Diffstat (limited to 'src/charon/plugins/stroke')
20 files changed, 0 insertions, 6965 deletions
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
deleted file mode 100644
index 94d311609..000000000
--- a/src/charon/plugins/stroke/Makefile.am
+++ /dev/null
@@ -1,22 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = \
--rdynamic \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\"
-
-plugin_LTLIBRARIES = libstrongswan-stroke.la
-
-libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
- stroke_socket.h stroke_socket.c \
- stroke_config.h stroke_config.c \
- stroke_control.h stroke_control.c \
- stroke_cred.h stroke_cred.c \
- stroke_ca.h stroke_ca.c \
- stroke_attribute.h stroke_attribute.c \
- stroke_list.h stroke_list.c \
- stroke_shared_key.h stroke_shared_key.c
-
-libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
deleted file mode 100644
index 6e6b3b813..000000000
--- a/src/charon/plugins/stroke/Makefile.in
+++ /dev/null
@@ -1,590 +0,0 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/charon/plugins/stroke -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; 
-am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(plugin_LTLIBRARIES) -libstrongswan_stroke_la_LIBADD = -am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \ - stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \ - stroke_attribute.lo stroke_list.lo stroke_shared_key.lo -libstrongswan_stroke_la_OBJECTS = \ - $(am_libstrongswan_stroke_la_OBJECTS) -libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_stroke_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I.@am__isrc@ -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) 
$(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ -SOURCES = $(libstrongswan_stroke_la_SOURCES) -DIST_SOURCES = $(libstrongswan_stroke_la_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GPERF = @GPERF@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PTHREADLIB = @PTHREADLIB@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYINCLUDE = @RUBYINCLUDE@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = 
@abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -default_pkcs11 = @default_pkcs11@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ -ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -ipsecuser = @ipsecuser@ -libdir = @libdir@ -libexecdir = @libexecdir@ -libstrongswan_plugins = @libstrongswan_plugins@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -piddir = @piddir@ -plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -srcdir = @srcdir@ -strongswan_conf = @strongswan_conf@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = 
@xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke -AM_CFLAGS = \ --rdynamic \ --DIPSEC_CONFDIR=\"${sysconfdir}\" \ --DIPSEC_PIDDIR=\"${piddir}\" - -plugin_LTLIBRARIES = libstrongswan-stroke.la -libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \ - stroke_socket.h stroke_socket.c \ - stroke_config.h stroke_config.c \ - stroke_control.h stroke_control.c \ - stroke_cred.h stroke_cred.c \ - stroke_ca.h stroke_ca.c \ - stroke_attribute.h stroke_attribute.c \ - stroke_list.h stroke_list.c \ - stroke_shared_key.h stroke_shared_key.c - -libstrongswan_stroke_la_LDFLAGS = -module -avoid-version -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): -install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ - } - -uninstall-pluginLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ - done - -clean-pluginLTLIBRARIES: - -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) - @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" != "$$p" || dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done 
-libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) - $(libstrongswan_stroke_la_LINK) -rpath $(plugindir) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_attribute.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_ca.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_config.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_control.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_shared_key.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< - -.c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo 
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - set x; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS 
GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(LTLIBRARIES) -installdirs: - for dir in "$(DESTDIR)$(plugindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \ - mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-pluginLTLIBRARIES - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-pluginLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-pluginLTLIBRARIES ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-pluginLTLIBRARIES \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - 
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-pluginLTLIBRARIES - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c deleted file mode 100644 index 7a5ce683e..000000000 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ /dev/null 
@@ -1,546 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "stroke_attribute.h" - -#include <daemon.h> -#include <utils/linked_list.h> -#include <utils/hashtable.h> -#include <threading/mutex.h> - -#define POOL_LIMIT (sizeof(uintptr_t)*8) - -typedef struct private_stroke_attribute_t private_stroke_attribute_t; - -/** - * private data of stroke_attribute - */ -struct private_stroke_attribute_t { - - /** - * public functions - */ - stroke_attribute_t public; - - /** - * list of pools, contains pool_t - */ - linked_list_t *pools; - - /** - * mutex to lock access to pools - */ - mutex_t *mutex; -}; - -typedef struct { - /** name of the pool */ - char *name; - /** base address of the pool */ - host_t *base; - /** size of the pool */ - int size; - /** next unused address */ - int unused; - /** hashtable [identity => offset], for online leases */ - hashtable_t *online; - /** hashtable [identity => offset], for offline leases */ - hashtable_t *offline; - /** hashtable [identity => identity], handles identity references */ - hashtable_t *ids; -} pool_t; - -/** - * hashtable hash function for identities - */ -static u_int id_hash(identification_t *id) -{ - return chunk_hash(id->get_encoding(id)); -} - -/** - * hashtable equals function for identities - */ -static bool id_equals(identification_t *a, identification_t *b) -{ - return a->equals(a, b); -} - -/** - * destroy a 
pool_t - */ -static void pool_destroy(pool_t *this) -{ - enumerator_t *enumerator; - identification_t *id; - - enumerator = this->ids->create_enumerator(this->ids); - while (enumerator->enumerate(enumerator, &id, NULL)) - { - id->destroy(id); - } - enumerator->destroy(enumerator); - this->ids->destroy(this->ids); - this->online->destroy(this->online); - this->offline->destroy(this->offline); - DESTROY_IF(this->base); - free(this->name); - free(this); -} - -/** - * find a pool by name - */ -static pool_t *find_pool(private_stroke_attribute_t *this, char *name) -{ - enumerator_t *enumerator; - pool_t *current, *found = NULL; - - enumerator = this->pools->create_enumerator(this->pools); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (streq(name, current->name)) - { - found = current; - break; - } - } - enumerator->destroy(enumerator); - return found; -} - -/** - * convert an pool offset to an address - */ -host_t* offset2host(pool_t *pool, int offset) -{ - chunk_t addr; - host_t *host; - u_int32_t *pos; - - offset--; - if (offset > pool->size) - { - return NULL; - } - - addr = chunk_clone(pool->base->get_address(pool->base)); - if (pool->base->get_family(pool->base) == AF_INET6) - { - pos = (u_int32_t*)(addr.ptr + 12); - } - else - { - pos = (u_int32_t*)addr.ptr; - } - *pos = htonl(offset + ntohl(*pos)); - host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0); - free(addr.ptr); - return host; -} - -/** - * convert a host to a pool offset - */ -int host2offset(pool_t *pool, host_t *addr) -{ - chunk_t host, base; - u_int32_t hosti, basei; - - if (addr->get_family(addr) != pool->base->get_family(pool->base)) - { - return -1; - } - host = addr->get_address(addr); - base = pool->base->get_address(pool->base); - if (addr->get_family(addr) == AF_INET6) - { - /* only look at last /32 block */ - if (!memeq(host.ptr, base.ptr, 12)) - { - return -1; - } - host = chunk_skip(host, 12); - base = chunk_skip(base, 12); - } - hosti = 
ntohl(*(u_int32_t*)(host.ptr)); - basei = ntohl(*(u_int32_t*)(base.ptr)); - if (hosti > basei + pool->size) - { - return -1; - } - return hosti - basei + 1; -} - -/** - * Implementation of attribute_provider_t.acquire_address - */ -static host_t* acquire_address(private_stroke_attribute_t *this, - char *name, identification_t *id, - host_t *requested) -{ - pool_t *pool; - uintptr_t offset = 0; - enumerator_t *enumerator; - identification_t *old_id; - - this->mutex->lock(this->mutex); - pool = find_pool(this, name); - while (pool) - { - /* handle %config case by mirroring requested address */ - if (pool->size == 0) - { - this->mutex->unlock(this->mutex); - return requested->clone(requested); - } - - if (!requested->is_anyaddr(requested) && - requested->get_family(requested) != - pool->base->get_family(pool->base)) - { - DBG1(DBG_CFG, "IP pool address family mismatch"); - break; - } - - /* check for a valid offline lease, refresh */ - offset = (uintptr_t)pool->offline->remove(pool->offline, id); - if (offset) - { - id = pool->ids->get(pool->ids, id); - if (id) - { - DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id); - pool->online->put(pool->online, id, (void*)offset); - break; - } - } - - /* check for a valid online lease, reassign */ - offset = (uintptr_t)pool->online->get(pool->online, id); - if (offset && offset == host2offset(pool, requested)) - { - DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); - break; - } - - if (pool->unused < pool->size) - { - /* assigning offset, starting by 1. Handling 0 in hashtable - * is difficult. 
*/ - offset = ++pool->unused; - id = id->clone(id); - pool->ids->put(pool->ids, id, id); - pool->online->put(pool->online, id, (void*)offset); - DBG1(DBG_CFG, "assigning new lease to '%Y'", id); - break; - } - /* no more addresses, replace the first found offline lease */ - enumerator = pool->offline->create_enumerator(pool->offline); - if (enumerator->enumerate(enumerator, &old_id, &offset)) - { - offset = (uintptr_t)pool->offline->remove(pool->offline, old_id); - if (offset) - { - /* destroy reference to old ID */ - old_id = pool->ids->remove(pool->ids, old_id); - DBG1(DBG_CFG, "reassigning existing offline lease by '%Y' to '%Y'", - old_id, id); - if (old_id) - { - old_id->destroy(old_id); - } - id = id->clone(id); - pool->ids->put(pool->ids, id, id); - pool->online->put(pool->online, id, (void*)offset); - enumerator->destroy(enumerator); - break; - } - } - enumerator->destroy(enumerator); - - DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", name); - break; - } - this->mutex->unlock(this->mutex); - if (offset) - { - return offset2host(pool, offset); - } - return NULL; -} - -/** - * Implementation of attribute_provider_t.release_address - */ -static bool release_address(private_stroke_attribute_t *this, - char *name, host_t *address, identification_t *id) -{ - pool_t *pool; - bool found = FALSE; - uintptr_t offset; - - this->mutex->lock(this->mutex); - pool = find_pool(this, name); - if (pool) - { - if (pool->size != 0) - { - offset = (uintptr_t)pool->online->remove(pool->online, id); - if (offset) - { - id = pool->ids->get(pool->ids, id); - if (id) - { - DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id); - pool->offline->put(pool->offline, id, (void*)offset); - found = TRUE; - } - } - } - } - this->mutex->unlock(this->mutex); - return found; -} - -/** - * Implementation of stroke_attribute_t.add_pool. 
- */ -static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg) -{ - if (msg->add_conn.other.sourceip_mask) - { - pool_t *pool; - - pool = malloc_thing(pool_t); - pool->base = NULL; - pool->size = 0; - pool->unused = 0; - pool->name = strdup(msg->add_conn.name); - pool->online = hashtable_create((hashtable_hash_t)id_hash, - (hashtable_equals_t)id_equals, 16); - pool->offline = hashtable_create((hashtable_hash_t)id_hash, - (hashtable_equals_t)id_equals, 16); - pool->ids = hashtable_create((hashtable_hash_t)id_hash, - (hashtable_equals_t)id_equals, 16); - - /* if %config, add an empty pool, otherwise */ - if (msg->add_conn.other.sourceip) - { - u_int32_t bits; - int family; - - DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d", - msg->add_conn.name, msg->add_conn.other.sourceip, - msg->add_conn.other.sourceip_mask); - - pool->base = host_create_from_string(msg->add_conn.other.sourceip, 0); - if (!pool->base) - { - pool_destroy(pool); - DBG1(DBG_CFG, "virtual IP address invalid, discarded"); - return; - } - family = pool->base->get_family(pool->base); - bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_mask; - if (bits > POOL_LIMIT) - { - bits = POOL_LIMIT; - DBG1(DBG_CFG, "virtual IP pool to large, limiting to %s/%d", - msg->add_conn.other.sourceip, - (family == AF_INET ? 32 : 128) - bits); - } - pool->size = 1 << (bits); - - if (pool->size > 2) - { /* do not use first and last addresses of a block */ - pool->unused++; - pool->size--; - } - } - this->mutex->lock(this->mutex); - this->pools->insert_last(this->pools, pool); - this->mutex->unlock(this->mutex); - } -} - -/** - * Implementation of stroke_attribute_t.del_pool. 
