an algorithm entry to a list */ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, +<<<<<<< HEAD + int algo, u_int speed, void *create) +======= int algo, const char *plugin_name, u_int speed, void *create) +>>>>>>> upstream/4.5.1 { entry_t *entry, *current; linked_list_t *tmp; @@ -381,7 +419,10 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, INIT(entry, .algo = algo, +<<<<<<< HEAD +======= .plugin_name = plugin_name, +>>>>>>> upstream/4.5.1 .speed = speed, ); entry->create = create; @@ -415,16 +456,27 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, } METHOD(crypto_factory_t, add_crypter, void, +<<<<<<< HEAD + private_crypto_factory_t *this, encryption_algorithm_t algo, + crypter_constructor_t create) +======= private_crypto_factory_t *this, encryption_algorithm_t algo, const char *plugin_name, crypter_constructor_t create) +>>>>>>> upstream/4.5.1 { u_int speed = 0; if (!this->test_on_add || this->tester->test_crypter(this->tester, algo, 0, create, +<<<<<<< HEAD + this->bench ? &speed : NULL)) + { + add_entry(this, this->crypters, algo, speed, create); +======= this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->crypters, algo, plugin_name, speed, create); +>>>>>>> upstream/4.5.1 } } 
@@ -449,16 +501,27 @@ METHOD(crypto_factory_t, remove_crypter, void, } METHOD(crypto_factory_t, add_aead, void, +<<<<<<< HEAD + private_crypto_factory_t *this, encryption_algorithm_t algo, + aead_constructor_t create) +======= private_crypto_factory_t *this, encryption_algorithm_t algo, const char *plugin_name, aead_constructor_t create) +>>>>>>> upstream/4.5.1 { u_int speed = 0; if (!this->test_on_add || this->tester->test_aead(this->tester, algo, 0, create, +<<<<<<< HEAD + this->bench ? &speed : NULL)) + { + add_entry(this, this->aeads, algo, speed, create); +======= this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->aeads, algo, plugin_name, speed, create); +>>>>>>> upstream/4.5.1 } } @@ -483,16 +546,27 @@ METHOD(crypto_factory_t, remove_aead, void, } METHOD(crypto_factory_t, add_signer, void, +<<<<<<< HEAD + private_crypto_factory_t *this, integrity_algorithm_t algo, + signer_constructor_t create) +======= private_crypto_factory_t *this, integrity_algorithm_t algo, const char *plugin_name, signer_constructor_t create) +>>>>>>> upstream/4.5.1 { u_int speed = 0; if (!this->test_on_add || this->tester->test_signer(this->tester, algo, create, +<<<<<<< HEAD + this->bench ? &speed : NULL)) + { + add_entry(this, this->signers, algo, speed, create); +======= this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->signers, algo, plugin_name, speed, create); +>>>>>>> upstream/4.5.1 } } 
@@ -517,16 +591,27 @@ METHOD(crypto_factory_t, remove_signer, void, } METHOD(crypto_factory_t, add_hasher, void, +<<<<<<< HEAD + private_crypto_factory_t *this, hash_algorithm_t algo, + hasher_constructor_t create) +======= private_crypto_factory_t *this, hash_algorithm_t algo, const char *plugin_name, hasher_constructor_t create) +>>>>>>> upstream/4.5.1 { u_int speed = 0; if (!this->test_on_add || this->tester->test_hasher(this->tester, algo, create, +<<<<<<< HEAD + this->bench ? &speed : NULL)) + { + add_entry(this, this->hashers, algo, speed, create); +======= this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->hashers, algo, plugin_name, speed, create); +>>>>>>> upstream/4.5.1 } } @@ -551,16 +636,27 @@ METHOD(crypto_factory_t, remove_hasher, void, } METHOD(crypto_factory_t, add_prf, void, +<<<<<<< HEAD + private_crypto_factory_t *this, pseudo_random_function_t algo, + prf_constructor_t create) +======= private_crypto_factory_t *this, pseudo_random_function_t algo, const char *plugin_name, prf_constructor_t create) +>>>>>>> upstream/4.5.1 { u_int speed = 0; if (!this->test_on_add || this->tester->test_prf(this->tester, algo, create, +<<<<<<< HEAD + this->bench ? &speed : NULL)) + { + add_entry(this, this->prfs, algo, speed, create); +======= this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->prfs, algo, plugin_name, speed, create); +>>>>>>> upstream/4.5.1 } } 
@@ -586,15 +682,25 @@ METHOD(crypto_factory_t, remove_prf, void, METHOD(crypto_factory_t, add_rng, void, private_crypto_factory_t *this, rng_quality_t quality, +<<<<<<< HEAD + rng_constructor_t create) +======= const char *plugin_name, rng_constructor_t create) +>>>>>>> upstream/4.5.1 { u_int speed = 0; if (!this->test_on_add || this->tester->test_rng(this->tester, quality, create, +<<<<<<< HEAD + this->bench ? &speed : NULL)) + { + add_entry(this, this->rngs, quality, speed, create); +======= this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->rngs, quality, plugin_name, speed, create); +>>>>>>> upstream/4.5.1 } } @@ -619,10 +725,17 @@ METHOD(crypto_factory_t, remove_rng, void, } METHOD(crypto_factory_t, add_dh, void, +<<<<<<< HEAD + private_crypto_factory_t *this, diffie_hellman_group_t group, + dh_constructor_t create) +{ + add_entry(this, this->dhs, group, 0, create); +======= private_crypto_factory_t *this, diffie_hellman_group_t group, const char *plugin_name, dh_constructor_t create) { add_entry(this, this->dhs, group, plugin_name, 0, create); +>>>>>>> upstream/4.5.1 } METHOD(crypto_factory_t, remove_dh, void, @@ -684,11 +797,17 @@ static enumerator_t *create_enumerator(private_crypto_factory_t *this, /** * Filter function to enumerate algorithm, not entry */ +<<<<<<< HEAD +static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo) +{ + *algo = (*entry)->algo; +======= static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo, void *i2, const char **plugin_name) { *algo = (*entry)->algo; *plugin_name = (*entry)->plugin_name; +>>>>>>> upstream/4.5.1 return TRUE; } 
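Review bot: The HEAD `crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo)` and upstream `crypter_filter(..., void *i2, const char **plugin_name)` differ in arity, and the same pair recurs for signer_filter, hasher_filter, prf_filter and dh_filter on the next line; `create_enumerator(this, this->dhs, dh_filter)` takes the filter as a callback whose parameter type I cannot see in this chunk, and if it is passed through a cast the compiler will not flag a filter whose arity no longer matches what the filtering enumerator supplies, leaving `plugin_name` either unset or written through a stale pointer. Resolve all five filters together with `create_enumerator` and the `create_*_enumerator` declarations in crypto_factory.h, and state in the shared comment what each output slot is, e.g. `/* filter: maps entry_t* to (algo, plugin_name) for create_*_enumerator */`. The HEAD side of `add_dh` calls `add_entry(this, this->dhs, group, 0, create);`, so it must also match whichever `add_entry` signature is kept.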
@@ -707,11 +826,17 @@ METHOD(crypto_factory_t, create_aead_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ +<<<<<<< HEAD +static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo) +{ + *algo = (*entry)->algo; +======= static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo, void *i2, const char **plugin_name) { *algo = (*entry)->algo; *plugin_name = (*entry)->plugin_name; +>>>>>>> upstream/4.5.1 return TRUE; } @@ -724,11 +849,17 @@ METHOD(crypto_factory_t, create_signer_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ +<<<<<<< HEAD +static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo) +{ + *algo = (*entry)->algo; +======= static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo, void *i2, const char **plugin_name) { *algo = (*entry)->algo; *plugin_name = (*entry)->plugin_name; +>>>>>>> upstream/4.5.1 return TRUE; } @@ -741,11 +872,17 @@ METHOD(crypto_factory_t, create_hasher_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ +<<<<<<< HEAD +static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo) +{ + *algo = (*entry)->algo; +======= static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo, void *i2, const char **plugin_name) { *algo = (*entry)->algo; *plugin_name = (*entry)->plugin_name; +>>>>>>> upstream/4.5.1 return TRUE; } @@ -758,11 +895,17 @@ METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ +<<<<<<< HEAD +static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group) +{ + *group = (*entry)->algo; +======= static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group, void *i2, const char **plugin_name) { *group = (*entry)->algo; *plugin_name = (*entry)->plugin_name; +>>>>>>> upstream/4.5.1 return TRUE; } 
@@ -772,6 +915,8 @@ METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*, return create_enumerator(this, this->dhs, dh_filter); } +<<<<<<< HEAD +======= /** * Filter function to enumerate algorithm, not entry */ @@ -788,6 +933,7 @@ METHOD(crypto_factory_t, create_rng_enumerator, enumerator_t*, { return create_enumerator(this, this->rngs, rng_filter); } +>>>>>>> upstream/4.5.1 METHOD(crypto_factory_t, add_test_vector, void, private_crypto_factory_t *this, transform_type_t type, void *vector) { @@ -862,7 +1008,10 @@ crypto_factory_t *crypto_factory_create() .create_hasher_enumerator = _create_hasher_enumerator, .create_prf_enumerator = _create_prf_enumerator, .create_dh_enumerator = _create_dh_enumerator, +<<<<<<< HEAD +======= .create_rng_enumerator = _create_rng_enumerator, +>>>>>>> upstream/4.5.1 .add_test_vector = _add_test_vector, .destroy = _destroy, }, diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h index 8e5db6355..61c46b59c 100644 --- a/src/libstrongswan/crypto/crypto_factory.h +++ b/src/libstrongswan/crypto/crypto_factory.h @@ -33,8 +33,11 @@ typedef struct crypto_factory_t crypto_factory_t; #include <crypto/diffie_hellman.h> #include <crypto/transform.h> +<<<<<<< HEAD +======= #define CRYPTO_MAX_ALG_LINE 120 /* characters */ +>>>>>>> upstream/4.5.1 /** * Constructor function for crypters */ @@ -146,12 +149,19 @@ struct crypto_factory_t { * Register a crypter constructor. * * @param algo algorithm to constructor +<<<<<<< HEAD +======= * @param plugin_name plugin that registered this algorithm +>>>>>>> upstream/4.5.1 * @param create constructor function for that algorithm * @return */ void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo, +<<<<<<< HEAD + crypter_constructor_t create); +======= const char *plugin_name, crypter_constructor_t create); +>>>>>>> upstream/4.5.1 /** * Unregister a crypter constructor. 
@@ -171,23 +181,37 @@ struct crypto_factory_t { * Register a aead constructor. * * @param algo algorithm to constructor +<<<<<<< HEAD +======= * @param plugin_name plugin that registered this algorithm +>>>>>>> upstream/4.5.1 * @param create constructor function for that algorithm * @return */ void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo, +<<<<<<< HEAD + aead_constructor_t create); +======= const char *plugin_name, aead_constructor_t create); +>>>>>>> upstream/4.5.1 /** * Register a signer constructor. * * @param algo algorithm to constructor +<<<<<<< HEAD +======= * @param plugin_name plugin that registered this algorithm +>>>>>>> upstream/4.5.1 * @param create constructor function for that algorithm * @return */ void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo, +<<<<<<< HEAD + signer_constructor_t create); +======= const char *plugin_name, signer_constructor_t create); +>>>>>>> upstream/4.5.1 /** * Unregister a signer constructor. @@ -203,12 +227,19 @@ struct crypto_factory_t { * create_hasher(HASH_PREFERRED). * * @param algo algorithm to constructor +<<<<<<< HEAD +======= * @param plugin_name plugin that registered this algorithm +>>>>>>> upstream/4.5.1 * @param create constructor function for that algorithm * @return */ void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo, +<<<<<<< HEAD + hasher_constructor_t create); +======= const char *plugin_name, hasher_constructor_t create); +>>>>>>> upstream/4.5.1 /** * Unregister a hasher constructor. 
@@ -221,12 +252,19 @@ struct crypto_factory_t { * Register a prf constructor. * * @param algo algorithm to constructor +<<<<<<< HEAD +======= * @param plugin_name plugin that registered this algorithm +>>>>>>> upstream/4.5.1 * @param create constructor function for that algorithm * @return */ void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo, +<<<<<<< HEAD + prf_constructor_t create); +======= const char *plugin_name, prf_constructor_t create); +>>>>>>> upstream/4.5.1 /** * Unregister a prf constructor. @@ -239,11 +277,17 @@ struct crypto_factory_t { * Register a source of randomness. * * @param quality quality of randomness this RNG serves +<<<<<<< HEAD + * @param create constructor function for such a quality + */ + void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, rng_constructor_t create); +======= * @param plugin_name plugin that registered this algorithm * @param create constructor function for such a quality */ void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, const char *plugin_name, rng_constructor_t create); +>>>>>>> upstream/4.5.1 /** * Unregister a source of randomness. @@ -256,12 +300,19 @@ struct crypto_factory_t { * Register a diffie hellman constructor. * * @param group dh group to constructor +<<<<<<< HEAD +======= * @param plugin_name plugin that registered this algorithm +>>>>>>> upstream/4.5.1 * @param create constructor function for that algorithm * @return */ void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group, +<<<<<<< HEAD + dh_constructor_t create); +======= const char *plugin_name, dh_constructor_t create); +>>>>>>> upstream/4.5.1 /** * Unregister a diffie hellman constructor. @@ -313,6 +364,8 @@ struct crypto_factory_t { enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this); /** +<<<<<<< HEAD +======= * Create an enumerator over all registered random generators. * * @return enumerator over rng_quality_t 
@@ -320,6 +373,7 @@ struct crypto_factory_t { enumerator_t* (*create_rng_enumerator)(crypto_factory_t *this); /** +>>>>>>> upstream/4.5.1 * Add a test vector to the crypto factory. * * @param type type of the test vector diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 276f4329a..d4a8728e2 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -165,7 +165,11 @@ static u_int bench_crypter(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_crypter, bool, private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, +<<<<<<< HEAD + crypter_constructor_t create, u_int *speed) +======= crypter_constructor_t create, u_int *speed, const char *plugin_name) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; crypter_test_vector_t *vector; @@ -188,11 +192,15 @@ METHOD(crypto_tester_t, test_crypter, bool, } crypter = create(alg, vector->key_size); if (!crypter) +<<<<<<< HEAD + { /* key size not supported... */ +======= { DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", encryption_algorithm_names, alg, plugin_name, BITS_PER_BYTE * vector->key_size); failed = TRUE; +>>>>>>> upstream/4.5.1 continue; } @@ -235,14 +243,25 @@ METHOD(crypto_tester_t, test_crypter, bool, crypter->destroy(crypter); if (failed) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + encryption_algorithm_names, alg, get_name(vector)); +======= DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", encryption_algorithm_names, alg, plugin_name, get_name(vector)); +>>>>>>> upstream/4.5.1 break; } } enumerator->destroy(enumerator); if (!tested) { +<<<<<<< HEAD + DBG1(DBG_LIB, "%s %N: no test vectors found", + this->required ? "disabled" : "enabled ", + encryption_algorithm_names, alg); + return !this->required; +======= if (failed) { DBG1(DBG_LIB,"disable %N[%s]: no key size supported", 
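Review bot: The new message `DBG1(DBG_LIB,"disable %N[%s]: no key size supported",` in the `if (!tested)` branch of test_crypter reads "disable" while every other message that turns an algorithm off in this file reads "disabled", which defeats grepping the self-test log for one keyword; the identical string appears in test_aead in the next hunk group. Suggest `DBG1(DBG_LIB, "disabled %N[%s]: no key size supported",`, which also restores the missing space after the comma. The call's remaining arguments continue outside this hunk.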
@@ -256,12 +275,22 @@ METHOD(crypto_tester_t, test_crypter, bool, encryption_algorithm_names, alg, plugin_name); return !this->required; } +>>>>>>> upstream/4.5.1 } if (!failed) { if (speed) { *speed = bench_crypter(this, alg, create); +<<<<<<< HEAD + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + encryption_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + encryption_algorithm_names, alg, tested); +======= DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", encryption_algorithm_names, alg, tested, plugin_name, *speed); } @@ -269,6 +298,7 @@ METHOD(crypto_tester_t, test_crypter, bool, { DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", encryption_algorithm_names, alg, plugin_name, tested); +>>>>>>> upstream/4.5.1 } } return !failed; @@ -324,7 +354,11 @@ static u_int bench_aead(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_aead, bool, private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, +<<<<<<< HEAD + aead_constructor_t create, u_int *speed) +======= aead_constructor_t create, u_int *speed, const char *plugin_name) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; aead_test_vector_t *vector; @@ -348,11 +382,15 @@ METHOD(crypto_tester_t, test_aead, bool, } aead = create(alg, vector->key_size); if (!aead) +<<<<<<< HEAD + { /* key size not supported... */ +======= { DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", encryption_algorithm_names, alg, plugin_name, BITS_PER_BYTE * vector->key_size); failed = TRUE; +>>>>>>> upstream/4.5.1 continue; } 
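Review bot: In the upstream side of the `if (speed)` branch of test_crypter, `DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", encryption_algorithm_names, alg, tested, plugin_name, *speed);` passes `tested` where the `%s` conversion expects `plugin_name`, so the logger reads an integer as a `char *` — undefined behaviour that can crash the daemon during the crypto self-test or print garbage. The sibling functions (test_aead below, test_signer, test_hasher, test_prf, test_rng) pass `alg, plugin_name, tested, *speed`; change this call to `encryption_algorithm_names, alg, plugin_name, tested, *speed);`. The `else` branch two lines later already has the correct order, and test_crypter's body continues outside the hunk.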
@@ -405,14 +443,25 @@ METHOD(crypto_tester_t, test_aead, bool, aead->destroy(aead); if (failed) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + encryption_algorithm_names, alg, get_name(vector)); +======= DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", encryption_algorithm_names, alg, plugin_name, get_name(vector)); +>>>>>>> upstream/4.5.1 break; } } enumerator->destroy(enumerator); if (!tested) { +<<<<<<< HEAD + DBG1(DBG_LIB, "%s %N: no test vectors found", + this->required ? "disabled" : "enabled ", + encryption_algorithm_names, alg); + return !this->required; +======= if (failed) { DBG1(DBG_LIB,"disable %N[%s]: no key size supported", @@ -426,12 +475,22 @@ METHOD(crypto_tester_t, test_aead, bool, encryption_algorithm_names, alg, plugin_name); return !this->required; } +>>>>>>> upstream/4.5.1 } if (!failed) { if (speed) { *speed = bench_aead(this, alg, create); +<<<<<<< HEAD + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + encryption_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + encryption_algorithm_names, alg, tested); +======= DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", encryption_algorithm_names, alg, plugin_name, tested, *speed); } @@ -439,6 +498,7 @@ METHOD(crypto_tester_t, test_aead, bool, { DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", encryption_algorithm_names, alg, plugin_name, tested); +>>>>>>> upstream/4.5.1 } } return !failed; @@ -486,7 +546,11 @@ static u_int bench_signer(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_signer, bool, private_crypto_tester_t *this, integrity_algorithm_t alg, +<<<<<<< HEAD + signer_constructor_t create, u_int *speed) +======= signer_constructor_t create, u_int *speed, const char *plugin_name) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; signer_test_vector_t *vector; 
@@ -508,8 +572,13 @@ METHOD(crypto_tester_t, test_signer, bool, signer = create(alg); if (!signer) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: creating instance failed", + integrity_algorithm_names, alg); +======= DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", integrity_algorithm_names, alg, plugin_name); +>>>>>>> upstream/4.5.1 failed = TRUE; break; } @@ -564,17 +633,28 @@ METHOD(crypto_tester_t, test_signer, bool, signer->destroy(signer); if (failed) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + integrity_algorithm_names, alg, get_name(vector)); +======= DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", integrity_algorithm_names, alg, plugin_name, get_name(vector)); +>>>>>>> upstream/4.5.1 break; } } enumerator->destroy(enumerator); if (!tested) { +<<<<<<< HEAD + DBG1(DBG_LIB, "%s %N: no test vectors found", + this->required ? "disabled" : "enabled ", + integrity_algorithm_names, alg); +======= DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", integrity_algorithm_names, alg, plugin_name); +>>>>>>> upstream/4.5.1 return !this->required; } if (!failed) @@ -582,6 +662,15 @@ METHOD(crypto_tester_t, test_signer, bool, if (speed) { *speed = bench_signer(this, alg, create); +<<<<<<< HEAD + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + integrity_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + integrity_algorithm_names, alg, tested); +======= DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", integrity_algorithm_names, alg, plugin_name, tested, *speed); } @@ -589,6 +678,7 @@ METHOD(crypto_tester_t, test_signer, bool, { DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", integrity_algorithm_names, alg, plugin_name, tested); +>>>>>>> upstream/4.5.1 } } return !failed; 
@@ -630,7 +720,11 @@ static u_int bench_hasher(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_hasher, bool, private_crypto_tester_t *this, hash_algorithm_t alg, +<<<<<<< HEAD + hasher_constructor_t create, u_int *speed) +======= hasher_constructor_t create, u_int *speed, const char *plugin_name) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; hasher_test_vector_t *vector; @@ -652,8 +746,13 @@ METHOD(crypto_tester_t, test_hasher, bool, hasher = create(alg); if (!hasher) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: creating instance failed", + hash_algorithm_names, alg); +======= DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", hash_algorithm_names, alg, plugin_name); +>>>>>>> upstream/4.5.1 failed = TRUE; break; } @@ -695,17 +794,28 @@ METHOD(crypto_tester_t, test_hasher, bool, hasher->destroy(hasher); if (failed) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + hash_algorithm_names, alg, get_name(vector)); +======= DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", hash_algorithm_names, alg, plugin_name, get_name(vector)); +>>>>>>> upstream/4.5.1 break; } } enumerator->destroy(enumerator); if (!tested) { +<<<<<<< HEAD + DBG1(DBG_LIB, "%s %N: no test vectors found", + this->required ? "disabled" : "enabled ", + hash_algorithm_names, alg); +======= DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", hash_algorithm_names, alg, plugin_name); +>>>>>>> upstream/4.5.1 return !this->required; } if (!failed) 
@@ -713,6 +823,15 @@ METHOD(crypto_tester_t, test_hasher, bool, if (speed) { *speed = bench_hasher(this, alg, create); +<<<<<<< HEAD + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + hash_algorithm_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + hash_algorithm_names, alg, tested); +======= DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", hash_algorithm_names, alg, plugin_name, tested, *speed); } @@ -720,6 +839,7 @@ METHOD(crypto_tester_t, test_hasher, bool, { DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", hash_algorithm_names, alg, plugin_name, tested); +>>>>>>> upstream/4.5.1 } } return !failed; @@ -761,7 +881,11 @@ static u_int bench_prf(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_prf, bool, private_crypto_tester_t *this, pseudo_random_function_t alg, +<<<<<<< HEAD + prf_constructor_t create, u_int *speed) +======= prf_constructor_t create, u_int *speed, const char *plugin_name) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; prf_test_vector_t *vector; @@ -783,8 +907,13 @@ METHOD(crypto_tester_t, test_prf, bool, prf = create(alg); if (!prf) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: creating instance failed", + pseudo_random_function_names, alg); +======= DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", pseudo_random_function_names, alg, plugin_name); +>>>>>>> upstream/4.5.1 failed = TRUE; break; } 
@@ -837,17 +966,28 @@ METHOD(crypto_tester_t, test_prf, bool, prf->destroy(prf); if (failed) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + pseudo_random_function_names, alg, get_name(vector)); +======= DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", pseudo_random_function_names, alg, plugin_name, get_name(vector)); +>>>>>>> upstream/4.5.1 break; } } enumerator->destroy(enumerator); if (!tested) { +<<<<<<< HEAD + DBG1(DBG_LIB, "%s %N: no test vectors found", + this->required ? "disabled" : "enabled ", + pseudo_random_function_names, alg); +======= DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", pseudo_random_function_names, alg, plugin_name); +>>>>>>> upstream/4.5.1 return !this->required; } if (!failed) @@ -855,6 +995,15 @@ METHOD(crypto_tester_t, test_prf, bool, if (speed) { *speed = bench_prf(this, alg, create); +<<<<<<< HEAD + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + pseudo_random_function_names, alg, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + pseudo_random_function_names, alg, tested); +======= DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", pseudo_random_function_names, alg, plugin_name, tested, *speed); } @@ -862,6 +1011,7 @@ METHOD(crypto_tester_t, test_prf, bool, { DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", pseudo_random_function_names, alg, plugin_name, tested); +>>>>>>> upstream/4.5.1 } } return !failed; @@ -900,7 +1050,11 @@ static u_int bench_rng(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_rng, bool, private_crypto_tester_t *this, rng_quality_t quality, +<<<<<<< HEAD + rng_constructor_t create, u_int *speed) +======= rng_constructor_t create, u_int *speed, const char *plugin_name) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; rng_test_vector_t *vector; 
@@ -909,8 +1063,13 @@ METHOD(crypto_tester_t, test_rng, bool, if (!this->rng_true && quality == RNG_TRUE) { +<<<<<<< HEAD + DBG1(DBG_LIB, "enabled %N: skipping test (disabled by config)", + rng_quality_names, quality); +======= DBG1(DBG_LIB, "enabled %N[%s]: skipping test (disabled by config)", rng_quality_names, quality, plugin_name); +>>>>>>> upstream/4.5.1 return TRUE; } @@ -929,8 +1088,13 @@ METHOD(crypto_tester_t, test_rng, bool, rng = create(quality); if (!rng) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: creating instance failed", + rng_quality_names, quality); +======= DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", rng_quality_names, quality, plugin_name); +>>>>>>> upstream/4.5.1 failed = TRUE; break; } @@ -959,17 +1123,28 @@ METHOD(crypto_tester_t, test_rng, bool, rng->destroy(rng); if (failed) { +<<<<<<< HEAD + DBG1(DBG_LIB, "disabled %N: %s test vector failed", + rng_quality_names, quality, get_name(vector)); +======= DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", rng_quality_names, quality, plugin_name, get_name(vector)); +>>>>>>> upstream/4.5.1 break; } } enumerator->destroy(enumerator); if (!tested) { +<<<<<<< HEAD + DBG1(DBG_LIB, "%s %N: no test vectors found", + this->required ? ", disabled" : "enabled ", + rng_quality_names, quality); +======= DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? ", disabled" : "enabled ", rng_quality_names, quality, plugin_name); +>>>>>>> upstream/4.5.1 return !this->required; } if (!failed) @@ -977,6 +1152,15 @@ METHOD(crypto_tester_t, test_rng, bool, if (speed) { *speed = bench_rng(this, quality, create); +<<<<<<< HEAD + DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", + rng_quality_names, quality, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N: passed %u test vectors", + rng_quality_names, quality, tested); +======= DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", rng_quality_names, quality, plugin_name, tested, *speed); } 
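Review bot: In the `if (!tested)` branch of test_rng the ternary `this->required ? ", disabled" : "enabled "` carries a stray leading comma, so the log line starts with ", disabled" instead of "disabled" and no longer matches the wording the crypter, signer, hasher and prf testers use in the same place. Both sides of the conflict have the same text, so the fix survives either resolution: `this->required ? "disabled" : "enabled ",`.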
@@ -984,6 +1168,7 @@ METHOD(crypto_tester_t, test_rng, bool, { DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", rng_quality_names, quality, plugin_name, tested); +>>>>>>> upstream/4.5.1 } } return !failed; diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h index 019c87c39..1354bec52 100644 --- a/src/libstrongswan/crypto/crypto_tester.h +++ b/src/libstrongswan/crypto/crypto_tester.h @@ -143,7 +143,11 @@ struct crypto_tester_t { */ bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, crypter_constructor_t create, +<<<<<<< HEAD + u_int *speed); +======= u_int *speed, const char *plugin_name); +>>>>>>> upstream/4.5.1 /** * Test an aead algorithm, optionally using a specified key size. @@ -156,7 +160,11 @@ struct crypto_tester_t { */ bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, aead_constructor_t create, +<<<<<<< HEAD + u_int *speed); +======= u_int *speed, const char *plugin_name); +>>>>>>> upstream/4.5.1 /** * Test a signer algorithm. * @@ -166,8 +174,12 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg, +<<<<<<< HEAD + signer_constructor_t create, u_int *speed); +======= signer_constructor_t create, u_int *speed, const char *plugin_name); +>>>>>>> upstream/4.5.1 /** * Test a hasher algorithm. * @@ -177,8 +189,12 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg, +<<<<<<< HEAD + hasher_constructor_t create, u_int *speed); +======= hasher_constructor_t create, u_int *speed, const char *plugin_name); +>>>>>>> upstream/4.5.1 /** * Test a PRF algorithm. * 
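Review bot: The `test_signer` and `test_hasher` prototypes in crypto_tester.h gain a `const char *plugin_name` parameter on the upstream side, but the Doxygen block above each one — whose last line ` * @return TRUE if test passed` is in the hunk — is not extended, so the new parameter is undocumented; the same holds for `test_crypter` and `test_aead` earlier in this section and for `test_prf` and `test_rng` in the next hunk group. crypto_factory.h documents the equivalent parameter, so add the matching line before `@return` in each block: ` * @param plugin_name	plugin that registered this algorithm`.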
@@ -188,8 +204,12 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg, +<<<<<<< HEAD + prf_constructor_t create, u_int *speed); +======= prf_constructor_t create, u_int *speed, const char *plugin_name); +>>>>>>> upstream/4.5.1 /** * Test a RNG implementation. * @@ -199,8 +219,12 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality, +<<<<<<< HEAD + rng_constructor_t create, u_int *speed); +======= rng_constructor_t create, u_int *speed, const char *plugin_name); +>>>>>>> upstream/4.5.1 /** * Add a test vector to test a crypter. * diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h index e98a3a211..cb28d4e2d 100644 --- a/src/libstrongswan/eap/eap.h +++ b/src/libstrongswan/eap/eap.h @@ -82,7 +82,11 @@ extern enum_name_t *eap_type_short_names; * Lookup the EAP method type from a string. * * @param name EAP method name (such as "md5", "aka") +<<<<<<< HEAD + * @return method type, 0 if unkown +======= * @return method type, 0 if unknown +>>>>>>> upstream/4.5.1 */ eap_type_t eap_type_from_string(char *name); diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c index 5c811bd17..df6a73a81 100644 --- a/src/libstrongswan/enum.c +++ b/src/libstrongswan/enum.c @@ -43,7 +43,11 @@ int enum_from_name(enum_name_t *e, char *name) { do { +<<<<<<< HEAD + int i, count = e->last - e->first; +======= int i, count = e->last - e->first + 1; +>>>>>>> upstream/4.5.1 for (i = 0; i < count; i++) { diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c index b007c8b08..2c5f5f688 100644 --- a/src/libstrongswan/fetcher/fetcher_manager.c +++ b/src/libstrongswan/fetcher/fetcher_manager.c 
@@ -92,7 +92,11 @@ static status_t fetch(private_fetcher_manager_t *this, va_start(args, response); while (good) { +<<<<<<< HEAD + opt = va_arg(args, fetcher_option_t); +======= opt = va_arg(args, int); +>>>>>>> upstream/4.5.1 switch (opt) { case FETCH_REQUEST_DATA: @@ -109,7 +113,11 @@ static status_t fetch(private_fetcher_manager_t *this, good = fetcher->set_option(fetcher, opt, va_arg(args, u_int)); continue; case FETCH_END: +<<<<<<< HEAD + break;; +======= break; +>>>>>>> upstream/4.5.1 } break; } diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c index e962aba70..7060f9ea0 100644 --- a/src/libstrongswan/integrity_checker.c +++ b/src/libstrongswan/integrity_checker.c @@ -57,8 +57,16 @@ struct private_integrity_checker_t { int checksum_count; }; +<<<<<<< HEAD +/** + * Implementation of integrity_checker_t.build_file + */ +static u_int32_t build_file(private_integrity_checker_t *this, char *file, + size_t *len) +======= METHOD(integrity_checker_t, build_file, u_int32_t, private_integrity_checker_t *this, char *file, size_t *len) +>>>>>>> upstream/4.5.1 { u_int32_t checksum; chunk_t contents; @@ -133,8 +141,16 @@ static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli) return 0; } +<<<<<<< HEAD +/** + * Implementation of integrity_checker_t.build_segment + */ +static u_int32_t build_segment(private_integrity_checker_t *this, void *sym, + size_t *len) +======= METHOD(integrity_checker_t, build_segment, u_int32_t, private_integrity_checker_t *this, void *sym, size_t *len) +>>>>>>> upstream/4.5.1 { chunk_t segment; Dl_info dli; 
@@ -174,8 +190,16 @@ static integrity_checksum_t *find_checksum(private_integrity_checker_t *this, return NULL; } +<<<<<<< HEAD +/** + * Implementation of integrity_checker_t.check_file + */ +static bool check_file(private_integrity_checker_t *this, + char *name, char *file) +======= METHOD(integrity_checker_t, check_file, bool, private_integrity_checker_t *this, char *name, char *file) +>>>>>>> upstream/4.5.1 { integrity_checksum_t *cs; u_int32_t sum; @@ -208,8 +232,16 @@ METHOD(integrity_checker_t, check_file, bool, return TRUE; } +<<<<<<< HEAD +/** + * Implementation of integrity_checker_t.check_segment + */ +static bool check_segment(private_integrity_checker_t *this, + char *name, void *sym) +======= METHOD(integrity_checker_t, check_segment, bool, private_integrity_checker_t *this, char *name, void *sym) +>>>>>>> upstream/4.5.1 { integrity_checksum_t *cs; u_int32_t sum; @@ -242,8 +274,15 @@ METHOD(integrity_checker_t, check_segment, bool, return TRUE; } +<<<<<<< HEAD +/** + * Implementation of integrity_checker_t.check + */ +static bool check(private_integrity_checker_t *this, char *name, void *sym) +======= METHOD(integrity_checker_t, check, bool, private_integrity_checker_t *this, char *name, void *sym) +>>>>>>> upstream/4.5.1 { Dl_info dli; @@ -263,8 +302,15 @@ METHOD(integrity_checker_t, check, bool, return TRUE; } +<<<<<<< HEAD +/** + * Implementation of integrity_checker_t.destroy. + */ +static void destroy(private_integrity_checker_t *this) +======= METHOD(integrity_checker_t, destroy, void, private_integrity_checker_t *this) +>>>>>>> upstream/4.5.1 { if (this->handle) { 
@@ -278,6 +324,19 @@ METHOD(integrity_checker_t, destroy, void, */ integrity_checker_t *integrity_checker_create(char *checksum_library) { +<<<<<<< HEAD + private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t); + + this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file; + this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file; + this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment; + this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment; + this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check; + this->public.destroy = (void(*)(integrity_checker_t*))destroy; + + this->checksum_count = 0; + this->handle = NULL; +======= private_integrity_checker_t *this; INIT(this, @@ -291,6 +350,7 @@ integrity_checker_t *integrity_checker_create(char *checksum_library) }, ); +>>>>>>> upstream/4.5.1 if (checksum_library) { this->handle = dlopen(checksum_library, RTLD_LAZY); diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 9835cd5b9..6e4aeb9d6 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c index 1c060b6c8..b859d3167 100644 --- a/src/libstrongswan/plugins/aes/aes_plugin.c +++ b/src/libstrongswan/plugins/aes/aes_plugin.c @@ -18,8 +18,11 @@ #include <library.h> #include "aes_crypter.h" +<<<<<<< HEAD +======= static const char *plugin_name = "aes"; +>>>>>>> upstream/4.5.1 typedef struct private_aes_plugin_t private_aes_plugin_t; /** @@ -56,7 +59,11 @@ plugin_t *aes_plugin_create() }, ); +<<<<<<< HEAD + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, +======= lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, +>>>>>>> upstream/4.5.1 (crypter_constructor_t)aes_crypter_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 1a3533f03..fa255ad23 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 251722f60..14f25d015 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in 
@@ -223,7 +223,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -262,8 +268,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 5232eca28..03f46a63a 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -19,8 +19,11 @@
 #include <library.h>
 #include "blowfish_crypter.h"
+<<<<<<< HEAD
+=======
 static const char *plugin_name = "blowfish";
+>>>>>>> upstream/4.5.1
 typedef struct private_blowfish_plugin_t private_blowfish_plugin_t;
 /**
@@ -57,7 +60,11 @@ plugin_t *blowfish_plugin_create()
 },
 );
+<<<<<<< HEAD
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+=======
 lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
+>>>>>>> upstream/4.5.1
 (crypter_constructor_t)blowfish_crypter_create);
 return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 371e5b2f4..504d1938a 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -219,7 +219,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -258,8 +264,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c
index a4c89b548..15c548e64 100644
--- a/src/libstrongswan/plugins/ccm/ccm_plugin.c
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c
@@ -19,8 +19,11 @@
 #include "ccm_aead.h"
+<<<<<<< HEAD
+=======
 static const char *plugin_name = "ccm";
+>>>>>>> upstream/4.5.1
 typedef struct private_ccm_plugin_t private_ccm_plugin_t;
 /**
@@ -49,12 +52,29 @@ METHOD(plugin_t, destroy, void, plugin_t *ccm_plugin_create() { private_ccm_plugin_t *this; +<<<<<<< HEAD +======= crypter_t *crypter; +>>>>>>> upstream/4.5.1 INIT(this, .public.plugin.destroy = _destroy, ); +<<<<<<< HEAD + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, + (aead_constructor_t)ccm_aead_create); +======= crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0); if (crypter) { @@ -77,6 +97,7 @@ plugin_t *ccm_plugin_create() lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, plugin_name, (aead_constructor_t)ccm_aead_create); } +>>>>>>> upstream/4.5.1 return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index 2f6be07e2..ecee15d56 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
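Review bot: The two sides of this conflict differ in behaviour, not only in the `plugin_name` argument: the HEAD side registers the six CCM AEAD constructors unconditionally, while the upstream side registers them only inside `if (crypter)` after `lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0)` succeeds, presumably because ccm_aead_create depends on a CBC crypter supplied by another plugin at run time. Resolving to HEAD would advertise AES- and Camellia-CCM modes whose constructors may fail later, so keep the upstream guard. The body of that `if` — including whatever releases the probe `crypter` — lies between the two hunks and is not visible here; ctr_plugin.c in the next hunk group follows the same pattern.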
@@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c index 9f1bf957f..dc6cba562 100644 --- a/src/libstrongswan/plugins/ctr/ctr_plugin.c +++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c @@ -19,8 +19,11 @@ #include "ctr_ipsec_crypter.h" +<<<<<<< HEAD +======= static const char *plugin_name = "ctr"; +>>>>>>> upstream/4.5.1 typedef struct private_ctr_plugin_t private_ctr_plugin_t; /** @@ -49,7 +52,10 @@ METHOD(plugin_t, destroy, void, plugin_t *ctr_plugin_create() { private_ctr_plugin_t *this; +<<<<<<< HEAD +======= crypter_t *crypter; +>>>>>>> upstream/4.5.1 INIT(this, .public = { @@ -59,6 +65,13 @@ plugin_t *ctr_plugin_create() }, ); +<<<<<<< HEAD + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, + (crypter_constructor_t)ctr_ipsec_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, + (crypter_constructor_t)ctr_ipsec_crypter_create); + +======= crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); if (crypter) { @@ -73,5 +86,6 @@ plugin_t *ctr_plugin_create() lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name, (crypter_constructor_t)ctr_ipsec_crypter_create); } +>>>>>>> upstream/4.5.1 return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index e61c73041..f2192399c 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in 
@@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c index 82e24e810..e58188098 100644 --- a/src/libstrongswan/plugins/curl/curl_fetcher.c +++ b/src/libstrongswan/plugins/curl/curl_fetcher.c @@ -104,7 +104,10 @@ METHOD(fetcher_t, fetch, status_t, METHOD(fetcher_t, set_option, bool, private_curl_fetcher_t *this, fetcher_option_t option, ...) { +<<<<<<< HEAD +======= bool supported = TRUE; +>>>>>>> upstream/4.5.1 va_list args; va_start(args, option); @@ -116,7 +119,11 @@ METHOD(fetcher_t, set_option, bool, curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr); curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len); +<<<<<<< HEAD + return TRUE; +======= break; +>>>>>>> upstream/4.5.1 } case FETCH_REQUEST_TYPE: { 
@@ -125,25 +132,44 @@ METHOD(fetcher_t, set_option, bool, snprintf(header, BUF_LEN, "Content-Type: %s", request_type); this->headers = curl_slist_append(this->headers, header); +<<<<<<< HEAD + return TRUE; +======= break; +>>>>>>> upstream/4.5.1 } case FETCH_REQUEST_HEADER: { char *header = va_arg(args, char*); this->headers = curl_slist_append(this->headers, header); +<<<<<<< HEAD + return TRUE; +======= break; +>>>>>>> upstream/4.5.1 } case FETCH_HTTP_VERSION_1_0: { curl_easy_setopt(this->curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); +<<<<<<< HEAD + return TRUE; +======= break; +>>>>>>> upstream/4.5.1 } case FETCH_TIMEOUT: { curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, va_arg(args, u_int)); +<<<<<<< HEAD + return TRUE; + } + default: + return FALSE; + } +======= break; } default: @@ -152,6 +178,7 @@ METHOD(fetcher_t, set_option, bool, } va_end(args); return supported; +>>>>>>> upstream/4.5.1 } METHOD(fetcher_t, destroy, void, diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c index 387da03aa..41026f407 100644 --- a/src/libstrongswan/plugins/curl/curl_plugin.c +++ b/src/libstrongswan/plugins/curl/curl_plugin.c @@ -34,8 +34,15 @@ struct private_curl_plugin_t { curl_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of curl_plugin_t.curltroy + */ +static void destroy(private_curl_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_curl_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->fetcher->remove_fetcher(lib->fetcher, (fetcher_constructor_t)curl_fetcher_create); @@ -49,6 +56,11 @@ METHOD(plugin_t, destroy, void, plugin_t *curl_plugin_create() { CURLcode res; +<<<<<<< HEAD + private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_curl_plugin_t *this; INIT(this, 
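Review bot: The HEAD side of this conflict returns from inside the `switch` (`return TRUE;` in every case and `return FALSE;` in `default`) without ever reaching `va_end(args)`, while the upstream side uses `break;`, sets `supported`, and ends with `va_end(args); return supported;`. Leaving `va_start` without a matching `va_end` is undefined behaviour in C, so the upstream side is the one to keep when resolving. The `va_start(args, option);` this refers to, and the start of set_option, are in the previous hunk rather than this one.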
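Review bot: The HEAD side of the curl_plugin.c `@@ -34,8 +34,15 @@` hunk carries a mangled doc comment, `Implementation of curl_plugin_t.curltroy`, which looks like a search-and-replace artifact for `destroy`; dnskey_plugin.c (L819) has the same with `dnskey_plugin_t.dnskeytroy`. If the HEAD side were kept the comment should read `* Implementation of curl_plugin_t.destroy`, but the upstream side's `METHOD(plugin_t, destroy, void, private_curl_plugin_t *this)` replaces both the comment and the hand-written cast in curl_plugin_create, so taking upstream removes the issue entirely.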
@@ -58,6 +70,7 @@ plugin_t *curl_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 res = curl_global_init(CURL_GLOBAL_NOTHING); if (res == CURLE_OK) diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index e45988ca9..9f49f45f4 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c index d420d789e..14c5420ea 100644 --- a/src/libstrongswan/plugins/des/des_plugin.c +++ b/src/libstrongswan/plugins/des/des_plugin.c @@ -18,8 +18,11 @@ #include <library.h> #include "des_crypter.h" +<<<<<<< HEAD +======= static const char *plugin_name = "des"; +>>>>>>> upstream/4.5.1 typedef struct private_des_plugin_t private_des_plugin_t; /** 
@@ -56,11 +59,19 @@ plugin_t *des_plugin_create() }, ); +<<<<<<< HEAD + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + (crypter_constructor_t)des_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_DES, + (crypter_constructor_t)des_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, +======= lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name, (crypter_constructor_t)des_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name, (crypter_constructor_t)des_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name, +>>>>>>> upstream/4.5.1 (crypter_constructor_t)des_crypter_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index d1dce4679..262d64565 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -222,7 +222,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,8 +267,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c index d11b149df..75743ae2e 100644 --- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c +++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c 
@@ -31,8 +31,15 @@ struct private_dnskey_plugin_t { dnskey_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of dnskey_plugin_t.dnskeytroy + */ +static void destroy(private_dnskey_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_dnskey_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->creds->remove_builder(lib->creds, (builder_function_t)dnskey_public_key_load); @@ -44,6 +51,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *dnskey_plugin_create() { +<<<<<<< HEAD + private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + +======= private_dnskey_plugin_t *this; INIT(this, @@ -53,6 +66,7 @@ plugin_t *dnskey_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)dnskey_public_key_load); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index ab1ed6d00..6bd31f0e1 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -222,7 +222,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,8 +267,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c index ee71f6efd..27a3b9cc6 100644 --- a/src/libstrongswan/plugins/fips_prf/fips_prf.c +++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c @@ -106,8 +106,12 @@ static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[]) * 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78, * 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16 */ +<<<<<<< HEAD +static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) +======= METHOD(prf_t, get_bytes, void, private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) +>>>>>>> upstream/4.5.1 { int i; u_int8_t xval[this->b]; @@ -140,6 +144,19 @@ METHOD(prf_t, get_bytes, void, /* 3.3 done already, mod q not used */ } +<<<<<<< HEAD +/** + * Implementation of prf_t.get_block_size. + */ +static size_t get_block_size(private_fips_prf_t *this) +{ + return 2 * this->b; +} +/** + * Implementation of prf_t.allocate_bytes. + */ +static void allocate_bytes(private_fips_prf_t *this, chunk_t seed, chunk_t *chunk) +======= METHOD(prf_t, get_block_size, size_t, private_fips_prf_t *this) { @@ -147,19 +164,34 @@ METHOD(prf_t, get_block_size, size_t, } METHOD(prf_t, allocate_bytes, void, private_fips_prf_t *this, chunk_t seed, chunk_t *chunk) +>>>>>>> upstream/4.5.1 { *chunk = chunk_alloc(get_block_size(this)); get_bytes(this, seed, chunk->ptr); } +<<<<<<< HEAD +/** + * Implementation of prf_t.get_key_size. + */ +static size_t get_key_size(private_fips_prf_t *this) +======= METHOD(prf_t, get_key_size, size_t, private_fips_prf_t *this) +>>>>>>> upstream/4.5.1 { return this->b; } +<<<<<<< HEAD +/** + * Implementation of prf_t.set_key. + */ +static void set_key(private_fips_prf_t *this, chunk_t key) +======= METHOD(prf_t, set_key, void, private_fips_prf_t *this, chunk_t key) +>>>>>>> upstream/4.5.1 { /* save key as "key mod 2^b" */ chunk_mod(this->b, key, this->key); 
@@ -191,8 +223,15 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[]) this->keyed_prf->get_bytes(this->keyed_prf, c, res); } +<<<<<<< HEAD +/** + * Implementation of prf_t.destroy. + */ +static void destroy(private_fips_prf_t *this) +======= METHOD(prf_t, destroy, void, private_fips_prf_t *this) +>>>>>>> upstream/4.5.1 { this->keyed_prf->destroy(this->keyed_prf); free(this->key); @@ -204,6 +243,16 @@ METHOD(prf_t, destroy, void, */ fips_prf_t *fips_prf_create(pseudo_random_function_t algo) { +<<<<<<< HEAD + private_fips_prf_t *this = malloc_thing(private_fips_prf_t); + + this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes; + this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes; + this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size; + this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size; + this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key; + this->public.prf_interface.destroy = (void (*) (prf_t *))destroy; +======= private_fips_prf_t *this; INIT(this, @@ -218,6 +267,7 @@ fips_prf_t *fips_prf_create(pseudo_random_function_t algo) }, }, ); +>>>>>>> upstream/4.5.1 switch (algo) { diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c index 3cce6ad91..202d6653a 100644 --- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c +++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c @@ -18,8 +18,11 @@ #include <library.h> #include "fips_prf.h" +<<<<<<< HEAD +======= static const char *plugin_name = "fips-prf"; +>>>>>>> upstream/4.5.1 typedef struct private_fips_prf_plugin_t private_fips_prf_plugin_t; /** 
@@ -33,8 +36,15 @@ struct private_fips_prf_plugin_t { fips_prf_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of fips_prf_plugin_t.destroy + */ +static void destroy(private_fips_prf_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_fips_prf_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->crypto->remove_prf(lib->crypto, (prf_constructor_t)fips_prf_create); @@ -46,6 +56,14 @@ METHOD(plugin_t, destroy, void, */ plugin_t *fips_prf_plugin_create() { +<<<<<<< HEAD + private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, + (prf_constructor_t)fips_prf_create); +======= private_fips_prf_plugin_t *this; prf_t *prf; @@ -64,6 +82,7 @@ plugin_t *fips_prf_plugin_create() lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, plugin_name, (prf_constructor_t)fips_prf_create); } +>>>>>>> upstream/4.5.1 return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index 9e0b49776..7f5a59abd 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c index a438fb073..984026778 100644 --- a/src/libstrongswan/plugins/gcm/gcm_plugin.c +++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c @@ -19,8 +19,11 @@ #include "gcm_aead.h" +<<<<<<< HEAD +======= static const char *plugin_name = "gcm"; +>>>>>>> upstream/4.5.1 typedef struct private_gcm_plugin_t private_gcm_plugin_t; /** @@ -49,12 +52,23 @@ METHOD(plugin_t, destroy, void, plugin_t *gcm_plugin_create() { private_gcm_plugin_t *this; +<<<<<<< HEAD +======= crypter_t *crypter; +>>>>>>> upstream/4.5.1 INIT(this, .public.plugin.destroy = _destroy, ); +<<<<<<< HEAD + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, + (aead_constructor_t)gcm_aead_create); +======= crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0); if (crypter) { @@ -66,6 +80,7 @@ plugin_t *gcm_plugin_create() lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, plugin_name, (aead_constructor_t)gcm_aead_create); } +>>>>>>> upstream/4.5.1 return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 1bcada7dc..bb4e29b3b 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index a53fed448..c709d497f 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -29,8 +29,11 @@ #include <errno.h> #include <gcrypt.h> +<<<<<<< HEAD +======= static const char *plugin_name = "gcrypt"; +>>>>>>> upstream/4.5.1 typedef struct private_gcrypt_plugin_t private_gcrypt_plugin_t; /** 
@@ -150,6 +153,81 @@ plugin_t *gcrypt_plugin_create() ); /* hashers */ +<<<<<<< HEAD + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_MD4, + (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_MD5, + (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + (hasher_constructor_t)gcrypt_hasher_create); + + /* crypters */ + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAST, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_DES, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, + (crypter_constructor_t)gcrypt_crypter_create); +#ifdef HAVE_GCRY_CIPHER_CAMELLIA + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, + (crypter_constructor_t)gcrypt_crypter_create); +#endif /* HAVE_GCRY_CIPHER_CAMELLIA */ + lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, + (crypter_constructor_t)gcrypt_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, + 
(crypter_constructor_t)gcrypt_crypter_create); + + /* random numbers */ + lib->crypto->add_rng(lib->crypto, RNG_WEAK, + (rng_constructor_t)gcrypt_rng_create); + lib->crypto->add_rng(lib->crypto, RNG_STRONG, + (rng_constructor_t)gcrypt_rng_create); + lib->crypto->add_rng(lib->crypto, RNG_TRUE, + (rng_constructor_t)gcrypt_rng_create); + + /* diffie hellman groups, using modp */ + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_224, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_256, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_1024_160, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + (dh_constructor_t)gcrypt_dh_create); + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, +======= lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, @@ -223,6 +301,7 @@ plugin_t *gcrypt_plugin_create() lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, +>>>>>>> upstream/4.5.1 (dh_constructor_t)gcrypt_dh_create_custom); /* RSA */ diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index f73bfb406..dde840936 100644 
--- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c index e9bfbcc28..798602e84 100644 --- a/src/libstrongswan/plugins/gmp/gmp_plugin.c +++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c @@ -20,8 +20,11 @@ #include "gmp_rsa_private_key.h" #include "gmp_rsa_public_key.h" +<<<<<<< HEAD +======= static const char *plugin_name = "gmp"; +>>>>>>> upstream/4.5.1 typedef struct private_gmp_plugin_t private_gmp_plugin_t; /** 
@@ -66,6 +69,32 @@ plugin_t *gmp_plugin_create() }, ); +<<<<<<< HEAD + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_224, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_256, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_1024_160, + (dh_constructor_t)gmp_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + (dh_constructor_t)gmp_diffie_hellman_create); + + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, +======= lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name, @@ -90,6 +119,7 @@ plugin_t *gmp_plugin_create() (dh_constructor_t)gmp_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, +>>>>>>> upstream/4.5.1 (dh_constructor_t)gmp_diffie_hellman_create_custom); lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index 72cc23b72..e8355ab21 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in 
@@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c index 76d6157ae..c15a29b1c 100644 --- a/src/libstrongswan/plugins/hmac/hmac_plugin.c +++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c @@ -19,8 +19,11 @@ #include "hmac_signer.h" #include "hmac_prf.h" +<<<<<<< HEAD +======= static const char *plugin_name = "hmac"; +>>>>>>> upstream/4.5.1 typedef struct private_hmac_plugin_t private_hmac_plugin_t; /** @@ -50,7 +53,10 @@ METHOD(plugin_t, destroy, void, plugin_t *hmac_plugin_create() { private_hmac_plugin_t *this; +<<<<<<< HEAD +======= hasher_t *hasher; +>>>>>>> upstream/4.5.1 INIT(this, .public = { 
@@ -60,6 +66,39 @@ plugin_t *hmac_plugin_create() }, ); +<<<<<<< HEAD + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, + (prf_constructor_t)hmac_prf_create); + + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, + (signer_constructor_t)hmac_signer_create); +======= hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (hasher) { @@ -116,6 +155,7 @@ plugin_t *hmac_plugin_create() lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, plugin_name, (signer_constructor_t)hmac_signer_create); } +>>>>>>> upstream/4.5.1 return &this->public.plugin; } 
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 7235784e2..7dd7e92f0 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c index e6c592217..57c367ca1 100644 --- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c +++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c @@ -100,8 +100,13 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response) } +<<<<<<< HEAD +static status_t fetch(private_ldap_fetcher_t *this, char *url, + chunk_t *result, va_list args) +======= METHOD(fetcher_t, fetch, status_t, private_ldap_fetcher_t *this, char *url, chunk_t *result) +>>>>>>> upstream/4.5.1 { LDAP *ldap; LDAPURLDesc *lurl; @@ -166,8 +171,15 @@ METHOD(fetcher_t, fetch, status_t, } +<<<<<<< HEAD +/** + * Implementation of fetcher_t.set_option. + */ +static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...) +======= METHOD(fetcher_t, set_option, bool, private_ldap_fetcher_t *this, fetcher_option_t option, ...) +>>>>>>> upstream/4.5.1 { va_list args; 
@@ -184,8 +196,15 @@ METHOD(fetcher_t, set_option, bool, } } +<<<<<<< HEAD +/** + * Implements ldap_fetcher_t.destroy + */ +static void destroy(private_ldap_fetcher_t *this) +======= METHOD(fetcher_t, destroy, void, private_ldap_fetcher_t *this) +>>>>>>> upstream/4.5.1 { free(this); } @@ -195,6 +214,15 @@ METHOD(fetcher_t, destroy, void, */ ldap_fetcher_t *ldap_fetcher_create() { +<<<<<<< HEAD + private_ldap_fetcher_t *this = malloc_thing(private_ldap_fetcher_t); + + this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch; + this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option; + this->public.interface.destroy = (void (*)(fetcher_t*))destroy; + + this->timeout = DEFAULT_TIMEOUT; +======= private_ldap_fetcher_t *this; INIT(this, @@ -207,6 +235,7 @@ ldap_fetcher_t *ldap_fetcher_create() }, .timeout = DEFAULT_TIMEOUT, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c index 3682ddd1f..434a023ce 100644 --- a/src/libstrongswan/plugins/ldap/ldap_plugin.c +++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c @@ -31,8 +31,15 @@ struct private_ldap_plugin_t { ldap_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of ldap_plugin_t.destroy + */ +static void destroy(private_ldap_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_ldap_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->fetcher->remove_fetcher(lib->fetcher, (fetcher_constructor_t)ldap_fetcher_create); @@ -44,6 +51,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *ldap_plugin_create() { +<<<<<<< HEAD + private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_ldap_plugin_t *this; INIT(this, 
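Review bot: In the ldap_fetcher_create hunk (`@@ -195,6 +214,15 @@`), the HEAD side casts `fetch` to `status_t(*)(fetcher_t*,char*,chunk_t*)`, but the HEAD-side definition of `fetch` on L831 takes a fourth `va_list args` parameter; calling a function through a pointer of a different prototype is undefined behaviour and the mismatch is silently hidden by the cast. The upstream side's `METHOD(fetcher_t, fetch, status_t, private_ldap_fetcher_t *this, char *url, chunk_t *result)` matches the three-argument interface and the `INIT(this, ...)` assignment needs no cast, so it is the side to keep. The same concern applies to the `set_option` and `destroy` casts on the HEAD side of this hunk.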
@@ -53,6 +65,7 @@ plugin_t *ldap_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->fetcher->add_fetcher(lib->fetcher, (fetcher_constructor_t)ldap_fetcher_create, "ldap://"); diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index ea1a7a69a..4f69538a8 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c index cea1a61f3..cdb0fe914 100644 --- a/src/libstrongswan/plugins/md4/md4_plugin.c +++ b/src/libstrongswan/plugins/md4/md4_plugin.c @@ -18,8 +18,11 @@ #include <library.h> #include "md4_hasher.h" +<<<<<<< HEAD +======= static const char *plugin_name = "md4"; +>>>>>>> upstream/4.5.1 typedef struct private_md4_plugin_t private_md4_plugin_t; /** @@ -33,8 +36,15 @@ struct private_md4_plugin_t { md4_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of md4_plugin_t.destroy + */ +static void destroy(private_md4_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_md4_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)md4_hasher_create); 
@@ -46,6 +56,13 @@ METHOD(plugin_t, destroy, void, */ plugin_t *md4_plugin_create() { +<<<<<<< HEAD + private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + lib->crypto->add_hasher(lib->crypto, HASH_MD4, +======= private_md4_plugin_t *this; INIT(this, @@ -57,6 +74,7 @@ plugin_t *md4_plugin_create() ); lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, +>>>>>>> upstream/4.5.1 (hasher_constructor_t)md4_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 05f101564..c0ffec7ad 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c index d11173817..015274ddf 100644 --- a/src/libstrongswan/plugins/md5/md5_plugin.c +++ b/src/libstrongswan/plugins/md5/md5_plugin.c @@ -18,8 +18,11 @@ #include <library.h> #include "md5_hasher.h" +<<<<<<< HEAD +======= static const char *plugin_name = "md5"; +>>>>>>> upstream/4.5.1 typedef struct private_md5_plugin_t private_md5_plugin_t; /** 
@@ -33,8 +36,15 @@ struct private_md5_plugin_t { md5_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of md5_plugin_t.destroy + */ +static void destroy(private_md5_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_md5_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)md5_hasher_create); @@ -46,6 +56,13 @@ METHOD(plugin_t, destroy, void, */ plugin_t *md5_plugin_create() { +<<<<<<< HEAD + private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + lib->crypto->add_hasher(lib->crypto, HASH_MD5, +======= private_md5_plugin_t *this; INIT(this, @@ -57,6 +74,7 @@ plugin_t *md5_plugin_create() ); lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, +>>>>>>> upstream/4.5.1 (hasher_constructor_t)md5_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 4880415b3..7a6c57dd1 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c index 5fbfa0f28..0b9f8285d 100644 
--- a/src/libstrongswan/plugins/mysql/mysql_database.c +++ b/src/libstrongswan/plugins/mysql/mysql_database.c @@ -474,8 +474,15 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...) return TRUE; } +<<<<<<< HEAD +/** + * Implementation of database_t.query. + */ +static enumerator_t* query(private_mysql_database_t *this, char *sql, ...) +======= METHOD(database_t, query, enumerator_t*, private_mysql_database_t *this, char *sql, ...) +>>>>>>> upstream/4.5.1 { MYSQL_STMT *stmt; va_list args; @@ -561,8 +568,15 @@ METHOD(database_t, query, enumerator_t*, return (enumerator_t*)enumerator; } +<<<<<<< HEAD +/** + * Implementation of database_t.execute. + */ +static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...) +======= METHOD(database_t, execute, int, private_mysql_database_t *this, int *rowid, char *sql, ...) +>>>>>>> upstream/4.5.1 { MYSQL_STMT *stmt; va_list args; @@ -590,14 +604,28 @@ METHOD(database_t, execute, int, return affected; } +<<<<<<< HEAD +/** + * Implementation of database_t.get_driver + */ +static db_driver_t get_driver(private_mysql_database_t *this) +======= METHOD(database_t, get_driver,db_driver_t, private_mysql_database_t *this) +>>>>>>> upstream/4.5.1 { return DB_MYSQL; } +<<<<<<< HEAD +/** + * Implementation of database_t.destroy + */ +static void destroy(private_mysql_database_t *this) +======= METHOD(database_t, destroy, void, private_mysql_database_t *this) +>>>>>>> upstream/4.5.1 { this->pool->destroy_function(this->pool, (void*)conn_destroy); this->mutex->destroy(this->mutex); 
@@ -669,6 +697,14 @@ mysql_database_t *mysql_database_create(char *uri) return NULL; } +<<<<<<< HEAD + this = malloc_thing(private_mysql_database_t); + + this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query; + this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute; + this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; + this->public.db.destroy = (void(*)(database_t*))destroy; +======= INIT(this, .public = { .db = { @@ -679,6 +715,7 @@ mysql_database_t *mysql_database_create(char *uri) }, }, ); +>>>>>>> upstream/4.5.1 if (!parse_uri(this, uri)) { diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c index 65d8681cb..738bbeddb 100644 --- a/src/libstrongswan/plugins/mysql/mysql_plugin.c +++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c @@ -32,8 +32,15 @@ struct private_mysql_plugin_t { mysql_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_mysql_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_mysql_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->db->remove_database(lib->db, (database_constructor_t)mysql_database_create); @@ -54,6 +61,10 @@ plugin_t *mysql_plugin_create() return NULL; } +<<<<<<< HEAD + this = malloc_thing(private_mysql_plugin_t); + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= INIT(this, .public = { .plugin = { @@ -61,6 +72,7 @@ plugin_t *mysql_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->db->add_database(lib->db, (database_constructor_t)mysql_database_create); diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index b43be29f1..4048bbd02 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in 
@@ -226,7 +226,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,8 +271,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index 58401faa5..7708af958 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -382,8 +382,11 @@ static private_openssl_crl_t *create_empty() }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, +<<<<<<< HEAD +======= .is_delta_crl = (void*)return_false, .create_delta_crl_uri_enumerator = (void*)enumerator_create_empty, +>>>>>>> upstream/4.5.1 .create_enumerator = _create_enumerator, }, }, @@ -460,6 +463,9 @@ static bool parse_extensions(private_openssl_crl_t *this) ok = parse_crlNumber_ext(this, ext); break; default: +<<<<<<< HEAD + ok = TRUE; +======= ok = X509_EXTENSION_get_critical(ext) == 0 || !lib->settings->get_bool(lib->settings, "libstrongswan.x509.enforce_critical", TRUE); @@ -468,6 +474,7 @@ static bool parse_extensions(private_openssl_crl_t *this) DBG1(DBG_LIB, "found unsupported critical X.509 " "CRL extension"); } +>>>>>>> upstream/4.5.1 break; } if (!ok) diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 0050572ee..cf48b4c15 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c 
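Review bot: In the `default:` branch of parse_extensions in openssl_crl.c, the HEAD side of the conflict sets `ok = TRUE;` for every extension the plugin does not recognise, whereas the upstream/4.5.1 side only accepts an unrecognised extension when it is non-critical or `libstrongswan.x509.enforce_critical` has been turned off. Resolving toward HEAD would make the CRL parser silently accept CRLs carrying critical extensions it cannot evaluate, which RFC 5280 tells a relying party to reject, so keep the upstream branch together with the `DBG1(DBG_LIB, "found unsupported critical X.509 CRL extension")` message that makes the rejection visible in the log. In the create_empty hunk just above it, the HEAD side lacks the `.is_delta_crl` and `.create_delta_crl_uri_enumerator` initialisers, so taking HEAD there would leave those function pointers unset in an interface that presumably expects them after this merge. The enclosing parse_extensions function starts outside this hunk, and the same HEAD/upstream pair appears in openssl_x509.c's parse_extensions later in this chunk.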
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -41,8 +41,11 @@ #include "openssl_x509.h" #include "openssl_crl.h" +<<<<<<< HEAD +======= static const char *plugin_name = "openssl"; +>>>>>>> upstream/4.5.1 typedef struct private_openssl_plugin_t private_openssl_plugin_t; /** 
@@ -274,6 +277,87 @@ plugin_t *openssl_plugin_create() } /* crypter */ +<<<<<<< HEAD + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_RC5, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAST, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_DES, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, + (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_NULL, + (crypter_constructor_t)openssl_crypter_create); + + /* hasher */ + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_MD2, + (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_MD4, + (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_MD5, + (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + (hasher_constructor_t)openssl_hasher_create); + + /* prf */ + lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, + 
(prf_constructor_t)openssl_sha1_prf_create); + + /* (ec) diffie hellman */ + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_224, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_2048_256, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); +#ifndef OPENSSL_NO_EC + lib->crypto->add_dh(lib->crypto, ECP_256_BIT, + (dh_constructor_t)openssl_ec_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, ECP_384_BIT, + (dh_constructor_t)openssl_ec_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, ECP_521_BIT, + (dh_constructor_t)openssl_ec_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, ECP_224_BIT, + (dh_constructor_t)openssl_ec_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, ECP_192_BIT, + (dh_constructor_t)openssl_ec_diffie_hellman_create); +#endif /* OPENSSL_NO_EC */ + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_1024_160, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + (dh_constructor_t)openssl_diffie_hellman_create); + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, +======= lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)openssl_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 
plugin_name, @@ -353,6 +437,7 @@ plugin_t *openssl_plugin_create() lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, +>>>>>>> upstream/4.5.1 (dh_constructor_t)openssl_diffie_hellman_create); /* rsa */ diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index f7495b2ae..7c7f2aa06 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -84,7 +84,11 @@ struct private_openssl_x509_t { /** * Pathlen constraint */ +<<<<<<< HEAD + int pathlen; +======= u_char pathlen; +>>>>>>> upstream/4.5.1 /** * certificate subject @@ -137,7 +141,11 @@ struct private_openssl_x509_t { linked_list_t *issuerAltNames; /** +<<<<<<< HEAD + * List of CRL URIs +======= * List of CRL URIs, as x509_cdp_t +>>>>>>> upstream/4.5.1 */ linked_list_t *crl_uris; @@ -153,6 +161,8 @@ struct private_openssl_x509_t { }; /** +<<<<<<< HEAD +======= * Destroy a CRL URI struct */ static void crl_uri_destroy(x509_cdp_t *this) @@ -163,6 +173,7 @@ static void crl_uri_destroy(x509_cdp_t *this) } /** +>>>>>>> upstream/4.5.1 * Convert a GeneralName to an identification_t. */ static identification_t *general_name2id(GENERAL_NAME *name) @@ -250,6 +261,12 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t, return chunk_empty; } +<<<<<<< HEAD +METHOD(x509_t, get_pathLenConstraint, int, + private_openssl_x509_t *this) +{ + return this->pathlen; +======= METHOD(x509_t, get_constraint, u_int, private_openssl_x509_t *this, x509_constraint_t type) { @@ -260,6 +277,7 @@ METHOD(x509_t, get_constraint, u_int, default: return X509_NO_CONSTRAINT; } +>>>>>>> upstream/4.5.1 } METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, 
@@ -280,6 +298,16 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, return this->ocsp_uris->create_enumerator(this->ocsp_uris); } +<<<<<<< HEAD +METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + /* TODO */ + return enumerator_create_empty(); +} + +======= +>>>>>>> upstream/4.5.1 METHOD(certificate_t, get_type, certificate_type_t, private_openssl_x509_t *this) { @@ -492,7 +520,11 @@ METHOD(certificate_t, destroy, void, offsetof(identification_t, destroy)); this->issuerAltNames->destroy_offset(this->issuerAltNames, offsetof(identification_t, destroy)); +<<<<<<< HEAD + this->crl_uris->destroy_function(this->crl_uris, free); +======= this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); +>>>>>>> upstream/4.5.1 this->ocsp_uris->destroy_function(this->ocsp_uris, free); free(this); } @@ -526,6 +558,13 @@ static private_openssl_x509_t *create_empty() .get_serial = _get_serial, .get_subjectKeyIdentifier = _get_subjectKeyIdentifier, .get_authKeyIdentifier = _get_authKeyIdentifier, +<<<<<<< HEAD + .get_pathLenConstraint = _get_pathLenConstraint, + .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, + .create_crl_uri_enumerator = _create_crl_uri_enumerator, + .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator, + .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator, +======= .get_constraint = _get_constraint, .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, .create_crl_uri_enumerator = _create_crl_uri_enumerator, 
@@ -534,13 +573,18 @@ static private_openssl_x509_t *create_empty() .create_name_constraint_enumerator = (void*)enumerator_create_empty, .create_cert_policy_enumerator = (void*)enumerator_create_empty, .create_policy_mapping_enumerator = (void*)enumerator_create_empty, +>>>>>>> upstream/4.5.1 }, }, .subjectAltNames = linked_list_create(), .issuerAltNames = linked_list_create(), .crl_uris = linked_list_create(), .ocsp_uris = linked_list_create(), +<<<<<<< HEAD + .pathlen = X509_NO_PATH_LEN_CONSTRAINT, +======= .pathlen = X509_NO_CONSTRAINT, +>>>>>>> upstream/4.5.1 .ref = 1, ); @@ -586,7 +630,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this, X509_EXTENSION *ext) { BASIC_CONSTRAINTS *constraints; +<<<<<<< HEAD +======= long pathlen; +>>>>>>> upstream/4.5.1 constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext); if (constraints) @@ -597,10 +644,14 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this, } if (constraints->pathlen) { +<<<<<<< HEAD + this->pathlen = ASN1_INTEGER_get(constraints->pathlen); +======= pathlen = ASN1_INTEGER_get(constraints->pathlen); this->pathlen = (pathlen >= 0 && pathlen < 128) ? pathlen : X509_NO_CONSTRAINT; +>>>>>>> upstream/4.5.1 } BASIC_CONSTRAINTS_free(constraints); return TRUE; @@ -616,10 +667,16 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { CRL_DIST_POINTS *cdps; DIST_POINT *cdp; +<<<<<<< HEAD + identification_t *id; + char *uri; + int i, j, point_num, name_num; +======= identification_t *id, *issuer; x509_cdp_t *entry; char *uri; int i, j, k, point_num, name_num, issuer_num; +>>>>>>> upstream/4.5.1 cdps = X509V3_EXT_d2i(ext); if (!cdps) @@ -644,6 +701,9 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { if (asprintf(&uri, "%Y", id) > 0) { +<<<<<<< HEAD + this->crl_uris->insert_first(this->crl_uris, uri); +======= if (cdp->CRLissuer) { issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer); 
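Review bot: In the parse_basicConstraints_ext hunk (`@@ -597,10 +644,14 @@`), the HEAD side stores `ASN1_INTEGER_get(constraints->pathlen)` into `this->pathlen` unchecked, while the upstream/4.5.1 side keeps the value in a `long` and only accepts `pathlen >= 0 && pathlen < 128`, falling back to `X509_NO_CONSTRAINT` otherwise. Since the struct hunk earlier in this chunk changes the field to `u_char pathlen`, a resolution that takes the new field type but HEAD's assignment would let a negative value, or the -1 that ASN1_INTEGER_get returns for an integer that does not fit a long, wrap into a small positive path length for a certificate supplied by the peer. The pathlen handling has to be resolved as one unit across the struct field, the `get_pathLenConstraint`/`get_constraint` accessor, the `.pathlen = X509_NO_PATH_LEN_CONSTRAINT` versus `.pathlen = X509_NO_CONSTRAINT` initialiser in the create_empty hunk on this line, and this bounds check; mixing sides will not compile, and the upstream side is the one that validates its input. The enclosing parse_basicConstraints_ext function starts outside the hunk.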
@@ -670,12 +730,16 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, ); this->crl_uris->insert_last(this->crl_uris, entry); } +>>>>>>> upstream/4.5.1 } id->destroy(id); } } } +<<<<<<< HEAD +======= +>>>>>>> upstream/4.5.1 DIST_POINT_free(cdp); } } @@ -808,6 +872,9 @@ static bool parse_extensions(private_openssl_x509_t *this) ok = parse_crlDistributionPoints_ext(this, ext); break; default: +<<<<<<< HEAD + ok = TRUE; +======= ok = X509_EXTENSION_get_critical(ext) == 0 || !lib->settings->get_bool(lib->settings, "libstrongswan.x509.enforce_critical", TRUE); @@ -815,6 +882,7 @@ static bool parse_extensions(private_openssl_x509_t *this) { DBG1(DBG_LIB, "found unsupported critical X.509 extension"); } +>>>>>>> upstream/4.5.1 break; } if (!ok) @@ -872,6 +940,8 @@ static bool parse_certificate(private_openssl_x509_t *this) { return FALSE; } +<<<<<<< HEAD +======= if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2) { DBG1(DBG_LIB, "unsupported x509 version: %d", @@ -879,6 +949,7 @@ static bool parse_certificate(private_openssl_x509_t *this) return FALSE; } +>>>>>>> upstream/4.5.1 this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509)); this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509)); @@ -922,7 +993,11 @@ static bool parse_certificate(private_openssl_x509_t *this) if (!parse_extensions(this)) { +<<<<<<< HEAD + return TRUE; +======= return FALSE; +>>>>>>> upstream/4.5.1 } parse_extKeyUsage(this); diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 7c89d0abd..24c7441d7 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in 
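Review bot: In the last hunk of openssl_x509.c (`@@ -922,7 +993,11 @@`), the HEAD side has parse_certificate `return TRUE;` when `parse_extensions(this)` fails, while upstream returns `FALSE`. Taking HEAD's line would report a certificate whose extensions could not be parsed as successfully loaded, and because the return happens before `parse_extKeyUsage(this);` it would also skip extended-key-usage parsing for exactly those certificates, so `return FALSE;` is the side to keep. The neighbouring hunks on this line point the same way: the upstream side of the `default:` branch in parse_extensions rejects unknown critical extensions (subject to `libstrongswan.x509.enforce_critical`) where HEAD sets `ok = TRUE`, and the `@@ -872,6 +940,8 @@` hunk adds a check that `X509_get_version` lies within 0..2 and fails parsing otherwise, which HEAD lacks entirely. parse_certificate and parse_extensions both begin outside their hunks.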
@@ -222,7 +222,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,8 +267,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index 695823acf..a78f2076b 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -23,8 +23,11 @@ #include <library.h> #include <debug.h> +<<<<<<< HEAD +======= static const char *plugin_name = "padlock"; +>>>>>>> upstream/4.5.1 typedef struct private_padlock_plugin_t private_padlock_plugin_t; typedef enum padlock_feature_t padlock_feature_t; 
@@ -163,21 +166,37 @@ plugin_t *padlock_plugin_create() if (this->features & PADLOCK_RNG_ENABLED) { +<<<<<<< HEAD + lib->crypto->add_rng(lib->crypto, RNG_TRUE, + (rng_constructor_t)padlock_rng_create); + lib->crypto->add_rng(lib->crypto, RNG_STRONG, + (rng_constructor_t)padlock_rng_create); + lib->crypto->add_rng(lib->crypto, RNG_WEAK, +======= lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, (rng_constructor_t)padlock_rng_create); lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)padlock_rng_create); lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name, +>>>>>>> upstream/4.5.1 (rng_constructor_t)padlock_rng_create); } if (this->features & PADLOCK_ACE2_ENABLED) { +<<<<<<< HEAD + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, +======= lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, +>>>>>>> upstream/4.5.1 (crypter_constructor_t)padlock_aes_crypter_create); } if (this->features & PADLOCK_PHE_ENABLED) { +<<<<<<< HEAD + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, +======= lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, +>>>>>>> upstream/4.5.1 (hasher_constructor_t)padlock_sha1_hasher_create); } return &this->public.plugin; diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index 60740eb35..5a2469145 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index 9c8237e4d..2a69e4ea6 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -111,7 +111,11 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, } /* compute and allocate maximum size of PEM object */ +<<<<<<< HEAD + pem_chars = 4*(asn1.len + 2)/3; +======= pem_chars = 4 * ((asn1.len + 2) / 3); +>>>>>>> upstream/4.5.1 pem_lines = (asn1.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE; *encoding = chunk_alloc(5 + 2*(6 + strlen(label) + 6) + 3 + pem_chars + pem_lines); pos = encoding->ptr; diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c index f2415a318..0e6a4788c 100644 --- a/src/libstrongswan/plugins/pem/pem_plugin.c +++ b/src/libstrongswan/plugins/pem/pem_plugin.c @@ -33,8 +33,15 @@ struct private_pem_plugin_t { pem_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of pem_plugin_t.pemtroy + */ +static void destroy(private_pem_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_pem_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->creds->remove_builder(lib->creds, (builder_function_t)pem_private_key_load); @@ -50,6 +57,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *pem_plugin_create() { +<<<<<<< HEAD + private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_pem_plugin_t *this; INIT(this, 
@@ -59,6 +71,7 @@ plugin_t *pem_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 /* register private key PEM decoding builders */ lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE, diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index ab14f8ced..336e293be 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c index eaf0a1088..762eb061f 100644 --- a/src/libstrongswan/plugins/pgp/pgp_plugin.c +++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c @@ -33,8 +33,15 @@ struct private_pgp_plugin_t { pgp_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of pgp_plugin_t.pgptroy + */ +static void destroy(private_pgp_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_pgp_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->creds->remove_builder(lib->creds, (builder_function_t)pgp_public_key_load); @@ -54,6 +61,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *pgp_plugin_create() { +<<<<<<< HEAD + private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + +======= private_pgp_plugin_t *this; INIT(this, 
@@ -63,6 +76,7 @@ plugin_t *pgp_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pgp_public_key_load); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, @@ -71,8 +85,15 @@ plugin_t *pgp_plugin_create() (builder_function_t)pgp_private_key_load); lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)pgp_private_key_load); +<<<<<<< HEAD + + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE, + (builder_function_t)pgp_cert_load); + +======= lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE, (builder_function_t)pgp_cert_load); +>>>>>>> upstream/4.5.1 lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 8ed4a08e9..2169d022c 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c index 33732f8a4..d91de0e7f 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c 
@@ -32,8 +32,15 @@ struct private_pkcs1_plugin_t { pkcs1_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of pkcs1_plugin_t.pkcs1troy + */ +static void destroy(private_pkcs1_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_pkcs1_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->creds->remove_builder(lib->creds, (builder_function_t)pkcs1_public_key_load); @@ -50,6 +57,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *pkcs1_plugin_create() { +<<<<<<< HEAD + private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_pkcs1_plugin_t *this; INIT(this, @@ -59,6 +71,7 @@ plugin_t *pkcs1_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pkcs1_public_key_load); diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index 6c03b0497..8d6bad565 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c index a81ec1147..6783699e5 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c 
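Review bot: If the HEAD side of the pkcs1_plugin.c `destroy` conflict is the one kept, its doc comment `Implementation of pkcs1_plugin_t.pkcs1troy` is a search-and-replace artefact — the same mangling appears as `pgptroy` in pgp_plugin.c, `pubkeytroy` in pubkey_plugin.c and `gmptroy` in random_plugin.c further down. The comment should read `Implementation of plugin_t.destroy`, since that is the interface slot the function is assigned to via `this->public.plugin.destroy = (void(*)(plugin_t*))destroy;`. The upstream `METHOD(plugin_t, destroy, void, ...)` form needs no such comment and matches the other 4.5.1 plugins in this diff.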
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c @@ -55,6 +55,16 @@ struct private_pkcs11_creds_t { * Find certificates, optionally trusted */ static void find_certificates(private_pkcs11_creds_t *this, +<<<<<<< HEAD + CK_SESSION_HANDLE session, CK_BBOOL trusted) +{ + CK_OBJECT_CLASS class = CKO_CERTIFICATE; + CK_CERTIFICATE_TYPE type = CKC_X_509; + CK_ATTRIBUTE tmpl[] = { + {CKA_CLASS, &class, sizeof(class)}, + {CKA_CERTIFICATE_TYPE, &type, sizeof(type)}, + {CKA_TRUSTED, &trusted, sizeof(trusted)}, +======= CK_SESSION_HANDLE session) { CK_OBJECT_CLASS class = CKO_CERTIFICATE; @@ -63,12 +73,16 @@ static void find_certificates(private_pkcs11_creds_t *this, CK_ATTRIBUTE tmpl[] = { {CKA_CLASS, &class, sizeof(class)}, {CKA_CERTIFICATE_TYPE, &type, sizeof(type)}, +>>>>>>> upstream/4.5.1 }; CK_OBJECT_HANDLE object; CK_ATTRIBUTE attr[] = { {CKA_VALUE, NULL, 0}, {CKA_LABEL, NULL, 0}, +<<<<<<< HEAD +======= {CKA_TRUSTED, &trusted, sizeof(trusted)} +>>>>>>> upstream/4.5.1 }; enumerator_t *enumerator; linked_list_t *raw; @@ -76,6 +90,13 @@ static void find_certificates(private_pkcs11_creds_t *this, struct { chunk_t value; chunk_t label; +<<<<<<< HEAD + } *entry; + + raw = linked_list_create(); + enumerator = this->lib->create_object_enumerator(this->lib, + session, tmpl, countof(tmpl), attr, countof(attr)); +======= bool trusted; } *entry; int count = countof(attr); @@ -89,6 +110,7 @@ static void find_certificates(private_pkcs11_creds_t *this, } enumerator = this->lib->create_object_enumerator(this->lib, session, tmpl, countof(tmpl), attr, count); +>>>>>>> upstream/4.5.1 while (enumerator->enumerate(enumerator, &object)) { entry = malloc(sizeof(*entry)); 
@@ -96,7 +118,10 @@ static void find_certificates(private_pkcs11_creds_t *this, chunk_create(attr[0].pValue, attr[0].ulValueLen)); entry->label = chunk_clone( chunk_create(attr[1].pValue, attr[1].ulValueLen)); +<<<<<<< HEAD +======= entry->trusted = trusted; +>>>>>>> upstream/4.5.1 raw->insert_last(raw, entry); } enumerator->destroy(enumerator); @@ -109,10 +134,17 @@ static void find_certificates(private_pkcs11_creds_t *this, if (cert) { DBG1(DBG_CFG, " loaded %strusted cert '%.*s'", +<<<<<<< HEAD + trusted ? "" : "un", entry->label.len, entry->label.ptr); + /* trusted certificates are also returned as untrusted */ + this->untrusted->insert_last(this->untrusted, cert); + if (trusted) +======= entry->trusted ? "" : "un", entry->label.len, entry->label.ptr); /* trusted certificates are also returned as untrusted */ this->untrusted->insert_last(this->untrusted, cert); if (entry->trusted) +>>>>>>> upstream/4.5.1 { this->trusted->insert_last(this->trusted, cert->get_ref(cert)); } @@ -145,7 +177,12 @@ static bool load_certificates(private_pkcs11_creds_t *this) return FALSE; } +<<<<<<< HEAD + find_certificates(this, session, CK_TRUE); + find_certificates(this, session, CK_FALSE); +======= find_certificates(this, session); +>>>>>>> upstream/4.5.1 this->lib->f->C_CloseSession(session); return TRUE; diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c index 6f7926808..6d819da34 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c @@ -466,11 +466,14 @@ struct private_pkcs11_library_t { * Name as passed to the constructor */ char *name; +<<<<<<< HEAD +======= /** * Supported feature set */ pkcs11_feature_t features; +>>>>>>> upstream/4.5.1 }; METHOD(pkcs11_library_t, get_name, char*, 
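Review bot: On the upstream side, `entry->trusted = trusted;` copies whatever the enumeration left in `trusted` for the current object, and `trusted` is only written when the `{CKA_TRUSTED, &trusted, sizeof(trusted)}` slot is both still covered by `count` and actually returned by the token (the declaration of `trusted` and the code that adjusts `count` lie between the hunks, outside the visible lines). If either is not the case for an object, the value read for the previous object carries over, and a certificate the token never marked trusted is inserted into `this->trusted` with it. Resetting the flag at the top of the loop body, `trusted = CK_FALSE;` immediately after `while (enumerator->enumerate(enumerator, &object))`, keeps a fail-safe default regardless of how `count` was adjusted; this should be confirmed against what `create_object_enumerator` does for attributes it cannot read, which is not shown here. The HEAD side sidestepped this by searching with CKA_TRUSTED in `tmpl` in two passes, at the cost of presumably skipping objects that lack the attribute entirely.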
@@ -479,12 +482,15 @@ METHOD(pkcs11_library_t, get_name, char*, return this->name; } +<<<<<<< HEAD +======= METHOD(pkcs11_library_t, get_features, pkcs11_feature_t, private_pkcs11_library_t *this) { return this->features; } +>>>>>>> upstream/4.5.1 /** * Object enumerator */ @@ -777,6 +783,11 @@ static CK_RV UnlockMutex(CK_VOID_PTR data) } /** +<<<<<<< HEAD + * Initialize a PKCS#11 library + */ +static bool initialize(private_pkcs11_library_t *this, char *name, char *file) +======= * Check if the library has at least a given cryptoki version */ static bool has_version(CK_INFO *info, int major, int minor) @@ -803,19 +814,27 @@ static void check_features(private_pkcs11_library_t *this, CK_INFO *info) */ static bool initialize(private_pkcs11_library_t *this, char *name, char *file, bool os_locking) +>>>>>>> upstream/4.5.1 { CK_C_GetFunctionList pC_GetFunctionList; CK_INFO info; CK_RV rv; +<<<<<<< HEAD + CK_C_INITIALIZE_ARGS args = { +======= static CK_C_INITIALIZE_ARGS args = { +>>>>>>> upstream/4.5.1 .CreateMutex = CreateMutex, .DestroyMutex = DestroyMutex, .LockMutex = LockMutex, .UnlockMutex = UnlockMutex, }; +<<<<<<< HEAD +======= static CK_C_INITIALIZE_ARGS args_os = { .flags = CKF_OS_LOCKING_OK, }; +>>>>>>> upstream/4.5.1 pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList"); if (!pC_GetFunctionList) @@ -830,6 +849,16 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file, name, ck_rv_names, rv); return FALSE; } +<<<<<<< HEAD + + rv = this->public.f->C_Initialize(&args); + if (rv == CKR_CANT_LOCK) + { /* try OS locking */ + memset(&args, 0, sizeof(args)); + args.flags = CKF_OS_LOCKING_OK; + rv = this->public.f->C_Initialize(&args); + } +======= if (os_locking) { rv = CKR_CANT_LOCK; 
@@ -843,6 +872,7 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file, os_locking = TRUE; rv = this->public.f->C_Initialize(&args_os); } +>>>>>>> upstream/4.5.1 if (rv != CKR_OK) { DBG1(DBG_CFG, "C_Initialize() error for '%s': %N", @@ -868,26 +898,40 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file, DBG1(DBG_CFG, " %s: %s v%d.%d", info.manufacturerID, info.libraryDescription, info.libraryVersion.major, info.libraryVersion.minor); +<<<<<<< HEAD + if (args.flags & CKF_OS_LOCKING_OK) + { + DBG1(DBG_CFG, " uses OS locking functions"); + } +======= if (os_locking) { DBG1(DBG_CFG, " uses OS locking functions"); } check_features(this, &info); +>>>>>>> upstream/4.5.1 return TRUE; } /** * See header */ +<<<<<<< HEAD +pkcs11_library_t *pkcs11_library_create(char *name, char *file) +======= pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking) +>>>>>>> upstream/4.5.1 { private_pkcs11_library_t *this; INIT(this, .public = { .get_name = _get_name, +<<<<<<< HEAD +======= .get_features = _get_features, +>>>>>>> upstream/4.5.1 .create_object_enumerator = _create_object_enumerator, .create_mechanism_enumerator = _create_mechanism_enumerator, .destroy = _destroy, @@ -903,7 +947,11 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking) return NULL; } +<<<<<<< HEAD + if (!initialize(this, name, file)) +======= if (!initialize(this, name, file, os_locking)) +>>>>>>> upstream/4.5.1 { dlclose(this->handle); free(this); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h index abe023448..384258089 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h 
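Review bot: The two sides of `initialize` disagree on the storage of `args` — HEAD declares `CK_C_INITIALIZE_ARGS args` on the stack and, in its `rv == CKR_CANT_LOCK` retry, does `memset(&args, 0, sizeof(args))` before setting `CKF_OS_LOCKING_OK`, whereas upstream declares `static CK_C_INITIALIZE_ARGS args` with the mutex callbacks plus a separate `static CK_C_INITIALIZE_ARGS args_os`. If the resolution ends up with HEAD's retry block next to upstream's `static` declaration, the retry wipes the `CreateMutex`/`LockMutex` callbacks in a static that every subsequently loaded PKCS#11 module shares, so the next module in the same process is initialised without locking callbacks. Keep upstream's pair (`args` never modified, `args_os` for the OS-locking retry) together with the `if (os_locking)` report and the `check_features(this, &info);` call, and drop HEAD's memset block; the `os_locking` parameter is what `pkcs11_library_create` receives from pkcs11_manager.c. `initialize` starts in the preceding hunks.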
@@ -21,7 +21,10 @@ #ifndef PKCS11_LIBRARY_H_ #define PKCS11_LIBRARY_H_ +<<<<<<< HEAD +======= typedef enum pkcs11_feature_t pkcs11_feature_t; +>>>>>>> upstream/4.5.1 typedef struct pkcs11_library_t pkcs11_library_t; #include "pkcs11.h" @@ -30,6 +33,8 @@ typedef struct pkcs11_library_t pkcs11_library_t; #include <utils/enumerator.h> /** +<<<<<<< HEAD +======= * Optional PKCS#11 features some libraries support, some not */ enum pkcs11_feature_t { @@ -40,6 +45,7 @@ enum pkcs11_feature_t { }; /** +>>>>>>> upstream/4.5.1 * A loaded and initialized PKCS#11 library. */ struct pkcs11_library_t { @@ -57,6 +63,8 @@ struct pkcs11_library_t { char* (*get_name)(pkcs11_library_t *this); /** +<<<<<<< HEAD +======= * Get the feature set supported by this library. * * @return ORed set of features supported @@ -64,6 +72,7 @@ struct pkcs11_library_t { pkcs11_feature_t (*get_features)(pkcs11_library_t *this); /** +>>>>>>> upstream/4.5.1 * Create an enumerator over CK_OBJECT_HANDLE using a search template. * * An optional attribute array is automatically filled in with the @@ -121,9 +130,15 @@ void pkcs11_library_trim(char *str, int len); * * @param name an arbitrary name, for debugging * @param file pkcs11 library file to dlopen() +<<<<<<< HEAD + * @return library abstraction + */ +pkcs11_library_t *pkcs11_library_create(char *name, char *file); +======= * @param os_lock enforce OS Locking for this library * @return library abstraction */ pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_lock); +>>>>>>> upstream/4.5.1 #endif /** PKCS11_LIBRARY_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c index 9308e9c25..b7ca3538c 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c 
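Review bot: The header names the new parameter `os_lock` — `@param os_lock enforce OS Locking for this library` and `bool os_lock` in the `pkcs11_library_create` prototype — while the definition in pkcs11_library.c calls it `os_locking` and pkcs11_manager.c reads it from the `libstrongswan.plugins.pkcs11.modules.%s.os_locking` setting. Using the same name in all three places, `@param os_locking enforce OS locking (CKF_OS_LOCKING_OK) for this library` and `bool os_locking`, keeps the declaration greppable against the setting it is driven by.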
@@ -373,10 +373,14 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, free(entry); continue; } +<<<<<<< HEAD + entry->lib = pkcs11_library_create(module, entry->path); +======= entry->lib = pkcs11_library_create(module, entry->path, lib->settings->get_bool(lib->settings, "libstrongswan.plugins.pkcs11.modules.%s.os_locking", FALSE, module)); +>>>>>>> upstream/4.5.1 if (!entry->lib) { free(entry); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c index 071d2f782..b02873870 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c @@ -26,8 +26,11 @@ #include "pkcs11_public_key.h" #include "pkcs11_hasher.h" +<<<<<<< HEAD +======= static const char *plugin_name = "pkcs11"; +>>>>>>> upstream/4.5.1 typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t; /** @@ -148,6 +151,19 @@ plugin_t *pkcs11_plugin_create() if (lib->settings->get_bool(lib->settings, "libstrongswan.plugins.pkcs11.use_hasher", FALSE)) { +<<<<<<< HEAD + lib->crypto->add_hasher(lib->crypto, HASH_MD2, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_MD5, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + (hasher_constructor_t)pkcs11_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, +======= lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, 
@@ -159,6 +175,7 @@ plugin_t *pkcs11_plugin_create() lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, +>>>>>>> upstream/4.5.1 (hasher_constructor_t)pkcs11_hasher_create); } diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index b4cc7a805..6d2c93c98 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -401,6 +401,20 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid) }; CK_OBJECT_HANDLE object; CK_KEY_TYPE type; +<<<<<<< HEAD + CK_BBOOL reauth; + CK_ATTRIBUTE attr[] = { + {CKA_KEY_TYPE, &type, sizeof(type)}, + {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)}, + {CKA_MODULUS, NULL, 0}, + {CKA_PUBLIC_EXPONENT, NULL, 0}, + }; + enumerator_t *enumerator; + chunk_t modulus, pubexp; + + enumerator = this->lib->create_object_enumerator(this->lib, + this->session, tmpl, countof(tmpl), attr, countof(attr)); +======= CK_BBOOL reauth = FALSE; CK_ATTRIBUTE attr[] = { {CKA_KEY_TYPE, &type, sizeof(type)}, 
@@ -419,18 +433,28 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid) } enumerator = this->lib->create_object_enumerator(this->lib, this->session, tmpl, countof(tmpl), attr, count); +>>>>>>> upstream/4.5.1 if (enumerator->enumerate(enumerator, &object)) { switch (type) { case CKK_RSA: +<<<<<<< HEAD + if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1) +======= if (attr[1].ulValueLen == -1 || attr[2].ulValueLen == -1) +>>>>>>> upstream/4.5.1 { DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed"); break; } +<<<<<<< HEAD + modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen); + pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen); +======= modulus = chunk_create(attr[1].pValue, attr[1].ulValueLen); pubexp = chunk_create(attr[2].pValue, attr[2].ulValueLen); +>>>>>>> upstream/4.5.1 this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, BUILD_RSA_MODULUS, modulus, BUILD_RSA_PUB_EXP, pubexp, BUILD_END); diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index 473db5ccf..4429d9436 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -50,6 +50,17 @@ struct private_plugin_loader_t { linked_list_t *names; }; +<<<<<<< HEAD +#ifdef MONOLITHIC +/** + * load a single plugin in monolithic mode + */ +static plugin_t* load_plugin(private_plugin_loader_t *this, + char *path, char *name) +{ + char create[128]; + plugin_t *plugin; +======= /** * create a plugin * returns: NOT_FOUND, if the constructor was not found 
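Review bot: The attribute indices in the `case CKK_RSA:` branch are bound to whichever side of `attr[]` survives — HEAD's four-entry array (`CKA_KEY_TYPE`, `CKA_ALWAYS_AUTHENTICATE`, `CKA_MODULUS`, `CKA_PUBLIC_EXPONENT`) reads the modulus and exponent from `attr[2]`/`attr[3]`, upstream's array from `attr[1]`/`attr[2]`. Resolving the two conflicts independently (HEAD's array with upstream's indices, or the reverse) still compiles but builds the public key from the wrong attribute: with HEAD's array, `attr[1].pValue` is the one-byte `reauth` flag, so the "modulus" handed to `lib->creds->create(...)` is a single byte and the resulting key can match nothing. Take the declaration hunk and this hunk from the same side, and if HEAD's array is kept, initialise the flag as upstream does, `CK_BBOOL reauth = FALSE;`, so an unreadable `CKA_ALWAYS_AUTHENTICATE` does not leave it undefined. `find_key` begins in the previous hunk.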
@@ -59,11 +70,36 @@ static status_t create_plugin(private_plugin_loader_t *this, void *handle, char *name, bool integrity, plugin_t **plugin) { char create[128]; +>>>>>>> upstream/4.5.1 plugin_constructor_t constructor; if (snprintf(create, sizeof(create), "%s_plugin_create", name) >= sizeof(create)) { +<<<<<<< HEAD + return NULL; + } + translate(create, "-", "_"); + constructor = dlsym(RTLD_DEFAULT, create); + if (constructor == NULL) + { + DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name, + create); + return NULL; + } + plugin = constructor(); + if (plugin == NULL) + { + DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name, + create); + return NULL; + } + DBG2(DBG_LIB, "plugin '%s': loaded successfully", name); + + return plugin; +} +#else +======= return FAILED; } translate(create, "-", "_"); @@ -95,12 +131,29 @@ static status_t create_plugin(private_plugin_loader_t *this, void *handle, return SUCCESS; } +>>>>>>> upstream/4.5.1 /** * load a single plugin */ static plugin_t* load_plugin(private_plugin_loader_t *this, char *path, char *name) { +<<<<<<< HEAD + char create[128]; + char file[PATH_MAX]; + void *handle; + plugin_t *plugin; + plugin_constructor_t constructor; + + if (snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, + name) >= sizeof(file) || + snprintf(create, sizeof(create), "%s_plugin_create", + name) >= sizeof(create)) + { + return NULL; + } + translate(create, "-", "_"); +======= char file[PATH_MAX]; void *handle; plugin_t *plugin; @@ -121,6 +174,7 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, { return NULL; } +>>>>>>> upstream/4.5.1 if (lib->integrity) { if (!lib->integrity->check_file(lib->integrity, name, file)) 
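Review bot: The name-length failure is silent on both sides — HEAD's `load_plugin` returns NULL when `snprintf(file, ...)` or `snprintf(create, ...)` reports `>= sizeof(...)`, and upstream's `create_plugin` returns FAILED from the same check — while every other failure path in these functions logs the plugin name. A plugin name that does not fit `create[128]` is far more likely a misconfigured plugin list than anything else, but it should still show up as `DBG1(DBG_LIB, "plugin '%s': failed to load - name too long", name);` before the return, otherwise the operator only notices a plugin missing from the loaded set. Separately, if HEAD's `#ifdef MONOLITHIC` variant of `load_plugin` is retained, note that it resolves the constructor with `dlsym(RTLD_DEFAULT, create)` and calls it without the `check_segment` step the dlopen path performs; whether the monolithic binary is covered by a file-level integrity check elsewhere is not visible here. The truncation tests themselves are correct (`>=` accounts for the terminating NUL).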
@@ -136,6 +190,42 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); return NULL; } +<<<<<<< HEAD + constructor = dlsym(handle, create); + if (constructor == NULL) + { + DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name, + create); + dlclose(handle); + return NULL; + } + if (lib->integrity) + { + if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + { + DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name); + dlclose(handle); + return NULL; + } + DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests", + name); + } + plugin = constructor(); + if (plugin == NULL) + { + DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name, + create); + dlclose(handle); + return NULL; + } + DBG2(DBG_LIB, "plugin '%s': loaded successfully", name); + + /* we do not store or free dlopen() handles, leak_detective requires + * the modules to keep loaded until leak report */ + return plugin; +} +#endif +======= if (create_plugin(this, handle, name, TRUE, &plugin) != SUCCESS) { dlclose(handle); @@ -167,6 +257,7 @@ static bool plugin_loaded(private_plugin_loader_t *this, char *name) enumerator->destroy(enumerator); return found; } +>>>>>>> upstream/4.5.1 /** * Implementation of plugin_loader_t.load_plugins. @@ -177,10 +268,18 @@ static bool load(private_plugin_loader_t *this, char *path, char *list) char *token; bool critical_failed = FALSE; +<<<<<<< HEAD +#ifndef MONOLITHIC +======= +>>>>>>> upstream/4.5.1 if (path == NULL) { path = PLUGINDIR; } +<<<<<<< HEAD +#endif +======= +>>>>>>> upstream/4.5.1 enumerator = enumerator_create_token(list, " ", " "); while (!critical_failed && enumerator->enumerate(enumerator, &token)) 
@@ -196,11 +295,14 @@ static bool load(private_plugin_loader_t *this, char *path, char *list) critical = TRUE; token[len-1] = '\0'; } +<<<<<<< HEAD +======= if (plugin_loaded(this, token)) { free(token); continue; } +>>>>>>> upstream/4.5.1 plugin = load_plugin(this, path, token); if (plugin) { diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 46349f9ba..bb2564238 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c index cc12217a4..3546c9bf9 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c @@ -31,8 +31,15 @@ struct private_pubkey_plugin_t { pubkey_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of pubkey_plugin_t.pubkeytroy + */ +static void destroy(private_pubkey_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_pubkey_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->creds->remove_builder(lib->creds, (builder_function_t)pubkey_cert_wrap); 
@@ -44,6 +51,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *pubkey_plugin_create() { +<<<<<<< HEAD + private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_pubkey_plugin_t *this; INIT(this, @@ -53,6 +65,7 @@ plugin_t *pubkey_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE, (builder_function_t)pubkey_cert_wrap); diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 21f8aff11..fbdf35170 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c index cc5cb0a3c..f70998334 100644 --- a/src/libstrongswan/plugins/random/random_plugin.c +++ b/src/libstrongswan/plugins/random/random_plugin.c @@ -18,8 +18,11 @@ #include <library.h> #include "random_rng.h" +<<<<<<< HEAD +======= static const char *plugin_name = "random"; +>>>>>>> upstream/4.5.1 typedef struct private_random_plugin_t private_random_plugin_t; /** 
@@ -33,8 +36,15 @@ struct private_random_plugin_t { random_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of random_plugin_t.gmptroy + */ +static void destroy(private_random_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_random_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->crypto->remove_rng(lib->crypto, (rng_constructor_t)random_rng_create); @@ -46,6 +56,15 @@ METHOD(plugin_t, destroy, void, */ plugin_t *random_plugin_create() { +<<<<<<< HEAD + private_random_plugin_t *this = malloc_thing(private_random_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + lib->crypto->add_rng(lib->crypto, RNG_STRONG, + (rng_constructor_t)random_rng_create); + lib->crypto->add_rng(lib->crypto, RNG_TRUE, +======= private_random_plugin_t *this; INIT(this, @@ -59,6 +78,7 @@ plugin_t *random_plugin_create() lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)random_rng_create); lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, +>>>>>>> upstream/4.5.1 (rng_constructor_t)random_rng_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c index 1d99a63d5..e4247a3cc 100644 --- a/src/libstrongswan/plugins/random/random_rng.c +++ b/src/libstrongswan/plugins/random/random_rng.c @@ -55,8 +55,16 @@ struct private_random_rng_t { char *file; }; +<<<<<<< HEAD +/** + * Implementation of random_rng_t.get_bytes. + */ +static void get_bytes(private_random_rng_t *this, size_t bytes, + u_int8_t *buffer) +======= METHOD(rng_t, get_bytes, void, private_random_rng_t *this, size_t bytes, u_int8_t *buffer) +>>>>>>> upstream/4.5.1 { size_t done; ssize_t got; 
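Review bot: Both the HEAD `static void get_bytes(...)` and the upstream `METHOD(rng_t, get_bytes, void, ...)` form return nothing, so `allocate_bytes` in the next hunk hands `chunk->ptr` back with no signal if the read loop could not fill it; how the loop handles `got <= 0` from `this->dev` is outside this hunk. A header comment on the surviving definition stating the failure contract — whether a short or failed read aborts, retries, or leaves the tail of `buffer` unfilled — would tell callers (presumably key and nonce generation) what they can rely on. `random_rng_create` below selects the device by `quality == RNG_TRUE`, where blocking is expected, but a read error is the case worth documenting. `get_bytes` continues outside the hunk.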
@@ -78,15 +86,30 @@ METHOD(rng_t, get_bytes, void, } } +<<<<<<< HEAD +/** + * Implementation of random_rng_t.allocate_bytes. + */ +static void allocate_bytes(private_random_rng_t *this, size_t bytes, + chunk_t *chunk) +======= METHOD(rng_t, allocate_bytes, void, private_random_rng_t *this, size_t bytes, chunk_t *chunk) +>>>>>>> upstream/4.5.1 { *chunk = chunk_alloc(bytes); get_bytes(this, chunk->len, chunk->ptr); } +<<<<<<< HEAD +/** + * Implementation of random_rng_t.destroy. + */ +static void destroy(private_random_rng_t *this) +======= METHOD(rng_t, destroy, void, private_random_rng_t *this) +>>>>>>> upstream/4.5.1 { close(this->dev); free(this); @@ -97,6 +120,14 @@ METHOD(rng_t, destroy, void, */ random_rng_t *random_rng_create(rng_quality_t quality) { +<<<<<<< HEAD + private_random_rng_t *this = malloc_thing(private_random_rng_t); + + /* public functions */ + this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes; + this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes; + this->public.rng.destroy = (void (*) (rng_t *))destroy; +======= private_random_rng_t *this; INIT(this, @@ -108,6 +139,7 @@ random_rng_t *random_rng_create(rng_quality_t quality) }, }, ); +>>>>>>> upstream/4.5.1 if (quality == RNG_TRUE) { diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 4ed4b9694..19ec1e719 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -223,7 +223,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -262,8 +268,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index def169275..dc8b849c7 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -93,13 +93,20 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject, /** * check the signature of an OCSP response */ +<<<<<<< HEAD +static bool verify_ocsp(ocsp_response_t *response) +======= static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) +>>>>>>> upstream/4.5.1 { certificate_t *issuer, *subject; identification_t *responder; ocsp_response_wrapper_t *wrapper; enumerator_t *enumerator; +<<<<<<< HEAD +======= auth_cfg_t *current; +>>>>>>> upstream/4.5.1 bool verified = FALSE; wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); @@ -109,16 +116,23 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) responder = subject->get_issuer(subject); enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, responder, FALSE); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &issuer, NULL)) +======= while (enumerator->enumerate(enumerator, &issuer, ¤t)) +>>>>>>> upstream/4.5.1 { if (lib->credmgr->issued_by(lib->credmgr, subject, issuer)) { DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", issuer->get_subject(issuer)); +<<<<<<< HEAD +======= if (auth) { auth->merge(auth, current, FALSE); } +>>>>>>> upstream/4.5.1 verified = TRUE; break; } 
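Review bot: `auth->merge(auth, current, FALSE)` in `verify_ocsp` folds the auth config of the first trusted issuer that satisfies `issued_by` into the subject's own `auth`, so constraints accumulated while validating the OCSP responder become part of what the caller later evaluates for the subject, and nothing at the call site says this is intended. A comment above the `if (auth)` block, such as `/* merge the trust chain used to verify the responder into the subject's auth config, so path/CA constraints also cover the OCSP signer */`, would make the intent reviewable; what `merge` copies and what its third argument selects are not visible here, so if only CA constraints are meant to carry over that should be stated. The same merge appears in `verify_crl` two hunks below, and the `¤t` in the rendered `enumerate` calls is the diff's `&current`.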
@@ -134,8 +148,12 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) * Get the better of two OCSP responses, and check for usable OCSP info */ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, +<<<<<<< HEAD + x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) +======= x509_t *subject, x509_t *issuer, cert_validation_t *valid, auth_cfg_t *auth, bool cache) +>>>>>>> upstream/4.5.1 { ocsp_response_t *response; time_t revocation, this_update, next_update, valid_until; @@ -145,7 +163,11 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, response = (ocsp_response_t*)cand; /* check ocsp signature */ +<<<<<<< HEAD + if (!verify_ocsp(response)) +======= if (!verify_ocsp(response, auth)) +>>>>>>> upstream/4.5.1 { DBG1(DBG_CFG, "ocsp response verification failed"); cand->destroy(cand); @@ -226,8 +248,12 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); +<<<<<<< HEAD + best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); +======= best = get_better_ocsp(current, best, subject, issuer, &valid, auth, FALSE); +>>>>>>> upstream/4.5.1 if (best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached ocsp response"); @@ -254,7 +280,11 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, +<<<<<<< HEAD + &valid, TRUE); +======= &valid, auth, TRUE); +>>>>>>> upstream/4.5.1 if (best && valid != VALIDATION_STALE) { break; @@ -276,7 +306,11 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, +<<<<<<< HEAD + &valid, TRUE); +======= &valid, auth, TRUE); +>>>>>>> upstream/4.5.1 if (best && valid != VALIDATION_STALE) { break; 
@@ -330,25 +364,39 @@ static certificate_t* fetch_crl(char *url) /** * check the signature of an CRL */ +<<<<<<< HEAD +static bool verify_crl(certificate_t *crl) +======= static bool verify_crl(certificate_t *crl, auth_cfg_t *auth) +>>>>>>> upstream/4.5.1 { certificate_t *issuer; enumerator_t *enumerator; bool verified = FALSE; +<<<<<<< HEAD + + enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, + KEY_ANY, crl->get_issuer(crl), FALSE); + while (enumerator->enumerate(enumerator, &issuer, NULL)) +======= auth_cfg_t *current; enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, crl->get_issuer(crl), FALSE); while (enumerator->enumerate(enumerator, &issuer, ¤t)) +>>>>>>> upstream/4.5.1 { if (lib->credmgr->issued_by(lib->credmgr, crl, issuer)) { DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", issuer->get_subject(issuer)); +<<<<<<< HEAD +======= if (auth) { auth->merge(auth, current, FALSE); } +>>>>>>> upstream/4.5.1 verified = TRUE; break; } @@ -362,13 +410,23 @@ static bool verify_crl(certificate_t *crl, auth_cfg_t *auth) * Get the better of two CRLs, and check for usable CRL info */ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, +<<<<<<< HEAD + x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) +======= x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth, bool cache, crl_t *base) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; time_t revocation, valid_until; crl_reason_t reason; chunk_t serial; +<<<<<<< HEAD + crl_t *crl; + + /* check CRL signature */ + if (!verify_crl(cand)) +======= crl_t *crl = (crl_t*)cand; if (base) 
@@ -391,12 +449,17 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, /* check CRL signature */ if (!verify_crl(cand, auth)) +>>>>>>> upstream/4.5.1 { DBG1(DBG_CFG, "crl response verification failed"); cand->destroy(cand); return best; } +<<<<<<< HEAD + crl = (crl_t*)cand; +======= +>>>>>>> upstream/4.5.1 enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) { 
@@ -441,6 +504,81 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, } /** +<<<<<<< HEAD + * validate a x509 certificate using CRL + */ +static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, + auth_cfg_t *auth) +{ + cert_validation_t valid = VALIDATION_SKIPPED; + identification_t *keyid = NULL; + certificate_t *best = NULL; + certificate_t *current; + public_key_t *public; + enumerator_t *enumerator; + chunk_t chunk; + char *uri = NULL; + + /* derive the authorityKeyIdentifier from the issuer's public key */ + current = &issuer->interface; + public = current->get_public_key(current); + if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + { + keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + + /* find a cached crl by authorityKeyIdentifier */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_CRL, KEY_ANY, keyid, FALSE); + while (enumerator->enumerate(enumerator, ¤t)) + { + current->get_ref(current); + best = get_better_crl(current, best, subject, issuer, + &valid, FALSE); + if (best && valid != VALIDATION_STALE) + { + DBG1(DBG_CFG, " using cached crl"); + break; + } + } + enumerator->destroy(enumerator); + + /* fallback to fetching crls from credential sets cdps */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, + CERT_X509_CRL, keyid); + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_crl(uri); + if (current) + { + best = get_better_crl(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + keyid->destroy(keyid); + } + DESTROY_IF(public); + + /* fallback to fetching crls from cdps from subject's certificate */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = subject->create_crl_uri_enumerator(subject); + + while 
(enumerator->enumerate(enumerator, &uri)) + { + current = fetch_crl(uri); + if (current) + { + best = get_better_crl(current, best, subject, issuer, + &valid, TRUE); +======= * Find or fetch a certificate for a given crlIssuer */ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, @@ -626,6 +764,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, } best = get_better_crl(current, best, subject, &valid, auth, TRUE, NULL); +>>>>>>> upstream/4.5.1 if (best && valid != VALIDATION_STALE) { break; @@ -635,6 +774,10 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, enumerator->destroy(enumerator); } +<<<<<<< HEAD + /* an uri was found, but no result. switch validation state to failed */ + if (valid == VALIDATION_SKIPPED && uri) +======= /* look for delta CRLs */ if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE)) { @@ -643,6 +786,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, /* an uri was found, but no result. switch validation state to failed */ if (valid == VALIDATION_SKIPPED && uri_found) +>>>>>>> upstream/4.5.1 { valid = VALIDATION_FAILED; } @@ -665,8 +809,12 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, METHOD(cert_validator_t, validate, bool, private_revocation_validator_t *this, certificate_t *subject, +<<<<<<< HEAD + certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) +======= certificate_t *issuer, bool online, u_int pathlen, bool anchor, auth_cfg_t *auth) +>>>>>>> upstream/4.5.1 { if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509 && 
@@ -674,8 +822,12 @@ METHOD(cert_validator_t, validate, bool, { DBG1(DBG_CFG, "checking certificate status of \"%Y\"", subject->get_subject(subject)); +<<<<<<< HEAD + switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth)) +======= switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, pathlen ? NULL : auth)) +>>>>>>> upstream/4.5.1 { case VALIDATION_GOOD: DBG1(DBG_CFG, "certificate status is good"); @@ -693,8 +845,12 @@ METHOD(cert_validator_t, validate, bool, DBG1(DBG_CFG, "ocsp check failed, fallback to crl"); break; } +<<<<<<< HEAD + switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth)) +======= switch (check_crl((x509_t*)subject, (x509_t*)issuer, pathlen ? NULL : auth)) +>>>>>>> upstream/4.5.1 { case VALIDATION_GOOD: DBG1(DBG_CFG, "certificate status is good"); diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 3d96f4339..95e4e403d 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c index dda2cbc1a..fcb75dfa2 100644 --- a/src/libstrongswan/plugins/sha1/sha1_plugin.c +++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c 
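Review bot: The conflict in the two check_ocsp/check_crl calls is semantic rather than cosmetic: the upstream side passes `pathlen ? NULL : auth`, so revocation-derived auth information is merged only when pathlen is 0 (presumably the end-entity certificate), whereas the HEAD side passes `auth` unconditionally and merges it for every level of the chain. Resolve both call sites the same way, and match the signature conflict in the same method (`int pathlen` vs `u_int pathlen, bool anchor`) to whatever cert_validator_t declares elsewhere in the tree. A short comment above the calls, `/* merge auth info only for pathlen 0 — confirm this is the end-entity cert */`, would keep the intent visible after the merge. validate's body starts outside the hunk.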
@@ -19,8 +19,11 @@ #include "sha1_hasher.h" #include "sha1_prf.h" +<<<<<<< HEAD +======= static const char *plugin_name = "sha1"; +>>>>>>> upstream/4.5.1 typedef struct private_sha1_plugin_t private_sha1_plugin_t; /** @@ -34,8 +37,15 @@ struct private_sha1_plugin_t { sha1_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of sha1_plugin_t.destroy + */ +static void destroy(private_sha1_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_sha1_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)sha1_hasher_create); @@ -49,6 +59,15 @@ METHOD(plugin_t, destroy, void, */ plugin_t *sha1_plugin_create() { +<<<<<<< HEAD + private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + (hasher_constructor_t)sha1_hasher_create); + lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, +======= private_sha1_plugin_t *this; INIT(this, @@ -62,6 +81,7 @@ plugin_t *sha1_plugin_create() lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)sha1_hasher_create); lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name, +>>>>>>> upstream/4.5.1 (prf_constructor_t)sha1_prf_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index fcbfa0c44..0dc56ac37 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -219,7 +219,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -258,8 +264,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c index a5937dbb2..b47f07b8d 100644 --- a/src/libstrongswan/plugins/sha2/sha2_plugin.c +++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c @@ -18,8 +18,11 @@ #include <library.h> #include "sha2_hasher.h" +<<<<<<< HEAD +======= static const char *plugin_name = "sha2"; +>>>>>>> upstream/4.5.1 typedef struct private_sha2_plugin_t private_sha2_plugin_t; /** @@ -33,8 +36,15 @@ struct private_sha2_plugin_t { sha2_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of sha2_plugin_t.destroy + */ +static void destroy(private_sha2_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_sha2_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)sha2_hasher_create); @@ -46,6 +56,19 @@ METHOD(plugin_t, destroy, void, */ plugin_t *sha2_plugin_create() { +<<<<<<< HEAD + private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)sha2_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + (hasher_constructor_t)sha2_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + (hasher_constructor_t)sha2_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, +======= private_sha2_plugin_t *this; INIT(this, 
@@ -63,6 +86,7 @@ plugin_t *sha2_plugin_create() lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)sha2_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, +>>>>>>> upstream/4.5.1 (hasher_constructor_t)sha2_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index ae015d1a8..bf952acc5 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -222,7 +222,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,8 +267,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c index f9e06199e..e1c51f098 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_database.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c @@ -213,8 +213,15 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...) return TRUE; } +<<<<<<< HEAD +/** + * Implementation of database_t.query. + */ +static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...) +======= METHOD(database_t, query, enumerator_t*, private_sqlite_database_t *this, char *sql, ...) +>>>>>>> upstream/4.5.1 { sqlite3_stmt *stmt; va_list args; 
@@ -246,8 +253,15 @@ METHOD(database_t, query, enumerator_t*, return (enumerator_t*)enumerator; } +<<<<<<< HEAD +/** + * Implementation of database_t.execute. + */ +static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...) +======= METHOD(database_t, execute, int, private_sqlite_database_t *this, int *rowid, char *sql, ...) +>>>>>>> upstream/4.5.1 { sqlite3_stmt *stmt; int affected = -1; @@ -279,8 +293,15 @@ METHOD(database_t, execute, int, return affected; } +<<<<<<< HEAD +/** + * Implementation of database_t.get_driver + */ +static db_driver_t get_driver(private_sqlite_database_t *this) +======= METHOD(database_t, get_driver, db_driver_t, private_sqlite_database_t *this) +>>>>>>> upstream/4.5.1 { return DB_SQLITE; } @@ -296,8 +317,15 @@ static int busy_handler(private_sqlite_database_t *this, int count) return 1; } +<<<<<<< HEAD +/** + * Implementation of database_t.destroy + */ +static void destroy(private_sqlite_database_t *this) +======= METHOD(database_t, destroy, void, private_sqlite_database_t *this) +>>>>>>> upstream/4.5.1 { sqlite3_close(this->db); this->mutex->destroy(this->mutex); @@ -321,6 +349,16 @@ sqlite_database_t *sqlite_database_create(char *uri) } file = uri + 9; +<<<<<<< HEAD + this = malloc_thing(private_sqlite_database_t); + + this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query; + this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute; + this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; + this->public.db.destroy = (void(*)(database_t*))destroy; + + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); +======= INIT(this, .public = { .db = { 
@@ -332,12 +370,17 @@ sqlite_database_t *sqlite_database_create(char *uri) }, .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), ); +>>>>>>> upstream/4.5.1 if (sqlite3_open(file, &this->db) != SQLITE_OK) { DBG1(DBG_LIB, "opening SQLite database '%s' failed: %s", file, sqlite3_errmsg(this->db)); +<<<<<<< HEAD + destroy(this); +======= _destroy(this); +>>>>>>> upstream/4.5.1 return NULL; } diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c index e0b8e6ce1..e0bdf0634 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c @@ -31,8 +31,15 @@ struct private_sqlite_plugin_t { sqlite_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_sqlite_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_sqlite_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->db->remove_database(lib->db, (database_constructor_t)sqlite_database_create); @@ -44,6 +51,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *sqlite_plugin_create() { +<<<<<<< HEAD + private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_sqlite_plugin_t *this; INIT(this, @@ -53,6 +65,7 @@ plugin_t *sqlite_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->db->add_database(lib->db, (database_constructor_t)sqlite_database_create); diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 9dccb05e3..651fb8a9f 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in 
@@ -227,7 +227,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -266,8 +272,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c index 176bc438d..c021ef67b 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c @@ -104,8 +104,15 @@ struct private_test_vectors_plugin_t { test_vectors_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of test_vectors_plugin_t.test_vectorstroy + */ +static void destroy(private_test_vectors_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_test_vectors_plugin_t *this) +>>>>>>> upstream/4.5.1 { free(this); } @@ -115,6 +122,12 @@ METHOD(plugin_t, destroy, void, */ plugin_t *test_vectors_plugin_create() { +<<<<<<< HEAD + private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t); + int i; + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_test_vectors_plugin_t *this; int i; @@ -125,6 +138,7 @@ plugin_t *test_vectors_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 for (i = 0; i < countof(crypter); i++) { diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 57deab98e..785d6441c 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in 
+++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -221,7 +221,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,8 +266,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 526dbe8c6..0eabc8010 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -117,7 +117,11 @@ struct private_x509_cert_t { linked_list_t *subjectAltNames; /** +<<<<<<< HEAD + * List of crlDistributionPoints as allocated char* +======= * List of crlDistributionPoints as x509_cdp_t* +>>>>>>> upstream/4.5.1 */ linked_list_t *crl_uris; @@ -132,6 +136,8 @@ struct private_x509_cert_t { linked_list_t *ipAddrBlocks; /** +<<<<<<< HEAD +======= * List of permitted name constraints */ linked_list_t *permitted_names; @@ -152,6 +158,7 @@ struct private_x509_cert_t { linked_list_t *policy_mappings; /** +>>>>>>> upstream/4.5.1 * certificate's embedded public key */ public_key_t *public_key; @@ -174,6 +181,9 @@ struct private_x509_cert_t { /** * Path Length Constraint */ +<<<<<<< HEAD + int pathLenConstraint; +======= u_char pathLenConstraint; /** @@ -190,6 +200,7 @@ struct private_x509_cert_t { * inhibitAnyPolicy Constraint */ u_char inhibit_any; +>>>>>>> upstream/4.5.1 /** * x509 constraints and other flags 
@@ -222,6 +233,8 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars( ); /** +<<<<<<< HEAD +======= * Destroy a CertificateDistributionPoint */ static void crl_uri_destroy(x509_cdp_t *this) @@ -269,6 +282,7 @@ static u_int parse_constraint(chunk_t object) } /** +>>>>>>> upstream/4.5.1 * ASN.1 definition of a basicConstraints extension */ static const asn1Object_t basicConstraintsObjects[] = { @@ -310,7 +324,19 @@ static void parse_basicConstraints(chunk_t blob, int level0, case BASIC_CONSTRAINTS_PATH_LEN: if (isCA) { +<<<<<<< HEAD + if (object.len == 0) + { + this->pathLenConstraint = 0; + } + else if (object.len == 1) + { + this->pathLenConstraint = *object.ptr; + } + /* we ignore path length constraints > 127 */ +======= this->pathLenConstraint = parse_constraint(object); +>>>>>>> upstream/4.5.1 } break; default: @@ -648,7 +674,11 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, } break; default: +<<<<<<< HEAD + /* unkown accessMethod, ignoring */ +======= /* unknown accessMethod, ignoring */ +>>>>>>> upstream/4.5.1 break; } break; @@ -663,6 +693,8 @@ end: } /** +<<<<<<< HEAD +======= * Extract KeyUsage flags */ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this) @@ -717,6 +749,7 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this) } /** +>>>>>>> upstream/4.5.1 * ASN.1 definition of a extendedKeyUsage extension */ static const asn1Object_t extendedKeyUsageObjects[] = { @@ -728,7 +761,11 @@ static const asn1Object_t extendedKeyUsageObjects[] = { #define EXT_KEY_USAGE_PURPOSE_ID 1 /** +<<<<<<< HEAD + * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned +======= * Extracts extendedKeyUsage OIDs +>>>>>>> upstream/4.5.1 */ static void parse_extendedKeyUsage(chunk_t blob, int level0, private_x509_cert_t *this) 
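Review bot: The pathLenConstraint conflict changes both the storage type and the parsing rule: the HEAD side keeps an `int` and only accepts a one-byte encoding (the comment says values above 127 are ignored), while the upstream side stores a `u_char` via `parse_constraint`. Whichever side is kept here must also be kept for the struct field in the earlier hunk and for the accessor (`get_pathLenConstraint` vs `get_constraint`) in the later hunks of this file, otherwise the code may compile but truncate or mis-sign the constraint that chain-length checks read. parse_basicConstraints starts and ends outside this hunk.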
@@ -777,11 +814,18 @@ static const asn1Object_t crlDistributionPointsObjects[] = { { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ +<<<<<<< HEAD + { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */ +======= { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ +>>>>>>> upstream/4.5.1 { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; +<<<<<<< HEAD +#define CRL_DIST_POINTS_FULLNAME 3 +======= #define CRL_DIST_POINTS 1 #define CRL_DIST_POINTS_FULLNAME 3 #define CRL_DIST_POINTS_ISSUER 10 @@ -830,10 +874,21 @@ static void add_cdps(linked_list_t *list, linked_list_t *uris, id->destroy(id); } } +>>>>>>> upstream/4.5.1 /** * Extracts one or several crlDistributionPoints into a list */ +<<<<<<< HEAD +static void parse_crlDistributionPoints(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + asn1_parser_t *parser; + chunk_t object; + int objectID; + linked_list_t *list = linked_list_create(); + +======= void x509_parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t *list) { 
@@ -844,11 +899,36 @@ void x509_parse_crlDistributionPoints(chunk_t blob, int level0, uris = linked_list_create(); issuers = linked_list_create(); +>>>>>>> upstream/4.5.1 parser = asn1_parser_create(crlDistributionPointsObjects, blob); parser->set_top_level(parser, level0); while (parser->iterate(parser, &objectID, &object)) { +<<<<<<< HEAD + if (objectID == CRL_DIST_POINTS_FULLNAME) + { + identification_t *id; + + /* append extracted generalNames to existing chained list */ + x509_parse_generalNames(object, parser->get_level(parser)+1, + TRUE, list); + + while (list->remove_last(list, (void**)&id) == SUCCESS) + { + char *uri; + + if (asprintf(&uri, "%Y", id) > 0) + { + this->crl_uris->insert_last(this->crl_uris, uri); + } + id->destroy(id); + } + } + } + parser->destroy(parser); + list->destroy(list); +======= switch (objectID) { case CRL_DIST_POINTS: @@ -1099,6 +1179,7 @@ static void parse_policyConstraints(chunk_t blob, int level0, } } parser->destroy(parser); +>>>>>>> upstream/4.5.1 } /** @@ -1293,6 +1374,14 @@ static const asn1Object_t certObjects[] = { #define X509_OBJ_SIGNATURE 25 /** +<<<<<<< HEAD + * forward declaration + */ +static bool issued_by(private_x509_cert_t *this, certificate_t *issuer); + +/** +======= +>>>>>>> upstream/4.5.1 * Parses an X.509v3 certificate */ static bool parse_certificate(private_x509_cert_t *this) @@ -1392,8 +1481,12 @@ static bool parse_certificate(private_x509_cert_t *this) parse_basicConstraints(object, level, this); break; case OID_CRL_DISTRIBUTION_POINTS: +<<<<<<< HEAD + parse_crlDistributionPoints(object, level, this); +======= x509_parse_crlDistributionPoints(object, level, this->crl_uris); +>>>>>>> upstream/4.5.1 break; case OID_AUTHORITY_KEY_ID: this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, 
@@ -1403,7 +1496,11 @@ static bool parse_certificate(private_x509_cert_t *this) parse_authorityInfoAccess(object, level, this); break; case OID_KEY_USAGE: +<<<<<<< HEAD + /* TODO parse the flags */ +======= parse_keyUsage(object, this); +>>>>>>> upstream/4.5.1 break; case OID_EXTENDED_KEY_USAGE: parse_extendedKeyUsage(object, level, this); @@ -1411,6 +1508,8 @@ static bool parse_certificate(private_x509_cert_t *this) case OID_IP_ADDR_BLOCKS: parse_ipAddrBlocks(object, level, this); break; +<<<<<<< HEAD +======= case OID_NAME_CONSTRAINTS: parse_nameConstraints(object, level, this); break; @@ -1431,6 +1530,7 @@ static bool parse_certificate(private_x509_cert_t *this) } this->inhibit_any = parse_constraint(object); break; +>>>>>>> upstream/4.5.1 case OID_NS_REVOCATION_URL: case OID_NS_CA_REVOCATION_URL: case OID_NS_CA_POLICY_URL: @@ -1443,9 +1543,15 @@ static bool parse_certificate(private_x509_cert_t *this) break; default: if (critical && lib->settings->get_bool(lib->settings, +<<<<<<< HEAD + "libstrongswan.plugins.x509.enforce_critical", FALSE)) + { + DBG1(DBG_LIB, "critical %s extension not supported", +======= "libstrongswan.x509.enforce_critical", TRUE)) { DBG1(DBG_LIB, "critical '%s' extension not supported", +>>>>>>> upstream/4.5.1 (extn_oid == OID_UNKNOWN) ? "unknown" : (char*)oid_names[extn_oid].name); goto end; @@ -1478,9 +1584,13 @@ end: hasher_t *hasher; /* check if the certificate is self-signed */ +<<<<<<< HEAD + if (issued_by(this, &this->public.interface.interface)) +======= if (this->public.interface.interface.issued_by( &this->public.interface.interface, &this->public.interface.interface)) +>>>>>>> upstream/4.5.1 { this->flags |= X509_SELF_SIGNED; } 
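Review bot: The conflicted default for unsupported critical extensions is a security decision, not a formatting one: the HEAD side reads `libstrongswan.plugins.x509.enforce_critical` with default FALSE (an unknown critical extension is silently accepted), the upstream side reads `libstrongswan.x509.enforce_critical` with default TRUE (the certificate is rejected, which is the fail-closed behaviour RFC 5280 expects for critical extensions a verifier does not understand). Resolve to the fail-closed default, and since the settings key also changes, note the rename so deployments that set the old key do not silently keep a different policy. The `OID_KEY_USAGE` conflict in the first hunk is related: the HEAD side never parses keyUsage (`/* TODO parse the flags */`), so any later check that relies on those flags is only meaningful if the upstream `parse_keyUsage` side survives. parse_certificate starts and ends outside these hunks.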
@@ -1497,26 +1607,54 @@ end: return success; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_type + */ +static certificate_type_t get_type(private_x509_cert_t *this) +======= METHOD(certificate_t, get_type, certificate_type_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return CERT_X509; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_subject + */ +static identification_t* get_subject(private_x509_cert_t *this) +======= METHOD(certificate_t, get_subject, identification_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->subject; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_issuer + */ +static identification_t* get_issuer(private_x509_cert_t *this) +======= METHOD(certificate_t, get_issuer, identification_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->issuer; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.has_subject. + */ +static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject) +======= METHOD(certificate_t, has_subject, id_match_t, private_x509_cert_t *this, identification_t *subject) +>>>>>>> upstream/4.5.1 { identification_t *current; enumerator_t *enumerator; @@ -1557,15 +1695,29 @@ METHOD(certificate_t, has_subject, id_match_t, return best; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.has_issuer. + */ +static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer) +======= METHOD(certificate_t, has_issuer, id_match_t, private_x509_cert_t *this, identification_t *issuer) +>>>>>>> upstream/4.5.1 { /* issuerAltNames currently not supported */ return this->issuer->matches(this->issuer, issuer); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.issued_by. + */ +static bool issued_by(private_x509_cert_t *this, certificate_t *issuer) +======= METHOD(certificate_t, issued_by, bool, private_x509_cert_t *this, certificate_t *issuer) +>>>>>>> upstream/4.5.1 { public_key_t *key; signature_scheme_t scheme; 
@@ -1612,13 +1764,44 @@ METHOD(certificate_t, issued_by, bool, return valid; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_public_key + */ +static public_key_t* get_public_key(private_x509_cert_t *this) +======= METHOD(certificate_t, get_public_key, public_key_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { this->public_key->get_ref(this->public_key); return this->public_key; } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_ref + */ +static private_x509_cert_t* get_ref(private_x509_cert_t *this) +{ + ref_get(&this->ref); + return this; +} + +/** + * Implementation of x509_cert_t.get_flags. + */ +static x509_flag_t get_flags(private_x509_cert_t *this) +{ + return this->flags; +} + +/** + * Implementation of x509_cert_t.get_validity. + */ +static bool get_validity(private_x509_cert_t *this, time_t *when, + time_t *not_before, time_t *not_after) +======= METHOD(certificate_t, get_ref, certificate_t*, private_x509_cert_t *this) { @@ -1629,6 +1812,7 @@ METHOD(certificate_t, get_ref, certificate_t*, METHOD(certificate_t, get_validity, bool, private_x509_cert_t *this, time_t *when, time_t *not_before, time_t *not_after) +>>>>>>> upstream/4.5.1 { time_t t = when ? *when : time(NULL); @@ -1643,8 +1827,16 @@ METHOD(certificate_t, get_validity, bool, return (t >= this->notBefore && t <= this->notAfter); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.get_encoding. + */ +static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) +======= METHOD(certificate_t, get_encoding, bool, private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding) +>>>>>>> upstream/4.5.1 { if (type == CERT_ASN1_DER) { 
@@ -1655,8 +1847,15 @@ METHOD(certificate_t, get_encoding, bool, CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.equals. + */ +static bool equals(private_x509_cert_t *this, certificate_t *other) +======= METHOD(certificate_t, equals, bool, private_x509_cert_t *this, certificate_t *other) +>>>>>>> upstream/4.5.1 { chunk_t encoding; bool equal; @@ -1682,6 +1881,12 @@ METHOD(certificate_t, equals, bool, return equal; } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_serial. + */ +static chunk_t get_serial(private_x509_cert_t *this) +======= METHOD(x509_t, get_flags, x509_flag_t, private_x509_cert_t *this) { @@ -1690,12 +1895,20 @@ METHOD(x509_t, get_flags, x509_flag_t, METHOD(x509_t, get_serial, chunk_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->serialNumber; } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_subjectKeyIdentifier. + */ +static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) +======= METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { if (this->subjectKeyIdentifier.ptr) { @@ -1717,12 +1930,33 @@ METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, } } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_authKeyIdentifier. + */ +static chunk_t get_authKeyIdentifier(private_x509_cert_t *this) +======= METHOD(x509_t, get_authKeyIdentifier, chunk_t, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->authKeyIdentifier; } +<<<<<<< HEAD +/** + * Implementation of x509_t.get_pathLenConstraint. + */ +static int get_pathLenConstraint(private_x509_cert_t *this) +{ + return this->pathLenConstraint; +} + +/** + * Implementation of x509_cert_t.create_subjectAltName_enumerator. + */ +static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, get_constraint, u_int, private_x509_cert_t *this, x509_constraint_t type) { 
@@ -1743,28 +1977,56 @@ METHOD(x509_t, get_constraint, u_int, METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->subjectAltNames->create_enumerator(this->subjectAltNames); } +<<<<<<< HEAD +/** + * Implementation of x509_cert_t.create_ocsp_uri_enumerator. + */ +static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->ocsp_uris->create_enumerator(this->ocsp_uris); } +<<<<<<< HEAD +/** + * Implementation of x509_cert_t.create_crl_uri_enumerator. + */ +static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->crl_uris->create_enumerator(this->crl_uris); } +<<<<<<< HEAD +/** + * Implementation of x509_cert_t.create_ipAddrBlock_enumerator. + */ +static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this) +======= METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks); } +<<<<<<< HEAD +/** + * Implementation of certificate_t.destroy. + */ +static void destroy(private_x509_cert_t *this) +======= METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*, private_x509_cert_t *this, bool perm) { 
@@ -1789,11 +2051,17 @@ METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*, METHOD(certificate_t, destroy, void, private_x509_cert_t *this) +>>>>>>> upstream/4.5.1 { if (ref_put(&this->ref)) { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); +<<<<<<< HEAD + this->crl_uris->destroy_function(this->crl_uris, free); + this->ocsp_uris->destroy_function(this->ocsp_uris, free); + this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); +======= this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, @@ -1806,6 +2074,7 @@ METHOD(certificate_t, destroy, void, (void*)cert_policy_destroy); this->policy_mappings->destroy_function(this->policy_mappings, (void*)policy_mapping_destroy); +>>>>>>> upstream/4.5.1 DESTROY_IF(this->issuer); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); 
@@ -1827,6 +2096,56 @@ METHOD(certificate_t, destroy, void, */ static private_x509_cert_t* create_empty(void) { +<<<<<<< HEAD + private_x509_cert_t *this = malloc_thing(private_x509_cert_t); + + this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type; + this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject; + this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer; + this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject; + this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer; + this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; + this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; + this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; + this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; + this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; + this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; + this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags; + this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial; + this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier; + this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier; + this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint; + this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator; + 
this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator; + this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator; + this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator; + + this->encoding = chunk_empty; + this->encoding_hash = chunk_empty; + this->tbsCertificate = chunk_empty; + this->version = 1; + this->serialNumber = chunk_empty; + this->notBefore = 0; + this->notAfter = 0; + this->public_key = NULL; + this->subject = NULL; + this->issuer = NULL; + this->subjectAltNames = linked_list_create(); + this->crl_uris = linked_list_create(); + this->ocsp_uris = linked_list_create(); + this->ipAddrBlocks = linked_list_create(); + this->subjectKeyIdentifier = chunk_empty; + this->authKeyIdentifier = chunk_empty; + this->authKeySerialNumber = chunk_empty; + this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; + this->algorithm = 0; + this->signature = chunk_empty; + this->flags = 0; + this->ref = 1; + this->parsed = FALSE; + +======= private_x509_cert_t *this; INIT(this, @@ -1875,10 +2194,13 @@ static private_x509_cert_t* create_empty(void) .inhibit_any = X509_NO_CONSTRAINT, .ref = 1, ); +>>>>>>> upstream/4.5.1 return this; } /** +<<<<<<< HEAD +======= * Build a generalName from an id */ chunk_t build_generalName(identification_t *id) @@ -1909,11 +2231,16 @@ chunk_t build_generalName(identification_t *id) } /** +>>>>>>> upstream/4.5.1 * Encode a linked list of subjectAltNames */ chunk_t x509_build_subjectAltNames(linked_list_t *list) { +<<<<<<< HEAD + chunk_t subjectAltNames = chunk_empty; +======= chunk_t subjectAltNames = chunk_empty, name; +>>>>>>> upstream/4.5.1 enumerator_t *enumerator; identification_t *id; 
@@ -1925,7 +2252,33 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &id)) { +<<<<<<< HEAD + int context; + chunk_t name; + + switch (id->get_type(id)) + { + case ID_RFC822_ADDR: + context = ASN1_CONTEXT_S_1; + break; + case ID_FQDN: + context = ASN1_CONTEXT_S_2; + break; + case ID_IPV4_ADDR: + case ID_IPV6_ADDR: + context = ASN1_CONTEXT_S_7; + break; + default: + DBG1(DBG_LIB, "encoding %N as subjectAltName not supported", + id_type_names, id->get_type(id)); + enumerator->destroy(enumerator); + free(subjectAltNames.ptr); + return chunk_empty; + } + name = asn1_wrap(context, "c", id->get_encoding(id)); +======= name = build_generalName(id); +>>>>>>> upstream/4.5.1 subjectAltNames = chunk_cat("mm", subjectAltNames, name); } enumerator->destroy(enumerator); @@ -1939,6 +2292,8 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) } /** +<<<<<<< HEAD +======= * Encode CRL distribution points extension from a x509_cdp_t list */ chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn) @@ -1980,6 +2335,7 @@ chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn) } /** +>>>>>>> upstream/4.5.1 * Generate and sign a new certificate */ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, 
@@ -1987,6 +2343,14 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty; chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty; +<<<<<<< HEAD + chunk_t ocspSigning = chunk_empty; + chunk_t basicConstraints = chunk_empty; + chunk_t keyUsage = chunk_empty; + chunk_t subjectAltNames = chunk_empty; + chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; + chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; +======= chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty; chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty; chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty; @@ -1994,6 +2358,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; +>>>>>>> upstream/4.5.1 identification_t *issuer, *subject; chunk_t key_info; signature_scheme_t scheme; 
@@ -2047,8 +2412,34 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, /* encode subjectAltNames */ subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames); +<<<<<<< HEAD + /* encode CRL distribution points extension */ + enumerator = cert->crl_uris->create_enumerator(cert->crl_uris); + while (enumerator->enumerate(enumerator, &uri)) + { + chunk_t distributionPoint; + + distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_S_6, "c", + chunk_create(uri, strlen(uri)))))); + + crlDistributionPoints = chunk_cat("mm", crlDistributionPoints, + distributionPoint); + } + enumerator->destroy(enumerator); + if (crlDistributionPoints.ptr) + { + crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints))); + } +======= crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris, OID_CRL_DISTRIBUTION_POINTS); +>>>>>>> upstream/4.5.1 /* encode OCSP URIs in authorityInfoAccess extension */ enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris); @@ -2077,10 +2468,18 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t pathLenConstraint = chunk_empty; +<<<<<<< HEAD + if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT) + { + char pathlen = (char)cert->pathLenConstraint; + + pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen)); +======= if (cert->pathLenConstraint != X509_NO_CONSTRAINT) { pathLenConstraint = asn1_integer("c", chunk_from_thing(cert->pathLenConstraint)); +>>>>>>> upstream/4.5.1 } basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm", asn1_build_known_oid(OID_BASIC_CONSTRAINTS), 
@@ -2091,6 +2490,15 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), pathLenConstraint))); +<<<<<<< HEAD + keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_KEY_USAGE), + asn1_wrap(ASN1_BOOLEAN, "c", + chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_BIT_STRING, "c", + chunk_from_chars(0x01, 0x06)))); +======= /* set CertificateSign and implicitly CRLsign */ keyUsageBits = chunk_from_chars(0x01, 0x06); } @@ -2105,6 +2513,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), asn1_wrap(ASN1_OCTET_STRING, "m", asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits))); +>>>>>>> upstream/4.5.1 } /* add serverAuth extendedKeyUsage flag */ @@ -2133,7 +2542,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, } /* add subjectKeyIdentifier to CA and OCSP signer certificates */ +<<<<<<< HEAD + if (cert->flags & (X509_CA | X509_OCSP_SIGNER)) +======= if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN)) +>>>>>>> upstream/4.5.1 { chunk_t keyid; @@ -2161,6 +2574,17 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid)))); } } +<<<<<<< HEAD + if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr || + crlDistributionPoints.ptr) + { + extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m", + asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm", + basicConstraints, keyUsage, subjectKeyIdentifier, + authKeyIdentifier, subjectAltNames, + extendedKeyUsage, crlDistributionPoints, + authorityInfoAccess)); +======= if (cert->permitted_names->get_count(cert->permitted_names) || cert->excluded_names->get_count(cert->excluded_names)) 
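Review bot: On the HEAD side of the last hunk here, the guard `if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr || crlDistributionPoints.ptr)` decides whether the extensions block is emitted at all, yet the `"mmmmmmmm"` sequence it wraps also carries `keyUsage`, `subjectKeyIdentifier`, `extendedKeyUsage` and `authorityInfoAccess`. A certificate whose only extension is one of those four (for instance an OCSP `authorityInfoAccess` URI with no subjectAltName) would be encoded without any extensions on that side; whether such a combination is reachable from `x509_cert_gen` cannot be confirmed from this hunk. The upstream side's corresponding guard lies outside the visible part of the hunk; when resolving toward it, check that the condition tests every chunk the sequence wraps, e.g. `if (basicConstraints.ptr || keyUsage.ptr || subjectKeyIdentifier.ptr || authKeyIdentifier.ptr || subjectAltNames.ptr || extendedKeyUsage.ptr || crlDistributionPoints.ptr || authorityInfoAccess.ptr)`. `generate()` starts and ends outside the hunk.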
@@ -2308,6 +2732,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, extendedKeyUsage, crlDistributionPoints, authorityInfoAccess, nameConstraints, certPolicies, policyMappings, policyConstraints, inhibitAnyPolicy)); +>>>>>>> upstream/4.5.1 } cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", @@ -2390,7 +2815,10 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) certificate_t *sign_cert = NULL; private_key_t *sign_key = NULL; hash_algorithm_t digest_alg = HASH_SHA1; +<<<<<<< HEAD +======= u_int constraint; +>>>>>>> upstream/4.5.1 cert = create_empty(); while (TRUE) @@ -2434,6 +2862,15 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) { enumerator_t *enumerator; linked_list_t *list; +<<<<<<< HEAD + char *uri; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &uri)) + { + cert->crl_uris->insert_last(cert->crl_uris, strdup(uri)); +======= x509_cdp_t *in, *cdp; list = va_arg(args, linked_list_t*); @@ -2445,6 +2882,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL, ); cert->crl_uris->insert_last(cert->crl_uris, cdp); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); continue; @@ -2465,6 +2903,13 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) continue; } case BUILD_PATHLEN: +<<<<<<< HEAD + cert->pathLenConstraint = va_arg(args, int); + if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127) + { + cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; + } +======= constraint = va_arg(args, u_int); cert->pathLenConstraint = (constraint < 128) ? constraint : X509_NO_CONSTRAINT; 
@@ -2555,6 +3000,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) constraint = va_arg(args, u_int); cert->inhibit_any = (constraint < 128) ? constraint : X509_NO_CONSTRAINT; +>>>>>>> upstream/4.5.1 continue; case BUILD_NOT_BEFORE_TIME: cert->notBefore = va_arg(args, time_t); diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 758505ab5..3e62681f5 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -100,11 +100,14 @@ struct private_x509_crl_t { linked_list_t *revoked; /** +<<<<<<< HEAD +======= * List of Freshest CRL distribution points */ linked_list_t *crl_uris; /** +>>>>>>> upstream/4.5.1 * Authority Key Identifier */ chunk_t authKeyIdentifier; @@ -115,11 +118,14 @@ struct private_x509_crl_t { chunk_t authKeySerialNumber; /** +<<<<<<< HEAD +======= * Number of BaseCRL, if a delta CRL */ chunk_t baseCrlNumber; /** +>>>>>>> upstream/4.5.1 * Signature algorithm */ int algorithm; @@ -143,6 +149,11 @@ struct private_x509_crl_t { /** * from x509_cert */ +<<<<<<< HEAD +extern chunk_t x509_parse_authorityKeyIdentifier( + chunk_t blob, int level0, + chunk_t *authKeySerialNumber); +======= extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeySerialNumber); @@ -156,6 +167,7 @@ extern void x509_parse_crlDistributionPoints(chunk_t blob, int level0, * from x509_cert */ extern chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn); +>>>>>>> upstream/4.5.1 /** * ASN.1 definition of an X.509 certificate revocation list @@ -226,7 +238,11 @@ static bool parse(private_x509_crl_t *this) int objectID; int sig_alg = OID_UNKNOWN; bool success = FALSE; +<<<<<<< HEAD + bool critical; +======= bool critical = FALSE; +>>>>>>> upstream/4.5.1 revoked_t *revoked = NULL; parser = asn1_parser_create(crlObjects, this->encoding); 
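Review bot: The HEAD side of the x509_crl.c `parse()` hunk declares `bool critical;` without an initialiser, while the upstream side has `bool critical = FALSE;`; if `critical` is consulted on a path where the parser has not yet assigned it, the HEAD variant reads an indeterminate stack value (whether every path assigns it first cannot be confirmed from this hunk). Resolve this conflict to the upstream line. The same file's earlier hunks show the HEAD side dropping the `x509_parse_crlDistributionPoints`/`x509_build_crlDistributionPoints` externs and the `crl_uris`/`baseCrlNumber` members that the upstream `parse()`, `destroy()` and `generate()` bodies use, so the file cannot be resolved piecemeal. `parse()` continues past the hunk.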
@@ -278,6 +294,28 @@ static bool parse(private_x509_crl_t *this) break; case CRL_OBJ_CRL_ENTRY_EXTN_VALUE: case CRL_OBJ_EXTN_VALUE: +<<<<<<< HEAD + { + int extn_oid = asn1_known_oid(extnID); + + if (revoked && extn_oid == OID_CRL_REASON_CODE) + { + if (*object.ptr == ASN1_ENUMERATED && + asn1_length(&object) == 1) + { + revoked->reason = *object.ptr; + } + DBG2(DBG_LIB, " '%N'", crl_reason_names, + revoked->reason); + } + else if (extn_oid == OID_AUTHORITY_KEY_ID) + { + this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, + level, &this->authKeySerialNumber); + } + else if (extn_oid == OID_CRL_NUMBER) + { +======= { int extn_oid = asn1_known_oid(extnID); @@ -301,12 +339,18 @@ static bool parse(private_x509_crl_t *this) object, level, &this->authKeySerialNumber); break; case OID_CRL_NUMBER: +>>>>>>> upstream/4.5.1 if (!asn1_parse_simple_object(&object, ASN1_INTEGER, level, "crlNumber")) { goto end; } this->crlNumber = object; +<<<<<<< HEAD + } + } + break; +======= break; case OID_FRESHEST_CRL: x509_parse_crlDistributionPoints(object, level, @@ -333,6 +377,7 @@ static bool parse(private_x509_crl_t *this) } break; } +>>>>>>> upstream/4.5.1 case CRL_OBJ_ALGORITHM: { this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); @@ -390,6 +435,8 @@ METHOD(crl_t, get_authKeyIdentifier, chunk_t, return this->authKeyIdentifier; } +<<<<<<< HEAD +======= METHOD(crl_t, is_delta_crl, bool, private_x509_crl_t *this, chunk_t *base_crl) { @@ -410,6 +457,7 @@ METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*, return this->crl_uris->create_enumerator(this->crl_uris); } +>>>>>>> upstream/4.5.1 METHOD(crl_t, create_enumerator, enumerator_t*, private_x509_crl_t *this) { @@ -454,7 +502,11 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } +<<<<<<< HEAD + if (!(x509->get_flags(x509) & X509_CA)) +======= if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) +>>>>>>> upstream/4.5.1 { return FALSE; } 
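Review bot: The `issued_by` hunk is a trust-policy decision rather than a textual conflict: the HEAD side accepts a CRL signer only with `if (!(x509->get_flags(x509) & X509_CA))`, the upstream side with `(X509_CA | X509_CRL_SIGN)`, i.e. it also trusts certificates that carry the cRLSign usage without being CAs. Resolving this file to HEAD while keeping the upstream x509_cert.c `generate()` (whose subjectKeyIdentifier branch already handles `X509_CRL_SIGN`) would produce CRL-signer certificates that this plugin then refuses, so x509_cert.c and x509_crl.c have to be resolved to the same side. Whichever side is chosen, a comment naming the accepted signer classes would make the decision visible, e.g. `/* CRLs may be signed by CAs or by dedicated cRLSign certificates */` above the check. `issued_by` starts outside the hunk.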
@@ -567,6 +619,8 @@ static void revoked_destroy(revoked_t *revoked) free(revoked); } +<<<<<<< HEAD +======= /** * Destroy a CDP entry */ @@ -577,20 +631,27 @@ static void cdp_destroy(x509_cdp_t *this) free(this); } +>>>>>>> upstream/4.5.1 METHOD(certificate_t, destroy, void, private_x509_crl_t *this) { if (ref_put(&this->ref)) { this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); +<<<<<<< HEAD +======= this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy); +>>>>>>> upstream/4.5.1 DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); if (this->generated) { free(this->crlNumber.ptr); +<<<<<<< HEAD +======= free(this->baseCrlNumber.ptr); +>>>>>>> upstream/4.5.1 free(this->signature.ptr); free(this->tbsCertList.ptr); } @@ -624,13 +685,19 @@ static private_x509_crl_t* create_empty(void) }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, +<<<<<<< HEAD +======= .is_delta_crl = _is_delta_crl, .create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator, +>>>>>>> upstream/4.5.1 .create_enumerator = _create_enumerator, }, }, .revoked = linked_list_create(), +<<<<<<< HEAD +======= .crl_uris = linked_list_create(), +>>>>>>> upstream/4.5.1 .ref = 1, ); return this; @@ -699,7 +766,10 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, private_key_t *key, hash_algorithm_t digest_alg) { chunk_t extensions = chunk_empty, certList = chunk_empty, serial; +<<<<<<< HEAD +======= chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty; +>>>>>>> upstream/4.5.1 enumerator_t *enumerator; crl_reason_t reason; time_t date; 
@@ -707,7 +777,11 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, x509 = (x509_t*)cert; +<<<<<<< HEAD + this->issuer = cert->get_issuer(cert); +======= this->issuer = cert->get_subject(cert); +>>>>>>> upstream/4.5.1 this->issuer = this->issuer->clone(this->issuer); this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); @@ -742,6 +816,10 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, } enumerator->destroy(enumerator); +<<<<<<< HEAD + extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", +======= crlDistributionPoints = x509_build_crlDistributionPoints(this->crl_uris, OID_FRESHEST_CRL); @@ -757,6 +835,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", asn1_wrap(ASN1_SEQUENCE, "mmmm", +>>>>>>> upstream/4.5.1 asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_AUTHORITY_KEY_ID), asn1_wrap(ASN1_OCTET_STRING, "m", @@ -766,8 +845,14 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_CRL_NUMBER), asn1_wrap(ASN1_OCTET_STRING, "m", +<<<<<<< HEAD + asn1_integer("c", this->crlNumber)) + ) + )); +======= asn1_integer("c", this->crlNumber))), crlDistributionPoints, baseCrlNumber)); +>>>>>>> upstream/4.5.1 this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", ASN1_INTEGER_1, @@ -830,6 +915,8 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) case BUILD_REVOKED_ENUMERATOR: read_revoked(crl, va_arg(args, enumerator_t*)); continue; +<<<<<<< HEAD +======= case BUILD_BASE_CRL: crl->baseCrlNumber = va_arg(args, chunk_t); crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber); @@ -853,6 +940,7 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) enumerator->destroy(enumerator); continue; } +>>>>>>> upstream/4.5.1 case BUILD_END: break; default: 
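Review bot: The HEAD side of the first hunk sets the CRL issuer from the signing certificate's own issuer, `this->issuer = cert->get_issuer(cert);`, whereas the CRL's issuer field must name the certificate whose key signs the CRL, which is the upstream line `this->issuer = cert->get_subject(cert);`. With the HEAD value a CRL signed by an intermediate CA would claim the CA above it as issuer, and an issuer-versus-subject check such as `issued_by` presumably fails against the real signer, so the upstream line is the one to keep. The HEAD side of the `@@ -742` and `@@ -766` hunks also builds the extension sequence with `"mm"` and without `crlDistributionPoints`/`baseCrlNumber`, which is consistent only with the HEAD-side struct that lacks those members. `generate()` starts and ends outside the hunk.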
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index d40cc3567..a3c071f12 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -36,8 +36,15 @@ struct private_x509_plugin_t { x509_plugin_t public; }; +<<<<<<< HEAD +/** + * Implementation of x509_plugin_t.x509troy + */ +static void destroy(private_x509_plugin_t *this) +======= METHOD(plugin_t, destroy, void, private_x509_plugin_t *this) +>>>>>>> upstream/4.5.1 { lib->creds->remove_builder(lib->creds, (builder_function_t)x509_cert_gen); @@ -67,6 +74,11 @@ METHOD(plugin_t, destroy, void, */ plugin_t *x509_plugin_create() { +<<<<<<< HEAD + private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; +======= private_x509_plugin_t *this; INIT(this, @@ -76,6 +88,7 @@ plugin_t *x509_plugin_create() }, }, ); +>>>>>>> upstream/4.5.1 lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE, (builder_function_t)x509_cert_gen); diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index 06d7a2121..22b3c9543 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -220,7 +220,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,8 +265,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
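Review bot: The HEAD-side doc comment `* Implementation of x509_plugin_t.x509troy` in the x509_plugin.c `destroy` hunk is a typo for `destroy` and names the wrong interface; the function implements the plugin interface method, as the upstream `METHOD(plugin_t, destroy, void, ...)` line states. If this file is resolved toward HEAD the comment should read `* Implementation of plugin_t.destroy.`; resolved toward upstream it disappears with the marker block. The xcbc Makefile.in section on this line is generated autotools output and needs nothing beyond removing its markers.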
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c index 65e88335c..19d5a03fe 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c +++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c @@ -19,8 +19,11 @@ #include "xcbc_signer.h" #include "xcbc_prf.h" +<<<<<<< HEAD +======= static const char *plugin_name = "xcbc"; +>>>>>>> upstream/4.5.1 typedef struct private_xcbc_plugin_t private_xcbc_plugin_t; /** @@ -50,7 +53,10 @@ METHOD(plugin_t, destroy, void, plugin_t *xcbc_plugin_create() { private_xcbc_plugin_t *this; +<<<<<<< HEAD +======= crypter_t *crypter; +>>>>>>> upstream/4.5.1 INIT(this, .public = { @@ -60,6 +66,17 @@ plugin_t *xcbc_plugin_create() }, ); +<<<<<<< HEAD + lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, + (prf_constructor_t)xcbc_prf_create); + lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, + (prf_constructor_t)xcbc_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, + (signer_constructor_t)xcbc_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, + (signer_constructor_t)xcbc_signer_create); + +======= crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); if (crypter) { @@ -78,6 +95,7 @@ plugin_t *xcbc_plugin_create() lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, plugin_name, (signer_constructor_t)xcbc_signer_create); } +>>>>>>> upstream/4.5.1 return &this->public.plugin; } diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c index 7e7045d69..1f57ffcce 100644 --- a/src/libstrongswan/printf_hook.c +++ b/src/libstrongswan/printf_hook.c 
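Review bot: On the HEAD side of the `xcbc_plugin_create()` hunk the XCBC PRF and signer constructors are registered unconditionally, whereas the upstream side first does `crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); if (crypter) { ... }` and passes `plugin_name` to `add_signer`. The HEAD-side `lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, (prf_constructor_t)xcbc_prf_create);` calls lack the `plugin_name` argument that the upstream calls carry, so they appear to target a different registration API and would presumably not compile against the upstream declarations; the `static const char *plugin_name = "xcbc";` definition in the first hunk is likewise upstream-only. Resolve the file to one side; the upstream side is the one that skips registration when no AES crypter exists, which avoids advertising an algorithm that cannot be instantiated. `xcbc_plugin_create()` starts outside the second hunk.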
@@ -377,8 +377,15 @@ int vstr_wrapper_vasprintf(char **str, const char *format, va_list args) } #endif +<<<<<<< HEAD +/** + * Implementation of printf_hook_t.add_handler. + */ +static void add_handler(private_printf_hook_t *this, char spec, +======= METHOD(printf_hook_t, add_handler, void, private_printf_hook_t *this, char spec, +>>>>>>> upstream/4.5.1 printf_hook_function_t hook, ...) { int i = -1; @@ -437,8 +444,15 @@ METHOD(printf_hook_t, add_handler, void, } } +<<<<<<< HEAD +/** + * Implementation of printf_hook_t.destroy + */ +static void destroy(private_printf_hook_t *this) +======= METHOD(printf_hook_t, destroy, void, private_printf_hook_t *this) +>>>>>>> upstream/4.5.1 { int i; #ifdef USE_VSTR @@ -473,6 +487,12 @@ METHOD(printf_hook_t, destroy, void, */ printf_hook_t *printf_hook_create() { +<<<<<<< HEAD + private_printf_hook_t *this = malloc_thing(private_printf_hook_t); + + this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_function_t, ...))add_handler; + this->public.destroy = (void(*)(printf_hook_t*))destroy; +======= private_printf_hook_t *this; INIT(this, @@ -481,6 +501,7 @@ printf_hook_t *printf_hook_create() .destroy = _destroy, }, ); +>>>>>>> upstream/4.5.1 memset(printf_hooks, 0, sizeof(printf_hooks)); diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c index 723aec908..6c0d9aa84 100644 --- a/src/libstrongswan/processing/processor.c +++ b/src/libstrongswan/processing/processor.c @@ -248,7 +248,11 @@ static void destroy(private_processor_t *this) /* * Described in header. */ +<<<<<<< HEAD +processor_t *processor_create(size_t pool_size) +======= processor_t *processor_create() +>>>>>>> upstream/4.5.1 { private_processor_t *this = malloc_thing(private_processor_t); diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 32da194ef..f675f51f1 100644 --- a/src/libstrongswan/selectors/traffic_selector.c 
+++ b/src/libstrongswan/selectors/traffic_selector.c @@ -393,15 +393,23 @@ static bool equals(private_traffic_selector_t *this, private_traffic_selector_t switch (this->type) { case TS_IPV4_ADDR_RANGE: +<<<<<<< HEAD + if (memeq(this->from4, other->from4, sizeof(this->from4))) +======= if (memeq(this->from4, other->from4, sizeof(this->from4)) && memeq(this->to4, other->to4, sizeof(this->to4))) +>>>>>>> upstream/4.5.1 { return TRUE; } break; case TS_IPV6_ADDR_RANGE: +<<<<<<< HEAD + if (memeq(this->from6, other->from6, sizeof(this->from6))) +======= if (memeq(this->from6, other->from6, sizeof(this->from6)) && memeq(this->to6, other->to6, sizeof(this->to6))) +>>>>>>> upstream/4.5.1 { return TRUE; } diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c index bd279f51d..c16c6a1f1 100644 --- a/src/libstrongswan/settings.c +++ b/src/libstrongswan/settings.c @@ -1,5 +1,8 @@ /* +<<<<<<< HEAD +======= * Copyright (C) 2010 Tobias Brunner +>>>>>>> upstream/4.5.1 * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -19,17 +22,24 @@ #include <stdarg.h> #include <stdio.h> #include <errno.h> +<<<<<<< HEAD +======= #include <limits.h> #include <glob.h> #include <libgen.h> +>>>>>>> upstream/4.5.1 #include "settings.h" #include "debug.h" #include "utils/linked_list.h" +<<<<<<< HEAD + +======= #include "threading/rwlock.h" #define MAX_INCLUSION_LEVEL 10 +>>>>>>> upstream/4.5.1 typedef struct private_settings_t private_settings_t; typedef struct section_t section_t; @@ -51,6 +61,11 @@ struct private_settings_t { section_t *top; /** +<<<<<<< HEAD + * allocated file text + */ + char *text; +======= * contents of loaded files and in-memory settings (char*) */ linked_list_t *contents; @@ -59,6 +74,7 @@ struct private_settings_t { * lock to safely access the settings */ rwlock_t *lock; +>>>>>>> upstream/4.5.1 }; /** 
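Review bot: The HEAD side of the traffic_selector.c `equals()` hunk compares only the range start, `if (memeq(this->from4, other->from4, sizeof(this->from4)))` and likewise `from6`, so two selectors covering the same first address but different end addresses are reported equal; the upstream side adds `&& memeq(this->to4, other->to4, sizeof(this->to4))` and `&& memeq(this->to6, other->to6, sizeof(this->to6))`. Since selector equality is presumably used when matching configured and negotiated traffic selectors, the narrower HEAD comparison can treat a different address range as the same one, so this conflict should be resolved to the upstream lines. `equals()` starts outside the hunk.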
@@ -99,6 +115,8 @@ struct kv_t { }; /** +<<<<<<< HEAD +======= * create a key/value pair */ static kv_t *kv_create(char *key, char *value) @@ -162,6 +180,7 @@ static bool kv_find(kv_t *this, char *key) } /** +>>>>>>> upstream/4.5.1 * Print a format key, but consume already processed arguments */ static bool print_key(char *buf, int len, char *start, char *key, va_list args) @@ -210,6 +229,16 @@ static bool print_key(char *buf, int len, char *start, char *key, va_list args) } /** +<<<<<<< HEAD + * find a section by a given key, using buffered key, reusable buffer + */ +static section_t *find_section_buffered(section_t *section, + char *start, char *key, va_list args, char *buf, int len) +{ + char *pos; + enumerator_t *enumerator; + section_t *current, *found = NULL; +======= * Find a section by a given key, using buffered key, reusable buffer. * If "ensure" is TRUE, the sections are created if they don't exist. */ @@ -219,6 +248,7 @@ static section_t *find_section_buffered(section_t *section, { char *pos; section_t *found = NULL; +>>>>>>> upstream/4.5.1 if (section == NULL) { @@ -234,6 +264,21 @@ static section_t *find_section_buffered(section_t *section, { return NULL; } +<<<<<<< HEAD + enumerator = section->sections->create_enumerator(section->sections); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (streq(current->name, buf)) + { + found = current; + break; + } + } + enumerator->destroy(enumerator); + if (found && pos) + { + return find_section_buffered(found, start, pos, args, buf, len); +======= if (section->sections->find_first(section->sections, (linked_list_match_t)section_find, (void**)&found, buf) != SUCCESS) 
@@ -247,11 +292,19 @@ static section_t *find_section_buffered(section_t *section, if (found && pos) { return find_section_buffered(found, start, pos, args, buf, len, ensure); +>>>>>>> upstream/4.5.1 } return found; } /** +<<<<<<< HEAD + * find a section by a given key + */ +static section_t *find_section(section_t *section, char *key, va_list args) +{ + char buf[128], keybuf[512]; +======= * Find a section by a given key (thread-safe). */ static section_t *find_section(private_settings_t *this, section_t *section, @@ -259,11 +312,27 @@ static section_t *find_section(private_settings_t *this, section_t *section, { char buf[128], keybuf[512]; section_t *found; +>>>>>>> upstream/4.5.1 if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) { return NULL; } +<<<<<<< HEAD + return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); +} + +/** + * Find the string value for a key, using buffered key, reusable buffer + */ +static char *find_value_buffered(section_t *section, + char *start, char *key, va_list args, char *buf, int len) +{ + char *pos, *value = NULL; + enumerator_t *enumerator; + kv_t *kv; + section_t *current, *found = NULL; +======= this->lock->read_lock(this->lock); found = find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf), FALSE); @@ -303,6 +372,7 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key, char *pos; kv_t *kv = NULL; section_t *found = NULL; +>>>>>>> upstream/4.5.1 if (section == NULL) { 
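Review bot: The HEAD side of settings.c `find_section()` and `find_value()` performs the lookup without any synchronisation, `return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf));`, while the upstream side takes `this->lock->read_lock(this->lock);` before `find_section_buffered`/`find_value_buffered`, adds the `rwlock_t *lock` member and the `ensure` parameter, and its callers on the following hunks use the new signature `find_value(this, this->top, key, args)`; the HEAD-side signatures `find_section(section_t *section, char *key, va_list args)` and `find_value(section_t *section, char *key, va_list args)` do not match them. The HEAD-side `get_bool`/`get_int`/`get_double`/`get_time` bodies in the `@@ -428` through `@@ -512` hunks also duplicate the value parsing that upstream centralises in `settings_value_as_bool`/`_int`/`_double`/`_time`, so resolving toward HEAD would drop those exported helpers. The `¤t` in `enumerator->enumerate(enumerator, ¤t)` in the HEAD-side `find_section_buffered` and `find_value_buffered` hunks looks like a mis-decoded `&current` from the page rendering rather than source text. All of these functions start or end outside their hunks.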
@@ -319,6 +389,22 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key, { return NULL; } +<<<<<<< HEAD + enumerator = section->sections->create_enumerator(section->sections); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (streq(current->name, buf)) + { + found = current; + break; + } + } + enumerator->destroy(enumerator); + if (found) + { + return find_value_buffered(found, start, pos, args, buf, len); + } +======= if (section->sections->find_first(section->sections, (linked_list_match_t)section_find, (void**)&found, buf) != SUCCESS) @@ -332,6 +418,7 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key, } return find_value_buffered(found, start, pos, args, buf, len, ensure); +>>>>>>> upstream/4.5.1 } else { @@ -339,6 +426,28 @@ static kv_t *find_value_buffered(section_t *section, char *start, char *key, { return NULL; } +<<<<<<< HEAD + enumerator = section->kv->create_enumerator(section->kv); + while (enumerator->enumerate(enumerator, &kv)) + { + if (streq(kv->key, buf)) + { + value = kv->value; + break; + } + } + enumerator->destroy(enumerator); + } + return value; +} + +/** + * Find the string value for a key + */ +static char *find_value(section_t *section, char *key, va_list args) +{ + char buf[128], keybuf[512]; +======= if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find, (void**)&kv, buf) != SUCCESS) { 
@@ -360,11 +469,21 @@ static char *find_value(private_settings_t *this, section_t *section, { char buf[128], keybuf[512], *value = NULL; kv_t *kv; +>>>>>>> upstream/4.5.1 if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) { return NULL; } +<<<<<<< HEAD + return find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); +} + +/** + * Implementation of settings_t.get. + */ +static char* get_str(private_settings_t *this, char *key, char *def, ...) +======= this->lock->read_lock(this->lock); kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf), FALSE); @@ -413,12 +532,17 @@ static void set_value(private_settings_t *this, section_t *section, METHOD(settings_t, get_str, char*, private_settings_t *this, char *key, char *def, ...) +>>>>>>> upstream/4.5.1 { char *value; va_list args; va_start(args, def); +<<<<<<< HEAD + value = find_value(this->top, key, args); +======= value = find_value(this, this->top, key, args); +>>>>>>> upstream/4.5.1 va_end(args); if (value) { @@ -428,6 +552,31 @@ METHOD(settings_t, get_str, char*, } /** +<<<<<<< HEAD + * Implementation of settings_t.get_bool. + */ +static bool get_bool(private_settings_t *this, char *key, bool def, ...) +{ + char *value; + va_list args; + + va_start(args, def); + value = find_value(this->top, key, args); + va_end(args); + if (value) + { + if (strcaseeq(value, "true") || + strcaseeq(value, "enabled") || + strcaseeq(value, "yes") || + strcaseeq(value, "1")) + { + return TRUE; + } + else if (strcaseeq(value, "false") || + strcaseeq(value, "disabled") || + strcaseeq(value, "no") || + strcaseeq(value, "0")) +======= * Described in header */ inline bool settings_value_as_bool(char *value, bool def) @@ -445,6 +594,7 @@ inline bool settings_value_as_bool(char *value, bool def) strcaseeq(value, "no") || strcaseeq(value, "false") || strcaseeq(value, "disabled")) +>>>>>>> upstream/4.5.1 { return FALSE; } 
@@ -452,6 +602,20 @@ inline bool settings_value_as_bool(char *value, bool def) return def; } +<<<<<<< HEAD +/** + * Implementation of settings_t.get_int. + */ +static int get_int(private_settings_t *this, char *key, int def, ...) +{ + char *value; + int intval; + va_list args; + + va_start(args, def); + value = find_value(this->top, key, args); + va_end(args); +======= METHOD(settings_t, get_bool, bool, private_settings_t *this, char *key, bool def, ...) { @@ -470,6 +634,7 @@ METHOD(settings_t, get_bool, bool, inline int settings_value_as_int(char *value, int def) { int intval; +>>>>>>> upstream/4.5.1 if (value) { errno = 0; @@ -482,6 +647,20 @@ inline int settings_value_as_int(char *value, int def) return def; } +<<<<<<< HEAD +/** + * Implementation of settings_t.get_double. + */ +static double get_double(private_settings_t *this, char *key, double def, ...) +{ + char *value; + double dval; + va_list args; + + va_start(args, def); + value = find_value(this->top, key, args); + va_end(args); +======= METHOD(settings_t, get_int, int, private_settings_t *this, char *key, int def, ...) { @@ -500,6 +679,7 @@ METHOD(settings_t, get_int, int, inline double settings_value_as_double(char *value, double def) { double dval; +>>>>>>> upstream/4.5.1 if (value) { errno = 0; @@ -512,6 +692,20 @@ inline double settings_value_as_double(char *value, double def) return def; } +<<<<<<< HEAD +/** + * Implementation of settings_t.get_time. + */ +static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ...) +{ + char *value, *endptr; + u_int32_t timeval; + va_list args; + + va_start(args, def); + value = find_value(this->top, key, args); + va_end(args); +======= METHOD(settings_t, get_double, double, private_settings_t *this, char *key, double def, ...) { @@ -531,6 +725,7 @@ inline u_int32_t settings_value_as_time(char *value, u_int32_t def) { char *endptr; u_int32_t timeval; +>>>>>>> upstream/4.5.1 if (value) { errno = 0; 
@@ -549,7 +744,11 @@ inline u_int32_t settings_value_as_time(char *value, u_int32_t def) timeval *= 60; break; case 's': /* time in seconds */ +<<<<<<< HEAD + default: +======= default: +>>>>>>> upstream/4.5.1 break; } return timeval; @@ -558,6 +757,8 @@ inline u_int32_t settings_value_as_time(char *value, u_int32_t def) return def; } +<<<<<<< HEAD +======= METHOD(settings_t, get_time, u_int32_t, private_settings_t *this, char *key, u_int32_t def, ...) { @@ -627,6 +828,7 @@ METHOD(settings_t, set_time, void, va_end(args); } +>>>>>>> upstream/4.5.1 /** * Enumerate section names, not sections */ @@ -636,24 +838,42 @@ static bool section_filter(void *null, section_t **in, char **out) return TRUE; } +<<<<<<< HEAD +/** + * Implementation of settings_t.create_section_enumerator + */ +static enumerator_t* create_section_enumerator(private_settings_t *this, + char *key, ...) +======= METHOD(settings_t, create_section_enumerator, enumerator_t*, private_settings_t *this, char *key, ...) +>>>>>>> upstream/4.5.1 { section_t *section; va_list args; va_start(args, key); +<<<<<<< HEAD + section = find_section(this->top, key, args); +======= section = find_section(this, this->top, key, args); +>>>>>>> upstream/4.5.1 va_end(args); if (!section) { return enumerator_create_empty(); } +<<<<<<< HEAD + return enumerator_create_filter( + section->sections->create_enumerator(section->sections), + (void*)section_filter, NULL, NULL); +======= this->lock->read_lock(this->lock); return enumerator_create_filter( section->sections->create_enumerator(section->sections), (void*)section_filter, this->lock, (void*)this->lock->unlock); +>>>>>>> upstream/4.5.1 } /** 
@@ -667,24 +887,53 @@ static bool kv_filter(void *null, kv_t **in, char **key, return TRUE; } +<<<<<<< HEAD +/** + * Implementation of settings_t.create_key_value_enumerator + */ +static enumerator_t* create_key_value_enumerator(private_settings_t *this, + char *key, ...) +======= METHOD(settings_t, create_key_value_enumerator, enumerator_t*, private_settings_t *this, char *key, ...) +>>>>>>> upstream/4.5.1 { section_t *section; va_list args; va_start(args, key); +<<<<<<< HEAD + section = find_section(this->top, key, args); +======= section = find_section(this, this->top, key, args); +>>>>>>> upstream/4.5.1 va_end(args); if (!section) { return enumerator_create_empty(); } +<<<<<<< HEAD + return enumerator_create_filter( + section->kv->create_enumerator(section->kv), + (void*)kv_filter, NULL, NULL); +} + +/** + * destroy a section + */ +static void section_destroy(section_t *this) +{ + this->kv->destroy_function(this->kv, free); + this->sections->destroy_function(this->sections, (void*)section_destroy); + + free(this); +======= this->lock->read_lock(this->lock); return enumerator_create_filter( section->kv->create_enumerator(section->kv), (void*)kv_filter, this->lock, (void*)this->lock->unlock); +>>>>>>> upstream/4.5.1 } /** @@ -762,6 +1011,26 @@ static char parse(char **text, char *skip, char *term, char *br, char **token) } /** +<<<<<<< HEAD + * Parse a section + */ +static section_t* parse_section(char **text, char *name) +{ + section_t *sub, *section; + bool finished = FALSE; + char *key, *value, *inner; + + static int lev = 0; + lev++; + + section = malloc_thing(section_t); + section->name = name; + section->sections = linked_list_create(); + section->kv = linked_list_create(); + + while (!finished) + { +======= * Check if "text" starts with "pattern". * Characters in "skip" are skipped first. If found, TRUE is returned and "text" * is modified to point to the character right after "pattern". 
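Review bot: The HEAD-side parse_section introduced in the last hunk keeps a function-static recursion counter (`static int lev = 0; lev++;`) that is never decremented anywhere visible, and because it is static it is shared by every caller and thread; the upstream side, whose signature is visible in the next hunk's header (`parse_section(linked_list_t *contents, char *file, int level, ...`), passes the nesting level as a parameter, which is the form to keep when resolving. If the HEAD version were retained for any reason, `lev` would need to be decremented on every return path, otherwise any depth limit it feeds (not visible here) trips after a fixed number of parses rather than at a nesting depth. parse_section's body continues outside the hunk.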
@@ -832,11 +1101,20 @@ static bool parse_section(linked_list_t *contents, char *file, int level, } continue; } +>>>>>>> upstream/4.5.1 switch (parse(text, "\t\n ", "{=#", NULL, &key)) { case '{': if (parse(text, "\t ", "}", "{", &inner)) { +<<<<<<< HEAD + sub = parse_section(&inner, key); + if (sub) + { + section->sections->insert_last(section->sections, sub); + continue; + } +======= section_t *sub; if (!strlen(key)) { @@ -866,12 +1144,19 @@ static bool parse_section(linked_list_t *contents, char *file, int level, } DBG1(DBG_LIB, "parsing subsection '%s' failed", key); break; +>>>>>>> upstream/4.5.1 } DBG1(DBG_LIB, "matching '}' not found near %s", *text); break; case '=': if (parse(text, "\t ", "\n", NULL, &value)) { +<<<<<<< HEAD + kv_t *kv = malloc_thing(kv_t); + kv->key = key; + kv->value = value; + section->kv->insert_last(section->kv, kv); +======= kv_t *kv; if (!strlen(key)) { @@ -890,6 +1175,7 @@ static bool parse_section(linked_list_t *contents, char *file, int level, { /* replace with the most recently read value */ kv->value = value; } +>>>>>>> upstream/4.5.1 continue; } DBG1(DBG_LIB, "parsing value failed near %s", *text); 
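Review bot: In the `case '='` hunk the HEAD side inserts every key/value pair unconditionally (`kv_t *kv = malloc_thing(kv_t); ... section->kv->insert_last(section->kv, kv);`), while the upstream side rejects empty keys (`if (!strlen(key))`) and replaces an existing entry (`/* replace with the most recently read value */`); the `case '{'` hunk splits the same way, with only upstream rejecting an empty subsection name and logging `parsing subsection '%s' failed`. Keep the upstream branches: with the HEAD variant a config file containing a duplicated key yields whichever entry the HEAD-side find_value_buffered loop reaches first (it breaks on the first `streq(kv->key, buf)`), so an operator's later override of a setting is silently ignored. parse_section starts and ends outside these hunks.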
@@ -901,6 +1187,80 @@ static bool parse_section(linked_list_t *contents, char *file, int level, finished = TRUE; continue; } +<<<<<<< HEAD + section_destroy(section); + return NULL; + } + return section; +} + +/** + * Implementation of settings_t.destroy + */ +static void destroy(private_settings_t *this) +{ + if (this->top) + { + section_destroy(this->top); + } + free(this->text); + free(this); +} + +/* + * see header file + */ +settings_t *settings_create(char *file) +{ + private_settings_t *this; + char *pos; + FILE *fd; + int len; + + this = malloc_thing(private_settings_t); + this->public.get_str = (char*(*)(settings_t*, char *key, char* def, ...))get_str; + this->public.get_int = (int(*)(settings_t*, char *key, int def, ...))get_int; + this->public.get_double = (double(*)(settings_t*, char *key, double def, ...))get_double; + this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def, ...))get_time; + this->public.get_bool = (bool(*)(settings_t*, char *key, bool def, ...))get_bool; + this->public.create_section_enumerator = (enumerator_t*(*)(settings_t*,char *section, ...))create_section_enumerator; + this->public.create_key_value_enumerator = (enumerator_t*(*)(settings_t*, char *key, ...))create_key_value_enumerator; + this->public.destroy = (void(*)(settings_t*))destroy; + + this->top = NULL; + this->text = NULL; + + if (file == NULL) + { + file = STRONGSWAN_CONF; + } + fd = fopen(file, "r"); + if (fd == NULL) + { + DBG1(DBG_LIB, "'%s' does not exist or is not readable", file); + return &this->public; + } + fseek(fd, 0, SEEK_END); + len = ftell(fd); + rewind(fd); + this->text = malloc(len + 1); + this->text[len] = '\0'; + if (fread(this->text, 1, len, fd) != len) + { + free(this->text); + this->text = NULL; + return &this->public; + } + fclose(fd); + + pos = this->text; + this->top = parse_section(&pos, NULL); + if (this->top == NULL) + { + free(this->text); + this->text = NULL; + } +======= return FALSE; } return TRUE; 
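Review bot: The HEAD-side settings_create in this hunk stores the result of `ftell(fd)` in `int len` without checking it (the `fseek` result is unchecked as well), so an error return of -1 turns `malloc(len + 1)` into `malloc(0)` and `this->text[len] = '\0'` into a write before the buffer; the short-read branch (`fread(this->text, 1, len, fd) != len`) also returns without `fclose(fd)`. The upstream side replaces all of this with `load_files(this, file)` (next hunk), so resolving to upstream removes the issue; if the HEAD code were kept, add `if (len < 0) { fclose(fd); return &this->public; }` after the `ftell` and close `fd` on the fread failure path. The public function pointers are assigned before the file is read, so every failure path hands back an empty but usable settings object — that behavior is existing and should be preserved whichever side wins.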
@@ -1167,6 +1527,7 @@ settings_t *settings_create(char *file) load_files(this, file); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h index bc3df3706..9da217630 100644 --- a/src/libstrongswan/settings.h +++ b/src/libstrongswan/settings.h @@ -1,5 +1,8 @@ /* +<<<<<<< HEAD +======= * Copyright (C) 2010 Tobias Brunner +>>>>>>> upstream/4.5.1 * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -28,6 +31,16 @@ typedef struct settings_t settings_t; #include "utils/enumerator.h" /** +<<<<<<< HEAD + * Generic configuration options read from a config file. + * + * The syntax is quite simple: + * + * settings := (section|keyvalue)* + * section := name { settings } + * keyvalue := key = value\n + * +======= * Convert a string value returned by a key/value enumerator to a boolean. * * @see settings_t.create_key_value_enumerator() @@ -76,6 +89,7 @@ u_int32_t settings_value_as_time(char *value, u_int32_t def); * section := name { settings } * keyvalue := key = value\n * @endcode +>>>>>>> upstream/4.5.1 * E.g.: * @code a = b @@ -95,6 +109,8 @@ u_int32_t settings_value_as_time(char *value, u_int32_t def); * * Currently only a limited set of printf format specifiers are supported * (namely %s, %d and %N, see implementation for details). +<<<<<<< HEAD +======= * * \section includes Including other files * Other files can be included, using the include statement e.g. @@ -140,6 +156,7 @@ u_int32_t settings_value_as_time(char *value, u_int32_t def); section-two { } @endcode +>>>>>>> upstream/4.5.1 */ struct settings_t { @@ -194,6 +211,8 @@ struct settings_t { u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...); /** +<<<<<<< HEAD +======= * Set a string value. * * @param key key including sections, printf style format 
@@ -239,6 +258,7 @@ struct settings_t { void (*set_time)(settings_t *this, char *key, u_int32_t value, ...); /** +>>>>>>> upstream/4.5.1 * Create an enumerator over subsection names of a section. * * @param section section including parents, printf style format @@ -252,13 +272,19 @@ struct settings_t { * Create an enumerator over key/value pairs in a section. * * @param section section name to list key/value pairs of, printf style +<<<<<<< HEAD + * @param ... argmuent list for section +======= * @param ... argument list for section +>>>>>>> upstream/4.5.1 * @return enumerator over (char *key, char *value) */ enumerator_t* (*create_key_value_enumerator)(settings_t *this, char *section, ...); /** +<<<<<<< HEAD +======= * Load settings from the files matching the given pattern. * * Existing sections are extended, existing values replaced, by those found @@ -293,6 +319,7 @@ struct settings_t { char *section, ...); /** +>>>>>>> upstream/4.5.1 * Destroy a settings instance. */ void (*destroy)(settings_t *this); diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index 2ab061a74..357858c9e 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -247,6 +247,8 @@ bool return_false() } /** +<<<<<<< HEAD +======= * returns FAILED */ status_t return_failed() @@ -255,6 +257,7 @@ status_t return_failed() } /** +>>>>>>> upstream/4.5.1 * nop operation */ void nop() diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index ed61895ee..e07af53aa 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -57,7 +57,11 @@ #define streq(x,y) (strcmp(x, y) == 0) /** +<<<<<<< HEAD + * Macro compares two strings for equality +======= * Macro compares two strings for equality, length limited +>>>>>>> upstream/4.5.1 */ #define strneq(x,y,len) (strncmp(x, y, len) == 0) 
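Review bot: The settings.h hunks leave the `settings_t` interface split the same way as settings.c: the HEAD side of the struct has no `set_*` members and no `load_files` declaration, while the upstream side of settings.c implements `METHOD(settings_t, set_time, ...)` and calls `load_files(this, file)` in settings_create (first hunk on the previous line). Header and implementation therefore have to be resolved to the same side, otherwise the implementation references struct members the header does not declare. The doc typo fix (`argmuent` → `argument`) should be taken from the upstream side as well.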
@@ -67,6 +71,8 @@ #define strcaseeq(x,y) (strcasecmp(x, y) == 0) /** +<<<<<<< HEAD +======= * Macro compares two strings for equality ignoring case, length limited */ #define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0) @@ -77,6 +83,7 @@ #define strdupnull(x) ({ char *_x = x; _x ? strdup(_x) : NULL; }) /** +>>>>>>> upstream/4.5.1 * Macro compares two binary blobs for equality */ #define memeq(x,y,len) (memcmp(x, y, len) == 0) @@ -392,11 +399,14 @@ bool return_true(); bool return_false(); /** +<<<<<<< HEAD +======= * returns FAILED */ status_t return_failed(); /** +>>>>>>> upstream/4.5.1 * Write a 16-bit host order value in network order to an unaligned address. * * @param host host order 16-bit value diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c index 41224e8c2..5f1318b9a 100644 --- a/src/libstrongswan/utils/backtrace.c +++ b/src/libstrongswan/utils/backtrace.c @@ -132,11 +132,18 @@ static void log_(private_backtrace_t *this, FILE *file, bool detailed) /** * Implementation of backtrace_t.contains_function */ +<<<<<<< HEAD +static bool contains_function(private_backtrace_t *this, char *function) +{ +#ifdef HAVE_DLADDR + int i; +======= static bool contains_function(private_backtrace_t *this, char *function[], int count) { #ifdef HAVE_DLADDR int i, j; +>>>>>>> upstream/4.5.1 for (i = 0; i< this->frame_count; i++) { @@ -144,12 +151,18 @@ static bool contains_function(private_backtrace_t *this, if (dladdr(this->frames[i], &info) && info.dli_sname) { +<<<<<<< HEAD + if (streq(info.dli_sname, function)) + { + return TRUE; +======= for (j = 0; j < count; j++) { if (streq(info.dli_sname, function[j])) { return TRUE; } +>>>>>>> upstream/4.5.1 } } } 
@@ -183,7 +196,11 @@ backtrace_t *backtrace_create(int skip) this->frame_count = frame_count; this->public.log = (void(*)(backtrace_t*,FILE*,bool))log_; +<<<<<<< HEAD + this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function; +======= this->public.contains_function = (bool(*)(backtrace_t*, char *function[], int count))contains_function; +>>>>>>> upstream/4.5.1 this->public.destroy = (void(*)(backtrace_t*))destroy; return &this->public; diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h index e8ccfc1bd..712122afb 100644 --- a/src/libstrongswan/utils/backtrace.h +++ b/src/libstrongswan/utils/backtrace.h @@ -41,6 +41,14 @@ struct backtrace_t { void (*log)(backtrace_t *this, FILE *file, bool detailed); /** +<<<<<<< HEAD + * Check if the backtrace contains a frame in a specific function. + * + * @param function name + * @return TRUE if function is in the stack + */ + bool (*contains_function)(backtrace_t *this, char *function); +======= * Check if the backtrace contains a frame having a function in a list. * * @param function name array @@ -48,6 +56,7 @@ struct backtrace_t { * @return TRUE if one of the functions is in the stack */ bool (*contains_function)(backtrace_t *this, char *function[], int count); +>>>>>>> upstream/4.5.1 /** * Destroy a backtrace instance. diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c index 49b0bb68c..9a0f92b3c 100644 --- a/src/libstrongswan/utils/hashtable.c +++ b/src/libstrongswan/utils/hashtable.c @@ -186,7 +186,11 @@ static void rehash(private_hashtable_t *this) linked_list_t **old_table; u_int row, old_capacity; +<<<<<<< HEAD + if (this->capacity < MAX_CAPACITY) +======= if (this->capacity >= MAX_CAPACITY) +>>>>>>> upstream/4.5.1 { return; } @@ -249,7 +253,10 @@ METHOD(hashtable_t, put, void*, { old_value = pair->value; pair->value = value; +<<<<<<< HEAD +======= pair->key = key; +>>>>>>> upstream/4.5.1 break; } } 
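Review bot: In the hashtable.c rehash hunk the two sides carry opposite conditions: HEAD's `if (this->capacity < MAX_CAPACITY) { return; }` bails out whenever the table is below its maximum, which disables growth entirely and lets every bucket list keep growing, whereas upstream's `if (this->capacity >= MAX_CAPACITY)` is the intended guard — resolve to upstream. The put hunk differs too: only the upstream side assigns `pair->key = key` when an existing value is replaced, so under the HEAD variant a caller that frees its old key after put() presumably leaves the table holding a dangling key pointer; worth confirming against put()'s callers before choosing. rehash's body continues outside the hunk.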
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index ffeebd05c..1fba6a587 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c @@ -476,10 +476,13 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { return host_create_any_port(af ? af : AF_INET6, port); } +<<<<<<< HEAD +======= if (af == AF_INET && strchr(string, ':')) { /* do not try to convert v6 addresses for v4 family */ return NULL; } +>>>>>>> upstream/4.5.1 memset(&hints, 0, sizeof(hints)); hints.ai_family = af; @@ -568,6 +571,8 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) /* * Described in header. */ +<<<<<<< HEAD +======= host_t *host_create_from_subnet(char *string, int *bits) { char *pos, buf[64]; @@ -603,6 +608,7 @@ host_t *host_create_from_subnet(char *string, int *bits) /* * Described in header. */ +>>>>>>> upstream/4.5.1 host_t *host_create_any(int family) { private_host_t *this = host_create_empty(); diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h index 0a1be6e47..b9cd81148 100644 --- a/src/libstrongswan/utils/host.h +++ b/src/libstrongswan/utils/host.h @@ -190,6 +190,8 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port); host_t *host_create_from_sockaddr(sockaddr_t *sockaddr); /** +<<<<<<< HEAD +======= * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits. * * @param string string to parse @@ -199,6 +201,7 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr); host_t *host_create_from_subnet(char *string, int *bits); /** +>>>>>>> upstream/4.5.1 * Create a host without an address, a "any" host. * * @param family family of the any host diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index fd2716deb..facf9f6de 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c 
@@ -281,13 +281,20 @@ static void dntoa(chunk_t dn, char *buf, size_t len) chunk_t oid_data, data, printable; u_char type; int oid, written; +<<<<<<< HEAD + bool finished = FALSE; +======= bool finished = FALSE, empty = TRUE; +>>>>>>> upstream/4.5.1 e = create_rdn_enumerator(dn); while (e->enumerate(e, &oid_data, &type, &data)) { +<<<<<<< HEAD +======= empty = FALSE; +>>>>>>> upstream/4.5.1 oid = asn1_known_oid(oid_data); if (oid == OID_UNKNOWN) @@ -331,11 +338,15 @@ static void dntoa(chunk_t dn, char *buf, size_t len) break; } } +<<<<<<< HEAD + if (!finished) +======= if (empty) { snprintf(buf, len, ""); } else if (!finished) +>>>>>>> upstream/4.5.1 { snprintf(buf, len, "(invalid ID_DER_ASN1_DN)"); } diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 52e92951b..ef2ea8e14 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -218,6 +218,27 @@ char *whitelist[] = { "gcry_create_nonce", /* NSPR */ "PR_CallOnce", +<<<<<<< HEAD +}; + +/** + * check if a stack frame contains functions listed above + */ +static bool is_whitelisted(backtrace_t *backtrace) +{ + int i; + for (i = 0; i < sizeof(whitelist)/sizeof(char*); i++) + { + if (backtrace->contains_function(backtrace, whitelist[i])) + { + return TRUE; + } + } + return FALSE; +} + +/** +======= /* libapr */ "apr_pool_create_ex", /* glib */ @@ -235,6 +256,7 @@ char *whitelist[] = { }; /** +>>>>>>> upstream/4.5.1 * Report leaks at library destruction */ static void report(private_leak_detective_t *this, bool detailed) @@ -246,8 +268,12 @@ static void report(private_leak_detective_t *this, bool detailed) for (hdr = first_header.next; hdr != NULL; hdr = hdr->next) { +<<<<<<< HEAD + if (is_whitelisted(hdr->backtrace)) +======= if (hdr->backtrace->contains_function(hdr->backtrace, whitelist, countof(whitelist))) +>>>>>>> upstream/4.5.1 { whitelisted++; } 
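Review bot: The leak_detective.c hunks are coupled to the backtrace.c/backtrace.h conflict: HEAD's `is_whitelisted` calls `contains_function(backtrace, whitelist[i])` with a single string, upstream calls `contains_function(hdr->backtrace, whitelist, countof(whitelist))` with an array and count, and backtrace_create assigns the implementation through a cast to the chosen prototype, so resolving these files to different sides compiles cleanly but passes a `char *[]` where a `char *` is read (or the reverse) at runtime. Whichever side is kept, merge the whitelist table contents rather than picking one: the HEAD table ends at `"PR_CallOnce"`, the upstream one adds the `apr_pool_create_ex` and glib entries, and dropping those turns their allocations into reported leaks. The dntoa hunk should take the upstream `empty` flag, which distinguishes an empty DN from a malformed one (`(invalid ID_DER_ASN1_DN)`). report()'s body continues outside the hunk.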
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c index e51780290..fe3d37966 100644 --- a/src/libstrongswan/utils/optionsfrom.c +++ b/src/libstrongswan/utils/optionsfrom.c @@ -61,8 +61,16 @@ struct private_options_t { char *buffers[MAX_USES]; }; +<<<<<<< HEAD +/** + * Defined in header + */ +bool from(private_options_t *this, char *filename, int *argcp, char **argvp[], + int optind) +======= METHOD(options_t, from, bool, private_options_t *this, char *filename, int *argcp, char **argvp[], int optind) +>>>>>>> upstream/4.5.1 { int newargc; int next; /* place for next argument */ @@ -179,8 +187,15 @@ METHOD(options_t, from, bool, return good; } +<<<<<<< HEAD +/** + * Defined in header + */ +void destroy(private_options_t *this) +======= METHOD(options_t, destroy, void, private_options_t *this) +>>>>>>> upstream/4.5.1 { while (this->nuses >= 0) { @@ -195,6 +210,19 @@ METHOD(options_t, destroy, void, */ options_t *options_create(void) { +<<<<<<< HEAD + private_options_t *this = malloc_thing(private_options_t); + + /* initialize */ + this->newargv = NULL; + this->room = 0; + this->nuses = -1; + memset(this->buffers, '\0', MAX_USES); + + /* public functions */ + this->public.from = (bool (*) (options_t*,char*,int*,char***,int))from; + this->public.destroy = (void (*) (options_t*))destroy; +======= private_options_t *this; INIT(this, @@ -205,6 +233,7 @@ options_t *options_create(void) }, .nuses = -1, ); +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index 93e8b4a9b..8eeed98b3 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in 
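Review bot: The HEAD-side options_create in the last hunk clears the buffer table with `memset(this->buffers, '\0', MAX_USES)`, but `buffers` is declared `char *buffers[MAX_USES]` at the top of this line, so only MAX_USES bytes — a fraction of the pointer array on 64-bit — are zeroed and the remaining slots keep uninitialized pointers that the `destroy` loop (`while (this->nuses >= 0)`, body outside the hunk) presumably frees; the upstream `INIT(this, ...)` form zero-initializes the whole struct. If HEAD is kept, the call should be `memset(this->buffers, '\0', sizeof(this->buffers));`. The HEAD side also defines `from` and `destroy` without `static`, exporting two generic symbol names from the library, which the upstream `METHOD(options_t, ...)` definitions avoid.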
@@ -195,7 +195,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -234,8 +240,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libtls/tls.h b/src/libtls/tls.h index e2c377ad3..f929f43fc 100644 --- a/src/libtls/tls.h +++ b/src/libtls/tls.h @@ -202,7 +202,11 @@ struct tls_t { /** * Check if TLS negotiation completed successfully. * +<<<<<<< HEAD + * @return TRUE if TLS negotation and authentication complete +======= * @return TRUE if TLS negotiation and authentication complete +>>>>>>> upstream/4.5.1 */ bool (*is_complete)(tls_t *this); diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index b4eaf4d79..14eb270a2 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -626,6 +626,17 @@ static void filter_suite(private_tls_crypto_t *this, suite_algs_t suites[], int *count, int offset, enumerator_t*(*create_enumerator)(crypto_factory_t*)) { +<<<<<<< HEAD + suite_algs_t current; + int i, remaining = 0; + enumerator_t *enumerator; + + memset(¤t, 0, sizeof(current)); + for (i = 0; i < *count; i++) + { + enumerator = create_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, ((char*)¤t) + offset)) +======= const char *plugin_name; suite_algs_t current; int *current_alg, i, remaining = 0; 
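Review bot: In the filter_suite hunk the two sides call the crypto-factory enumerator with different numbers of out-arguments: HEAD passes one (`enumerate(enumerator, ((char*)&current) + offset)`), upstream passes two (`enumerate(enumerator, current_alg, &plugin_name)`), and get_signature_algorithms on the next line splits the same way (`&alg` vs `&alg, &plugin_name`). enumerate() appears to take its out-parameters as varargs, so if libtls were resolved to HEAD while libstrongswan's crypto factory stays at upstream 4.5.1, the enumerator would write `plugin_name` through an argument the caller never supplied — a memory-safety fault rather than a compile error — so these hunks must follow whichever side libstrongswan takes. The `¤t` in the HEAD lines looks like an extraction artifact of `&current`, not committed text, but is worth confirming in the tree. filter_suite's body continues outside the hunk.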
@@ -638,6 +649,7 @@ static void filter_suite(private_tls_crypto_t *this, { enumerator = create_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, current_alg, &plugin_name)) +>>>>>>> upstream/4.5.1 { if ((suites[i].encr == ENCR_NULL || !current.encr || current.encr == suites[i].encr) && @@ -1063,11 +1075,18 @@ METHOD(tls_crypto_t, get_signature_algorithms, void, enumerator_t *enumerator; hash_algorithm_t alg; tls_hash_algorithm_t hash; +<<<<<<< HEAD + + supported = tls_writer_create(32); + enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &alg)) +======= const char *plugin_name; supported = tls_writer_create(32); enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &alg, &plugin_name)) +>>>>>>> upstream/4.5.1 { switch (alg) { diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c index 8204a3441..2f3627485 100644 --- a/src/libtls/tls_eap.c +++ b/src/libtls/tls_eap.c @@ -303,13 +303,23 @@ METHOD(tls_eap_t, process, status_t, DBG2(DBG_TLS, "received %N acknowledgement packet", eap_type_names, this->type); status = build_pkt(this, pkt->identifier, out); +<<<<<<< HEAD + if (status == INVALID_STATE && + this->tls->is_complete(this->tls)) +======= if (status == INVALID_STATE && this->tls->is_complete(this->tls)) +>>>>>>> upstream/4.5.1 { return SUCCESS; } return status; } status = process_pkt(this, pkt); +<<<<<<< HEAD + if (status != NEED_MORE) + { + return status; +======= switch (status) { case NEED_MORE: @@ -318,6 +328,7 @@ METHOD(tls_eap_t, process, status_t, return this->tls->is_complete(this->tls) ? SUCCESS : FAILED; default: return status; +>>>>>>> upstream/4.5.1 } } status = build_pkt(this, pkt->identifier, out); diff --git a/src/libtls/tls_reader.c b/src/libtls/tls_reader.c index 2b3cd8cac..f13cdc931 100644 --- a/src/libtls/tls_reader.c +++ b/src/libtls/tls_reader.c 
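Review bot: The tls_eap.c process hunk differs in what is reported after process_pkt: HEAD returns any non-NEED_MORE status unchanged (`if (status != NEED_MORE) { return status; }`), whereas the upstream switch maps one arm to `this->tls->is_complete(this->tls) ? SUCCESS : FAILED`, so success is reported only once TLS negotiation and authentication have completed (tls.h on the previous line documents is_complete as exactly that). Resolve to the upstream side; with the HEAD variant a SUCCESS from the record layer could surface before the peer's authentication is finished, and that completeness check is the one that matters for EAP-TLS. The case label of that switch arm falls in the gap between the two hunks, so confirm it against the full function.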
@@ -52,8 +52,13 @@ METHOD(tls_reader_t, read_uint8, bool, { if (this->buf.len < 1) { +<<<<<<< HEAD + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 8); +======= DBG1(DBG_TLS, "%d bytes insufficient to parse u_int8 data", this->buf.len); +>>>>>>> upstream/4.5.1 return FALSE; } *res = this->buf.ptr[0]; @@ -66,8 +71,13 @@ METHOD(tls_reader_t, read_uint16, bool, { if (this->buf.len < 2) { +<<<<<<< HEAD + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 16); +======= DBG1(DBG_TLS, "%d bytes insufficient to parse u_int16 data", this->buf.len); +>>>>>>> upstream/4.5.1 return FALSE; } *res = untoh16(this->buf.ptr); @@ -80,8 +90,13 @@ METHOD(tls_reader_t, read_uint24, bool, { if (this->buf.len < 3) { +<<<<<<< HEAD + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 24); +======= DBG1(DBG_TLS, "%d bytes insufficient to parse u_int24 data", this->buf.len); +>>>>>>> upstream/4.5.1 return FALSE; } *res = untoh32(this->buf.ptr) >> 8; @@ -94,8 +109,13 @@ METHOD(tls_reader_t, read_uint32, bool, { if (this->buf.len < 4) { +<<<<<<< HEAD + DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", + this->buf.len, 32); +======= DBG1(DBG_TLS, "%d bytes insufficient to parse u_int32 data", this->buf.len); +>>>>>>> upstream/4.5.1 return FALSE; } *res = untoh32(this->buf.ptr); @@ -108,7 +128,11 @@ METHOD(tls_reader_t, read_data, bool, { if (this->buf.len < len) { +<<<<<<< HEAD + DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data", +======= DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes of data", +>>>>>>> upstream/4.5.1 this->buf.len, len); return FALSE; } diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c index e87c2efea..d7382e3fd 100644 --- a/src/libtls/tls_writer.c +++ b/src/libtls/tls_writer.c 
@@ -226,7 +226,11 @@ tls_writer_t *tls_writer_create(u_int32_t bufsize)
 .get_buf = _get_buf,
 .destroy = _destroy,
 },
+<<<<<<< HEAD
+ .increase = bufsize ?: 32,
+=======
 .increase = bufsize ? max(bufsize, 4) : 32,
+>>>>>>> upstream/4.5.1
 );
 if (bufsize)
 {
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 2e139f839..f2def7d98 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -236,7 +236,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -275,8 +281,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 9c9662f7f..cc8fc02af 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -226,7 +226,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,8 +271,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index ec4657e55..b551d6a7b 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -220,7 +220,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -259,8 +265,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index c6651fdf5..701413f8f 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -197,7 +197,13 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+<<<<<<< HEAD
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -236,8 +242,11 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/pki/command.c b/src/pki/command.c
index 0142b4ab7..245b22af3 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -201,7 +201,11 @@ int command_usage(char *error) } for (i = 0; cmds[active].options[i].name; i++) { +<<<<<<< HEAD + fprintf(out, " --%-8s (-%c) %s\n", +======= fprintf(out, " --%-15s (-%c) %s\n", +>>>>>>> upstream/4.5.1 cmds[active].options[i].name, cmds[active].options[i].op, cmds[active].options[i].desc); } diff --git a/src/pki/command.h b/src/pki/command.h index a6f8bc758..70a26f712 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -29,7 +29,11 @@ /** * Maximum number of options in a command (+1) */ +<<<<<<< HEAD +#define MAX_OPTIONS 20 +======= #define MAX_OPTIONS 32 +>>>>>>> upstream/4.5.1 /** * Maximum number of usage summary lines (+1) diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 6a5686d92..c6fd50029 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -18,13 +18,18 @@ #include "pki.h" #include <debug.h> +<<<<<<< HEAD +======= #include <asn1/asn1.h> +>>>>>>> upstream/4.5.1 #include <utils/linked_list.h> #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> #include <credentials/certificates/pkcs10.h> /** +<<<<<<< HEAD +======= * Free cert policy with OID */ static void destroy_cert_policy(x509_cert_policy_t *policy) @@ -53,6 +58,7 @@ static void destroy_cdp(x509_cdp_t *this) } /** +>>>>>>> upstream/4.5.1 * Issue a certificate using a CA certificate and key */ static int issue() 
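Review bot: The `MAX_OPTIONS` conflict in command.h cannot be resolved in isolation: the upstream side of this commit adds many options to the `issue`, `self` and `signcrl` tables (`--nc-permitted`, `--cert-policy`, `--cps-uri`, `--user-notice`, `--crluri`, ...), so keeping `#define MAX_OPTIONS 20` while taking the upstream tables would presumably overflow the fixed-size option array when the command is registered; the array declaration is outside the hunk, so confirm its bound. Take `#define MAX_OPTIONS 32` together with the upstream tables, and consider a compile-time or runtime check where commands are registered so that exceeding the limit fails loudly instead of silently truncating or overrunning. The `%-15s` width in `command_usage` exists for those longer option names and belongs to the same resolution.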
@@ -66,26 +72,38 @@ static int issue() char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL; char *error = NULL, *keyid = NULL; identification_t *id = NULL; +<<<<<<< HEAD + linked_list_t *san, *cdps, *ocsp; + int lifetime = 1095; + int pathlen = X509_NO_PATH_LEN_CONSTRAINT; +======= linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; +>>>>>>> upstream/4.5.1 chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; time_t not_before, not_after; x509_flag_t flags = 0; x509_t *x509; +<<<<<<< HEAD +======= x509_cdp_t *cdp = NULL; x509_cert_policy_t *policy = NULL; +>>>>>>> upstream/4.5.1 char *arg; san = linked_list_create(); cdps = linked_list_create(); ocsp = linked_list_create(); +<<<<<<< HEAD +======= permitted = linked_list_create(); excluded = linked_list_create(); policies = linked_list_create(); mappings = linked_list_create(); +>>>>>>> upstream/4.5.1 while (TRUE) { @@ -147,6 +165,8 @@ static int issue() case 'p': pathlen = atoi(arg); continue; +<<<<<<< HEAD +======= case 'n': permitted->insert_last(permitted, identification_create_from_string(arg)); @@ -220,6 +240,7 @@ static int issue() case 'A': inhibit_any = atoi(arg); continue; +>>>>>>> upstream/4.5.1 case 'e': if (streq(arg, "serverAuth")) { @@ -229,10 +250,13 @@ static int issue() { flags |= X509_CLIENT_AUTH; } +<<<<<<< HEAD +======= else if (streq(arg, "crlSign")) { flags |= X509_CRL_SIGN; } +>>>>>>> upstream/4.5.1 else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; @@ -241,6 +265,13 @@ static int issue() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { +<<<<<<< HEAD + return command_usage("invalid output format"); + } + continue; + case 'u': + cdps->insert_last(cdps, arg); +======= error = "invalid output format"; goto usage; } 
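Review bot: The HEAD side of the `case 'f'` conflict returns `command_usage("invalid output format")` directly, bypassing the `usage:` cleanup and leaking the `san`, `cdps` and `ocsp` lists (and, once the upstream lists exist, `permitted`, `excluded`, `policies` and `mappings` too); resolve toward the upstream `error = "invalid output format"; goto usage;`, and do the same for the identical conflict in self.c. The two sides also disagree on what `cdps` stores — plain `char *` URIs on HEAD (`cdps->insert_last(cdps, arg)`) versus `x509_cdp_t` structs upstream — so mixing them would hand the wrong element type to the CDP teardown and to the builder's `BUILD_CRL_DISTRIBUTION_POINTS` argument; pick the upstream representation throughout. issue()'s body begins before and ends after this hunk.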
@@ -258,6 +289,7 @@ static int issue() goto usage; } cdp->issuer = identification_create_from_string(arg); +>>>>>>> upstream/4.5.1 continue; case 'o': ocsp->insert_last(ocsp, arg); @@ -270,6 +302,15 @@ static int issue() } break; } +<<<<<<< HEAD + + if (!pkcs10 && !dn) + { + error = "--dn is required"; + goto usage; + } +======= +>>>>>>> upstream/4.5.1 if (!cacert) { error = "--cacert is required"; @@ -280,7 +321,11 @@ static int issue() error = "--cakey or --keyid is required"; goto usage; } +<<<<<<< HEAD + if (dn) +======= if (dn && *dn) +>>>>>>> upstream/4.5.1 { id = identification_create_from_string(dn); if (id->get_type(id) != ID_DER_ASN1_DN) @@ -425,12 +470,15 @@ static int issue() goto end; } +<<<<<<< HEAD +======= if (!id) { id = identification_create_from_encoding(ID_DER_ASN1_DN, chunk_from_chars(ASN1_SEQUENCE, 0)); } +>>>>>>> upstream/4.5.1 not_before = time(NULL); not_after = not_before + lifetime * 24 * 60 * 60; @@ -442,6 +490,9 @@ static int issue() BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_CRL_DISTRIBUTION_POINTS, cdps, +<<<<<<< HEAD + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); +======= BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, @@ -451,6 +502,7 @@ static int issue() BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, BUILD_POLICY_INHIBIT_ANY, inhibit_any, BUILD_END); +>>>>>>> upstream/4.5.1 if (!cert) { error = "generating certificate failed"; 
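Review bot: The upstream side removes the HEAD check `if (!pkcs10 && !dn) { error = "--dn is required"; goto usage; }` and instead synthesises an empty subject (`identification_create_from_encoding(ID_DER_ASN1_DN, chunk_from_chars(ASN1_SEQUENCE, 0))`) whenever no subject was given, but nothing in the hunk requires a subjectAltName in that case, and RFC 5280 only permits an empty subject when a critical subjectAltName is present. Once the upstream side is taken, guard the fallback, e.g. `if (!id && san->get_count(san) == 0) { error = "--dn or --san is required"; goto usage; }` placed before the empty-DN fallback (assuming `san` already holds any names copied from a PKCS#10 request at that point; confirm the accessor against linked_list_t), and make sure the builder marks the SAN extension critical when the subject is empty. The `if (dn && *dn)` change is the right companion, since an explicit empty `--dn ""` would otherwise presumably produce an unusable identification. issue() continues outside the hunk.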
@@ -475,11 +527,15 @@ end: DESTROY_IF(public); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); +<<<<<<< HEAD + cdps->destroy(cdps); +======= permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); cdps->destroy_function(cdps, (void*)destroy_cdp); +>>>>>>> upstream/4.5.1 ocsp->destroy(ocsp); free(encoding.ptr); free(serial.ptr); @@ -493,11 +549,15 @@ end: usage: san->destroy_offset(san, offsetof(identification_t, destroy)); +<<<<<<< HEAD + cdps->destroy(cdps); +======= permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); cdps->destroy_function(cdps, (void*)destroy_cdp); +>>>>>>> upstream/4.5.1 ocsp->destroy(ocsp); return command_usage(error); } 
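Review bot: The list teardown is now repeated verbatim under `end:` and `usage:` (five `destroy_*` calls plus `ocsp->destroy`), which is exactly the kind of duplication a conflict resolution gets wrong on one side only; fold the release of `san`, `permitted`, `excluded`, `policies`, `mappings`, `cdps` and `ocsp` into one static helper and call it from both labels. Whichever side is kept must match how `cdps` is populated earlier in the function: `cdps->destroy_function(cdps, (void*)destroy_cdp)` is correct for the upstream `x509_cdp_t` entries, while the HEAD `cdps->destroy(cdps)` is only correct for plain string entries. The enclosing function starts outside the hunk.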
@@ -511,6 +571,30 @@ static void __attribute__ ((constructor))reg() issue, 'i', "issue", "issue a certificate using a CA certificate and key", {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex", +<<<<<<< HEAD + " --cacert file --dn subject-dn [--san subjectAltName]+", + "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", + "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "public key/request file to issue, default: stdin"}, + {"type", 't', 1, "type of input, default: pub"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"dn", 'd', 1, "distinguished name to include as subject"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, default: no"}, + {"pathlen", 'p', 1, "set path length constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, + {"crl", 'u', 1, "CRL distribution point URI to include"}, + {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, +======= " --cacert file [--dn subject-dn] [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+", "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+", 
@@ -547,6 +631,7 @@ static void __attribute__ ((constructor))reg() {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, +>>>>>>> upstream/4.5.1 } }); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index ee6f30c98..b2716f6a8 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -15,7 +15,10 @@ #include "pki.h" +<<<<<<< HEAD +======= #include <asn1/asn1.h> +>>>>>>> upstream/4.5.1 #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> #include <credentials/certificates/crl.h> @@ -73,11 +76,16 @@ static void print_x509(x509_t *x509) chunk_t chunk; bool first; char *uri; +<<<<<<< HEAD + int len; + x509_flag_t flags; +======= int len, explicit, inhibit; x509_flag_t flags; x509_cdp_t *cdp; x509_cert_policy_t *policy; x509_policy_mapping_t *mapping; +>>>>>>> upstream/4.5.1 chunk = x509->get_serial(x509); printf("serial: %#B\n", &chunk); @@ -109,10 +117,13 @@ static void print_x509(x509_t *x509) { printf("CA "); } +<<<<<<< HEAD +======= if (flags & X509_CRL_SIGN) { printf("CRLSign "); } +>>>>>>> upstream/4.5.1 if (flags & X509_AA) { printf("AA "); @@ -141,15 +152,27 @@ static void print_x509(x509_t *x509) first = TRUE; enumerator = x509->create_crl_uri_enumerator(x509); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + printf("CRL URIs: %s\n", uri); +======= while (enumerator->enumerate(enumerator, &cdp)) { if (first) { printf("CRL URIs: %s", cdp->uri); +>>>>>>> upstream/4.5.1 first = FALSE; } else { +<<<<<<< HEAD + printf(" %s\n", uri); + } +======= printf(" %s", cdp->uri); } if (cdp->issuer) @@ -157,6 +180,7 @@ static void print_x509(x509_t *x509) printf(" (CRL issuer: %Y)", cdp->issuer); } printf("\n"); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); 
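Review bot: The `create_crl_uri_enumerator` loop in print_x509 is a place where a mixed resolution is memory-unsafe rather than merely non-compiling: the HEAD side enumerates into `char *uri` and prints it with `%s`, the upstream side into `x509_cdp_t *cdp` and prints `cdp->uri`; if the x509 interface ends up yielding `x509_cdp_t *` while this loop keeps the HEAD `&uri`, `printf` will read a struct as a C string. Keep the upstream loop here and in the two matching loops in pluto/crl.c (`add_distribution_point(crluris, cdp->uri)` and `add_distribution_point(x509crl->distributionPoints, cdp->uri)`). print_x509 starts before and ends after this hunk.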
@@ -176,12 +200,19 @@ static void print_x509(x509_t *x509) } enumerator->destroy(enumerator); +<<<<<<< HEAD + len = x509->get_pathLenConstraint(x509); + if (len != X509_NO_PATH_LEN_CONSTRAINT) +======= len = x509->get_constraint(x509, X509_PATH_LEN); if (len != X509_NO_CONSTRAINT) +>>>>>>> upstream/4.5.1 { printf("pathlen: %d\n", len); } +<<<<<<< HEAD +======= first = TRUE; enumerator = x509->create_name_constraint_enumerator(x509, TRUE); while (enumerator->enumerate(enumerator, &id)) @@ -281,6 +312,7 @@ static void print_x509(x509_t *x509) } } +>>>>>>> upstream/4.5.1 chunk = x509->get_authKeyIdentifier(x509); if (chunk.ptr) { @@ -324,6 +356,16 @@ static void print_crl(crl_t *crl) crl_reason_t reason; chunk_t chunk; int count = 0; +<<<<<<< HEAD + char buf[64]; + struct tm tm; + + chunk = crl->get_serial(crl); + printf("serial: %#B\n", &chunk); + chunk = crl->get_authKeyIdentifier(crl); + printf("authKeyId: %#B\n", &chunk); + +======= bool first; char buf[64]; struct tm tm; @@ -359,6 +401,7 @@ static void print_crl(crl_t *crl) } enumerator->destroy(enumerator); +>>>>>>> upstream/4.5.1 enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) { diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index c7788ff62..7f46d3324 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -20,6 +20,8 @@ #include <utils/linked_list.h> #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> +<<<<<<< HEAD +======= #include <asn1/asn1.h> /** @@ -40,6 +42,7 @@ static void destroy_policy_mapping(x509_policy_mapping_t *mapping) free(mapping->subject.ptr); free(mapping); } +>>>>>>> upstream/4.5.1 /** * Create a self signed certificate. 
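Review bot: The HEAD side of the pathlen conflict keeps `len = x509->get_pathLenConstraint(x509);` and `X509_NO_PATH_LEN_CONSTRAINT`, while the rest of this commit (issue.c, self.c) moves to `x509->get_constraint(x509, X509_PATH_LEN)` and `X509_NO_CONSTRAINT`; whichever way the libstrongswan x509.h side of the merge goes, these call sites must agree, otherwise the CLI references a method the interface no longer has. In print_crl both sides declare `char buf[64]; struct tm tm;` and the HEAD side additionally prints `serial:` and `authKeyId:` right after them, so a keep-both resolution would double-declare the locals; the upstream code between `+359` and `+401` is outside the hunk, so also check after resolution that serial and authority key identifier are not printed twice. print_x509 and print_crl both start before and end after their hunks.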
@@ -54,23 +57,35 @@ static int self() public_key_t *public = NULL; char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL; identification_t *id = NULL; +<<<<<<< HEAD + linked_list_t *san, *ocsp; + int lifetime = 1095; + int pathlen = X509_NO_PATH_LEN_CONSTRAINT; +======= linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; +>>>>>>> upstream/4.5.1 chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; time_t not_before, not_after; x509_flag_t flags = 0; +<<<<<<< HEAD +======= x509_cert_policy_t *policy = NULL; +>>>>>>> upstream/4.5.1 char *arg; san = linked_list_create(); ocsp = linked_list_create(); +<<<<<<< HEAD +======= permitted = linked_list_create(); excluded = linked_list_create(); policies = linked_list_create(); mappings = linked_list_create(); +>>>>>>> upstream/4.5.1 while (TRUE) { @@ -130,6 +145,8 @@ static int self() case 'p': pathlen = atoi(arg); continue; +<<<<<<< HEAD +======= case 'n': permitted->insert_last(permitted, identification_create_from_string(arg)); @@ -203,6 +220,7 @@ static int self() case 'A': inhibit_any = atoi(arg); continue; +>>>>>>> upstream/4.5.1 case 'e': if (streq(arg, "serverAuth")) { @@ -212,10 +230,13 @@ static int self() { flags |= X509_CLIENT_AUTH; } +<<<<<<< HEAD +======= else if (streq(arg, "crlSign")) { flags |= X509_CRL_SIGN; } +>>>>>>> upstream/4.5.1 else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; @@ -224,8 +245,12 @@ static int self() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { +<<<<<<< HEAD + return command_usage("invalid output format"); +======= error = "invalid output format"; goto usage; +>>>>>>> upstream/4.5.1 } continue; case 'o': 
@@ -310,6 +335,9 @@ static int self() BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san, +<<<<<<< HEAD + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); +======= BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, @@ -319,6 +347,7 @@ static int self() BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, BUILD_POLICY_INHIBIT_ANY, inhibit_any, BUILD_END); +>>>>>>> upstream/4.5.1 if (!cert) { error = "generating certificate failed"; @@ -341,10 +370,13 @@ end: DESTROY_IF(public); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); +<<<<<<< HEAD +======= permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); +>>>>>>> upstream/4.5.1 ocsp->destroy(ocsp); free(encoding.ptr); free(serial.ptr); @@ -358,10 +390,13 @@ end: usage: san->destroy_offset(san, offsetof(identification_t, destroy)); +<<<<<<< HEAD +======= permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); +>>>>>>> upstream/4.5.1 ocsp->destroy(ocsp); return command_usage(error); } 
@@ -377,6 +412,25 @@ static void __attribute__ ((constructor))reg() {"[--in file | --keyid hex] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", +<<<<<<< HEAD + "[--flag serverAuth|clientAuth|ocspSigning]+", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "private key input file, default: stdin"}, + {"keyid", 'x', 1, "keyid on smartcard of private key"}, + {"type", 't', 1, "type of input key, default: rsa"}, + {"dn", 'd', 1, "subject and issuer distinguished name"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, default: no"}, + {"pathlen", 'p', 1, "set path length constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, + {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, +======= "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", "[--nc-permitted name] [--nc-excluded name]", "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", @@ -407,6 +461,7 @@ static void __attribute__ ((constructor))reg() {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, +>>>>>>> upstream/4.5.1 } }); } diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 4b1c12e5c..07e4add48 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c 
@@ -98,6 +98,8 @@ static int read_serial(char *file, char *buf, int buflen) } /** +<<<<<<< HEAD +======= * Destroy a CDP */ static void cdp_destroy(x509_cdp_t *this) @@ -107,6 +109,7 @@ static void cdp_destroy(x509_cdp_t *this) } /** +>>>>>>> upstream/4.5.1 * Sign a CRL */ static int sign_crl() @@ -119,12 +122,22 @@ static int sign_crl() x509_t *x509; hash_algorithm_t digest = HASH_SHA1; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; +<<<<<<< HEAD +======= char *basecrl = NULL; +>>>>>>> upstream/4.5.1 char serial[512], crl_serial[8], *keyid = NULL; int serial_len = 0; crl_reason_t reason = CRL_REASON_UNSPECIFIED; time_t thisUpdate, nextUpdate, date = time(NULL); int lifetime = 15; +<<<<<<< HEAD + linked_list_t *list; + enumerator_t *enumerator, *lastenum = NULL; + chunk_t encoding = chunk_empty; + + list = linked_list_create(); +======= linked_list_t *list, *cdps; enumerator_t *enumerator, *lastenum = NULL; x509_cdp_t *cdp; @@ -132,6 +145,7 @@ static int sign_crl() list = linked_list_create(); cdps = linked_list_create(); +>>>>>>> upstream/4.5.1 memset(crl_serial, 0, sizeof(crl_serial)); @@ -202,6 +216,8 @@ static int sign_crl() reason = CRL_REASON_UNSPECIFIED; continue; } +<<<<<<< HEAD +======= case 'b': basecrl = arg; continue; @@ -211,6 +227,7 @@ static int sign_crl() ); cdps->insert_last(cdps, cdp); continue; +>>>>>>> upstream/4.5.1 case 'r': if (streq(arg, "key-compromise")) { @@ -283,9 +300,15 @@ static int sign_crl() goto error; } x509 = (x509_t*)ca; +<<<<<<< HEAD + if (!(x509->get_flags(x509) & X509_CA)) + { + error = "CA certificate misses CA basicConstraint"; +======= if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) { error = "CA certificate misses CA basicConstraint / CRLSign keyUsage"; +>>>>>>> upstream/4.5.1 goto error; } public = ca->get_public_key(ca); 
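Review bot: The relaxed acceptance check `if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))` is the right direction — RFC 5280 identifies a CRL issuer by the cRLSign keyUsage bit, not by the CA basicConstraint, so the HEAD condition `!(x509->get_flags(x509) & X509_CA)` rejects dedicated CRL signers — and it should be kept together with its message `"CA certificate misses CA basicConstraint / CRLSign keyUsage"`. Because the test is an OR, a CA certificate whose keyUsage extension explicitly omits cRLSign still passes; whether `X509_CRL_SIGN` is absent only when keyUsage is absent is decided by the parser outside this hunk, so either tighten the check when a keyUsage extension exists or record the leniency with `/* a CA certificate without an explicit cRLSign bit is still accepted */`. The `cdps` list introduced on the upstream side is freed under `error:` and `usage:` with `destroy_function(cdps, (void*)cdp_destroy)`, matching the `x509_cdp_t` entries built in the `--crluri` handler, so the HEAD `list = linked_list_create();` alone would leave `cdps` uninitialised for those frees. sign_crl() is longer than this hunk on both sides.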
@@ -323,6 +346,8 @@ static int sign_crl() thisUpdate = time(NULL); nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; +<<<<<<< HEAD +======= if (basecrl) { lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, @@ -339,6 +364,7 @@ static int sign_crl() lastcrl = NULL; } +>>>>>>> upstream/4.5.1 if (lastupdate) { lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, @@ -352,10 +378,13 @@ static int sign_crl() min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); lastenum = lastcrl->create_enumerator(lastcrl); } +<<<<<<< HEAD +======= else { lastenum = enumerator_create_empty(); } +>>>>>>> upstream/4.5.1 chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); @@ -365,12 +394,20 @@ static int sign_crl() BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, +<<<<<<< HEAD + BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest, + lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum, + BUILD_END); + enumerator->destroy(enumerator); + DESTROY_IF(lastenum); +======= BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest, BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber, BUILD_END); enumerator->destroy(enumerator); lastenum->destroy(lastenum); +>>>>>>> upstream/4.5.1 DESTROY_IF((certificate_t*)lastcrl); if (!crl) @@ -395,9 +432,13 @@ error: DESTROY_IF(ca); DESTROY_IF(crl); free(encoding.ptr); +<<<<<<< HEAD + list->destroy_function(list, (void*)revoked_destroy); +======= free(baseCrlNumber.ptr); list->destroy_function(list, (void*)revoked_destroy); cdps->destroy_function(cdps, (void*)cdp_destroy); +>>>>>>> upstream/4.5.1 if (error) { fprintf(stderr, "%s\n", error); 
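Review bot: The two sides handle the `--lastcrl` enumerator differently and only the upstream pairing is internally consistent: upstream adds `else { lastenum = enumerator_create_empty(); }` and then unconditionally passes `BUILD_REVOKED_ENUMERATOR, lastenum` and calls `lastenum->destroy(lastenum)`, whereas HEAD passes `lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum,` and uses `DESTROY_IF(lastenum)`. Taking the upstream builder call with the HEAD control flow would dereference a NULL `lastenum` when no `--lastcrl` is given, so the `else` branch, the builder arguments and the destroy must be resolved as one unit. The upstream `free(baseCrlNumber.ptr)` under `error:` refers to a variable declared and filled outside the hunk; confirm it is initialised to `chunk_empty` on every path that can reach `error:`, since `free` of an uninitialised pointer is undefined behaviour. sign_crl() continues outside the hunk on both sides.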
@@ -407,7 +448,10 @@ error: usage: list->destroy_function(list, (void*)revoked_destroy); +<<<<<<< HEAD +======= cdps->destroy_function(cdps, (void*)cdp_destroy); +>>>>>>> upstream/4.5.1 return command_usage(error); } @@ -420,13 +464,30 @@ static void __attribute__ ((constructor))reg() sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", {"--cacert file --cakey file | --cakeyid hex --lifetime days", +<<<<<<< HEAD +======= "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+", +>>>>>>> upstream/4.5.1 "[ [--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", " [--date timestamp]", " --cert file | --serial hex ]*", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { +<<<<<<< HEAD + {"help", 'h', 0, "show usage information"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, + {"cert", 'z', 1, "certificate file to revoke"}, + {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, + {"reason", 'r', 1, "reason for certificate revocation"}, + {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated crl, default: der"}, +======= {"help", 'h', 0, "show usage information"}, {"cacert", 'c', 1, "CA certificate file"}, {"cakey", 'k', 1, "CA private key file"}, @@ -441,6 +502,7 @@ static void __attribute__ ((constructor))reg() {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, {"outform", 'f', 1, "encoding of generated crl, default: der"}, +>>>>>>> upstream/4.5.1 } }); } 
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 1428854ee..eb7f2c28a 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -304,7 +304,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -343,8 +349,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pluto/ca.c b/src/pluto/ca.c index add85def8..713d56ef1 100644 --- a/src/pluto/ca.c +++ b/src/pluto/ca.c @@ -629,7 +629,11 @@ void add_ca_info(const whack_message_t *msg) if (strncasecmp(msg->ocspuri, "http", 4) == 0) ca->ocspuri = clone_str(msg->ocspuri); else +<<<<<<< HEAD + plog(" ignoring ocspuri with unkown protocol"); +======= plog(" ignoring ocspuri with unknown protocol"); +>>>>>>> upstream/4.5.1 } /* add crl uris */ diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 1c9c9a8cc..d8f962501 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -352,7 +352,11 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, x509crl_t *x509crl; ca_info_t *ca; enumerator_t *enumerator; +<<<<<<< HEAD + char *point; +======= x509_cdp_t *cdp; +>>>>>>> upstream/4.5.1 ca = get_ca_info(issuer, authKeyID); 
@@ -376,9 +380,15 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &point)) + { + add_distribution_point(crluris, point); +======= while (enumerator->enumerate(enumerator, &cdp)) { add_distribution_point(crluris, cdp->uri); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); @@ -416,9 +426,15 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &point)) + { + add_distribution_point(x509crl->distributionPoints, point); +======= while (enumerator->enumerate(enumerator, &cdp)) { add_distribution_point(x509crl->distributionPoints, cdp->uri); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index f01966c72..695035ea1 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c @@ -26,6 +26,16 @@ static struct encrypt_desc encrypt_desc_3des = { +<<<<<<< HEAD + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_3DES_CBC, + algo_next: NULL, + + enc_blocksize: DES_BLOCK_SIZE, + keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, +======= algo_type: IKE_ALG_ENCRYPT, algo_id: OAKLEY_3DES_CBC, plugin_name: NULL, @@ -35,6 +45,7 @@ static struct encrypt_desc encrypt_desc_3des = keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, +>>>>>>> upstream/4.5.1 }; #define AES_KEY_MIN_LEN 128 
@@ -43,6 +54,16 @@ static struct encrypt_desc encrypt_desc_3des = static struct encrypt_desc encrypt_desc_aes = { +<<<<<<< HEAD + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_AES_CBC, + algo_next: NULL, + + enc_blocksize: AES_BLOCK_SIZE, + keyminlen: AES_KEY_MIN_LEN, + keydeflen: AES_KEY_DEF_LEN, + keymaxlen: AES_KEY_MAX_LEN, +======= algo_type: IKE_ALG_ENCRYPT, algo_id: OAKLEY_AES_CBC, plugin_name: NULL, @@ -52,6 +73,7 @@ static struct encrypt_desc encrypt_desc_aes = keyminlen: AES_KEY_MIN_LEN, keydeflen: AES_KEY_DEF_LEN, keymaxlen: AES_KEY_MAX_LEN, +>>>>>>> upstream/4.5.1 }; #define CAMELLIA_KEY_MIN_LEN 128 @@ -60,6 +82,16 @@ static struct encrypt_desc encrypt_desc_aes = static struct encrypt_desc encrypt_desc_camellia = { +<<<<<<< HEAD + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_CAMELLIA_CBC, + algo_next: NULL, + + enc_blocksize: CAMELLIA_BLOCK_SIZE, + keyminlen: CAMELLIA_KEY_MIN_LEN, + keydeflen: CAMELLIA_KEY_DEF_LEN, + keymaxlen: CAMELLIA_KEY_MAX_LEN, +======= algo_type: IKE_ALG_ENCRYPT, algo_id: OAKLEY_CAMELLIA_CBC, plugin_name: NULL, @@ -69,6 +101,7 @@ static struct encrypt_desc encrypt_desc_camellia = keyminlen: CAMELLIA_KEY_MIN_LEN, keydeflen: CAMELLIA_KEY_DEF_LEN, keymaxlen: CAMELLIA_KEY_MAX_LEN, +>>>>>>> upstream/4.5.1 }; #define BLOWFISH_KEY_MIN_LEN 128 @@ -76,6 +109,16 @@ static struct encrypt_desc encrypt_desc_camellia = static struct encrypt_desc encrypt_desc_blowfish = { +<<<<<<< HEAD + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_BLOWFISH_CBC, + algo_next: NULL, + + enc_blocksize: BLOWFISH_BLOCK_SIZE, + keyminlen: BLOWFISH_KEY_MIN_LEN, + keydeflen: BLOWFISH_KEY_MIN_LEN, + keymaxlen: BLOWFISH_KEY_MAX_LEN, +======= algo_type: IKE_ALG_ENCRYPT, algo_id: OAKLEY_BLOWFISH_CBC, plugin_name: NULL, @@ -85,6 +128,7 @@ static struct encrypt_desc encrypt_desc_blowfish = keyminlen: BLOWFISH_KEY_MIN_LEN, keydeflen: BLOWFISH_KEY_MIN_LEN, keymaxlen: BLOWFISH_KEY_MAX_LEN, +>>>>>>> upstream/4.5.1 }; #define SERPENT_KEY_MIN_LEN 128 
@@ -93,6 +137,16 @@ static struct encrypt_desc encrypt_desc_blowfish = static struct encrypt_desc encrypt_desc_serpent = { +<<<<<<< HEAD + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_SERPENT_CBC, + algo_next: NULL, + + enc_blocksize: SERPENT_BLOCK_SIZE, + keyminlen: SERPENT_KEY_MIN_LEN, + keydeflen: SERPENT_KEY_DEF_LEN, + keymaxlen: SERPENT_KEY_MAX_LEN, +======= algo_type: IKE_ALG_ENCRYPT, algo_id: OAKLEY_SERPENT_CBC, plugin_name: NULL, @@ -102,6 +156,7 @@ static struct encrypt_desc encrypt_desc_serpent = keyminlen: SERPENT_KEY_MIN_LEN, keydeflen: SERPENT_KEY_DEF_LEN, keymaxlen: SERPENT_KEY_MAX_LEN, +>>>>>>> upstream/4.5.1 }; #define TWOFISH_KEY_MIN_LEN 128 @@ -110,6 +165,16 @@ static struct encrypt_desc encrypt_desc_serpent = static struct encrypt_desc encrypt_desc_twofish = { +<<<<<<< HEAD + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, +======= algo_type: IKE_ALG_ENCRYPT, algo_id: OAKLEY_TWOFISH_CBC, plugin_name: NULL, @@ -119,10 +184,21 @@ static struct encrypt_desc encrypt_desc_twofish = keydeflen: TWOFISH_KEY_MIN_LEN, keyminlen: TWOFISH_KEY_DEF_LEN, keymaxlen: TWOFISH_KEY_MAX_LEN, +>>>>>>> upstream/4.5.1 }; static struct encrypt_desc encrypt_desc_twofish_ssh = { +<<<<<<< HEAD + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC_SSH, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, +======= algo_type: IKE_ALG_ENCRYPT, algo_id: OAKLEY_TWOFISH_CBC_SSH, plugin_name: NULL, 
@@ -132,13 +208,17 @@ static struct encrypt_desc encrypt_desc_twofish_ssh = keydeflen: TWOFISH_KEY_MIN_LEN, keyminlen: TWOFISH_KEY_DEF_LEN, keymaxlen: TWOFISH_KEY_MAX_LEN, +>>>>>>> upstream/4.5.1 }; static struct hash_desc hash_desc_md5 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_MD5, +<<<<<<< HEAD +======= plugin_name: NULL, +>>>>>>> upstream/4.5.1 algo_next: NULL, hash_digest_size: HASH_SIZE_MD5, }; @@ -147,7 +227,10 @@ static struct hash_desc hash_desc_sha1 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA, +<<<<<<< HEAD +======= plugin_name: NULL, +>>>>>>> upstream/4.5.1 algo_next: NULL, hash_digest_size: HASH_SIZE_SHA1, }; @@ -155,7 +238,10 @@ static struct hash_desc hash_desc_sha1 = static struct hash_desc hash_desc_sha2_256 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_256, +<<<<<<< HEAD +======= plugin_name: NULL, +>>>>>>> upstream/4.5.1 algo_next: NULL, hash_digest_size: HASH_SIZE_SHA256, }; @@ -163,7 +249,10 @@ static struct hash_desc hash_desc_sha2_256 = { static struct hash_desc hash_desc_sha2_384 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_384, +<<<<<<< HEAD +======= plugin_name: NULL, +>>>>>>> upstream/4.5.1 algo_next: NULL, hash_digest_size: HASH_SIZE_SHA384, }; 
@@ -171,12 +260,119 @@ static struct hash_desc hash_desc_sha2_384 = { static struct hash_desc hash_desc_sha2_512 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_512, +<<<<<<< HEAD +======= plugin_name: NULL, +>>>>>>> upstream/4.5.1 algo_next: NULL, hash_digest_size: HASH_SIZE_SHA512, }; const struct dh_desc unset_group = { +<<<<<<< HEAD + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_NONE, + algo_next: NULL, + ke_size: 0 +}; + +static struct dh_desc dh_desc_modp_1024 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1024_BIT, + algo_next: NULL, + ke_size: 1024 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_1536 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1536_BIT, + algo_next: NULL, + ke_size: 1536 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_2048 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_BIT, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_3072 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_3072_BIT, + algo_next: NULL, + ke_size: 3072 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_4096 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_4096_BIT, + algo_next: NULL, + ke_size: 4096 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_6144 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_6144_BIT, + algo_next: NULL, + ke_size: 6144 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_8192 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_8192_BIT, + algo_next: NULL, + ke_size: 8192 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_ecp_256 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_256_BIT, + algo_next: NULL, + ke_size: 2*256 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_ecp_384 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_384_BIT, + algo_next: NULL, + ke_size: 2*384 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_ecp_521 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_521_BIT, + algo_next: NULL, + ke_size: 2*528 / 
BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_1024_160 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1024_160, + algo_next: NULL, + ke_size: 1024 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_2048_224 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_224, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_modp_2048_256 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_256, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE +}; + +static struct dh_desc dh_desc_ecp_192 = { + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_192_BIT, + algo_next: NULL, + ke_size: 2*192 / BITS_PER_BYTE +======= algo_type: IKE_ALG_DH_GROUP, algo_id: MODP_NONE, plugin_name: NULL, @@ -293,14 +489,20 @@ static struct dh_desc dh_desc_ecp_192 = { plugin_name: NULL, algo_next: NULL, ke_size: 2*192 / BITS_PER_BYTE +>>>>>>> upstream/4.5.1 }; static struct dh_desc dh_desc_ecp_224 = { algo_type: IKE_ALG_DH_GROUP, algo_id: ECP_224_BIT, +<<<<<<< HEAD + algo_next: NULL, + ke_size: 2*224 / BITS_PER_BYTE +======= plugin_name: NULL, algo_next: NULL, ke_size: 2*224 / BITS_PER_BYTE +>>>>>>> upstream/4.5.1 }; bool init_crypto(void) @@ -309,12 +511,19 @@ bool init_crypto(void) encryption_algorithm_t encryption_alg; hash_algorithm_t hash_alg; diffie_hellman_group_t dh_group; +<<<<<<< HEAD +======= const char *plugin_name; +>>>>>>> upstream/4.5.1 bool no_md5 = TRUE; bool no_sha1 = TRUE; enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &hash_alg)) +======= while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name)) +>>>>>>> upstream/4.5.1 { const struct hash_desc *desc; @@ -340,7 +549,11 @@ bool init_crypto(void) default: continue; } +<<<<<<< HEAD + ike_alg_add((struct ike_alg *)desc); +======= ike_alg_add((struct ike_alg *)desc, plugin_name); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); 
@@ -354,7 +567,11 @@ bool init_crypto(void) } enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &encryption_alg)) +======= while (enumerator->enumerate(enumerator, &encryption_alg, &plugin_name)) +>>>>>>> upstream/4.5.1 { const struct encrypt_desc *desc; @@ -374,8 +591,12 @@ bool init_crypto(void) break; case ENCR_TWOFISH_CBC: desc = &encrypt_desc_twofish; +<<<<<<< HEAD + ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh); +======= ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh, plugin_name); +>>>>>>> upstream/4.5.1 break; case ENCR_SERPENT_CBC: desc = &encrypt_desc_serpent; @@ -383,12 +604,20 @@ bool init_crypto(void) default: continue; } +<<<<<<< HEAD + ike_alg_add((struct ike_alg *)desc); +======= ike_alg_add((struct ike_alg *)desc, plugin_name); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); enumerator = lib->crypto->create_dh_enumerator(lib->crypto); +<<<<<<< HEAD + while (enumerator->enumerate(enumerator, &dh_group)) +======= while (enumerator->enumerate(enumerator, &dh_group, &plugin_name)) +>>>>>>> upstream/4.5.1 { const struct dh_desc *desc; @@ -442,7 +671,11 @@ bool init_crypto(void) default: continue; } +<<<<<<< HEAD + ike_alg_add((struct ike_alg *)desc); +======= ike_alg_add((struct ike_alg *)desc, plugin_name); +>>>>>>> upstream/4.5.1 } enumerator->destroy(enumerator); return TRUE; diff --git a/src/pluto/demux.c b/src/pluto/demux.c index 249e645ed..22976fe9a 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -1147,7 +1147,11 @@ read_packet(struct msg_digest *md) } else if (from_ugh != NULL) { +<<<<<<< HEAD + plog("recvfrom on %s returned misformed source sockaddr: %s" +======= plog("recvfrom on %s returned malformed source sockaddr: %s" +>>>>>>> upstream/4.5.1 , ifp->rname, from_ugh); return FALSE; } diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c index a36b5ce4e..eabe6c86e 100644 --- a/src/pluto/ike_alg.c +++ b/src/pluto/ike_alg.c 
@@ -72,7 +72,11 @@ static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id,
 /**
 * "raw" ike_alg list adding function
 */
+<<<<<<< HEAD
+int ike_alg_add(struct ike_alg* a)
+=======
 int ike_alg_add(struct ike_alg* a, const char *plugin_name)
+>>>>>>> upstream/4.5.1
 {
 if (a->algo_type > IKE_ALG_MAX)
 {
@@ -96,7 +100,10 @@ int ike_alg_add(struct ike_alg* a, const char *plugin_name)
 e = *ep;
 }
 *ep = a;
+<<<<<<< HEAD
+=======
 a->plugin_name = plugin_name;
+>>>>>>> upstream/4.5.1
 a->algo_next = e;
 return 0;
 }
@@ -305,6 +312,8 @@ fail:
 }
 
 /**
+<<<<<<< HEAD
+=======
 * Print the name of an algorithm plus the name of the plugin that registered it
 */
 static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
@@ -325,21 +334,74 @@ static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type, } /** +>>>>>>> upstream/4.5.1 * Show registered IKE algorithms */ void ike_alg_list(void) { +<<<<<<< HEAD + char buf[BUF_LEN]; + char *pos; + int n, len; +======= rng_quality_t quality; enumerator_t *enumerator; const char *plugin_name; char buf[BUF_LEN]; int len; +>>>>>>> upstream/4.5.1 struct ike_alg *a; whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:"); whack_log(RC_COMMENT, " "); +<<<<<<< HEAD + pos = buf; + *pos = '\0'; + len = BUF_LEN; + for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next) + { + n = snprintf(pos, len, " %s", enum_name(&oakley_enc_names, a->algo_id)); + pos += n; + len -= n; + if (len <= 0) + { + break; + } + } + whack_log(RC_COMMENT, " encryption:%s", buf); + + pos = buf; + *pos = '\0'; + len = BUF_LEN; + for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next) + { + n = snprintf(pos, len, " %s", enum_name(&oakley_hash_names, a->algo_id)); + pos += n; + len -= n; + if (len <= 0) + { + break; + } + } + whack_log(RC_COMMENT, " integrity: %s", buf); + + pos = buf; + *pos = '\0'; + len = BUF_LEN; + for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next) + { + n = snprintf(pos, len, " %s", enum_name(&oakley_group_names, a->algo_id)); + pos += n; + len -= n; + if (len <= 0) + { + break; + } + } + whack_log(RC_COMMENT, " dh-group: %s", buf); +======= len = sprintf(buf, " encryption:"); for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next) { @@ -370,6 +432,7 @@ void ike_alg_list(void) } enumerator->destroy(enumerator); whack_log(RC_COMMENT, "%s", buf); +>>>>>>> upstream/4.5.1 } /** diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h index c3ce8bb38..7ee2ca808 100644 --- a/src/pluto/ike_alg.h +++ b/src/pluto/ike_alg.h 
@@ -22,14 +22,20 @@ struct ike_alg { u_int16_t algo_type; u_int16_t algo_id; +<<<<<<< HEAD +======= const char *plugin_name; +>>>>>>> upstream/4.5.1 struct ike_alg *algo_next; }; struct encrypt_desc { u_int16_t algo_type; u_int16_t algo_id; +<<<<<<< HEAD +======= const char *plugin_name; +>>>>>>> upstream/4.5.1 struct ike_alg *algo_next; size_t enc_blocksize; @@ -41,7 +47,10 @@ struct encrypt_desc { struct hash_desc { u_int16_t algo_type; u_int16_t algo_id; +<<<<<<< HEAD +======= const char *plugin_name; +>>>>>>> upstream/4.5.1 struct ike_alg *algo_next; size_t hash_digest_size; @@ -50,7 +59,10 @@ struct hash_desc { struct dh_desc { u_int16_t algo_type; u_int16_t algo_id; +<<<<<<< HEAD +======= const char *plugin_name; +>>>>>>> upstream/4.5.1 struct ike_alg *algo_next; size_t ke_size; @@ -61,7 +73,11 @@ struct dh_desc { #define IKE_ALG_DH_GROUP 2 #define IKE_ALG_MAX IKE_ALG_DH_GROUP +<<<<<<< HEAD +extern int ike_alg_add(struct ike_alg *a); +======= extern int ike_alg_add(struct ike_alg *a, const char *plugin_name); +>>>>>>> upstream/4.5.1 extern struct hash_desc *ike_alg_get_hasher(u_int alg); extern struct encrypt_desc *ike_alg_get_crypter(u_int alg); extern struct dh_desc *ike_alg_get_dh_group(u_int alg); diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index 104b6c2d4..7d54b9e8e 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -1183,7 +1183,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, ipcomp_spi, said_next->proto, c->spd.reqid, +<<<<<<< HEAD + mark, <_none, ENCR_UNDEFINED, chunk_empty, +======= mark, 0, <_none, ENCR_UNDEFINED, chunk_empty, +>>>>>>> upstream/4.5.1 AUTH_UNDEFINED, chunk_empty, mode, st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, inbound, NULL, NULL) != SUCCESS) 
@@ -1292,7 +1296,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, esp_spi, said_next->proto, c->spd.reqid, +<<<<<<< HEAD + mark, <_none, enc_alg, enc_key, +======= mark, 0, <_none, enc_alg, enc_key, +>>>>>>> upstream/4.5.1 auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, encap, inbound, NULL, NULL) != SUCCESS) { @@ -1325,7 +1333,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, ah_spi, said_next->proto, c->spd.reqid, +<<<<<<< HEAD + mark, <_none, ENCR_UNDEFINED, chunk_empty, +======= mark, 0, <_none, ENCR_UNDEFINED, chunk_empty, +>>>>>>> upstream/4.5.1 auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, FALSE, inbound, NULL, NULL) != SUCCESS) { diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index c82c376f8..41155c619 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c @@ -397,6 +397,13 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id) return sadb_alg; } +<<<<<<< HEAD +void kernel_alg_list(void) +{ + char buf[BUF_LEN]; + char *pos; + int n, len; +======= /** * Print the name of a kernel algorithm */ 
@@ -419,33 +426,71 @@ void kernel_alg_list(void) { char buf[BUF_LEN]; int len; +>>>>>>> upstream/4.5.1 u_int sadb_id; whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, "List of registered ESP Algorithms:"); whack_log(RC_COMMENT, " "); +<<<<<<< HEAD + pos = buf; + *pos = '\0'; + len = BUF_LEN; +======= len = sprintf(buf, " encryption:"); +>>>>>>> upstream/4.5.1 for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++) { if (ESP_EALG_PRESENT(sadb_id)) { +<<<<<<< HEAD + n = snprintf(pos, len, " %s", + enum_name(&esp_transform_names, sadb_id)); + pos += n; + len -= n; + if (len <= 0) + { + break; + } + } + } + whack_log(RC_COMMENT, " encryption:%s", buf); + + pos = buf; + *pos = '\0'; + len = BUF_LEN; +======= print_alg(buf, &len, &esp_transform_names, sadb_id); } } whack_log(RC_COMMENT, "%s", buf); len = sprintf(buf, " integrity: "); +>>>>>>> upstream/4.5.1 for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++) { if (ESP_AALG_PRESENT(sadb_id)) { u_int aaid = alg_info_esp_sadb2aa(sadb_id); +<<<<<<< HEAD + n = snprintf(pos, len, " %s", enum_name(&auth_alg_names, aaid)); + pos += n; + len -= n; + if (len <= 0) + { + break; + } + } + } + whack_log(RC_COMMENT, " integrity: %s", buf); +======= print_alg(buf, &len, &auth_alg_names, aaid); } } whack_log(RC_COMMENT, "%s", buf); +>>>>>>> upstream/4.5.1 } void kernel_alg_show_connection(connection_t *c, const char *instance) diff --git a/src/pluto/keys.c b/src/pluto/keys.c index 86b46c6c1..e2c52fab0 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -902,7 +902,10 @@ static void process_secret(secret_t *s, int whackfd) { loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s" , flp->filename, flp->lino, ugh); +<<<<<<< HEAD +======= s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy)); +>>>>>>> upstream/4.5.1 free(s); } else if (flushline("expected record boundary in key")) 
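Review bot: Only the upstream side of the keys.c hunk `@@ -902,7 +902,10 @@` releases `s->ids` before `free(s)` on the error path of `process_secret`; the HEAD side frees the secret and leaks every `identification_t` that was parsed into its id list. The `unexpected end of id list` branch of `process_secret_records` in the next hunk has the same shape, and there the HEAD side has no `free(s)` in the visible lines either. Whichever side of the conflict is kept, both `s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy));` and `free(s);` must remain, since these paths run for every malformed entry in the secrets file. `process_secret` begins and ends outside the hunk.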
@@ -1011,11 +1014,16 @@ static void process_secret_records(int whackfd) if (!shift()) { /* unexpected Record Boundary or EOF */ +<<<<<<< HEAD + loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list" + , flp->filename, flp->lino); +======= loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end" " of id list", flp->filename, flp->lino); s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy)); free(s); +>>>>>>> upstream/4.5.1 break; } } diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index a3694b7b5..14e5cbb96 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -1045,8 +1045,13 @@ static bool valid_ocsp_response(response_t *res) ) /* check path length constraint */ +<<<<<<< HEAD + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && +======= pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN); if (pathlen_constraint != X509_NO_CONSTRAINT && +>>>>>>> upstream/4.5.1 pathlen > pathlen_constraint) { plog("path length of %d violates constraint of %d", diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in index 358805cc4..793a0e88d 100644 --- a/src/pluto/plugins/xauth/Makefile.in +++ b/src/pluto/plugins/xauth/Makefile.in @@ -218,7 +218,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -257,8 +263,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8 index 9ac537bd9..1efb1a6f7 100644 --- a/src/pluto/pluto.8 +++ b/src/pluto/pluto.8 @@ -1,8 +1,14 @@ .TH IPSEC_PLUTO 8 "28 March 1999" .SH NAME +<<<<<<< HEAD +ipsec pluto \- IPsec IKE keying daemon +.br +ipsec whack \- control interface for IPSEC keying daemon +======= pluto \- IPsec IKE keying daemon and control interface .PP whack \- control interface for IKE keying daemon +>>>>>>> upstream/4.5.1 .SH SYNOPSIS .na .nh @@ -1009,7 +1015,11 @@ specifies the name of the operation to be performed \fBup-host\fP, \fBup-client\fP, \fBdown-host\fP, or \fBdown-client\fP). If the address family for security gateway to security gateway communications is IPv6, then +<<<<<<< HEAD +a suffix of -v6 is added to the verb. +======= a suffix of \-v6 is added to the verb. +>>>>>>> upstream/4.5.1 .TP \fBPLUTO_CONNECTION\fP is the name of the connection for which we are routing. @@ -1571,7 +1581,11 @@ rejected with ECONNREFUSED (kernel supplied no details)''. John Denker suggests that this command is useful for tracking down the source of these problems: .br +<<<<<<< HEAD + tcpdump -i eth0 icmp[0] != 8 and icmp[0] != 0 +======= tcpdump \-i eth0 icmp[0] != 8 and icmp[0] != 0 +>>>>>>> upstream/4.5.1 .br Substitute your public interface for eth0 if it is different. .LP diff --git a/src/pluto/x509.c b/src/pluto/x509.c index 7e2aca862..b76f02845 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c @@ -255,8 +255,13 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until) unlock_authcert_list("verify_x509cert"); /* check path length constraint */ +<<<<<<< HEAD + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && +======= pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN); if (pathlen_constraint != X509_NO_CONSTRAINT && +>>>>>>> upstream/4.5.1 pathlen > pathlen_constraint) { plog("path length of %d violates constraint of %d", 
@@ -450,8 +455,13 @@ void list_x509cert_chain(const char *caption, cert_t* cert, } /* list optional pathLenConstraint */ +<<<<<<< HEAD + pathlen = x509->get_pathLenConstraint(x509); + if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) +======= pathlen = x509->get_constraint(x509, X509_PATH_LEN); if (pathlen != X509_NO_CONSTRAINT) +>>>>>>> upstream/4.5.1 { whack_log(RC_COMMENT, " pathlen: %d", pathlen); } diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 623585f65..880715697 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -228,7 +228,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,8 +273,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index 72750e155..d717ba309 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 @@ -239,12 +239,20 @@ Log raw hex dumps. .PP .B \-C, \-\-debug\-control .RS 4 +<<<<<<< HEAD +Log informations about control flow. +======= Log information about control flow. +>>>>>>> upstream/4.5.1 .RE .PP .B \-M, \-\-debug\-controlmore .RS 4 +<<<<<<< HEAD +Log more detailed informations about control flow. +======= Log more detailed information about control flow. +>>>>>>> upstream/4.5.1 .RE .PP .B \-X, \-\-debug\-private diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index f05aeca22..29cdccbed 100644 --- a/src/starter/Makefile.am 
+++ b/src/starter/Makefile.am @@ -25,6 +25,10 @@ AM_CFLAGS = \ starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +<<<<<<< HEAD +dist_man_MANS = starter.8 +======= +>>>>>>> upstream/4.5.1 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto 
@@ -58,6 +62,18 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : +<<<<<<< HEAD + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true +======= test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true 
@@ -68,4 +84,5 @@ install-exec-local : test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true +>>>>>>> upstream/4.5.1 diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index f1c370ad9..e38324f4a 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -39,7 +39,12 @@ ipsec_PROGRAMS = starter$(EXEEXT) @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON @USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING subdir = src/starter +<<<<<<< HEAD +DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +======= DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +>>>>>>> upstream/4.5.1 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -55,7 +60,11 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +<<<<<<< HEAD +am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +======= am__installdirs = "$(DESTDIR)$(ipsecdir)" +>>>>>>> upstream/4.5.1 PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ 
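Review bot: On the upstream side of `install-exec-local`, the first rule `$(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d"` passes `-d` as the argument of `-o`, so install is left with a single operand and fails; the trailing `|| true` hides this and the directory only exists because the later `$(INSTALL) -d .../cacerts` creates its parent. The line should read `test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true`, and the same line is repeated in the generated Makefile.in hunk `@@ -632,6 +768,18 @@`. The two sides also disagree on ownership: HEAD chowns everything, including the mode-750 `ipsec.d/private` key directory, to `${ipsecuid}:${ipsecgid}`, while upstream leaves root ownership; whichever is chosen has to match the uid the daemons actually run as, otherwise `private` is either unreadable by them or readable by more than them. The `install-exec-local` recipe continues past the end of this hunk.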
@@ -84,6 +93,33 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(starter_SOURCES) DIST_SOURCES = $(starter_SOURCES) +<<<<<<< HEAD +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man_MANS) +======= +>>>>>>> upstream/4.5.1 ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -206,7 +242,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -245,8 +287,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -279,6 +324,10 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +<<<<<<< HEAD +dist_man_MANS = starter.8 +======= +>>>>>>> upstream/4.5.1 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient 
@@ -412,6 +461,47 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs +<<<<<<< HEAD +install-man8: $(dist_man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list=''; test -n "$(man8dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } +======= +>>>>>>> upstream/4.5.1 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ 
@@ -466,6 +556,22 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) +<<<<<<< HEAD + @list='$(MANS)'; if test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically \`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi +======= +>>>>>>> upstream/4.5.1 @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -497,9 +603,15 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am +<<<<<<< HEAD +all-am: Makefile $(PROGRAMS) $(MANS) +installdirs: + for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ +======= all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(ipsecdir)"; do \ +>>>>>>> upstream/4.5.1 test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -551,7 +663,11 @@ info: info-am info-am: +<<<<<<< HEAD +install-data-am: install-ipsecPROGRAMS install-man +======= install-data-am: install-ipsecPROGRAMS +>>>>>>> upstream/4.5.1 install-dvi: install-dvi-am @@ -567,7 +683,11 @@ install-info: install-info-am install-info-am: +<<<<<<< HEAD +install-man: install-man8 +======= install-man: +>>>>>>> upstream/4.5.1 install-pdf: install-pdf-am 
@@ -597,7 +717,13 @@ ps: ps-am ps-am: +<<<<<<< HEAD +uninstall-am: uninstall-ipsecPROGRAMS uninstall-man + +uninstall-man: uninstall-man8 +======= uninstall-am: uninstall-ipsecPROGRAMS +>>>>>>> upstream/4.5.1 .MAKE: install-am install-strip @@ -608,12 +734,22 @@ uninstall-am: uninstall-ipsecPROGRAMS install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-exec-local \ install-html install-html-am install-info install-info-am \ +<<<<<<< HEAD + install-ipsecPROGRAMS install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ + uninstall-man uninstall-man8 +======= install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags uninstall uninstall-am uninstall-ipsecPROGRAMS +>>>>>>> upstream/4.5.1 lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h 
@@ -632,6 +768,18 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : +<<<<<<< HEAD + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true +======= test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true 
@@ -642,6 +790,7 @@ install-exec-local : test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true +>>>>>>> upstream/4.5.1 # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/starter/args.c b/src/starter/args.c index 87307f1aa..0c1a835ae 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -239,7 +239,10 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_MARK */ }, { ARG_MISC, 0, NULL /* KW_MARK_IN */ }, { ARG_MISC, 0, NULL /* KW_MARK_OUT */ }, +<<<<<<< HEAD +======= { ARG_MISC, 0, NULL /* KW_TFC */ }, +>>>>>>> upstream/4.5.1 /* ca section keywords */ { ARG_STR, offsetof(starter_ca_t, name), NULL }, @@ -273,7 +276,10 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_end_t, rsakey), NULL }, { ARG_STR, offsetof(starter_end_t, cert), NULL }, { ARG_STR, offsetof(starter_end_t, cert2), NULL }, +<<<<<<< HEAD +======= { ARG_STR, offsetof(starter_end_t, cert_policy), NULL }, +>>>>>>> upstream/4.5.1 { ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert }, { ARG_STR, offsetof(starter_end_t, ca), NULL }, { ARG_STR, offsetof(starter_end_t, ca2), NULL }, diff --git a/src/starter/confread.c b/src/starter/confread.c index 1e7daa6a9..f48843750 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -705,6 +705,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg cfg->err++; } break; +<<<<<<< HEAD +======= case KW_TFC: if (streq(kw->value, "%mtu")) { 
@@ -722,6 +724,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } } break; +>>>>>>> upstream/4.5.1 case KW_KEYINGTRIES: if (streq(kw->value, "%forever")) { diff --git a/src/starter/confread.h b/src/starter/confread.h index 4f9c5f7d0..ba17d0b9a 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -64,7 +64,10 @@ struct starter_end { char *ca; char *ca2; char *groups; +<<<<<<< HEAD +======= char *cert_policy; +>>>>>>> upstream/4.5.1 char *iface; ip_address addr; u_int ikeport; @@ -126,7 +129,10 @@ struct starter_conn { u_int32_t reqid; mark_t mark_in; mark_t mark_out; +<<<<<<< HEAD +======= u_int32_t tfc; +>>>>>>> upstream/4.5.1 sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 340b7131d..78c243f7e 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,21 @@ struct kw_entry { kw_token_t token; }; +<<<<<<< HEAD +#define TOTAL_KEYWORDS 127 +#define MIN_WORD_LENGTH 3 +#define MAX_WORD_LENGTH 17 +#define MIN_HASH_VALUE 12 +#define MAX_HASH_VALUE 238 +/* maximum key range = 227, duplicates = 0 */ +======= #define TOTAL_KEYWORDS 130 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 #define MIN_HASH_VALUE 18 #define MAX_HASH_VALUE 249 /* maximum key range = 232, duplicates = 0 */ +>>>>>>> upstream/4.5.1 #ifdef __GNUC__ __inline 
@@ -75,6 +84,34 @@ hash (str, len) { static const unsigned char asso_values[] = { +<<<<<<< HEAD + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 2, + 104, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 15, 239, 20, 14, 58, + 51, 1, 7, 1, 81, 1, 239, 132, 47, 4, + 1, 49, 10, 9, 23, 1, 20, 48, 4, 239, + 239, 35, 1, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239 +======= 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, @@ -101,6 +138,7 @@ hash (str, len) 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, 250 +>>>>>>> upstream/4.5.1 }; register int hval = len; 
@@ -124,6 +162,134 @@ hash (str, len) static const struct kw_entry wordlist[] = { {"pfs", KW_PFS}, +<<<<<<< HEAD + {"uniqueids", KW_UNIQUEIDS}, + {"rightgroups", KW_RIGHTGROUPS}, + {"lifetime", KW_KEYLIFE}, + {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"rightnatip", KW_RIGHTNATIP}, + {"esp", KW_ESP}, + {"rightnexthop", KW_RIGHTNEXTHOP}, + {"rightsourceip", KW_RIGHTSOURCEIP}, + {"right", KW_RIGHT}, + {"leftupdown", KW_LEFTUPDOWN}, + {"leftnexthop", KW_LEFTNEXTHOP}, + {"left", KW_LEFT}, + {"keep_alive", KW_KEEP_ALIVE}, + {"rightsubnet", KW_RIGHTSUBNET}, + {"rightikeport", KW_RIGHTIKEPORT}, + {"rightsendcert", KW_RIGHTSENDCERT}, + {"leftcert", KW_LEFTCERT,}, + {"interfaces", KW_INTERFACES}, + {"lifepackets", KW_LIFEPACKETS}, + {"leftsendcert", KW_LEFTSENDCERT}, + {"leftgroups", KW_LEFTGROUPS}, + {"eap", KW_EAP}, + {"rightprotoport", KW_RIGHTPROTOPORT}, + {"leftnatip", KW_LEFTNATIP}, + {"keyingtries", KW_KEYINGTRIES}, + {"type", KW_TYPE}, + {"keylife", KW_KEYLIFE}, + {"mark_in", KW_MARK_IN}, + {"lifebytes", KW_LIFEBYTES}, + {"leftca", KW_LEFTCA}, + {"margintime", KW_REKEYMARGIN}, + {"marginbytes", KW_MARGINBYTES}, + {"leftrsasigkey", KW_LEFTRSASIGKEY}, + {"marginpackets", KW_MARGINPACKETS}, + {"certuribase", KW_CERTURIBASE}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"rightid", KW_RIGHTID}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"compress", KW_COMPRESS}, + {"leftprotoport", KW_LEFTPROTOPORT}, + {"overridemtu", KW_OVERRIDEMTU}, + {"reqid", KW_REQID}, + {"inactivity", KW_INACTIVITY}, + {"leftfirewall", KW_LEFTFIREWALL}, + {"rightfirewall", KW_RIGHTFIREWALL}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"mobike", KW_MOBIKE}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {"pfsgroup", KW_PFSGROUP}, + {"me_peerid", KW_ME_PEERID}, + {"crluri", KW_CRLURI}, + {"leftsourceip", KW_LEFTSOURCEIP}, + {"crluri1", KW_CRLURI}, + {"mediation", KW_MEDIATION}, + {"dumpdir", KW_DUMPDIR}, + {"forceencaps", 
KW_FORCEENCAPS}, + {"leftsubnet", KW_LEFTSUBNET}, + {"rightca", KW_RIGHTCA}, + {"rightcert", KW_RIGHTCERT}, + {"ocspuri", KW_OCSPURI}, + {"dpdaction", KW_DPDACTION}, + {"ocspuri1", KW_OCSPURI}, + {"dpdtimeout", KW_DPDTIMEOUT}, + {"installpolicy", KW_INSTALLPOLICY}, + {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"ldapbase", KW_LDAPBASE}, + {"also", KW_ALSO}, + {"leftallowany", KW_LEFTALLOWANY}, + {"force_keepalive", KW_FORCE_KEEPALIVE}, + {"keyexchange", KW_KEYEXCHANGE}, + {"hidetos", KW_HIDETOS}, + {"klipsdebug", KW_KLIPSDEBUG}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, + {"rightauth", KW_RIGHTAUTH}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"charondebug", KW_CHARONDEBUG}, + {"rightid2", KW_RIGHTID2}, + {"leftid", KW_LEFTID}, + {"mediated_by", KW_MEDIATED_BY}, + {"fragicmp", KW_FRAGICMP}, + {"mark_out", KW_MARK_OUT}, + {"auto", KW_AUTO}, + {"leftcert2", KW_LEFTCERT2,}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"cacert", KW_CACERT}, + {"plutostart", KW_PLUTOSTART}, + {"eap_identity", KW_EAP_IDENTITY}, + {"prepluto", KW_PREPLUTO}, + {"packetdefault", KW_PACKETDEFAULT}, + {"xauth_identity", KW_XAUTH_IDENTITY}, + {"charonstart", KW_CHARONSTART}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + {"rightauth2", KW_RIGHTAUTH2}, + {"ike", KW_IKE}, + {"aaa_identity", KW_AAA_IDENTITY}, + {"leftca2", KW_LEFTCA2}, + {"authby", KW_AUTHBY}, + {"leftauth", KW_LEFTAUTH}, + {"cachecrls", KW_CACHECRLS}, + {"ldaphost", KW_LDAPHOST}, + {"rekeymargin", KW_REKEYMARGIN}, + {"rekeyfuzz", KW_REKEYFUZZ}, + {"dpddelay", KW_DPDDELAY}, + {"ikelifetime", KW_IKELIFETIME}, + {"auth", KW_AUTH}, + {"xauth", KW_XAUTH}, + {"postpluto", KW_POSTPLUTO}, + {"plutodebug", KW_PLUTODEBUG}, + {"modeconfig", KW_MODECONFIG}, + {"nocrsend", KW_NOCRSEND}, + {"leftauth2", KW_LEFTAUTH2}, + {"leftid2", KW_LEFTID2}, + {"leftikeport", KW_LEFTIKEPORT}, + {"rightca2", KW_RIGHTCA2}, + {"rekey", KW_REKEY}, + {"rightcert2", KW_RIGHTCERT2}, + {"mark", KW_MARK}, + {"crluri2", KW_CRLURI2}, + {"reauth", KW_REAUTH}, + 
{"ocspuri2", KW_OCSPURI2}, + {"pkcs11module", KW_PKCS11MODULE}, + {"pkcs11initargs", KW_PKCS11INITARGS}, + {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, + {"pkcs11proxy", KW_PKCS11PROXY} +======= {"right", KW_RIGHT}, {"rightgroups", KW_RIGHTGROUPS}, {"left", KW_LEFT}, @@ -253,11 +419,37 @@ static const struct kw_entry wordlist[] = {"pkcs11proxy", KW_PKCS11PROXY}, {"modeconfig", KW_MODECONFIG}, {"postpluto", KW_POSTPLUTO} +>>>>>>> upstream/4.5.1 }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, +<<<<<<< HEAD + -1, -1, 0, 1, -1, 2, -1, -1, 3, -1, + -1, 4, -1, 5, 6, 7, 8, 9, -1, 10, + 11, -1, 12, 13, 14, 15, 16, 17, -1, 18, + 19, 20, 21, 22, -1, -1, 23, 24, -1, 25, + 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, + 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, + 46, 47, 48, 49, 50, 51, -1, 52, 53, 54, + 55, -1, 56, 57, -1, 58, 59, 60, -1, 61, + 62, 63, 64, -1, -1, 65, -1, 66, -1, 67, + 68, 69, 70, 71, -1, -1, 72, -1, -1, 73, + 74, 75, 76, 77, 78, 79, 80, -1, 81, 82, + 83, 84, 85, 86, 87, -1, 88, -1, 89, 90, + -1, 91, 92, 93, 94, -1, 95, 96, 97, 98, + -1, -1, -1, -1, 99, 100, 101, -1, 102, 103, + 104, 105, 106, 107, 108, 109, -1, 110, -1, -1, + 111, -1, -1, -1, -1, -1, -1, 112, -1, 113, + 114, 115, 116, 117, 118, -1, -1, -1, -1, 119, + -1, -1, 120, -1, -1, -1, -1, -1, -1, 121, + -1, -1, -1, -1, 122, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, 123, -1, 124, 125, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, 126 +======= -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, -1, -1, -1, 2, 3, -1, 4, -1, 5, 6, 7, 8, 9, -1, 10, 11, 12, 13, 14, -1, @@ -282,6 +474,7 @@ static const short lookup[] = -1, -1, -1, 122, -1, -1, 123, -1, 124, -1, 125, 126, -1, -1, -1, -1, 127, -1, 128, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 129 +>>>>>>> upstream/4.5.1 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 9f46a8b4b..23f6fd24b 100644 --- a/src/starter/keywords.h 
+++ b/src/starter/keywords.h @@ -102,10 +102,16 @@ typedef enum { KW_MARK, KW_MARK_IN, KW_MARK_OUT, +<<<<<<< HEAD + +#define KW_CONN_FIRST KW_CONN_SETUP +#define KW_CONN_LAST KW_MARK_OUT +======= KW_TFC, #define KW_CONN_FIRST KW_CONN_SETUP #define KW_CONN_LAST KW_TFC +>>>>>>> upstream/4.5.1 /* ca section keywords */ KW_CA_NAME, @@ -142,7 +148,10 @@ typedef enum { KW_RSASIGKEY, KW_CERT, KW_CERT2, +<<<<<<< HEAD +======= KW_CERTPOLICY, +>>>>>>> upstream/4.5.1 KW_SENDCERT, KW_CA, KW_CA2, @@ -172,7 +181,10 @@ typedef enum { KW_LEFTRSASIGKEY, KW_LEFTCERT, KW_LEFTCERT2, +<<<<<<< HEAD +======= KW_LEFTCERTPOLICY, +>>>>>>> upstream/4.5.1 KW_LEFTSENDCERT, KW_LEFTCA, KW_LEFTCA2, @@ -201,7 +213,10 @@ typedef enum { KW_RIGHTRSASIGKEY, KW_RIGHTCERT, KW_RIGHTCERT2, +<<<<<<< HEAD +======= KW_RIGHTCERTPOLICY, +>>>>>>> upstream/4.5.1 KW_RIGHTSENDCERT, KW_RIGHTCA, KW_RIGHTCA2, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 2c0e5de3d..608981472 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -93,7 +93,10 @@ reqid, KW_REQID mark, KW_MARK mark_in, KW_MARK_IN mark_out, KW_MARK_OUT +<<<<<<< HEAD +======= tfc, KW_TFC +>>>>>>> upstream/4.5.1 cacert, KW_CACERT ldaphost, KW_LDAPHOST ldapbase, KW_LDAPBASE @@ -121,9 +124,14 @@ leftid2, KW_LEFTID2 leftauth, KW_LEFTAUTH leftauth2, KW_LEFTAUTH2 leftrsasigkey, KW_LEFTRSASIGKEY +<<<<<<< HEAD +leftcert, KW_LEFTCERT, +leftcert2, KW_LEFTCERT2, +======= leftcert, KW_LEFTCERT leftcert2, KW_LEFTCERT2 leftcertpolicy, KW_LEFTCERTPOLICY +>>>>>>> upstream/4.5.1 leftsendcert, KW_LEFTSENDCERT leftca, KW_LEFTCA leftca2, KW_LEFTCA2 @@ -147,7 +155,10 @@ rightauth2, KW_RIGHTAUTH2 rightrsasigkey, KW_RIGHTRSASIGKEY rightcert, KW_RIGHTCERT rightcert2, KW_RIGHTCERT2 +<<<<<<< HEAD +======= rightcertpolicy, KW_RIGHTCERTPOLICY +>>>>>>> upstream/4.5.1 rightsendcert, KW_RIGHTSENDCERT rightca, KW_RIGHTCA rightca2, KW_RIGHTCA2 
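Review bot: The HEAD side of the keywords.txt hunk at `@@ -121,9 +124,14 @@` carries a stray trailing comma on `leftcert, KW_LEFTCERT,` and `leftcert2, KW_LEFTCERT2,`, and that comma is copied verbatim into the generated keywords.c wordlist above as `{"leftcert", KW_LEFTCERT,},` and `{"leftcert2", KW_LEFTCERT2,},`. C tolerates the extra comma inside the braces, so it compiles, but it is a copy-paste artefact that makes these two entries differ from every other one in both the gperf input and its output. When the conflict is resolved, take the upstream lines `leftcert, KW_LEFTCERT` / `leftcert2, KW_LEFTCERT2` and regenerate keywords.c so that the wordlist, `lookup[]` and `TOTAL_KEYWORDS` are consistent with whichever keyword set is actually kept.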
diff --git a/src/starter/starter.8 b/src/starter/starter.8 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/src/starter/starter.8 diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index f251667c7..45d407384 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -171,7 +171,10 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->id2 = push_string(msg, conn_end->id2); msg_end->cert = push_string(msg, conn_end->cert); msg_end->cert2 = push_string(msg, conn_end->cert2); +<<<<<<< HEAD +======= msg_end->cert_policy = push_string(msg, conn_end->cert_policy); +>>>>>>> upstream/4.5.1 msg_end->ca = push_string(msg, conn_end->ca); msg_end->ca2 = push_string(msg, conn_end->ca2); msg_end->groups = push_string(msg, conn_end->groups); @@ -267,7 +270,10 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.mark_in.mask = conn->mark_in.mask; msg.add_conn.mark_out.value = conn->mark_out.value; msg.add_conn.mark_out.mask = conn->mark_out.mask; +<<<<<<< HEAD +======= msg.add_conn.tfc = conn->tfc; +>>>>>>> upstream/4.5.1 starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index d621f21ca..978841438 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -197,7 +197,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -236,8 +242,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index a88fa10d7..4d1b8e7db 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -197,6 +197,8 @@ static int terminate_connection_srcip(char *start, char *end) return send_stroke_msg(&msg); } +<<<<<<< HEAD +======= static int rekey_connection(char *name) { stroke_msg_t msg; @@ -207,6 +209,7 @@ static int rekey_connection(char *name) return send_stroke_msg(&msg); } +>>>>>>> upstream/4.5.1 static int route_connection(char *name) { stroke_msg_t msg; @@ -286,8 +289,11 @@ static int reread(stroke_keyword_t kw) static int purge_flags[] = { PURGE_OCSP, PURGE_IKE, +<<<<<<< HEAD +======= PURGE_CRLS, PURGE_CERTS, +>>>>>>> upstream/4.5.1 }; static int purge(stroke_keyword_t kw) @@ -385,10 +391,13 @@ static void exit_usage(char *error) printf(" stroke rereadsecrets|rereadcrls|rereadall\n"); printf(" Purge ocsp cache entries:\n"); printf(" stroke purgeocsp\n"); +<<<<<<< HEAD +======= printf(" Purge CRL cache entries:\n"); printf(" stroke purgecrls\n"); printf(" Purge X509 cache entries:\n"); printf(" stroke purgecerts\n"); +>>>>>>> upstream/4.5.1 printf(" Purge IKE_SAs without a CHILD_SA:\n"); printf(" stroke purgeike\n"); printf(" Export credentials to the console:\n"); @@ -459,6 +468,8 @@ int main(int argc, char *argv[]) } res = terminate_connection_srcip(argv[2], argc > 3 ? argv[3] : NULL); break; +<<<<<<< HEAD +======= case STROKE_REKEY: if (argc < 3) { @@ -466,6 +477,7 @@ int main(int argc, char *argv[]) } res = rekey_connection(argv[2]); break; +>>>>>>> upstream/4.5.1 case STROKE_ROUTE: if (argc < 3) { 
@@ -514,8 +526,11 @@ int main(int argc, char *argv[]) res = reread(token->kw); break; case STROKE_PURGE_OCSP: +<<<<<<< HEAD +======= case STROKE_PURGE_CRLS: case STROKE_PURGE_CERTS: +>>>>>>> upstream/4.5.1 case STROKE_PURGE_IKE: res = purge(token->kw); break; diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c index b43f4b475..3b2426a42 100644 --- a/src/stroke/stroke_keywords.c +++ b/src/stroke/stroke_keywords.c @@ -54,12 +54,21 @@ struct stroke_token { stroke_keyword_t kw; }; +<<<<<<< HEAD +#define TOTAL_KEYWORDS 34 +#define MIN_WORD_LENGTH 2 +#define MAX_WORD_LENGTH 15 +#define MIN_HASH_VALUE 3 +#define MAX_HASH_VALUE 39 +/* maximum key range = 37, duplicates = 0 */ +======= #define TOTAL_KEYWORDS 37 #define MIN_WORD_LENGTH 2 #define MAX_WORD_LENGTH 15 #define MIN_HASH_VALUE 2 #define MAX_HASH_VALUE 42 /* maximum key range = 41, duplicates = 0 */ +>>>>>>> upstream/4.5.1 #ifdef __GNUC__ __inline 
@@ -75,6 +84,34 @@ hash (str, len) { static const unsigned char asso_values[] = { +<<<<<<< HEAD + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 18, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 0, 4, 1, + 1, 0, 40, 17, 40, 20, 40, 3, 0, 40, + 40, 12, 19, 40, 6, 3, 20, 12, 40, 40, + 10, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 40, 40, 40, 40, 40, 40 +======= 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, @@ -101,6 +138,7 @@ hash (str, len) 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43 +>>>>>>> upstream/4.5.1 }; register int hval = len; 
@@ -125,6 +163,20 @@ hash (str, len) static const struct stroke_token wordlist[] = { +<<<<<<< HEAD + {"add", STROKE_ADD}, + {"del", STROKE_DEL}, + {"down", STROKE_DOWN}, + {"leases", STROKE_LEASES}, + {"listall", STROKE_LIST_ALL}, + {"loglevel", STROKE_LOGLEVEL}, + {"listcrls", STROKE_LIST_CRLS}, + {"listacerts", STROKE_LIST_ACERTS}, + {"route", STROKE_ROUTE}, + {"listaacerts", STROKE_LIST_AACERTS}, + {"listcacerts", STROKE_LIST_CACERTS}, + {"up", STROKE_UP}, +======= {"up", STROKE_UP}, {"add", STROKE_ADD}, {"del", STROKE_DEL}, @@ -136,12 +188,31 @@ static const struct stroke_token wordlist[] = {"listaacerts", STROKE_LIST_AACERTS}, {"listcacerts", STROKE_LIST_CACERTS}, {"statusall", STROKE_STATUSALL}, +>>>>>>> upstream/4.5.1 {"rereadall", STROKE_REREAD_ALL}, {"listcerts", STROKE_LIST_CERTS}, {"rereadcrls", STROKE_REREAD_CRLS}, {"rereadacerts", STROKE_REREAD_ACERTS}, {"rereadaacerts", STROKE_REREAD_AACERTS}, {"rereadcacerts", STROKE_REREAD_CACERTS}, +<<<<<<< HEAD + {"status", STROKE_STATUS}, + {"rereadsecrets", STROKE_REREAD_SECRETS}, + {"listocsp", STROKE_LIST_OCSP}, + {"statusall", STROKE_STATUSALL}, + {"listalgs", STROKE_LIST_ALGS}, + {"exportx509", STROKE_EXPORT_X509}, + {"delete", STROKE_DELETE}, + {"listocspcerts", STROKE_LIST_OCSPCERTS}, + {"purgeocsp", STROKE_PURGE_OCSP}, + {"purgeike", STROKE_PURGE_IKE}, + {"unroute", STROKE_UNROUTE}, + {"listcainfos", STROKE_LIST_CAINFOS}, + {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}, + {"listpubkeys", STROKE_LIST_PUBKEYS}, + {"down-srcip", STROKE_DOWN_SRCIP}, + {"listgroups", STROKE_LIST_GROUPS} +======= {"leases", STROKE_LEASES}, {"unroute", STROKE_UNROUTE}, {"listocsp", STROKE_LIST_OCSP}, 
@@ -162,14 +233,21 @@ static const struct stroke_token wordlist[] = {"loglevel", STROKE_LOGLEVEL}, {"listgroups", STROKE_LIST_GROUPS}, {"purgecerts", STROKE_PURGE_CERTS} +>>>>>>> upstream/4.5.1 }; static const short lookup[] = { +<<<<<<< HEAD + -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, + 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, + 25, 26, 27, 28, 29, 30, 31, 32, -1, -1, -1, 33 +======= -1, -1, 0, 1, 2, 3, -1, 4, 5, 6, -1, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, -1, -1, 35, 36 +>>>>>>> upstream/4.5.1 }; #ifdef __GNUC__ diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index ff2ba36ef..76f6c1be3 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h @@ -25,7 +25,10 @@ typedef enum { STROKE_UP, STROKE_DOWN, STROKE_DOWN_SRCIP, +<<<<<<< HEAD +======= STROKE_REKEY, +>>>>>>> upstream/4.5.1 STROKE_LOGLEVEL, STROKE_STATUS, STROKE_STATUSALL, @@ -49,8 +52,11 @@ typedef enum { STROKE_REREAD_CRLS, STROKE_REREAD_ALL, STROKE_PURGE_OCSP, +<<<<<<< HEAD +======= STROKE_PURGE_CRLS, STROKE_PURGE_CERTS, +>>>>>>> upstream/4.5.1 STROKE_PURGE_IKE, STROKE_EXPORT_X509, STROKE_LEASES, diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt index dafd1ab08..fcc2ba558 100644 --- a/src/stroke/stroke_keywords.txt +++ b/src/stroke/stroke_keywords.txt @@ -32,7 +32,10 @@ unroute, STROKE_UNROUTE up, STROKE_UP down, STROKE_DOWN down-srcip, STROKE_DOWN_SRCIP +<<<<<<< HEAD +======= rekey, STROKE_REKEY +>>>>>>> upstream/4.5.1 loglevel, STROKE_LOGLEVEL status, STROKE_STATUS statusall, STROKE_STATUSALL @@ -56,8 +59,11 @@ rereadacerts, STROKE_REREAD_ACERTS rereadcrls, STROKE_REREAD_CRLS rereadall, STROKE_REREAD_ALL purgeocsp, STROKE_PURGE_OCSP +<<<<<<< HEAD +======= purgecrls, STROKE_PURGE_CRLS purgecerts, STROKE_PURGE_CERTS +>>>>>>> upstream/4.5.1 purgeike, STROKE_PURGE_IKE exportx509, STROKE_EXPORT_X509 leases, STROKE_LEASES 
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index 3af2b7042..b5fdacc00 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -107,10 +107,13 @@ enum purge_flag_t { PURGE_OCSP = 0x0001, /** purge IKE_SAs without a CHILD_SA */ PURGE_IKE = 0x0002, +<<<<<<< HEAD +======= /** purge CRL cache entries */ PURGE_CRLS = 0x0004, /** purge X509 cache entries */ PURGE_CERTS = 0x0008, +>>>>>>> upstream/4.5.1 }; typedef enum export_flag_t export_flag_t; @@ -149,7 +152,10 @@ struct stroke_end_t { char *ca; char *ca2; char *groups; +<<<<<<< HEAD +======= char *cert_policy; +>>>>>>> upstream/4.5.1 char *updown; char *address; u_int16_t ikeport; @@ -188,8 +194,11 @@ struct stroke_msg_t { STR_TERMINATE, /* terminate connection by peers srcip/virtual ip */ STR_TERMINATE_SRCIP, +<<<<<<< HEAD +======= /* rekey a connection */ STR_REKEY, +>>>>>>> upstream/4.5.1 /* show connection status */ STR_STATUS, /* show verbose connection status */ @@ -222,7 +231,11 @@ struct stroke_msg_t { /* data for STR_INITIATE, STR_ROUTE, STR_UP, STR_DOWN, ... */ struct { char *name; +<<<<<<< HEAD + } initiate, route, unroute, terminate, status, del_conn, del_ca; +======= } initiate, route, unroute, terminate, rekey, status, del_conn, del_ca; +>>>>>>> upstream/4.5.1 /* data for STR_TERMINATE_SRCIP */ struct { @@ -248,7 +261,10 @@ struct stroke_msg_t { int proxy_mode; int install_policy; u_int32_t reqid; +<<<<<<< HEAD +======= u_int32_t tfc; +>>>>>>> upstream/4.5.1 crl_policy_t crl_policy; int unique; diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index b51056a38..7bab6b6e8 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in 
@@ -196,7 +196,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -235,8 +241,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/testing/Makefile.in b/testing/Makefile.in index cbb7555f0..6158a7358 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -175,7 +175,13 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +<<<<<<< HEAD +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +======= +ipsecgroup = @ipsecgroup@ +>>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -214,8 +220,11 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +<<<<<<< HEAD +======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ +>>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/testing/do-tests.in b/testing/do-tests.in index 27ad200fb..28a35eabd 100755 --- a/testing/do-tests.in +++ b/testing/do-tests.in @@ -343,7 +343,10 @@ do # $DIR/scripts/load-testconfig $testname +<<<<<<< HEAD +======= unset RADIUSHOSTS +>>>>>>> upstream/4.5.1 source $TESTDIR/test.conf diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql index 2917fc3fc..beb87e9d1 100644 --- a/testing/hosts/default/etc/ipsec.d/tables.sql 
+++ b/testing/hosts/default/etc/ipsec.d/tables.sql
@@ -18,11 +18,17 @@ CREATE TABLE child_configs (
 updown TEXT DEFAULT NULL,
 hostaccess INTEGER NOT NULL DEFAULT '0',
 mode INTEGER NOT NULL DEFAULT '2',
+<<<<<<< HEAD
+ dpd_action INTEGER NOT NULL DEFAULT '0',
+ close_action INTEGER NOT NULL DEFAULT '0',
+ ipcomp INTEGER NOT NULL DEFAULT '0'
+=======
 start_action INTEGER NOT NULL DEFAULT '0',
 dpd_action INTEGER NOT NULL DEFAULT '0',
 close_action INTEGER NOT NULL DEFAULT '0',
 ipcomp INTEGER NOT NULL DEFAULT '0',
 reqid INTEGER NOT NULL DEFAULT '0'
+>>>>>>> upstream/4.5.1
 );
 DROP INDEX IF EXISTS child_configs_name;
 CREATE INDEX child_configs_name ON child_configs (
@@ -40,6 +46,8 @@ CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector
 child_cfg, traffic_selector
 );
 
+<<<<<<< HEAD
+=======
 DROP TABLE IF EXISTS proposals;
 CREATE TABLE proposals (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -53,6 +61,7 @@ CREATE TABLE child_config_proposal (
 prop INTEGER NOT NULL
 );
 
+>>>>>>> upstream/4.5.1
 DROP TABLE IF EXISTS ike_configs;
 CREATE TABLE ike_configs (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -62,6 +71,8 @@ CREATE TABLE ike_configs (
 remote TEXT NOT NULL
 );
 
+<<<<<<< HEAD
+=======
 DROP TABLE IF EXISTS ike_config_proposal;
 CREATE TABLE ike_config_proposal (
 ike_cfg INTEGER NOT NULL,
@@ -69,6 +80,7 @@ CREATE TABLE ike_config_proposal (
 prop INTEGER NOT NULL
 );
 
+>>>>>>> upstream/4.5.1
 DROP TABLE IF EXISTS peer_configs;
 CREATE TABLE peer_configs (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -161,6 +173,8 @@ CREATE TABLE shared_secret_identity (
 PRIMARY KEY (shared_secret, identity)
 );
 
+<<<<<<< HEAD
+=======
 DROP TABLE IF EXISTS certificate_authorities;
 CREATE TABLE certificate_authorities (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
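Review bot: The HEAD side of the `child_configs` hunk ends the column list at `ipcomp INTEGER NOT NULL DEFAULT '0'` without `start_action` and `reqid`, while the tables added by the other hunks in this file (`proposals`, `child_config_proposal`, `ike_config_proposal`, `certificate_authorities`) exist only on the upstream side, so resolving any of these conflicts toward HEAD would leave a schema that is inconsistent with the tables this version's sql backend presumably reads — the upstream side should be taken throughout, and the marker lines removed, or the script is not valid SQL at all. While touching these lines, `DEFAULT '0'` and `DEFAULT '2'` on INTEGER columns would be clearer as the numeric literals `DEFAULT 0` / `DEFAULT 2`; SQLite coerces the quoted form, but the string default reads as if the column held text.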
@@ -175,6 +189,7 @@ CREATE TABLE certificate_distribution_points (
 uri TEXT NOT NULL
 );
 
+>>>>>>> upstream/4.5.1
 DROP TABLE IF EXISTS pools;
 CREATE TABLE pools (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index 8bc2e8688..d9a514623 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -1,7 +1,12 @@
 moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
 carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+<<<<<<< HEAD
+moon::sleep 35::no output expected::NO
+carol::iptables -D INPUT 1::no output expected::NO
+=======
 carol::sleep 35::no output expected::NO
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+>>>>>>> upstream/4.5.1
 moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
 moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
 moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index 92681011f..9818a6503 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -10,4 +10,8 @@ carol::sleep 1
 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
+<<<<<<< HEAD
+dave::sleep 1
+=======
 dave::sleep 2
+>>>>>>> upstream/4.5.1
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index c0f166ff4..983e0a47c 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
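Review bot: The dpd-restart evaltest.dat hunk keeps both `carol::iptables -D INPUT 1` and `carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP`; once the first deletion succeeds the second refers to a rule that no longer exists, iptables prints an error, and its `no output expected::NO` check fails. The two `sleep 35` lines likewise run back to back and double the wait. Keep one pair — the upstream `carol::sleep 35` / `carol::iptables -D ... -j DROP` form mirrors the `-I` line above it and does not depend on rule position — and drop the marker lines, which the test driver would presumably otherwise try to parse as `host::command` entries.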
@@ -10,4 +10,8 @@ moon::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon +<<<<<<< HEAD +dave::sleep 1 +======= dave::sleep 2 +>>>>>>> upstream/4.5.1 diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat index f0c5bcec6..ed8f39316 100644 --- a/testing/tests/ikev1/net2net-start/pretest.dat +++ b/testing/tests/ikev1/net2net-start/pretest.dat @@ -2,4 +2,4 @@ moon::/etc/init.d/iptables start 2> /dev/null sun::/etc/init.d/iptables start 2> /dev/null moon::ipsec start sun::ipsec start -alice::sleep 20 +alice::sleep 12 diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt index 98d85f30b..ed0fd3640 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/description.txt +++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt @@ -2,4 +2,8 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates followed by extended authentication (<b>XAUTH</b>) based on user name and password. Because user <b>carol</b> presents a wrong +<<<<<<< HEAD +XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted. +======= XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted. +>>>>>>> upstream/4.5.1 diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt index a6fe82330..00ef6927c 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt +++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt 
@@ -2,5 +2,9 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates followed by extended authentication (<b>XAUTH</b>) based on user name and password. Because user <b>carol</b> cannot find her +<<<<<<< HEAD +XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the +======= XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the +>>>>>>> upstream/4.5.1 ISAKMP SA is deleted. diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf index 47dab951f..d1c018dfa 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { +<<<<<<< HEAD + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default +======= load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default +>>>>>>> upstream/4.5.1 } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf index 8335e51f6..f526e193d 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { +<<<<<<< HEAD + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default +======= load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default +>>>>>>> upstream/4.5.1 } 
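Review bot: Both `multi-level-ca-pathlen` `strongswan.conf` files (carol and moon) are committed with the conflict unresolved, so the file charon parses starts with `<<<<<<< HEAD` and carries two `load =` lines; I would expect the parser to reject it or fall back to defaults rather than honour either list, which silently changes the plugin set of a test whose name says it exercises path-length constraints. The two sides differ only in the `constraints` plugin, which the upstream/4.5.1 side adds and the HEAD side lacks; if pathLenConstraint enforcement lives in that plugin in this release (the test name suggests it is what is under test), resolving to HEAD would leave the check unexercised while the test still reports success. Resolve moon's line to `load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default` and carol's to its upstream equivalent, and drop the markers.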
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt new file mode 100644 index 000000000..51423177a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b> +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements +<b>carol</b> is authenticated successfully and is granted access to the subnet behind +<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat new file mode 100644 index 000000000..2304df23e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat 
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
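Review bot: The final assertion, `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO`, is a negative check whose pattern cannot match its own command: dave pings `PH_IP_ALICE` but the expected text names `PH_IP_VENUS`, so the `::NO` verdict is satisfied whether or not dave reaches the protected subnet. This test exists to show that a client failing the TNC health check is blocked, and this line is the only one that checks traffic rather than log output, so as written the block is never actually proven. Change it to `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`; the `CHILD_SA home{1} established ... ::NO` log check above it is a useful complement but not a substitute.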
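Review bot: carol's `conn home` sets `leftauth=eap` and `rightsendcert=never` but no `rightauth`, so what the client will accept from moon falls to this release's default for an unset auth class, which I cannot see from here; moon's side of this test (a later hunk) authenticates itself through EAP-TTLS only, i.e. the gateway's identity rests on the TLS server certificate inside the EAP tunnel rather than an IKEv2 signature. If this release accepts it, pin the expectation with `rightauth=eap` so the client refuses a responder that presents a different authentication class, and say why in the file: `# moon authenticates via EAP-TTLS only (EAP-only, RFC 5998); no IKEv2 signature is expected`. dave's copy of this file has the same gap.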
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf 
@@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..621e94f0e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +none diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null 
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6747b4a4a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f8700d3c5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..ac436a344 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-block/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt new file mode 100644 index 000000000..350aefc60 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt 
@@ -0,0 +1,11 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to +the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b> +is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas +<b>dave</b> fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat new file mode 100644 index 000000000..517ea9ab2 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat 
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE /usr/share/freeradius/dictionary
+$INCLUDE /etc/raddb/dictionary.tnc
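Review bot: `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` looks for a reply from venus while pinging alice, so this `::NO` assertion can never fail and the test never verifies that the TNC-rejected client is cut off from 10.1.0.0/16. Replace it with `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. The log-based negatives above it (`RADIUS authentication of 'dave@strongswan.org' failed`, `EAP_FAILURE`) would presumably also be satisfied by a wrong RADIUS secret or an unreachable server, so the traffic check is what distinguishes "blocked by policy" from "misconfigured"; carol's positive path narrows that, but only the ping proves isolation.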
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc new file mode 100644 index 000000000..f295467a9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc @@ -0,0 +1,5 @@ +ATTRIBUTE TNC-Status 3001 integer + +VALUE TNC-Status Access 0 +VALUE TNC-Status Isolate 1 +VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null 
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf 
@@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. 
+checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel 
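Review bot: `auth_badpass = yes` and `auth_goodpass = yes` in the `log { }` section instruct FreeRADIUS to append the submitted password to each accept/reject line it writes to `${logdir}/radius.log`. With EAP-MD5 inside EAP-TTLS, as this test drives, no cleartext `User-Password` should be present, so the exposure is latent here, but fixture files like this are routinely copied into real deployments where a PAP client or a misrouted inner request would have its password logged. Unless the passwords are wanted for debugging this lab, set both to `no`, or at minimum annotate the choice: `# auth_goodpass/auth_badpass log the cleartext password - test fixture only, never in production`. `hostname_lookups = no`, `reject_delay = 1` and `status_server = yes` are sensible as they stand.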
@@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second new file mode 100644 index 000000000..2d4961288 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -0,0 +1,23 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..a9509a716 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for TNC@FHH-TNC-Server + +IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9cf2b43c4 --- /dev/null 
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow 
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..998e6c2e5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..621e94f0e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +none diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables 
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
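Review bot: The reply-side accepts in `start()` match on source port alone — `iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` and `iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT` — so any process on winnetou or alice that binds source port 80 or 1812 can reach every listening service on moon, not just the CRL and RADIUS replies the comments describe; the ssh pair (`--dport 22` on INPUT, `--sport 22` on OUTPUT) has the same shape on the outbound side. With INPUT/OUTPUT defaulting to DROP the intent is clearly a whitelist, and connection tracking keeps that intent without the source-port hole: replace the two reply rules with `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` and leave the OUTPUT initiators as they are. If the lab kernels lack the state match, at least narrow the reply rules with `--dport 1024:`. In `stop()`, `[ $a == nat ]` is a bash-only comparison; `=` is the portable form under `#!/sbin/runscript`.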
@@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4d2d3058d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat new file mode 100644 index 000000000..132752119 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +alice::rm /etc/raddb/sites-enabled/inner-tunnel-second +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat new file mode 100644 index 000000000..dc7d5934e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat 
@@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second +alice::cat /etc/raddb/sites-enabled/inner-tunnel-second +alice::/etc/init.d/radiusd start +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf new file mode 100644 index 000000000..bb6b68687 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt new file mode 100644 index 000000000..7eebd3d4d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt 
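Review bot: `alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second` fails with "File exists" when the link is still present from a run that never reached posttest.dat (the only place it is removed), and since the step's status is not checked the test presumably carries on with whatever the stale link points to. `ln -sf` on that line makes the pretest idempotent. The same line appears in the rw-eap-tnc-radius pretest.dat hunk further down.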
@@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to +the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the +clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat new file mode 100644 index 000000000..d0ea22ba9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat 
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
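Review bot: The two negative checks `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` are vacuous: a ping to venus can never print a reply from alice (and vice versa), so both lines pass whether or not the isolate/allow subnets are actually enforced. To verify that carol cannot reach venus and dave cannot reach alice, the pattern must name the host that was pinged: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. The same two lines are added in the rw-eap-tnc-tls evaltest.dat hunk further down and need the same fix.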
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary new file mode 100644 index 000000000..1a27a02fc --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary @@ -0,0 +1,2 @@ +$INCLUDE /usr/share/freeradius/dictionary +$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc new file mode 100644 index 000000000..f295467a9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc @@ -0,0 +1,5 @@ +ATTRIBUTE TNC-Status 3001 integer + +VALUE TNC-Status Access 0 +VALUE TNC-Status Isolate 1 +VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf 
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. 
+checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel 
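Review bot: `auth_badpass = yes` and `auth_goodpass = yes` in the log section tell radiusd to write the submitted password in clear into `${logdir}/radius.log` whenever a request carries a `User-Password`; in this test the clients authenticate with EAP inside the TTLS tunnel, so as far as I can tell nothing here sends one, but the file is a fixture that tends to get copied. I'd set both to `no`, or keep them and add `# logs passwords in clear - test fixture only` above them so the choice is visible. The `$INCLUDE sql.conf` and `$INCLUDE sql/mysql/counter.conf` lines in the modules block pull in modules none of the added virtual servers reference; dropping them would shrink what has to be present on alice for the test to start.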
@@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second new file mode 100644 index 000000000..f91bccc72 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -0,0 +1,36 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "allow" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "isolate" + } + } + + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..a9509a716 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for TNC@FHH-TNC-Server + +IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 
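Review bot: post-auth in inner-tunnel-second sets `Filter-Id` only for `control:TNC-Status == "Access"` and `"Isolate"`; the third value `None` declared in dictionary.tnc (and an unset attribute) matches neither branch, so the reply goes out without a group and the outcome is decided by the NAS rather than by the server. Here it happens to fail closed only because both moon connections carry `rightgroups`. I'd make the policy explicit on the server with an `else { reject }` after the `elsif` block, or at minimum a comment on the `elsif` noting that the fall-through relies on the gateway's group matching. Whether eap_tnc itself already rejects on `None` is not visible in this hunk.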
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9cf2b43c4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null 
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..998e6c2e5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? 
+} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..33dcdcfb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any 
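Review bot: `conn rw-eap` in moon's ipsec.conf carries no `auto=` line, so it is never loaded itself and only serves as the `also=` base for rw-allow and rw-isolate, whereas the rw-eap-tnc-radius-block variant of the same file earlier in this diff ends the section with `auto=add`. That difference is deliberate but undocumented, and "fixing" it here by adding `auto=add` would, as far as I can tell, load a connection without `rightgroups` that any EAP-authenticated roadwarrior could match regardless of the Filter-Id returned by alice. A one-line comment above the section, `# template only: instantiated via also= by rw-allow/rw-isolate, intentionally without auto=`, would keep the next editor from doing that. The rw-eap-tnc-tls moon ipsec.conf further down has the same shape and would benefit from the same comment.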
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f4e456bbe --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat new file mode 100644 index 000000000..132752119 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +alice::rm /etc/raddb/sites-enabled/inner-tunnel-second +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat new file mode 100644 index 000000000..8dd865819 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat 
@@ -0,0 +1,18 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second +alice::cat /etc/raddb/sites-enabled/inner-tunnel-second +alice::/etc/init.d/radiusd start +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf new file mode 100644 index 000000000..2a52df203 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt new file mode 100644 index 000000000..762b839ee --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt 
@@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>, +bothe ends doing certificate-based EAP-TLS authentication only. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the +clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, +respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat new file mode 100644 index 000000000..cebfff25f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat 
@@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..1b6274215 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf 
@@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..54c06b12e --- /dev/null 
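Review bot: `conn home` sets `leftauth=eap` but no `rightauth`, so the method carol accepts from moon is whatever the daemon default is, while the evaltest for this test expects `authentication of 'moon.strongswan.org' with EAP successful` and moon answers with `leftauth=eap-ttls` and `request_peer_auth = yes`. Since `rightsendcert=never` already signals that no gateway certificate is expected, I'd state the accepted server method explicitly next to it instead of relying on the default (if the daemon accepts `rightauth=eap` for the EAP-only case here, that is the line I would add), or at least document the intent with `# moon authenticates via mutual EAP-TTLS, no certificate`. dave's identical ipsec.conf in the next hunk has the same gap.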
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate
\ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8898a63ba --- /dev/null 
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ request_peer_auth = yes
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt
new file mode 100644
index 000000000..4b4808c94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
new file mode 100644
index 000000000..a02755148
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
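Review bot: The two negative reachability checks at the end of the hunk are vacuous: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` can never match, because a reply from venus would read `64 bytes from PH_IP_VENUS`, so the line passes whether or not carol is actually kept out of the rw-isolate subnet, and the dave line has the mirror-image problem. Since this test exists to show that the TNC recommendation confines each client to its own subnet, the expected pattern should name the host being pinged: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. The rw-eap-tnc-tls evaltest.dat is outside this chunk, but if it was copied from the same template it likely needs the same correction.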
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index 08b95659f..4eca932ec 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,10 @@
 config setup
 crlcheckinterval=180
+<<<<<<< HEAD
+=======
 uniqueids=no
+>>>>>>> upstream/4.5.1
 strictcrlpolicy=yes
 plutostart=no
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index f1e33dc39..e17456f7a 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -11,4 +11,8 @@ carol::sleep 1
 alice::ipsec start
 alice::sleep 1
 venus::ipsec start
+<<<<<<< HEAD
+venus::sleep 2
+=======
 venus::sleep 4
+>>>>>>> upstream/4.5.1
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index fba7be01d..8ce29fcd5 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -16,4 +16,8 @@ carol::sleep 1
 bob::ipsec start
 bob::sleep 1
 alice::ipsec start
+<<<<<<< HEAD
+alice::sleep 2
+=======
 alice::sleep 4
+>>>>>>> upstream/4.5.1
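Review bot: The two-certs hunk commits unresolved merge-conflict markers: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> upstream/4.5.1` are added to testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf around `uniqueids=no`, and the same markers land in testing/tests/p2pnat/behind-same-nat/pretest.dat and testing/tests/p2pnat/medsrv-psk/pretest.dat in the following two hunks and in both testing/tests/sql/net2net-cert data.sql files in the next chunk. An ipsec.conf containing these lines will not parse, the .dat files would feed `<<<<<<< HEAD` to the test runner as a command, and in data.sql the markers sit inside the `INSERT INTO peer_configs` statement, so that statement becomes a syntax error. Each conflict needs to be resolved to one side; the upstream side is the one consistent with the rest of the 4.5.1 import (keep `uniqueids=no`, `venus::sleep 4` and `alice::sleep 4` here, and `name, ike_cfg, local_id, remote_id, mobike, dpd_delay` with `'net-net', 1, 4, 5, 0, 0` in moon's data.sql and `'net-net', 1, 5, 4, 0, 0` in sun's), though whether the schema in this tree already declares `dpd_delay` is not visible from these hunks.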
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
index ef6849c11..0deb68188 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -109,9 +109,15 @@ INSERT INTO ike_configs (
 );
 INSERT INTO peer_configs (
+<<<<<<< HEAD
+ name, ike_cfg, local_id, remote_id, mobike
+) VALUES (
+ 'net-net', 1, 4, 5, 0
+=======
 name, ike_cfg, local_id, remote_id, mobike, dpd_delay
 ) VALUES (
 'net-net', 1, 4, 5, 0, 0
+>>>>>>> upstream/4.5.1
 );
 INSERT INTO child_configs (
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
index 79a35ef68..245dd9694 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
@@ -109,9 +109,15 @@ INSERT INTO ike_configs (
 );
 INSERT INTO peer_configs (
+<<<<<<< HEAD
+ name, ike_cfg, local_id, remote_id, mobike
+) VALUES (
+ 'net-net', 1, 5, 4, 0
+=======
 name, ike_cfg, local_id, remote_id, mobike, dpd_delay
 ) VALUES (
 'net-net', 1, 5, 4, 0, 0
+>>>>>>> upstream/4.5.1
 );
 INSERT INTO child_configs ( |