- */ -static void del_pool(private_stroke_attribute_t *this, stroke_msg_t *msg) -{ - enumerator_t *enumerator; - pool_t *pool; - - this->mutex->lock(this->mutex); - enumerator = this->pools->create_enumerator(this->pools); - while (enumerator->enumerate(enumerator, &pool)) - { - if (streq(msg->del_conn.name, pool->name)) - { - this->pools->remove_at(this->pools, enumerator); - pool_destroy(pool); - break; - } - } - enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); -} - -/** - * Pool enumerator filter function, converts pool_t to name, size, ... - */ -static bool pool_filter(void *mutex, pool_t **poolp, char **name, - void *d1, u_int *size, void *d2, u_int *online, - void *d3, u_int *offline) -{ - pool_t *pool = *poolp; - - *name = pool->name; - *size = pool->size; - *online = pool->online->get_count(pool->online); - *offline = pool->offline->get_count(pool->offline); - return TRUE; -} - -/** - * Implementation of stroke_attribute_t.create_pool_enumerator - */ -static enumerator_t* create_pool_enumerator(private_stroke_attribute_t *this) -{ - this->mutex->lock(this->mutex); - return enumerator_create_filter(this->pools->create_enumerator(this->pools), - (void*)pool_filter, - this->mutex, (void*)this->mutex->unlock); -} - -/** - * lease enumerator - */ -typedef struct { - /** implemented enumerator interface */ - enumerator_t public; - /** inner hash-table enumerator */ - enumerator_t *inner; - /** enumerated pool */ - pool_t *pool; - /** mutex to unlock on destruction */ - mutex_t *mutex; - /** currently enumerated lease address */ - host_t *current; -} lease_enumerator_t; - -/** - * Implementation of lease_enumerator_t.enumerate - */ -static bool lease_enumerate(lease_enumerator_t *this, identification_t **id_out, - host_t **addr_out, bool *online) -{ - identification_t *id; - uintptr_t offset; - - DESTROY_IF(this->current); - this->current = NULL; - - if (this->inner->enumerate(this->inner, &id, NULL)) - { - offset = 
(uintptr_t)this->pool->online->get(this->pool->online, id); - if (offset) - { - *id_out = id; - *addr_out = this->current = offset2host(this->pool, offset); - *online = TRUE; - return TRUE; - } - offset = (uintptr_t)this->pool->offline->get(this->pool->offline, id); - if (offset) - { - *id_out = id; - *addr_out = this->current = offset2host(this->pool, offset); - *online = FALSE; - return TRUE; - } - } - return FALSE; -} - -/** - * Implementation of lease_enumerator_t.destroy - */ -static void lease_enumerator_destroy(lease_enumerator_t *this) -{ - DESTROY_IF(this->current); - this->inner->destroy(this->inner); - this->mutex->unlock(this->mutex); - free(this); -} - -/** - * Implementation of stroke_attribute_t.create_lease_enumerator - */ -static enumerator_t* create_lease_enumerator(private_stroke_attribute_t *this, - char *pool) -{ - lease_enumerator_t *enumerator; - - this->mutex->lock(this->mutex); - enumerator = malloc_thing(lease_enumerator_t); - enumerator->pool = find_pool(this, pool); - if (!enumerator->pool) - { - this->mutex->unlock(this->mutex); - free(enumerator); - return NULL; - } - enumerator->public.enumerate = (void*)lease_enumerate; - enumerator->public.destroy = (void*)lease_enumerator_destroy; - enumerator->inner = enumerator->pool->ids->create_enumerator(enumerator->pool->ids); - enumerator->mutex = this->mutex; - enumerator->current = NULL; - return &enumerator->public; -} - -/** - * Implementation of stroke_attribute_t.destroy - */ -static void destroy(private_stroke_attribute_t *this) -{ - this->mutex->destroy(this->mutex); - this->pools->destroy_function(this->pools, (void*)pool_destroy); - free(this); -} - -/* - * see header file - */ -stroke_attribute_t *stroke_attribute_create() -{ - private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t); - - this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address; - this->public.provider.release_address = 
(bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address; - this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))enumerator_create_empty; - this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool; - this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool; - this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator; - this->public.create_lease_enumerator = (enumerator_t*(*)(stroke_attribute_t*, char *pool))create_lease_enumerator; - this->public.destroy = (void(*)(stroke_attribute_t*))destroy; - - this->pools = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - - return &this->public; -} - diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h deleted file mode 100644 index cf6c950a6..000000000 --- a/src/charon/plugins/stroke/stroke_attribute.h +++ /dev/null 
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_attribute stroke_attribute
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_ATTRIBUTE_H_
-#define STROKE_ATTRIBUTE_H_
-
-#include <stroke_msg.h>
-#include <attributes/attribute_provider.h>
-
-typedef struct stroke_attribute_t stroke_attribute_t;
-
-/**
- * Stroke IKEv2 cfg attribute provider
- */
-struct stroke_attribute_t {
-
- /**
- * Implements attribute provider interface
- */
- attribute_provider_t provider;
-
- /**
- * Add a virtual IP address.
- *
- * @param msg stroke message
- * @param end end of stroke message that contains virtual IP.
- */
- void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-
- /**
- * Remove a virtual IP address.
- *
- * @param msg stroke message
- */
- void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-
- /**
- * Create an enumerator over installed pools.
- *
- * Enumerator enumerates over
- * char *pool, u_int size, u_int offline, u_int online.
- *
- * @return enumerator
- */
- enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this);
-
- /**
- * Create an enumerator over the leases of a pool.
- *
- * Enumerator enumerates over
- * identification_t *id, host_t *address, bool online
- *
- * @param pool name of the pool to enumerate
- * @return enumerator, NULL if pool not found
- */
- enumerator_t* (*create_lease_enumerator)(stroke_attribute_t *this,
- char *pool);
- /**
- * Destroy a stroke_attribute instance.
- */
- void (*destroy)(stroke_attribute_t *this);
-};
-
-/**
- * Create a stroke_attribute instance.
- */
-stroke_attribute_t *stroke_attribute_create();
-
-#endif /** STROKE_ATTRIBUTE_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
deleted file mode 100644
index 49146f18b..000000000
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ /dev/null
@@ -1,458 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "stroke_ca.h" -#include "stroke_cred.h" - -#include <threading/rwlock.h> -#include <utils/linked_list.h> -#include <crypto/hashers/hasher.h> - -#include <daemon.h> - -typedef struct private_stroke_ca_t private_stroke_ca_t; - -/** - * private data of stroke_ca - */ -struct private_stroke_ca_t { - - /** - * public functions - */ - stroke_ca_t public; - - /** - * read-write lock to lists - */ - rwlock_t *lock; - - /** - * list of starters CA sections and its certificates (ca_section_t) - */ - linked_list_t *sections; - - /** - * stroke credentials, stores our CA certificates - */ - stroke_cred_t *cred; -}; - -typedef struct ca_section_t ca_section_t; - -/** - * loaded ipsec.conf CA sections - */ -struct ca_section_t { - - /** - * name of the CA section - */ - char *name; - - /** - * reference to cert in trusted_credential_t - */ - certificate_t *cert; - - /** - * CRL URIs - */ - linked_list_t *crl; - - /** - * OCSP URIs - */ - linked_list_t *ocsp; - - /** - * Hashes of certificates issued by this CA - */ - linked_list_t *hashes; - - /** - * Base URI used for certificates from this CA - */ - char *certuribase; -}; - -/** - * create a new CA section - */ -static ca_section_t *ca_section_create(char *name, certificate_t *cert) -{ - ca_section_t *ca = 
malloc_thing(ca_section_t); - - ca->name = strdup(name); - ca->crl = linked_list_create(); - ca->ocsp = linked_list_create(); - ca->cert = cert; - ca->hashes = linked_list_create(); - ca->certuribase = NULL; - return ca; -} - -/** - * destroy a ca section entry - */ -static void ca_section_destroy(ca_section_t *this) -{ - this->crl->destroy_function(this->crl, free); - this->ocsp->destroy_function(this->ocsp, free); - this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy)); - free(this->certuribase); - free(this->name); - free(this); -} - -/** - * data to pass to create_inner_cdp - */ -typedef struct { - private_stroke_ca_t *this; - certificate_type_t type; - identification_t *id; -} cdp_data_t; - -/** - * destroy cdp enumerator data and unlock list - */ -static void cdp_data_destroy(cdp_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * inner enumerator constructor for CDP URIs - */ -static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data) -{ - public_key_t *public; - enumerator_t *enumerator = NULL; - linked_list_t *list; - - if (data->type == CERT_X509_OCSP_RESPONSE) - { - list = section->ocsp; - } - else - { - list = section->crl; - } - - public = section->cert->get_public_key(section->cert); - if (public) - { - if (!data->id) - { - enumerator = list->create_enumerator(list); - } - else - { - if (public->has_fingerprint(public, data->id->get_encoding(data->id))) - { - enumerator = list->create_enumerator(list); - } - } - public->destroy(public); - } - return enumerator; -} - -/** - * inner enumerator constructor for "Hash and URL" - */ -static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data_t *data) -{ - enumerator_t *enumerator = NULL, *hash_enum; - identification_t *current; - - if (!data->id || !section->certuribase) - { - return NULL; - } - - hash_enum = section->hashes->create_enumerator(section->hashes); - while (hash_enum->enumerate(hash_enum, 
¤t)) - { - if (current->matches(current, data->id)) - { - char *url, *hash; - - url = malloc(strlen(section->certuribase) + 40 + 1); - strcpy(url, section->certuribase); - hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr; - strncat(url, hash, 40); - free(hash); - - enumerator = enumerator_create_single(url, free); - break; - } - } - hash_enum->destroy(hash_enum); - return enumerator; -} - -/** - * Implementation of credential_set_t.create_cdp_enumerator. - */ -static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this, - certificate_type_t type, identification_t *id) -{ - cdp_data_t *data; - - switch (type) - { /* we serve CRLs, OCSP responders and URLs for "Hash and URL" */ - case CERT_X509: - case CERT_X509_CRL: - case CERT_X509_OCSP_RESPONSE: - case CERT_ANY: - break; - default: - return NULL; - } - data = malloc_thing(cdp_data_t); - data->this = this; - data->type = type; - data->id = id; - - this->lock->read_lock(this->lock); - return enumerator_create_nested(this->sections->create_enumerator(this->sections), - (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp, - data, (void*)cdp_data_destroy); -} -/** - * Implementation of stroke_ca_t.add. 
- */ -static void add(private_stroke_ca_t *this, stroke_msg_t *msg) -{ - certificate_t *cert; - ca_section_t *ca; - - if (msg->add_ca.cacert == NULL) - { - DBG1(DBG_CFG, "missing cacert parameter"); - return; - } - cert = this->cred->load_ca(this->cred, msg->add_ca.cacert); - if (cert) - { - ca = ca_section_create(msg->add_ca.name, cert); - if (msg->add_ca.crluri) - { - ca->crl->insert_last(ca->crl, strdup(msg->add_ca.crluri)); - } - if (msg->add_ca.crluri2) - { - ca->crl->insert_last(ca->crl, strdup(msg->add_ca.crluri2)); - } - if (msg->add_ca.ocspuri) - { - ca->ocsp->insert_last(ca->ocsp, strdup(msg->add_ca.ocspuri)); - } - if (msg->add_ca.ocspuri2) - { - ca->ocsp->insert_last(ca->ocsp, strdup(msg->add_ca.ocspuri2)); - } - if (msg->add_ca.certuribase) - { - ca->certuribase = strdup(msg->add_ca.certuribase); - } - this->lock->write_lock(this->lock); - this->sections->insert_last(this->sections, ca); - this->lock->unlock(this->lock); - DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name); - } -} - -/** - * Implementation of stroke_ca_t.del. 
- */ -static void del(private_stroke_ca_t *this, stroke_msg_t *msg) -{ - enumerator_t *enumerator; - ca_section_t *ca = NULL; - - this->lock->write_lock(this->lock); - enumerator = this->sections->create_enumerator(this->sections); - while (enumerator->enumerate(enumerator, &ca)) - { - if (streq(ca->name, msg->del_ca.name)) - { - this->sections->remove_at(this->sections, enumerator); - break; - } - ca = NULL; - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - if (ca == NULL) - { - DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name); - return; - } - ca_section_destroy(ca); - /* TODO: flush cached certs */ -} - -/** - * list crl or ocsp URIs - */ -static void list_uris(linked_list_t *list, char *label, FILE *out) -{ - bool first = TRUE; - char *uri; - enumerator_t *enumerator; - - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, (void**)&uri)) - { - if (first) - { - fprintf(out, label); - first = FALSE; - } - else - { - fprintf(out, " "); - } - fprintf(out, "'%s'\n", uri); - } - enumerator->destroy(enumerator); -} - -/** - * Implementation of stroke_ca_t.check_for_hash_and_url. 
- */ -static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert) -{ - ca_section_t *section; - enumerator_t *enumerator; - - hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); - if (hasher == NULL) - { - DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported"); - return; - } - - this->lock->write_lock(this->lock); - enumerator = this->sections->create_enumerator(this->sections); - while (enumerator->enumerate(enumerator, (void**)§ion)) - { - if (section->certuribase && cert->issued_by(cert, section->cert)) - { - chunk_t hash, encoded = cert->get_encoding(cert); - hasher->allocate_hash(hasher, encoded, &hash); - section->hashes->insert_last(section->hashes, - identification_create_from_encoding(ID_KEY_ID, hash)); - chunk_free(&hash); - chunk_free(&encoded); - break; - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - - hasher->destroy(hasher); -} - -/** - * Implementation of stroke_ca_t.list. - */ -static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) -{ - bool first = TRUE; - ca_section_t *section; - enumerator_t *enumerator; - - this->lock->read_lock(this->lock); - enumerator = this->sections->create_enumerator(this->sections); - while (enumerator->enumerate(enumerator, (void**)§ion)) - { - certificate_t *cert = section->cert; - public_key_t *public = cert->get_public_key(cert); - chunk_t chunk; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of CA Information Sections:\n"); - first = FALSE; - } - fprintf(out, "\n"); - fprintf(out, " authname: \"%Y\"\n", cert->get_subject(cert)); - - /* list authkey and keyid */ - if (public) - { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) - { - fprintf(out, " authkey: %#B\n", &chunk); - } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk)) - { - fprintf(out, " keyid: %#B\n", &chunk); - } - public->destroy(public); - } - list_uris(section->crl, " crluris: ", out); - 
list_uris(section->ocsp, " ocspuris: ", out); - if (section->certuribase) - { - fprintf(out, " certuribase: '%s'\n", section->certuribase); - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); -} - -/** - * Implementation of stroke_ca_t.destroy - */ -static void destroy(private_stroke_ca_t *this) -{ - this->sections->destroy_function(this->sections, (void*)ca_section_destroy); - this->lock->destroy(this->lock); - free(this); -} - -/* - * see header file - */ -stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) -{ - private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t); - - this->public.set.create_private_enumerator = (void*)return_null; - this->public.set.create_cert_enumerator = (void*)return_null; - this->public.set.create_shared_enumerator = (void*)return_null; - this->public.set.create_cdp_enumerator = (void*)create_cdp_enumerator; - this->public.set.cache_cert = (void*)nop; - this->public.add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add; - this->public.del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del; - this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list; - this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url; - this->public.destroy = (void(*)(stroke_ca_t*))destroy; - - this->sections = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - this->cred = cred; - - return &this->public; -} - diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h deleted file mode 100644 index 21af912ea..000000000 --- a/src/charon/plugins/stroke/stroke_ca.h +++ /dev/null 
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_ca stroke_ca
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CA_H_
-#define STROKE_CA_H_
-
-#include <stroke_msg.h>
-
-#include "stroke_cred.h"
-
-typedef struct stroke_ca_t stroke_ca_t;
-
-/**
- * ipsec.conf ca section handling.
- */
-struct stroke_ca_t {
-
- /**
- * Implements credential_set_t
- */
- credential_set_t set;
-
- /**
- * Add a CA to the set using a stroke_msg_t.
- *
- * @param msg stroke message containing CA info
- */
- void (*add)(stroke_ca_t *this, stroke_msg_t *msg);
-
- /**
- * Remove a CA from the set using a stroke_msg_t.
- *
- * @param msg stroke message containing CA info
- */
- void (*del)(stroke_ca_t *this, stroke_msg_t *msg);
-
- /**
- * List CA sections to stroke console.
- *
- * @param msg stroke message
- */
- void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Check if a certificate can be made available through hash and URL.
- *
- * @param cert peer certificate
- */
- void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
-
- /**
- * Destroy a stroke_ca instance.
- */
- void (*destroy)(stroke_ca_t *this);
-};
-
-/**
- * Create a stroke_ca instance.
- */
-stroke_ca_t *stroke_ca_create(stroke_cred_t *cred);
-
-#endif /** STROKE_CA_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
deleted file mode 100644
index 0752f3c93..000000000
--- a/src/charon/plugins/stroke/stroke_config.c
+++ /dev/null
@@ -1,949 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "stroke_config.h" - -#include <daemon.h> -#include <threading/mutex.h> -#include <utils/lexparser.h> - -typedef struct private_stroke_config_t private_stroke_config_t; - -/** - * private data of stroke_config - */ -struct private_stroke_config_t { - - /** - * public functions - */ - stroke_config_t public; - - /** - * list of peer_cfg_t - */ - linked_list_t *list; - - /** - * mutex to lock config list - */ - mutex_t *mutex; - - /** - * ca sections - */ - stroke_ca_t *ca; - - /** - * credentials - */ - stroke_cred_t *cred; -}; - -/** - * Implementation of backend_t.create_peer_cfg_enumerator. - */ -static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this, - identification_t *me, - identification_t *other) -{ - this->mutex->lock(this->mutex); - return enumerator_create_cleaner(this->list->create_enumerator(this->list), - (void*)this->mutex->unlock, this->mutex); -} - -/** - * filter function for ike configs - */ -static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out) -{ - *out = (*in)->get_ike_cfg(*in); - return TRUE; -} - -/** - * Implementation of backend_t.create_ike_cfg_enumerator. 
- */ -static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this, - host_t *me, host_t *other) -{ - this->mutex->lock(this->mutex); - return enumerator_create_filter(this->list->create_enumerator(this->list), - (void*)ike_filter, this->mutex, - (void*)this->mutex->unlock); -} - -/** - * implements backend_t.get_peer_cfg_by_name. - */ -static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *name) -{ - enumerator_t *e1, *e2; - peer_cfg_t *current, *found = NULL; - child_cfg_t *child; - - this->mutex->lock(this->mutex); - e1 = this->list->create_enumerator(this->list); - while (e1->enumerate(e1, ¤t)) - { - /* compare peer_cfgs name first */ - if (streq(current->get_name(current), name)) - { - found = current; - found->get_ref(found); - break; - } - /* compare all child_cfg names otherwise */ - e2 = current->create_child_cfg_enumerator(current); - while (e2->enumerate(e2, &child)) - { - if (streq(child->get_name(child), name)) - { - found = current; - found->get_ref(found); - break; - } - } - e2->destroy(e2); - if (found) - { - break; - } - } - e1->destroy(e1); - this->mutex->unlock(this->mutex); - return found; -} - -/** - * parse a proposal string, either into ike_cfg or child_cfg - */ -static void add_proposals(private_stroke_config_t *this, char *string, - ike_cfg_t *ike_cfg, child_cfg_t *child_cfg) -{ - if (string) - { - char *single; - char *strict; - proposal_t *proposal; - protocol_id_t proto = PROTO_ESP; - - if (ike_cfg) - { - proto = PROTO_IKE; - } - strict = string + strlen(string) - 1; - if (*strict == '!') - { - *strict = '\0'; - } - else - { - strict = NULL; - } - while ((single = strsep(&string, ","))) - { - proposal = proposal_create_from_string(proto, single); - if (proposal) - { - if (ike_cfg) - { - ike_cfg->add_proposal(ike_cfg, proposal); - } - else - { - child_cfg->add_proposal(child_cfg, proposal); - } - continue; - } - DBG1(DBG_CFG, "skipped invalid proposal string: %s", single); - } - if (strict) - { - 
return; - } - /* add default porposal to the end if not strict */ - } - if (ike_cfg) - { - ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); - } - else - { - child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); - } -} - -/** - * Build an IKE config from a stroke message - */ -static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg) -{ - stroke_end_t tmp_end; - ike_cfg_t *ike_cfg; - char *interface; - host_t *host; - - host = host_create_from_dns(msg->add_conn.other.address, 0, 0); - if (host) - { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, host); - host->destroy(host); - if (interface) - { - DBG2(DBG_CFG, "left is other host, swapping ends"); - tmp_end = msg->add_conn.me; - msg->add_conn.me = msg->add_conn.other; - msg->add_conn.other = tmp_end; - free(interface); - } - else - { - host = host_create_from_dns(msg->add_conn.me.address, 0, 0); - if (host) - { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, host); - host->destroy(host); - if (!interface) - { - DBG1(DBG_CFG, "left nor right host is our side, " - "assuming left=local"); - } - else - { - free(interface); - } - - } - } - } - ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND, - msg->add_conn.force_encap, - msg->add_conn.me.address, - msg->add_conn.other.address); - add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL); - return ike_cfg; -} - -/** - * Add CRL constraint to config - */ -static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy) -{ - /* CRL/OCSP policy, for remote config only */ - if (!local) - { - switch (policy) - { - case CRL_STRICT_YES: - /* if yes, we require a GOOD validation */ - cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD); - break; - case CRL_STRICT_IFURI: - /* for ifuri, a SKIPPED validation is sufficient */ - cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED); - break; - default: - 
break; - } - } -} - -/** - * build authentication config - */ -static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, - stroke_msg_t *msg, bool local, bool primary) -{ - identification_t *identity; - certificate_t *certificate; - char *auth, *id, *cert, *ca; - stroke_end_t *end, *other_end; - auth_cfg_t *cfg; - char eap_buf[32]; - - /* select strings */ - if (local) - { - end = &msg->add_conn.me; - other_end = &msg->add_conn.other; - } - else - { - end = &msg->add_conn.other; - other_end = &msg->add_conn.me; - } - if (primary) - { - auth = end->auth; - id = end->id; - if (!id) - { /* leftid/rightid fallback to address */ - id = end->address; - } - cert = end->cert; - ca = end->ca; - if (ca && streq(ca, "%same")) - { - ca = other_end->ca; - } - } - else - { - auth = end->auth2; - id = end->id2; - if (local && !id) - { /* leftid2 falls back to leftid */ - id = end->id; - } - cert = end->cert2; - ca = end->ca2; - if (ca && streq(ca, "%same")) - { - ca = other_end->ca2; - } - } - - if (!auth) - { - if (primary) - { - if (local) - { /* "leftauth" not defined, fall back to deprecated "authby" */ - switch (msg->add_conn.auth_method) - { - default: - case AUTH_CLASS_PUBKEY: - auth = "pubkey"; - break; - case AUTH_CLASS_PSK: - auth = "psk"; - break; - case AUTH_CLASS_EAP: - auth = "eap"; - break; - } - } - else - { /* "rightauth" not defined, fall back to deprecated "eap" */ - if (msg->add_conn.eap_type) - { - if (msg->add_conn.eap_vendor) - { - snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d", - msg->add_conn.eap_type, - msg->add_conn.eap_vendor); - } - else - { - snprintf(eap_buf, sizeof(eap_buf), "eap-%d", - msg->add_conn.eap_type); - } - auth = eap_buf; - } - else - { /* not EAP => no constraints for this peer */ - auth = "any"; - } - } - } - else - { /* no second authentication round, fine */ - return NULL; - } - } - - cfg = auth_cfg_create(); - - /* add identity and peer certifcate */ - identity = identification_create_from_string(id); - if (cert) - { - 
certificate = this->cred->load_peer(this->cred, cert); - if (certificate) - { - if (local) - { - this->ca->check_for_hash_and_url(this->ca, certificate); - } - cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); - if (identity->get_type(identity) == ID_ANY || - !certificate->has_subject(certificate, identity)) - { - DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, " - "defaulting to '%Y'", identity, - certificate->get_subject(certificate)); - identity->destroy(identity); - identity = certificate->get_subject(certificate); - identity = identity->clone(identity); - } - } - } - cfg->add(cfg, AUTH_RULE_IDENTITY, identity); - - /* CA constraint */ - if (ca) - { - identity = identification_create_from_string(ca); - certificate = charon->credentials->get_cert(charon->credentials, - CERT_X509, KEY_ANY, identity, TRUE); - identity->destroy(identity); - if (certificate) - { - cfg->add(cfg, AUTH_RULE_CA_CERT, certificate); - } - else - { - DBG1(DBG_CFG, "CA certificate %s not found, discarding CA " - "constraint", ca); - } - } - - /* AC groups */ - if (end->groups) - { - enumerator_t *enumerator; - char *group; - - enumerator = enumerator_create_token(end->groups, ",", " "); - while (enumerator->enumerate(enumerator, &group)) - { - identity = identification_create_from_encoding(ID_IETF_ATTR_STRING, - chunk_create(group, strlen(group))); - cfg->add(cfg, AUTH_RULE_AC_GROUP, identity); - } - enumerator->destroy(enumerator); - } - - /* authentication metod (class, actually) */ - if (streq(auth, "pubkey") || - streq(auth, "rsasig") || streq(auth, "rsa") || - streq(auth, "ecdsasig") || streq(auth, "ecdsa")) - { - cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); - build_crl_policy(cfg, local, msg->add_conn.crl_policy); - } - else if (streq(auth, "psk") || streq(auth, "secret")) - { - cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); - } - else if (strneq(auth, "eap", 3)) - { - enumerator_t *enumerator; - char *str; - int i = 0, type = 0, vendor; - - cfg->add(cfg, 
AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); - - /* parse EAP string, format: eap[-type[-vendor]] */ - enumerator = enumerator_create_token(auth, "-", " "); - while (enumerator->enumerate(enumerator, &str)) - { - switch (i) - { - case 1: - type = eap_type_from_string(str); - if (!type) - { - type = atoi(str); - if (!type) - { - DBG1(DBG_CFG, "unknown EAP method: %s", str); - break; - } - } - cfg->add(cfg, AUTH_RULE_EAP_TYPE, type); - break; - case 2: - if (type) - { - vendor = atoi(str); - if (vendor) - { - cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor); - } - else - { - DBG1(DBG_CFG, "unknown EAP vendor: %s", str); - } - } - break; - default: - break; - } - i++; - } - enumerator->destroy(enumerator); - - if (msg->add_conn.eap_identity) - { - if (streq(msg->add_conn.eap_identity, "%identity")) - { - identity = identification_create_from_encoding(ID_ANY, - chunk_empty); - } - else - { - identity = identification_create_from_string( - msg->add_conn.eap_identity); - } - cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity); - } - } - else - { - if (!streq(auth, "any")) - { - DBG1(DBG_CFG, "authentication method %s unknown, fallback to any", - auth); - } - build_crl_policy(cfg, local, msg->add_conn.crl_policy); - } - return cfg; -} - -/** - * build a peer_cfg from a stroke msg - */ -static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, - stroke_msg_t *msg, ike_cfg_t *ike_cfg) -{ - identification_t *peer_id = NULL; - peer_cfg_t *mediated_by = NULL; - host_t *vip = NULL; - unique_policy_t unique; - u_int32_t rekey = 0, reauth = 0, over, jitter; - peer_cfg_t *peer_cfg; - auth_cfg_t *auth_cfg; - -#ifdef ME - if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by) - { - DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection " - "at the same time, aborting"); - return NULL; - } - - if (msg->add_conn.ikeme.mediation) - { - /* force unique connections for mediation connections */ - msg->add_conn.unique = 1; - } - - if (msg->add_conn.ikeme.mediated_by) 
- { - mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends, - msg->add_conn.ikeme.mediated_by); - if (!mediated_by) - { - DBG1(DBG_CFG, "mediation connection '%s' not found, aborting", - msg->add_conn.ikeme.mediated_by); - return NULL; - } - if (!mediated_by->is_mediation(mediated_by)) - { - DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is " - "no mediation connection, aborting", - msg->add_conn.ikeme.mediated_by, msg->add_conn.name); - mediated_by->destroy(mediated_by); - return NULL; - } - if (msg->add_conn.ikeme.peerid) - { - peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid); - } - else if (msg->add_conn.other.id) - { - peer_id = identification_create_from_string(msg->add_conn.other.id); - } - } -#endif /* ME */ - - jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; - over = msg->add_conn.rekey.margin; - if (msg->add_conn.rekey.reauth) - { - reauth = msg->add_conn.rekey.ike_lifetime - over; - } - else - { - rekey = msg->add_conn.rekey.ike_lifetime - over; - } - if (msg->add_conn.me.sourceip_mask) - { - if (msg->add_conn.me.sourceip) - { - vip = host_create_from_string(msg->add_conn.me.sourceip, 0); - } - if (!vip) - { /* if it is set to something like %poolname, request an address */ - if (msg->add_conn.me.subnets) - { /* use the same address as in subnet, if any */ - if (strchr(msg->add_conn.me.subnets, '.')) - { - vip = host_create_any(AF_INET); - } - else - { - vip = host_create_any(AF_INET6); - } - } - else - { - if (strchr(ike_cfg->get_my_addr(ike_cfg), ':')) - { - vip = host_create_any(AF_INET6); - } - else - { - vip = host_create_any(AF_INET); - } - } - } - } - switch (msg->add_conn.unique) - { - case 1: /* yes */ - case 2: /* replace */ - unique = UNIQUE_REPLACE; - break; - case 3: /* keep */ - unique = UNIQUE_KEEP; - break; - default: /* no */ - unique = UNIQUE_NO; - break; - } - if (msg->add_conn.dpd.action == 0) - { /* dpdaction=none disables DPD */ - msg->add_conn.dpd.delay = 0; - } - 
- /* other.sourceip is managed in stroke_attributes. If it is set, we define - * the pool name as the connection name, which the attribute provider - * uses to serve pool addresses. */ - peer_cfg = peer_cfg_create(msg->add_conn.name, - msg->add_conn.ikev2 ? 2 : 1, ike_cfg, - msg->add_conn.me.sendcert, unique, - msg->add_conn.rekey.tries, rekey, reauth, jitter, over, - msg->add_conn.mobike, msg->add_conn.dpd.delay, - vip, msg->add_conn.other.sourceip_mask ? - msg->add_conn.name : msg->add_conn.other.sourceip, - msg->add_conn.ikeme.mediation, mediated_by, peer_id); - - /* build leftauth= */ - auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE); - if (auth_cfg) - { - peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE); - } - else - { /* we require at least one config on our side */ - peer_cfg->destroy(peer_cfg); - return NULL; - } - /* build leftauth2= */ - auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE); - if (auth_cfg) - { - peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE); - } - /* build rightauth= */ - auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE); - if (auth_cfg) - { - peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); - } - /* build rightauth2= */ - auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE); - if (auth_cfg) - { - peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); - } - return peer_cfg; -} - -/** - * build a traffic selector from a stroke_end - */ -static void add_ts(private_stroke_config_t *this, - stroke_end_t *end, child_cfg_t *child_cfg, bool local) -{ - traffic_selector_t *ts; - - if (end->tohost) - { - ts = traffic_selector_create_dynamic(end->protocol, - end->port ? end->port : 0, end->port ? 
end->port : 65535); - child_cfg->add_traffic_selector(child_cfg, local, ts); - } - else - { - host_t *net; - - if (!end->subnets) - { - net = host_create_from_string(end->address, IKEV2_UDP_PORT); - if (net) - { - ts = traffic_selector_create_from_subnet(net, 0, end->protocol, - end->port); - child_cfg->add_traffic_selector(child_cfg, local, ts); - } - } - else - { - char *del, *start, *bits; - - start = end->subnets; - do - { - int intbits = 0; - - del = strchr(start, ','); - if (del) - { - *del = '\0'; - } - bits = strchr(start, '/'); - if (bits) - { - *bits = '\0'; - intbits = atoi(bits + 1); - } - - net = host_create_from_string(start, IKEV2_UDP_PORT); - if (net) - { - ts = traffic_selector_create_from_subnet(net, intbits, - end->protocol, end->port); - child_cfg->add_traffic_selector(child_cfg, local, ts); - } - else - { - DBG1(DBG_CFG, "invalid subnet: %s, skipped", start); - } - start = del + 1; - } - while (del); - } - } -} - -/** - * build a child config from the stroke message - */ -static child_cfg_t *build_child_cfg(private_stroke_config_t *this, - stroke_msg_t *msg) -{ - child_cfg_t *child_cfg; - action_t dpd; - lifetime_cfg_t lifetime = { - .time = { - .life = msg->add_conn.rekey.ipsec_lifetime, - .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, - .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100 - }, - .bytes = { - .life = msg->add_conn.rekey.life_bytes, - .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes, - .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100 - }, - .packets = { - .life = msg->add_conn.rekey.life_packets, - .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets, - .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 - } - }; - - switch (msg->add_conn.dpd.action) - { /* map startes magic values to our action type */ - case 2: /* =hold */ - dpd = ACTION_ROUTE; - break; - case 3: /* =restart */ - 
dpd = ACTION_RESTART; - break; - default: - dpd = ACTION_NONE; - break; - } - - child_cfg = child_cfg_create( - msg->add_conn.name, &lifetime, - msg->add_conn.me.updown, msg->add_conn.me.hostaccess, - msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, - msg->add_conn.inactivity); - child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, - msg->add_conn.install_policy); - add_ts(this, &msg->add_conn.me, child_cfg, TRUE); - add_ts(this, &msg->add_conn.other, child_cfg, FALSE); - - add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg); - - return child_cfg; -} - -/** - * Implementation of stroke_config_t.add. - */ -static void add(private_stroke_config_t *this, stroke_msg_t *msg) -{ - ike_cfg_t *ike_cfg, *existing_ike; - peer_cfg_t *peer_cfg, *existing; - child_cfg_t *child_cfg; - enumerator_t *enumerator; - bool use_existing = FALSE; - - ike_cfg = build_ike_cfg(this, msg); - if (!ike_cfg) - { - return; - } - peer_cfg = build_peer_cfg(this, msg, ike_cfg); - if (!peer_cfg) - { - ike_cfg->destroy(ike_cfg); - return; - } - - enumerator = create_peer_cfg_enumerator(this, NULL, NULL); - while (enumerator->enumerate(enumerator, &existing)) - { - existing_ike = existing->get_ike_cfg(existing); - if (existing->equals(existing, peer_cfg) && - existing_ike->equals(existing_ike, peer_cfg->get_ike_cfg(peer_cfg))) - { - use_existing = TRUE; - peer_cfg->destroy(peer_cfg); - peer_cfg = existing; - peer_cfg->get_ref(peer_cfg); - DBG1(DBG_CFG, "added child to existing configuration '%s'", - peer_cfg->get_name(peer_cfg)); - break; - } - } - enumerator->destroy(enumerator); - - child_cfg = build_child_cfg(this, msg); - if (!child_cfg) - { - peer_cfg->destroy(peer_cfg); - return; - } - peer_cfg->add_child_cfg(peer_cfg, child_cfg); - - if (use_existing) - { - peer_cfg->destroy(peer_cfg); - } - else - { - /* add config to backend */ - DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name); - this->mutex->lock(this->mutex); - 
this->list->insert_last(this->list, peer_cfg); - this->mutex->unlock(this->mutex); - } -} - -/** - * Implementation of stroke_config_t.del. - */ -static void del(private_stroke_config_t *this, stroke_msg_t *msg) -{ - enumerator_t *enumerator, *children; - peer_cfg_t *peer; - child_cfg_t *child; - bool deleted = FALSE; - - this->mutex->lock(this->mutex); - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, (void**)&peer)) - { - bool keep = FALSE; - - /* remove any child with such a name */ - children = peer->create_child_cfg_enumerator(peer); - while (children->enumerate(children, &child)) - { - if (streq(child->get_name(child), msg->del_conn.name)) - { - peer->remove_child_cfg(peer, children); - child->destroy(child); - deleted = TRUE; - } - else - { - keep = TRUE; - } - } - children->destroy(children); - - /* if peer config matches, or has no children anymore, remove it */ - if (!keep || streq(peer->get_name(peer), msg->del_conn.name)) - { - this->list->remove_at(this->list, enumerator); - peer->destroy(peer); - deleted = TRUE; - } - } - enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); - - if (deleted) - { - DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name); - } - else - { - DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name); - } -} - -/** - * Implementation of stroke_config_t.destroy - */ -static void destroy(private_stroke_config_t *this) -{ - this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy)); - this->mutex->destroy(this->mutex); - free(this); -} - -/* - * see header file - */ -stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) -{ - private_stroke_config_t *this = malloc_thing(private_stroke_config_t); - - this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; - this->public.backend.create_ike_cfg_enumerator = 
(enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; - this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; - this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add; - this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del; - this->public.destroy = (void(*)(stroke_config_t*))destroy; - - this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - this->ca = ca; - this->cred = cred; - - return &this->public; -} - diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h deleted file mode 100644 index 05e4665ca..000000000 --- a/src/charon/plugins/stroke/stroke_config.h +++ /dev/null 
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_config stroke_config
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CONFIG_H_
-#define STROKE_CONFIG_H_
-
-#include <config/backend.h>
-#include <stroke_msg.h>
-#include "stroke_ca.h"
-#include "stroke_cred.h"
-
-typedef struct stroke_config_t stroke_config_t;
-
-/**
- * Stroke in-memory configuration backend
- */
-struct stroke_config_t {
-
- /**
- * Implements the backend_t interface
- */
- backend_t backend;
-
- /**
- * Add a configuration to the backend.
- *
- * @param msg received stroke message containing config
- */
- void (*add)(stroke_config_t *this, stroke_msg_t *msg);
-
- /**
- * Remove a configuration from the backend.
- *
- * @param msg received stroke message containing config name
- */
- void (*del)(stroke_config_t *this, stroke_msg_t *msg);
-
- /**
- * Destroy a stroke_config instance.
- */
- void (*destroy)(stroke_config_t *this);
-};
-
-/**
- * Create a stroke_config instance.
- */
-stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred);
-
-#endif /** STROKE_CONFIG_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
deleted file mode 100644
index a03aef697..000000000
--- a/src/charon/plugins/stroke/stroke_control.c
+++ /dev/null
@@ -1,491 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "stroke_control.h" - -#include <daemon.h> -#include <processing/jobs/delete_ike_sa_job.h> - -typedef struct private_stroke_control_t private_stroke_control_t; - -/** - * private data of stroke_control - */ -struct private_stroke_control_t { - - /** - * public functions - */ - stroke_control_t public; -}; - - -typedef struct stroke_log_info_t stroke_log_info_t; - -/** - * helper struct to say what and where to log when using controller callback - */ -struct stroke_log_info_t { - - /** - * level to log up to - */ - level_t level; - - /** - * where to write log - */ - FILE* out; -}; - -/** - * logging to the stroke interface - */ -static bool stroke_log(stroke_log_info_t *info, debug_t group, level_t level, - ike_sa_t *ike_sa, char *format, va_list args) -{ - if (level <= info->level) - { - if (vfprintf(info->out, format, args) < 0 || - fprintf(info->out, "\n") < 0 || - fflush(info->out) != 0) - { - return FALSE; - } - } - return TRUE; -} - -/** - * get the child_cfg with the same name as the peer cfg - */ -static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name) -{ - child_cfg_t *current, *found = NULL; - enumerator_t *enumerator; - - enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (streq(current->get_name(current), name)) 
- { - found = current; - found->get_ref(found); - break; - } - } - enumerator->destroy(enumerator); - return found; -} - -/** - * Implementation of stroke_control_t.initiate. - */ -static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) -{ - peer_cfg_t *peer_cfg; - child_cfg_t *child_cfg; - stroke_log_info_t info; - - peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, - msg->initiate.name); - if (peer_cfg == NULL) - { - DBG1(DBG_CFG, "no config named '%s'\n", msg->initiate.name); - return; - } - if (peer_cfg->get_ike_version(peer_cfg) != 2) - { - DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config", - peer_cfg->get_ike_version(peer_cfg)); - peer_cfg->destroy(peer_cfg); - return; - } - - child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name); - if (child_cfg == NULL) - { - DBG1(DBG_CFG, "no child config named '%s'\n", msg->initiate.name); - peer_cfg->destroy(peer_cfg); - return; - } - - if (msg->output_verbosity < 0) - { - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, - NULL, NULL); - } - else - { - info.out = out; - info.level = msg->output_verbosity; - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, - (controller_cb_t)stroke_log, &info); - } -} - -/** - * Implementation of stroke_control_t.terminate. 
- */ -static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) -{ - char *string, *pos = NULL, *name = NULL; - u_int32_t id = 0; - bool child, all = FALSE; - int len; - ike_sa_t *ike_sa; - enumerator_t *enumerator; - linked_list_t *ike_list, *child_list; - stroke_log_info_t info; - uintptr_t del; - - string = msg->terminate.name; - - len = strlen(string); - if (len < 1) - { - DBG1(DBG_CFG, "error parsing string"); - return; - } - switch (string[len-1]) - { - case '}': - child = TRUE; - pos = strchr(string, '{'); - break; - case ']': - child = FALSE; - pos = strchr(string, '['); - break; - default: - name = string; - child = FALSE; - break; - } - - if (name) - { - /* is a single name */ - } - else if (pos == string + len - 2) - { /* is name[] or name{} */ - string[len-2] = '\0'; - name = string; - } - else - { - if (*(pos + 1) == '*') - { /* is name[*] */ - all = TRUE; - *pos = '\0'; - name = string; - } - else - { /* is name[123] or name{23} */ - id = atoi(pos + 1); - if (id == 0) - { - DBG1(DBG_CFG, "error parsing string"); - return; - } - } - } - - info.out = out; - info.level = msg->output_verbosity; - - if (id) - { - if (child) - { - charon->controller->terminate_child(charon->controller, id, - (controller_cb_t)stroke_log, &info); - } - else - { - charon->controller->terminate_ike(charon->controller, id, - (controller_cb_t)stroke_log, &info); - } - return; - } - - ike_list = linked_list_create(); - child_list = linked_list_create(); - enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); - while (enumerator->enumerate(enumerator, &ike_sa)) - { - child_sa_t *child_sa; - iterator_t *children; - - if (child) - { - children = ike_sa->create_child_sa_iterator(ike_sa); - while (children->iterate(children, (void**)&child_sa)) - { - if (streq(name, child_sa->get_name(child_sa))) - { - child_list->insert_last(child_list, - (void*)(uintptr_t)child_sa->get_reqid(child_sa)); - if (!all) - { - break; - } - } - } - 
children->destroy(children); - if (child_list->get_count(child_list) && !all) - { - break; - } - } - else if (streq(name, ike_sa->get_name(ike_sa))) - { - ike_list->insert_last(ike_list, - (void*)(uintptr_t)ike_sa->get_unique_id(ike_sa)); - if (!all) - { - break; - } - } - } - enumerator->destroy(enumerator); - - enumerator = child_list->create_enumerator(child_list); - while (enumerator->enumerate(enumerator, &del)) - { - charon->controller->terminate_child(charon->controller, del, - (controller_cb_t)stroke_log, &info); - } - enumerator->destroy(enumerator); - - enumerator = ike_list->create_enumerator(ike_list); - while (enumerator->enumerate(enumerator, &del)) - { - charon->controller->terminate_ike(charon->controller, del, - (controller_cb_t)stroke_log, &info); - } - enumerator->destroy(enumerator); - - if (child_list->get_count(child_list) == 0 && - ike_list->get_count(ike_list) == 0) - { - DBG1(DBG_CFG, "no %s_SA named '%s' found", - child ? "CHILD" : "IKE", name); - } - ike_list->destroy(ike_list); - child_list->destroy(child_list); -} - -/** - * Implementation of stroke_control_t.terminate_srcip. 
- */ -static void terminate_srcip(private_stroke_control_t *this, - stroke_msg_t *msg, FILE *out) -{ - enumerator_t *enumerator; - ike_sa_t *ike_sa; - host_t *start = NULL, *end = NULL, *vip; - chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip; - - if (msg->terminate_srcip.start) - { - start = host_create_from_string(msg->terminate_srcip.start, 0); - } - if (!start) - { - DBG1(DBG_CFG, "invalid start address: %s", msg->terminate_srcip.start); - return; - } - chunk_start = start->get_address(start); - if (msg->terminate_srcip.end) - { - end = host_create_from_string(msg->terminate_srcip.end, 0); - if (!end) - { - DBG1(DBG_CFG, "invalid end address: %s", msg->terminate_srcip.end); - start->destroy(start); - return; - } - chunk_end = end->get_address(end); - } - - enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); - while (enumerator->enumerate(enumerator, &ike_sa)) - { - vip = ike_sa->get_virtual_ip(ike_sa, FALSE); - if (!vip) - { - continue; - } - if (!end) - { - if (!vip->ip_equals(vip, start)) - { - continue; - } - } - else - { - chunk_vip = vip->get_address(vip); - if (chunk_vip.len != chunk_start.len || - chunk_vip.len != chunk_end.len || - memcmp(chunk_vip.ptr, chunk_start.ptr, chunk_vip.len) < 0 || - memcmp(chunk_vip.ptr, chunk_end.ptr, chunk_vip.len) > 0) - { - continue; - } - } - - /* schedule delete asynchronously */ - charon->processor->queue_job(charon->processor, (job_t*) - delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE)); - } - enumerator->destroy(enumerator); - start->destroy(start); - DESTROY_IF(end); -} - -/** - * Implementation of stroke_control_t.purge_ike - */ -static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) -{ - enumerator_t *enumerator; - iterator_t *iterator; - ike_sa_t *ike_sa; - child_sa_t *child_sa; - linked_list_t *list; - uintptr_t del; - stroke_log_info_t info; - - info.out = out; - info.level = msg->output_verbosity; - - list = linked_list_create(); - enumerator 
= charon->controller->create_ike_sa_enumerator(charon->controller); - while (enumerator->enumerate(enumerator, &ike_sa)) - { - iterator = ike_sa->create_child_sa_iterator(ike_sa); - if (!iterator->iterate(iterator, (void**)&child_sa)) - { - list->insert_last(list, - (void*)(uintptr_t)ike_sa->get_unique_id(ike_sa)); - } - iterator->destroy(iterator); - } - enumerator->destroy(enumerator); - - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &del)) - { - charon->controller->terminate_ike(charon->controller, del, - (controller_cb_t)stroke_log, &info); - } - enumerator->destroy(enumerator); - list->destroy(list); -} - -/** - * Implementation of stroke_control_t.route. - */ -static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) -{ - peer_cfg_t *peer_cfg; - child_cfg_t *child_cfg; - - peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, - msg->route.name); - if (peer_cfg == NULL) - { - fprintf(out, "no config named '%s'\n", msg->route.name); - return; - } - if (peer_cfg->get_ike_version(peer_cfg) != 2) - { - peer_cfg->destroy(peer_cfg); - return; - } - - child_cfg = get_child_from_peer(peer_cfg, msg->route.name); - if (child_cfg == NULL) - { - fprintf(out, "no child config named '%s'\n", msg->route.name); - peer_cfg->destroy(peer_cfg); - return; - } - - if (charon->traps->install(charon->traps, peer_cfg, child_cfg)) - { - fprintf(out, "configuration '%s' routed\n", msg->route.name); - } - else - { - fprintf(out, "routing configuration '%s' failed\n", msg->route.name); - } - peer_cfg->destroy(peer_cfg); - child_cfg->destroy(child_cfg); -} - -/** - * Implementation of stroke_control_t.unroute. 
- */ -static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) -{ - child_sa_t *child_sa; - enumerator_t *enumerator; - u_int32_t id; - - enumerator = charon->traps->create_enumerator(charon->traps); - while (enumerator->enumerate(enumerator, NULL, &child_sa)) - { - if (streq(msg->unroute.name, child_sa->get_name(child_sa))) - { - id = child_sa->get_reqid(child_sa); - enumerator->destroy(enumerator); - charon->traps->uninstall(charon->traps, id); - fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name); - return; - } - } - enumerator->destroy(enumerator); - fprintf(out, "configuration '%s' not found\n", msg->unroute.name); -} - -/** - * Implementation of stroke_control_t.destroy - */ -static void destroy(private_stroke_control_t *this) -{ - free(this); -} - -/* - * see header file - */ -stroke_control_t *stroke_control_create() -{ - private_stroke_control_t *this = malloc_thing(private_stroke_control_t); - - this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate; - this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate; - this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip; - this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike; - this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route; - this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute; - this->public.destroy = (void(*)(stroke_control_t*))destroy; - - return &this->public; -} - diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h deleted file mode 100644 index 9b49bdc31..000000000 --- a/src/charon/plugins/stroke/stroke_control.h +++ /dev/null 
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_control stroke_control
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CONTROL_H_
-#define STROKE_CONTROL_H_
-
-#include <stroke_msg.h>
-#include <library.h>
-#include <stdio.h>
-
-typedef struct stroke_control_t stroke_control_t;
-
-/**
- * Process stroke control messages
- */
-struct stroke_control_t {
-
- /**
- * Initiate a connection.
- *
- * @param msg stroke message
- */
- void (*initiate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Terminate a connection.
- *
- * @param msg stroke message
- */
- void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Terminate a connection by peers virtual IP.
- *
- * @param msg stroke message
- */
- void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Delete IKE_SAs without a CHILD_SA.
- *
- * @param msg stroke message
- */
- void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Route a connection.
- *
- * @param msg stroke message
- */
- void (*route)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Unroute a connection.
- *
- * @param msg stroke message
- */
- void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Destroy a stroke_control instance.
- */
- void (*destroy)(stroke_control_t *this);
-};
-
-/**
- * Create a stroke_control instance.
- */
-stroke_control_t *stroke_control_create();
-
-#endif /** STROKE_CONTROL_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
deleted file mode 100644
index bc0b2f6fc..000000000
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ /dev/null
@@ -1,1174 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/stat.h> -#include <limits.h> -#include <glob.h> -#include <libgen.h> - -#include "stroke_cred.h" -#include "stroke_shared_key.h" - -#include <credentials/certificates/x509.h> -#include <credentials/certificates/crl.h> -#include <credentials/certificates/ac.h> -#include <utils/linked_list.h> -#include <utils/lexparser.h> -#include <threading/rwlock.h> -#include <daemon.h> - -/* configuration directories and files */ -#define CONFIG_DIR IPSEC_CONFDIR -#define IPSEC_D_DIR CONFIG_DIR "/ipsec.d" -#define PRIVATE_KEY_DIR IPSEC_D_DIR "/private" -#define CERTIFICATE_DIR IPSEC_D_DIR "/certs" -#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts" -#define AA_CERTIFICATE_DIR IPSEC_D_DIR "/aacerts" -#define ATTR_CERTIFICATE_DIR IPSEC_D_DIR "/acerts" -#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts" -#define CRL_DIR IPSEC_D_DIR "/crls" -#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets" - -#define MAX_SECRETS_RECURSION 10 - -typedef struct private_stroke_cred_t private_stroke_cred_t; - -/** - * private data of stroke_cred - */ -struct private_stroke_cred_t { - - /** - * public functions - */ - stroke_cred_t public; - - /** - * list of trusted peer/signer/CA certificates (certificate_t) - */ - linked_list_t *certs; - - /** - * list of shared secrets (private_shared_key_t) - */ - 
linked_list_t *shared; - - /** - * list of private keys (private_key_t) - */ - linked_list_t *private; - - /** - * read-write lock to lists - */ - rwlock_t *lock; - - /** - * cache CRLs to disk? - */ - bool cachecrl; -}; - -/** - * data to pass to various filters - */ -typedef struct { - private_stroke_cred_t *this; - identification_t *id; - certificate_type_t type; -} id_data_t; - -/** - * destroy id enumerator data and unlock list - */ -static void id_data_destroy(id_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * filter function for private key enumerator - */ -static bool private_filter(id_data_t *data, - private_key_t **in, private_key_t **out) -{ - private_key_t *key; - - key = *in; - if (data->id == NULL) - { - *out = key; - return TRUE; - } - if (key->has_fingerprint(key, data->id->get_encoding(data->id))) - { - *out = key; - return TRUE; - } - return FALSE; -} - -/** - * Implements credential_set_t.create_private_enumerator - */ -static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, - key_type_t type, identification_t *id) -{ - id_data_t *data; - - data = malloc_thing(id_data_t); - data->this = this; - data->id = id; - - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->private->create_enumerator(this->private), - (void*)private_filter, data, - (void*)id_data_destroy); -} - -/** - * filter function for certs enumerator - */ -static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out) -{ - public_key_t *public; - certificate_t *cert = *in; - - if (data->type != CERT_ANY && data->type != cert->get_type(cert)) - { - return FALSE; - } - if (data->id == NULL || cert->has_subject(cert, data->id)) - { - *out = *in; - return TRUE; - } - - public = cert->get_public_key(cert); - if (public) - { - if (public->has_fingerprint(public, data->id->get_encoding(data->id))) - { - public->destroy(public); - *out = *in; - return TRUE; - } - public->destroy(public); 
- } - return FALSE; -} - -/** - * Implements credential_set_t.create_cert_enumerator - */ -static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) -{ - id_data_t *data; - - if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC)) - { - return NULL; - } - data = malloc_thing(id_data_t); - data->this = this; - data->id = id; - data->type = cert; - - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->certs->create_enumerator(this->certs), - (void*)certs_filter, data, - (void*)id_data_destroy); -} - -typedef struct { - private_stroke_cred_t *this; - identification_t *me; - identification_t *other; - shared_key_type_t type; -} shared_data_t; - -/** - * free shared key enumerator data and unlock list - */ -static void shared_data_destroy(shared_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * filter function for certs enumerator - */ -static bool shared_filter(shared_data_t *data, - stroke_shared_key_t **in, shared_key_t **out, - void **unused1, id_match_t *me, - void **unused2, id_match_t *other) -{ - id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE; - stroke_shared_key_t *stroke = *in; - shared_key_t *shared = &stroke->shared; - - if (data->type != SHARED_ANY && shared->get_type(shared) != data->type) - { - return FALSE; - } - - if (data->me) - { - my_match = stroke->has_owner(stroke, data->me); - } - if (data->other) - { - other_match = stroke->has_owner(stroke, data->other); - } - if ((data->me || data->other) && (!my_match && !other_match)) - { - return FALSE; - } - *out = shared; - if (me) - { - *me = my_match; - } - if (other) - { - *other = other_match; - } - return TRUE; -} - -/** - * Implements credential_set_t.create_shared_enumerator - */ -static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, - shared_key_type_t type, identification_t *me, - 
identification_t *other) -{ - shared_data_t *data = malloc_thing(shared_data_t); - - data->this = this; - data->me = me; - data->other = other; - data->type = type; - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->shared->create_enumerator(this->shared), - (void*)shared_filter, data, - (void*)shared_data_destroy); -} - -/** - * Add a certificate to chain - */ -static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert) -{ - certificate_t *current; - enumerator_t *enumerator; - bool new = TRUE; - - this->lock->read_lock(this->lock); - enumerator = this->certs->create_enumerator(this->certs); - while (enumerator->enumerate(enumerator, (void**)¤t)) - { - if (current->equals(current, cert)) - { - /* cert already in queue */ - cert->destroy(cert); - cert = current; - new = FALSE; - break; - } - } - enumerator->destroy(enumerator); - - if (new) - { - this->certs->insert_last(this->certs, cert); - } - this->lock->unlock(this->lock); - return cert; -} - -/** - * Implementation of stroke_cred_t.load_ca. 
- */ -static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) -{ - certificate_t *cert; - char path[PATH_MAX]; - - if (*filename == '/') - { - snprintf(path, sizeof(path), "%s", filename); - } - else - { - snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); - } - - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, path, - BUILD_END); - if (cert) - { - x509_t *x509 = (x509_t*)cert; - - if (!(x509->get_flags(x509) & X509_CA)) - { - DBG1(DBG_CFG, " ca certificate \"%Y\" misses ca basic constraint, " - "discarded", cert->get_subject(cert)); - cert->destroy(cert); - return NULL; - } - return (certificate_t*)add_cert(this, cert); - } - return NULL; -} - -/** - * Add X.509 CRL to chain - */ -static bool add_crl(private_stroke_cred_t *this, crl_t* crl) -{ - certificate_t *current, *cert = &crl->certificate; - enumerator_t *enumerator; - bool new = TRUE, found = FALSE; - - this->lock->write_lock(this->lock); - enumerator = this->certs->create_enumerator(this->certs); - while (enumerator->enumerate(enumerator, (void**)¤t)) - { - if (current->get_type(current) == CERT_X509_CRL) - { - crl_t *crl_c = (crl_t*)current; - chunk_t authkey = crl->get_authKeyIdentifier(crl); - chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); - - /* if compare authorityKeyIdentifiers if available */ - if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c)) - { - found = TRUE; - } - else - { - identification_t *issuer = cert->get_issuer(cert); - identification_t *issuer_c = current->get_issuer(current); - - /* otherwise compare issuer distinguished names */ - if (issuer->equals(issuer, issuer_c)) - { - found = TRUE; - } - } - if (found) - { - new = cert->is_newer(cert, current); - if (new) - { - this->certs->remove_at(this->certs, enumerator); - } - else - { - cert->destroy(cert); - } - break; - } - } - } - enumerator->destroy(enumerator); - - if (new) - { - this->certs->insert_last(this->certs, cert); - } - 
this->lock->unlock(this->lock);
- return new;
-}
-
-/**
- * Add X.509 attribute certificate to chain
- */
-static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
-{
- certificate_t *cert = &ac->certificate;
-
- this->lock->write_lock(this->lock);
- this->certs->insert_last(this->certs, cert);
- this->lock->unlock(this->lock);
- return TRUE;
-}
-
-/**
- * Implementation of stroke_cred_t.load_peer.
- */
-static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
-{
- certificate_t *cert;
- char path[PATH_MAX];
-
- if (*filename == '/')
- {
- snprintf(path, sizeof(path), "%s", filename);
- }
- else
- {
- snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
- }
-
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_ANY,
- BUILD_FROM_FILE, path,
- BUILD_END);
- if (cert)
- {
- cert = add_cert(this, cert);
- DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'",
- cert->get_subject(cert), filename);
- return cert->get_ref(cert);
- }
- DBG1(DBG_CFG, " loading certificate from '%s' failed", filename);
- return NULL;
-}
-
-/**
- * load trusted certificates from a directory
- */
-static void load_certdir(private_stroke_cred_t *this, char *path,
- certificate_type_t type, x509_flag_t flag)
-{
- struct stat st;
- char *file;
-
- enumerator_t *enumerator = enumerator_create_directory(path);
-
- if (!enumerator)
- {
- DBG1(DBG_CFG, " reading directory failed");
- return;
- }
-
- while (enumerator->enumerate(enumerator, NULL, &file, &st))
- {
- certificate_t *cert;
-
- if (!S_ISREG(st.st_mode))
- {
- /* skip special file */
- continue;
- }
- switch (type)
- {
- case CERT_X509:
- if (flag & X509_CA)
- { /* for CA certificates, we strictly require
- * the CA basic constraint to be set */
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, file, BUILD_END);
- if (cert)
- {
- x509_t *x509 = (x509_t*)cert;
-
- if (!(x509->get_flags(x509) & X509_CA))
- {
- DBG1(DBG_CFG, " ca certificate \"%Y\" lacks "
- "ca basic constraint, discarded",
- cert->get_subject(cert));
- cert->destroy(cert);
- cert = NULL;
- }
- else
- {
- DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'",
- cert->get_subject(cert), file);
- }
- }
- else
- {
- DBG1(DBG_CFG, " loading ca certificate from '%s' "
- "failed", file);
- }
- }
- else
- { /* for all other flags, we add them to the certificate. */
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, file,
- BUILD_X509_FLAG, flag, BUILD_END);
- if (cert)
- {
- DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'",
- cert->get_subject(cert), file);
- }
- else
- {
- DBG1(DBG_CFG, " loading certificate from '%s' "
- "failed", file);
- }
- }
- if (cert)
- {
- add_cert(this, cert);
- }
- break;
- case CERT_X509_CRL:
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509_CRL,
- BUILD_FROM_FILE, file,
- BUILD_END);
- if (cert)
- {
- add_crl(this, (crl_t*)cert);
- DBG1(DBG_CFG, " loaded crl from '%s'", file);
- }
- else
- {
- DBG1(DBG_CFG, " loading crl from '%s' failed", file);
- }
- break;
- case CERT_X509_AC:
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509_AC,
- BUILD_FROM_FILE, file,
- BUILD_END);
- if (cert)
- {
- add_ac(this, (ac_t*)cert);
- DBG1(DBG_CFG, " loaded attribute certificate from '%s'",
- file);
- }
- else
- {
- DBG1(DBG_CFG, " loading attribute certificate from '%s' "
- "failed", file);
- }
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of credential_set_t.cache_cert.
- */
-static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
-{
- if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
- {
- /* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
- crl_t *crl = (crl_t*)cert;
-
- cert->get_ref(cert);
- if (add_crl(this, crl))
- {
- char buf[BUF_LEN];
- chunk_t chunk, hex;
-
- chunk = crl->get_authKeyIdentifier(crl);
- hex = chunk_to_hex(chunk, NULL, FALSE);
- snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
- free(hex.ptr);
-
- chunk = cert->get_encoding(cert);
- chunk_write(chunk, buf, "crl", 022, TRUE);
- free(chunk.ptr);
- }
- }
-}
-
-/**
- * Implementation of stroke_cred_t.cachecrl.
- */
-static void cachecrl(private_stroke_cred_t *this, bool enabled)
-{
- DBG1(DBG_CFG, "crl caching to %s %s",
- CRL_DIR, enabled ? "enabled" : "disabled");
- this->cachecrl = enabled;
-}
-
-
-/**
- * Convert a string of characters into a binary secret
- * A string between single or double quotes is treated as ASCII characters
- * A string prepended by 0x is treated as HEX and prepended by 0s as Base64
- */
-static err_t extract_secret(chunk_t *secret, chunk_t *line)
-{
- chunk_t raw_secret;
- char delimiter = ' ';
- bool quotes = FALSE;
-
- if (!eat_whitespace(line))
- {
- return "missing secret";
- }
-
- if (*line->ptr == '\'' || *line->ptr == '"')
- {
- quotes = TRUE;
- delimiter = *line->ptr;
- line->ptr++; line->len--;
- }
-
- if (!extract_token(&raw_secret, delimiter, line))
- {
- if (delimiter == ' ')
- {
- raw_secret = *line;
- }
- else
- {
- return "missing second delimiter";
- }
- }
-
- if (quotes)
- {
- /* treat as an ASCII string */
- *secret = chunk_clone(raw_secret);
- return NULL;
- }
- /* treat 0x as hex, 0s as base64 */
- if (raw_secret.len > 2)
- {
- if (strncasecmp("0x", raw_secret.ptr, 2) == 0)
- {
- *secret = chunk_from_hex(chunk_skip(raw_secret, 2), NULL);
- return NULL;
- }
- if (strncasecmp("0s", raw_secret.ptr, 2) == 0)
- {
- *secret = chunk_from_base64(chunk_skip(raw_secret, 2), NULL);
- return NULL;
- }
- }
- *secret = chunk_clone(raw_secret);
- return NULL;
-}
-
-/**
- * Data to pass to passphrase_cb
- */
-typedef struct {
- /** socket we use for prompting */
- FILE *prompt;
- /** private key file */
- char *file;
- /** buffer for passphrase */
- char buf[256];
-} passphrase_cb_data_t;
-
-/**
- * Passphrase callback to read from whack fd
- */
-chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
-{
- chunk_t secret = chunk_empty;;
-
- if (try > 5)
- {
- fprintf(data->prompt, "invalid passphrase, too many trials\n");
- return chunk_empty;
- }
- if (try == 1)
- {
- fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
- }
- else
- {
- fprintf(data->prompt, "invalid passphrase\n");
- }
- fprintf(data->prompt, "Passphrase:\n");
- if (fgets(data->buf, sizeof(data->buf), data->prompt))
- {
- secret = chunk_create(data->buf, strlen(data->buf));
- if (secret.len)
- { /* trim appended \n */
- secret.len--;
- }
- }
- return secret;
-}
-
-/**
- * reload ipsec.secrets
- */
-static void load_secrets(private_stroke_cred_t *this, char *file, int level,
- FILE *prompt)
-{
- size_t bytes;
- int line_nr = 0;
- chunk_t chunk, src, line;
- FILE *fd;
- private_key_t *private;
- shared_key_t *shared;
-
- DBG1(DBG_CFG, "loading secrets from '%s'", file);
-
- fd = fopen(file, "r");
- if (fd == NULL)
- {
- DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
- return;
- }
-
- /* TODO: do error checks */
- fseek(fd, 0, SEEK_END);
- chunk.len = ftell(fd);
- rewind(fd);
- chunk.ptr = malloc(chunk.len);
- bytes = fread(chunk.ptr, 1, chunk.len, fd);
- fclose(fd);
- src = chunk;
-
- if (level == 0)
- {
- this->lock->write_lock(this->lock);
-
- /* flush secrets on non-recursive invocation */
- while (this->shared->remove_last(this->shared,
- (void**)&shared) == SUCCESS)
- {
- shared->destroy(shared);
- }
- while (this->private->remove_last(this->private,
- (void**)&private) == SUCCESS)
- {
- private->destroy(private);
- }
- }
-
- while (fetchline(&src, &line))
- {
- chunk_t ids, token;
- shared_key_type_t type;
-
- line_nr++;
-
- if (!eat_whitespace(&line))
- {
- continue;
- }
- if (line.len > strlen("include ") &&
- strneq(line.ptr, "include ", strlen("include ")))
- {
- glob_t buf;
- char **expanded, *dir, pattern[PATH_MAX];
- u_char *pos;
-
- if (level > MAX_SECRETS_RECURSION)
- {
- DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
- MAX_SECRETS_RECURSION);
- continue;
- }
- /* terminate filename by space */
- line = chunk_skip(line, strlen("include "));
- pos = memchr(line.ptr, ' ', line.len);
- if (pos)
- {
- line.len = pos - line.ptr;
- }
- if (line.len && line.ptr[0] == '/')
- {
- if (line.len + 1 > sizeof(pattern))
- {
- DBG1(DBG_CFG, "include pattern too long, ignored");
- continue;
- }
- snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr);
- }
- else
- { /* use directory of current file if relative */
- dir = strdup(file);
- dir = dirname(dir);
-
- if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
- {
- DBG1(DBG_CFG, "include pattern too long, ignored");
- free(dir);
- continue;
- }
- snprintf(pattern, sizeof(pattern), "%s/%.*s",
- dir, line.len, line.ptr);
- free(dir);
- }
- if (glob(pattern, GLOB_ERR, NULL, &buf) != 0)
- {
- DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern);
- globfree(&buf);
- }
- else
- {
- for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
- {
- load_secrets(this, *expanded, level + 1, prompt);
- }
- }
- globfree(&buf);
- continue;
- }
-
- if (line.len > 2 && strneq(": ", line.ptr, 2))
- {
- /* no ids, skip the ':' */
- ids = chunk_empty;
- line.ptr++;
- line.len--;
- }
- else if (extract_token_str(&ids, " : ", &line))
- {
- /* NULL terminate the extracted id string */
- *(ids.ptr + ids.len) = '\0';
- }
- else
- {
- DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr);
- goto error;
- }
-
- if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
- {
- DBG1(DBG_CFG, "line %d: missing token", line_nr);
- goto error;
- }
- if (match("RSA", &token) || match("ECDSA", &token))
- {
- char path[PATH_MAX];
- chunk_t filename;
- chunk_t secret = chunk_empty;
- private_key_t *key = NULL;
- key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
-
- err_t ugh = extract_value(&filename, &line);
-
- if (ugh != NULL)
- {
- DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
- goto error;
- }
- if (filename.len == 0)
- {
- DBG1(DBG_CFG, "line %d: empty filename", line_nr);
- goto error;
- }
- if (*filename.ptr == '/')
- {
- /* absolute path name */
- snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
- }
- else
- {
- /* relative path name */
- snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
- filename.len, filename.ptr);
- }
-
- /* check for optional passphrase */
- if (eat_whitespace(&line))
- {
- ugh = extract_secret(&secret, &line);
- if (ugh != NULL)
- {
- DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
- goto error;
- }
- }
- if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
- {
- if (prompt)
- {
- passphrase_cb_data_t data;
-
- data.prompt = prompt;
- data.file = path;
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- key_type, BUILD_FROM_FILE, path,
- BUILD_PASSPHRASE_CALLBACK,
- passphrase_cb, &data, BUILD_END);
- }
- }
- else
- {
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
- BUILD_FROM_FILE, path,
- BUILD_PASSPHRASE, secret, BUILD_END);
- }
- if (key)
- {
- DBG1(DBG_CFG, " loaded %N private key from '%s'",
- key_type_names, key->get_type(key), path);
- this->private->insert_last(this->private, key);
- }
- else
- {
- DBG1(DBG_CFG, " loading private key from '%s' failed", path);
- }
- chunk_clear(&secret);
- }
- else if (match("PIN", &token))
- {
- chunk_t sc = chunk_empty, secret = chunk_empty;
- char smartcard[32], keyid[22], pin[32];
- private_key_t *key;
- u_int slot;
-
- err_t ugh = extract_value(&sc, &line);
-
- if (ugh != NULL)
- {
- DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
- goto error;
- }
- if (sc.len == 0)
- {
- DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
- goto error;
- }
- snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
- smartcard[sizeof(smartcard) - 1] = '\0';
-
- /* parse slot and key id. only two formats are supported.
- * first try %smartcard<slot>:<keyid> */
- if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
- {
- snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid);
- }
- /* then try %smartcard:<keyid> */
- else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
- {
- snprintf(smartcard, sizeof(smartcard), "%s", keyid);
- }
- else
- {
- DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
- " supported or invalid", line_nr);
- goto error;
- }
-
- if (!eat_whitespace(&line))
- {
- DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
- goto error;
- }
- ugh = extract_secret(&secret, &line);
- if (ugh != NULL)
- {
- DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
- goto error;
- }
- snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
- pin[sizeof(pin) - 1] = '\0';
-
- /* we assume an RSA key */
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_SMARTCARD_KEYID, smartcard,
- BUILD_SMARTCARD_PIN, pin, BUILD_END);
-
- if (key)
- {
- DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr);
- this->private->insert_last(this->private, key);
- }
- memset(pin, 0, sizeof(pin));
- chunk_clear(&secret);
- }
- else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
- (match("EAP", &token) && (type = SHARED_EAP)) ||
- (match("XAUTH", &token) && (type = SHARED_EAP)))
- {
- stroke_shared_key_t *shared_key;
- chunk_t secret = chunk_empty;
- bool any = TRUE;
-
- err_t ugh = extract_secret(&secret, &line);
- if (ugh != NULL)
- {
- DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
- goto error;
- }
- shared_key = stroke_shared_key_create(type, secret);
- DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type,
- ids.len > 0 ? (char*)ids.ptr : "%any");
- DBG4(DBG_CFG, " secret: %#B", &secret);
-
- this->shared->insert_last(this->shared, shared_key);
- while (ids.len > 0)
- {
- chunk_t id;
- identification_t *peer_id;
-
- ugh = extract_value(&id, &ids);
- if (ugh != NULL)
- {
- DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
- goto error;
- }
- if (id.len == 0)
- {
- continue;
- }
-
- /* NULL terminate the ID string */
- *(id.ptr + id.len) = '\0';
- peer_id = identification_create_from_string(id.ptr);
- if (peer_id->get_type(peer_id) == ID_ANY)
- {
- peer_id->destroy(peer_id);
- continue;
- }
-
- shared_key->add_owner(shared_key, peer_id);
- any = FALSE;
- }
- if (any)
- {
- shared_key->add_owner(shared_key,
- identification_create_from_encoding(ID_ANY, chunk_empty));
- }
- }
- else
- {
- DBG1(DBG_CFG, "line %d: token must be either "
- "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
- goto error;
- }
- }
-error:
- if (level == 0)
- {
- this->lock->unlock(this->lock);
- }
- chunk_clear(&chunk);
-}
-
-/**
- * load all certificates from ipsec.d
- */
-static void load_certs(private_stroke_cred_t *this)
-{
- DBG1(DBG_CFG, "loading ca certificates from '%s'",
- CA_CERTIFICATE_DIR);
- load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
-
- DBG1(DBG_CFG, "loading aa certificates from '%s'",
- AA_CERTIFICATE_DIR);
- load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
-
- DBG1(DBG_CFG, "loading ocsp signer certificates from '%s'",
- OCSP_CERTIFICATE_DIR);
- load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509, X509_OCSP_SIGNER);
-
- DBG1(DBG_CFG, "loading attribute certificates from '%s'",
- ATTR_CERTIFICATE_DIR);
- load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0);
-
- DBG1(DBG_CFG, "loading crls from '%s'",
- CRL_DIR);
- load_certdir(this, CRL_DIR, CERT_X509_CRL, 0);
-}
-
-/**
- * Implementation of stroke_cred_t.reread.
- */
-static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt)
-{
- if (msg->reread.flags & REREAD_SECRETS)
- {
- DBG1(DBG_CFG, "rereading secrets");
- load_secrets(this, SECRETS_FILE, 0, prompt);
- }
- if (msg->reread.flags & REREAD_CACERTS)
- {
- DBG1(DBG_CFG, "rereading ca certificates from '%s'",
- CA_CERTIFICATE_DIR);
- load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
- }
- if (msg->reread.flags & REREAD_OCSPCERTS)
- {
- DBG1(DBG_CFG, "rereading ocsp signer certificates from '%s'",
- OCSP_CERTIFICATE_DIR);
- load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509,
- X509_OCSP_SIGNER);
- }
- if (msg->reread.flags & REREAD_AACERTS)
- {
- DBG1(DBG_CFG, "rereading aa certificates from '%s'",
- AA_CERTIFICATE_DIR);
- load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
- }
- if (msg->reread.flags & REREAD_ACERTS)
- {
- DBG1(DBG_CFG, "rereading attribute certificates from '%s'",
- ATTR_CERTIFICATE_DIR);
- load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0);
- }
- if (msg->reread.flags & REREAD_CRLS)
- {
- DBG1(DBG_CFG, "rereading crls from '%s'",
- CRL_DIR);
- load_certdir(this, CRL_DIR, CERT_X509_CRL, 0);
- }
-}
-
-/**
- * Implementation of stroke_cred_t.destroy
- */
-static void destroy(private_stroke_cred_t *this)
-{
- this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
- this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
- this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
- this->lock->destroy(this->lock);
- free(this);
-}
-
-/*
- * see header file
- */
-stroke_cred_t *stroke_cred_create()
-{
- private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t);
-
- this->public.set.create_private_enumerator = (void*)create_private_enumerator;
- this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
- this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
- this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)cache_cert;
- this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread;
- this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
- this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
- this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
- this->public.destroy = (void(*)(stroke_cred_t*))destroy;
-
- this->certs = linked_list_create();
- this->shared = linked_list_create();
- this->private = linked_list_create();
- this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
- load_certs(this);
- load_secrets(this, SECRETS_FILE, 0, NULL);
-
- this->cachecrl = FALSE;
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
deleted file mode 100644
index ccee7d87c..000000000
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_cred stroke_cred
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_CRED_H_
-#define STROKE_CRED_H_
-
-#include <stdio.h>
-
-#include <stroke_msg.h>
-#include <credentials/credential_set.h>
-#include <credentials/certificates/certificate.h>
-
-typedef struct stroke_cred_t stroke_cred_t;
-
-/**
- * Stroke in-memory credential storage.
- */
-struct stroke_cred_t {
-
- /**
- * Implements credential_set_t
- */
- credential_set_t set;
-
- /**
- * Reread secrets from config files.
- *
- * @param msg stroke message
- * @param prompt I/O channel to prompt for private key passhprase
- */
- void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
-
- /**
- * Load a CA certificate, and serve it through the credential_set.
- *
- * @param filename file to load CA cert from
- * @return reference to loaded certificate, or NULL
- */
- certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
-
- /**
- * Load a peer certificate and serve it rhrough the credential_set.
- *
- * @param filename file to load peer cert from
- * @return reference to loaded certificate, or NULL
- */
- certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
-
- /**
- * Enable/Disable CRL caching to disk.
- *
- * @param enabled TRUE to enable, FALSE to disable
- */
- void (*cachecrl)(stroke_cred_t *this, bool enabled);
-
- /**
- * Destroy a stroke_cred instance.
- */
- void (*destroy)(stroke_cred_t *this);
-};
-
-/**
- * Create a stroke_cred instance.
- */
-stroke_cred_t *stroke_cred_create();
-
-#endif /** STROKE_CRED_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
deleted file mode 100644
index c2a98da33..000000000
--- a/src/charon/plugins/stroke/stroke_list.c
+++ /dev/null
@@ -1,1230 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_list.h"
-
-#include <time.h>
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/pgp_certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
-#include <config/peer_cfg.h>
-
-/* warning intervals for list functions */
-#define CERT_WARNING_INTERVAL 30 /* days */
-#define CRL_WARNING_INTERVAL 7 /* days */
-#define AC_WARNING_INTERVAL 1 /* day */
-
-typedef struct private_stroke_list_t private_stroke_list_t;
-
-/**
- * private data of stroke_list
- */
-struct private_stroke_list_t {
-
- /**
- * public functions
- */
- stroke_list_t public;
-
- /**
- * timestamp of daemon start
- */
- time_t uptime;
-
- /**
- * strokes attribute provider
- */
- stroke_attribute_t *attribute;
-};
-
-/**
- * log an IKE_SA to out
- */
-static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
-{
- ike_sa_id_t *id = ike_sa->get_id(ike_sa);
- time_t now = time_monotonic(NULL);
-
- fprintf(out, "%12s[%d]: %N",
- ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
- ike_sa_state_names, ike_sa->get_state(ike_sa));
-
- if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
- {
- time_t established;
-
- established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
- fprintf(out, " %V ago", &now, &established);
- }
-
- fprintf(out, ", %H[%Y]...%H[%Y]\n",
- ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
- ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
-
- if (all)
- {
- proposal_t *ike_proposal;
-
- ike_proposal = ike_sa->get_proposal(ike_sa);
-
- fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
- ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
- id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
- id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-
-
- if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
- {
- time_t rekey, reauth;
- peer_cfg_t *peer_cfg;
-
- rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
- reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
- peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-
- if (rekey)
- {
- fprintf(out, ", rekeying in %V", &rekey, &now);
- }
- if (reauth)
- {
- bool first = TRUE;
- enumerator_t *enumerator;
- auth_cfg_t *auth;
-
- fprintf(out, ", ");
- enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
- while (enumerator->enumerate(enumerator, &auth))
- {
- if (!first)
- {
- fprintf(out, "+");
- }
- first = FALSE;
- fprintf(out, "%N", auth_class_names,
- auth->get(auth, AUTH_RULE_AUTH_CLASS));
- }
- enumerator->destroy(enumerator);
- fprintf(out, " reauthentication in %V", &reauth, &now);
- }
- if (!rekey && !reauth)
- {
- fprintf(out, ", rekeying disabled");
- }
- }
- fprintf(out, "\n");
-
- if (ike_proposal)
- {
- char buf[BUF_LEN];
-
- snprintf(buf, BUF_LEN, "%P", ike_proposal);
- fprintf(out, "%12s[%d]: IKE proposal: %s\n",
- ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
- buf+4);
- }
- }
-}
-
-/**
- * log an CHILD_SA to out
- */
-static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
-{
- time_t use_in, use_out, rekey, now;
- u_int64_t bytes_in, bytes_out;
- proposal_t *proposal;
- child_cfg_t *config = child_sa->get_config(child_sa);
-
- fprintf(out, "%12s{%d}: %N, %N%s",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
- child_sa_state_names, child_sa->get_state(child_sa),
- ipsec_mode_names, child_sa->get_mode(child_sa),
- config->use_proxy_mode(config) ? "_PROXY" : "");
-
- if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
- {
- fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
- protocol_id_names, child_sa->get_protocol(child_sa),
- child_sa->has_encap(child_sa) ? " in UDP" : "",
- ntohl(child_sa->get_spi(child_sa, TRUE)),
- ntohl(child_sa->get_spi(child_sa, FALSE)));
-
- if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
- {
- fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
- ntohs(child_sa->get_cpi(child_sa, TRUE)),
- ntohs(child_sa->get_cpi(child_sa, FALSE)));
- }
-
- if (all)
- {
- fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa),
- child_sa->get_reqid(child_sa));
-
- proposal = child_sa->get_proposal(child_sa);
- if (proposal)
- {
- u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
- u_int16_t encr_size = 0, int_size = 0;
-
- proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
- &encr_alg, &encr_size);
- proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
- &int_alg, &int_size);
-
- if (encr_alg != ENCR_UNDEFINED)
- {
- fprintf(out, "%N", encryption_algorithm_names, encr_alg);
- if (encr_size)
- {
- fprintf(out, "_%u", encr_size);
- }
- }
- if (int_alg != AUTH_UNDEFINED)
- {
- fprintf(out, "/%N", integrity_algorithm_names, int_alg);
- if (int_size)
- {
- fprintf(out, "_%u", int_size);
- }
- }
- }
-
- now = time_monotonic(NULL);
- child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
- fprintf(out, ", %llu bytes_i", bytes_in);
- if (use_in)
- {
- fprintf(out, " (%ds ago)", now - use_in);
- }
-
- child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out);
- fprintf(out, ", %llu bytes_o", bytes_out);
- if (use_out)
- {
- fprintf(out, " (%ds ago)", now - use_out);
- }
- fprintf(out, ", rekeying ");
-
- rekey = child_sa->get_lifetime(child_sa, FALSE);
- if (rekey)
- {
- if (now > rekey)
- {
- fprintf(out, "active");
- }
- else
- {
- fprintf(out, "in %V", &now, &rekey);
- }
- }
- else
- {
- fprintf(out, "disabled");
- }
-
- }
- }
-
- fprintf(out, "\n%12s{%d}: %#R=== %#R\n",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
- child_sa->get_traffic_selectors(child_sa, TRUE),
- child_sa->get_traffic_selectors(child_sa, FALSE));
-}
-
-/**
- * Log a configs local or remote authentication config to out
- */
-static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
-{
- enumerator_t *enumerator, *rules;
- auth_rule_t rule;
- auth_cfg_t *auth;
- auth_class_t auth_class;
- identification_t *id;
- certificate_t *cert;
- cert_validation_t valid;
- char *name;
-
- name = peer_cfg->get_name(peer_cfg);
-
- enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
- while (enumerator->enumerate(enumerator, &auth))
- {
- fprintf(out, "%12s: %s [%Y] uses ", name, local ? "local: " : "remote:",
- auth->get(auth, AUTH_RULE_IDENTITY));
-
- auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
- if (auth_class != AUTH_CLASS_EAP)
- {
- fprintf(out, "%N authentication\n", auth_class_names, auth_class);
- }
- else
- {
- if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE) == EAP_NAK)
- {
- fprintf(out, "EAP authentication");
- }
- else
- {
- if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR))
- {
- fprintf(out, "EAP_%d-%d authentication",
- (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE),
- (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR));
- }
- else
- {
- fprintf(out, "%N authentication", eap_type_names,
- (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE));
- }
- }
- id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
- if (id)
- {
- fprintf(out, " with EAP identity '%Y'", id);
- }
- fprintf(out, "\n");
- }
-
- cert = auth->get(auth, AUTH_RULE_CA_CERT);
- if (cert)
- {
- fprintf(out, "%12s: ca: \"%Y\"\n", name, cert->get_subject(cert));
- }
-
- cert = auth->get(auth, AUTH_RULE_IM_CERT);
- if (cert)
- {
- fprintf(out, "%12s: im-ca: \"%Y\"\n", name, cert->get_subject(cert));
- }
-
- cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
- if (cert)
- {
- fprintf(out, "%12s: cert: \"%Y\"\n", name,
- cert->get_subject(cert));
- }
-
- valid = (uintptr_t)auth->get(auth, AUTH_RULE_OCSP_VALIDATION);
- if (valid != VALIDATION_FAILED)
- {
- fprintf(out, "%12s: ocsp: status must be GOOD%s\n", name,
- (valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
- }
-
- valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
- if (valid != VALIDATION_FAILED)
- {
- fprintf(out, "%12s: crl: status must be GOOD%s\n", name,
- (valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
- }
-
- rules = auth->create_enumerator(auth);
- while (rules->enumerate(rules, &rule, &id))
- {
- if (rule == AUTH_RULE_AC_GROUP)
- {
- fprintf(out, "%12s: group: %Y\n", name, id);
- }
- }
- rules->destroy(rules);
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of stroke_list_t.status.
- */
-static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all)
-{
- enumerator_t *enumerator, *children;
- ike_cfg_t *ike_cfg;
- child_cfg_t *child_cfg;
- child_sa_t *child_sa;
- ike_sa_t *ike_sa;
- bool first, found = FALSE;
- char *name = msg->status.name;
-
- if (all)
- {
- peer_cfg_t *peer_cfg;
- char *plugin, *pool;
- host_t *host;
- u_int32_t dpd;
- time_t since, now;
- u_int size, online, offline;
-
- now = time_monotonic(NULL);
- since = time(NULL) - (now - this->uptime);
-
- fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
- fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
- fprintf(out, " worker threads: %d idle of %d,",
- charon->processor->get_idle_threads(charon->processor),
- charon->processor->get_total_threads(charon->processor));
- fprintf(out, " job queue load: %d,",
- charon->processor->get_job_load(charon->processor));
- fprintf(out, " scheduled events: %d\n",
- charon->scheduler->get_job_load(charon->scheduler));
- fprintf(out, " loaded plugins: ");
- enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
- while (enumerator->enumerate(enumerator, &plugin))
- {
- fprintf(out, "%s ", plugin);
- }
- enumerator->destroy(enumerator);
- fprintf(out, "\n");
-
- first = TRUE;
- enumerator = this->attribute->create_pool_enumerator(this->attribute);
- while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
- {
- if (name && !streq(name, pool))
- {
- continue;
- }
- if (first)
- {
- first = FALSE;
- fprintf(out, "Virtual IP pools (size/online/offline):\n");
- }
- fprintf(out, " %s: %u/%u/%u\n", pool, size, online, offline);
- }
- enumerator->destroy(enumerator);
-
- enumerator = charon->kernel_interface->create_address_enumerator(
- charon->kernel_interface, FALSE, FALSE);
- fprintf(out, "Listening IP addresses:\n");
- while (enumerator->enumerate(enumerator, (void**)&host))
- {
- fprintf(out, " %H\n", host);
- }
- enumerator->destroy(enumerator);
-
- fprintf(out, "Connections:\n");
- enumerator = charon->backends->create_peer_cfg_enumerator(
- charon->backends, NULL, NULL, NULL, NULL);
- while (enumerator->enumerate(enumerator, &peer_cfg))
- {
- if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
- (name && !streq(name, peer_cfg->get_name(peer_cfg))))
- {
- continue;
- }
-
- ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
- fprintf(out, "%12s: %s...%s", peer_cfg->get_name(peer_cfg),
- ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
-
- dpd = peer_cfg->get_dpd(peer_cfg);
- if (dpd)
- {
- fprintf(out, ", dpddelay=%us", dpd);
- }
- fprintf(out, "\n");
-
- log_auth_cfgs(out, peer_cfg, TRUE);
- log_auth_cfgs(out, peer_cfg, FALSE);
-
- children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
- while (children->enumerate(children, &child_cfg))
- {
- linked_list_t *my_ts, *other_ts;
-
- my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
- other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
- fprintf(out, "%12s: child: %#R=== %#R", child_cfg->get_name(child_cfg),
- my_ts, other_ts);
- my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
- other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-
- if (dpd)
- {
- fprintf(out, ", dpdaction=%N", action_names,
- child_cfg->get_dpd_action(child_cfg));
- }
- fprintf(out, "\n");
- }
- children->destroy(children);
- }
- enumerator->destroy(enumerator);
- }
-
- first = TRUE;
- enumerator = charon->traps->create_enumerator(charon->traps);
- while (enumerator->enumerate(enumerator, NULL, &child_sa))
- {
- if (first)
- {
- fprintf(out, "Routed Connections:\n");
- first = FALSE;
- }
- log_child_sa(out, child_sa, all);
- }
- enumerator->destroy(enumerator);
-
- fprintf(out, "Security Associations:\n");
- enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
- while (enumerator->enumerate(enumerator, &ike_sa))
- {
- bool ike_printed = FALSE;
- iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
-
- if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
- {
- log_ike_sa(out, ike_sa, all);
- found = TRUE;
- ike_printed = TRUE;
- }
-
- while (children->iterate(children, (void**)&child_sa))
- {
- if (name == NULL || streq(name, child_sa->get_name(child_sa)))
- {
- if (!ike_printed)
- {
- log_ike_sa(out, ike_sa, all);
- found = TRUE;
- ike_printed = TRUE;
- }
- log_child_sa(out, child_sa, all);
- }
- }
- children->destroy(children);
- }
- enumerator->destroy(enumerator);
-
- if (!found)
- {
- if (name)
- {
- fprintf(out, " no match\n");
- }
- else
- {
- fprintf(out, " none\n");
- }
- }
-}
-
-/**
- * create a unique certificate list without duplicates
- * certicates having the same issuer are grouped together.
- */ -static linked_list_t* create_unique_cert_list(certificate_type_t type) -{ - linked_list_t *list = linked_list_create(); - enumerator_t *enumerator = charon->credentials->create_cert_enumerator( - charon->credentials, type, KEY_ANY, - NULL, FALSE); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - iterator_t *iterator = list->create_iterator(list, TRUE); - identification_t *issuer = cert->get_issuer(cert); - bool previous_same, same = FALSE, last = TRUE; - certificate_t *list_cert; - - while (iterator->iterate(iterator, (void**)&list_cert)) - { - /* exit if we have a duplicate? */ - if (list_cert->equals(list_cert, cert)) - { - last = FALSE; - break; - } - /* group certificates with same issuer */ - previous_same = same; - same = list_cert->has_issuer(list_cert, issuer); - if (previous_same && !same) - { - iterator->insert_before(iterator, (void *)cert->get_ref(cert)); - last = FALSE; - break; - } - } - iterator->destroy(iterator); - - if (last) - { - list->insert_last(list, (void *)cert->get_ref(cert)); - } - } - enumerator->destroy(enumerator); - return list; -} - -/** - * Print a single public key. - */ -static void list_public_key(public_key_t *public, FILE *out) -{ - private_key_t *private = NULL; - chunk_t keyid; - identification_t *id; - auth_cfg_t *auth; - - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) - { - id = identification_create_from_encoding(ID_KEY_ID, keyid); - auth = auth_cfg_create(); - private = charon->credentials->get_private(charon->credentials, - public->get_type(public), id, auth); - auth->destroy(auth); - id->destroy(id); - } - - fprintf(out, " pubkey: %N %d bits%s\n", - key_type_names, public->get_type(public), - public->get_keysize(public) * 8, - private ? 
", has private key" : ""); - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) - { - fprintf(out, " keyid: %#B\n", &keyid); - } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) - { - fprintf(out, " subjkey: %#B\n", &keyid); - } - DESTROY_IF(private); -} - -/** - * list all raw public keys - */ -static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) -{ - bool first = TRUE; - - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - public_key_t *public = cert->get_public_key(cert); - - if (public) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of Raw Public Keys:\n"); - first = FALSE; - } - fprintf(out, "\n"); - - list_public_key(public, out); - public->destroy(public); - } - } - enumerator->destroy(enumerator); -} - -/** - * list OpenPGP certificates - */ -static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out) -{ - bool first = TRUE; - time_t now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - time_t created, until; - public_key_t *public; - pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert; - chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert); - - if (first) - { - - fprintf(out, "\n"); - fprintf(out, "List of PGP End Entity Certificates:\n"); - first = FALSE; - } - fprintf(out, "\n"); - fprintf(out, " userid: '%Y'\n", cert->get_subject(cert)); - - fprintf(out, " digest: %#B\n", &fingerprint); - - /* list validity */ - cert->get_validity(cert, &now, &created, &until); - fprintf(out, " created: %T\n", &created, utc); - fprintf(out, " until: %T%s\n", &until, utc, - (until == TIME_32_BIT_SIGNED_MAX) ? 
" (expires never)":""); - - public = cert->get_public_key(cert); - if (public) - { - list_public_key(public, out); - public->destroy(public); - } - } - enumerator->destroy(enumerator); -} - -/** - * list all X.509 certificates matching the flags - */ -static void stroke_list_certs(linked_list_t *list, char *label, - x509_flag_t flags, bool utc, FILE *out) -{ - bool first = TRUE; - time_t now = time(NULL); - enumerator_t *enumerator; - certificate_t *cert; - x509_flag_t flag_mask; - - /* mask all auxiliary flags */ - flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | - X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS ); - - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - x509_t *x509 = (x509_t*)cert; - x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask; - - /* list only if flag is set or flag == 0 */ - if ((x509_flags & flags) || (x509_flags == flags)) - { - enumerator_t *enumerator; - identification_t *altName; - bool first_altName = TRUE; - int pathlen; - chunk_t serial, authkey; - time_t notBefore, notAfter; - public_key_t *public; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of %s:\n", label); - first = FALSE; - } - fprintf(out, "\n"); - - /* list subjectAltNames */ - enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, (void**)&altName)) - { - if (first_altName) - { - fprintf(out, " altNames: "); - first_altName = FALSE; - } - else - { - fprintf(out, ", "); - } - fprintf(out, "%Y", altName); - } - if (!first_altName) - { - fprintf(out, "\n"); - } - enumerator->destroy(enumerator); - - fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert)); - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - serial = x509->get_serial(x509); - fprintf(out, " serial: %#B\n", &serial); - - /* list validity */ - cert->get_validity(cert, &now, ¬Before, ¬After); - fprintf(out, " validity: not before %T, ", ¬Before, utc); - if (now < notBefore) - 
{ - fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(out, "ok\n"); - } - fprintf(out, " not after %T, ", ¬After, utc); - if (now > notAfter) - { - fprintf(out, "expired (%V ago)\n", &now, ¬After); - } - else - { - fprintf(out, "ok"); - if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, ¬After); - } - fprintf(out, " \n"); - } - - public = cert->get_public_key(cert); - if (public) - { - list_public_key(public, out); - public->destroy(public); - } - - /* list optional authorityKeyIdentifier */ - authkey = x509->get_authKeyIdentifier(x509); - if (authkey.ptr) - { - fprintf(out, " authkey: %#B\n", &authkey); - } - - /* list optional pathLenConstraint */ - pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) - { - fprintf(out, " pathlen: %d\n", pathlen); - } - - /* list optional ipAddrBlocks */ - if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) - { - traffic_selector_t *ipAddrBlock; - bool first_ipAddrBlock = TRUE; - - fprintf(out, " addresses: "); - enumerator = x509->create_ipAddrBlock_enumerator(x509); - while (enumerator->enumerate(enumerator, &ipAddrBlock)) - { - if (first_ipAddrBlock) - { - first_ipAddrBlock = FALSE; - } - else - { - fprintf(out, ", "); - } - fprintf(out, "%R", ipAddrBlock); - } - enumerator->destroy(enumerator); - fprintf(out, "\n"); - } - } - } - enumerator->destroy(enumerator); -} - -/** - * list all X.509 attribute certificates - */ -static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) -{ - bool first = TRUE; - time_t thisUpdate, nextUpdate, now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - ac_t *ac = (ac_t*)cert; - identification_t *id; - ietf_attributes_t *groups; - chunk_t chunk; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 Attribute Certificates:\n"); - 
first = FALSE; - } - fprintf(out, "\n"); - - id = cert->get_subject(cert); - if (id) - { - fprintf(out, " holder: \"%Y\"\n", id); - } - id = ac->get_holderIssuer(ac); - if (id) - { - fprintf(out, " hissuer: \"%Y\"\n", id); - } - chunk = ac->get_holderSerial(ac); - if (chunk.ptr) - { - fprintf(out, " hserial: %#B\n", &chunk); - } - groups = ac->get_groups(ac); - if (groups) - { - fprintf(out, " groups: %s\n", groups->get_string(groups)); - groups->destroy(groups); - } - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - chunk = ac->get_serial(ac); - fprintf(out, " serial: %#B\n", &chunk); - - /* list validity */ - cert->get_validity(cert, &now, &thisUpdate, &nextUpdate); - fprintf(out, " updates: this %T\n", &thisUpdate, utc); - fprintf(out, " next %T, ", &nextUpdate, utc); - if (now > nextUpdate) - { - fprintf(out, "expired (%V ago)\n", &now, &nextUpdate); - } - else - { - fprintf(out, "ok"); - if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, &nextUpdate); - } - fprintf(out, " \n"); - } - - /* list optional authorityKeyIdentifier */ - chunk = ac->get_authKeyIdentifier(ac); - if (chunk.ptr) - { - fprintf(out, " authkey: %#B\n", &chunk); - } - } - enumerator->destroy(enumerator); -} - -/** - * list all X.509 CRLs - */ -static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) -{ - bool first = TRUE; - time_t thisUpdate, nextUpdate, now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - crl_t *crl = (crl_t*)cert; - chunk_t chunk; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 CRLs:\n"); - first = FALSE; - } - fprintf(out, "\n"); - - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - - /* list optional crlNumber */ - chunk = crl->get_serial(crl); - if (chunk.ptr) - { - fprintf(out, " serial: %#B\n", &chunk); - } - - /* count the number of revoked 
certificates */ - { - int count = 0; - enumerator_t *enumerator = crl->create_enumerator(crl); - - while (enumerator->enumerate(enumerator, NULL, NULL, NULL)) - { - count++; - } - fprintf(out, " revoked: %d certificate%s\n", count, - (count == 1)? "" : "s"); - enumerator->destroy(enumerator); - } - - /* list validity */ - cert->get_validity(cert, &now, &thisUpdate, &nextUpdate); - fprintf(out, " updates: this %T\n", &thisUpdate, utc); - fprintf(out, " next %T, ", &nextUpdate, utc); - if (now > nextUpdate) - { - fprintf(out, "expired (%V ago)\n", &now, &nextUpdate); - } - else - { - fprintf(out, "ok"); - if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, &nextUpdate); - } - fprintf(out, " \n"); - } - - /* list optional authorityKeyIdentifier */ - chunk = crl->get_authKeyIdentifier(crl); - if (chunk.ptr) - { - fprintf(out, " authkey: %#B\n", &chunk); - } - } - enumerator->destroy(enumerator); -} - -/** - * list all OCSP responses - */ -static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) -{ - bool first = TRUE; - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of OCSP responses:\n"); - fprintf(out, "\n"); - first = FALSE; - } - - fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); - } - enumerator->destroy(enumerator); -} - -/** - * List of registered cryptographical algorithms - */ -static void list_algs(FILE *out) -{ - enumerator_t *enumerator; - encryption_algorithm_t encryption; - integrity_algorithm_t integrity; - hash_algorithm_t hash; - pseudo_random_function_t prf; - diffie_hellman_group_t group; - - fprintf(out, "\n"); - fprintf(out, "List of registered IKEv2 Algorithms:\n"); - fprintf(out, "\n encryption: "); - enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, 
&encryption)) - { - fprintf(out, "%N ", encryption_algorithm_names, encryption); - } - enumerator->destroy(enumerator); - fprintf(out, "\n integrity: "); - enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity)) - { - fprintf(out, "%N ", integrity_algorithm_names, integrity); - } - enumerator->destroy(enumerator); - fprintf(out, "\n hasher: "); - enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &hash)) - { - fprintf(out, "%N ", hash_algorithm_names, hash); - } - enumerator->destroy(enumerator); - fprintf(out, "\n prf: "); - enumerator = lib->crypto->create_prf_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &prf)) - { - fprintf(out, "%N ", pseudo_random_function_names, prf); - } - enumerator->destroy(enumerator); - fprintf(out, "\n dh-group: "); - enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group)) - { - fprintf(out, "%N ", diffie_hellman_group_names, group); - } - enumerator->destroy(enumerator); - fprintf(out, "\n"); -} - -/** - * Implementation of stroke_list_t.list. 
- */ -static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) -{ - linked_list_t *cert_list = NULL; - - if (msg->list.flags & LIST_PUBKEYS) - { - linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY); - - stroke_list_pubkeys(pubkey_list, msg->list.utc, out); - pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); - } - if (msg->list.flags & LIST_CERTS) - { - linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG); - - stroke_list_pgp(pgp_list, msg->list.utc, out); - pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy)); - } - if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS)) - { - cert_list = create_unique_cert_list(CERT_X509); - } - if (msg->list.flags & LIST_CERTS) - { - stroke_list_certs(cert_list, "X.509 End Entity Certificates", - X509_NONE, msg->list.utc, out); - } - if (msg->list.flags & LIST_CACERTS) - { - stroke_list_certs(cert_list, "X.509 CA Certificates", - X509_CA, msg->list.utc, out); - } - if (msg->list.flags & LIST_OCSPCERTS) - { - stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates", - X509_OCSP_SIGNER, msg->list.utc, out); - } - if (msg->list.flags & LIST_AACERTS) - { - stroke_list_certs(cert_list, "X.509 AA Certificates", - X509_AA, msg->list.utc, out); - } - DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy)); - - if (msg->list.flags & LIST_ACERTS) - { - linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC); - - stroke_list_acerts(ac_list, msg->list.utc, out); - ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); - } - if (msg->list.flags & LIST_CRLS) - { - linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL); - - stroke_list_crls(crl_list, msg->list.utc, out); - crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); - } - if (msg->list.flags & LIST_OCSP) - { - linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE); - - 
stroke_list_ocsp(ocsp_list, msg->list.utc, out); - - ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); - } - if (msg->list.flags & LIST_ALGS) - { - list_algs(out); - } -} - -/** - * Print leases of a single pool - */ -static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, - host_t *address, u_int size, u_int online, u_int offline) -{ - enumerator_t *enumerator; - identification_t *id; - host_t *lease; - bool on; - int found = 0; - - fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n", - pool, online + offline, size, online); - enumerator = this->attribute->create_lease_enumerator(this->attribute, pool); - while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on)) - { - if (!address || address->ip_equals(address, lease)) - { - fprintf(out, " %15H %s '%Y'\n", - lease, on ? "online" : "offline", id); - found++; - } - } - enumerator->destroy(enumerator); - if (!found) - { - fprintf(out, " no matching leases found\n"); - } -} - -/** - * Implementation of stroke_list_t.leases - */ -static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) -{ - enumerator_t *enumerator; - u_int size, offline, online; - host_t *address = NULL; - char *pool; - int found = 0; - - if (msg->leases.address) - { - address = host_create_from_string(msg->leases.address, 0); - } - - enumerator = this->attribute->create_pool_enumerator(this->attribute); - while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline)) - { - if (!msg->leases.pool || streq(msg->leases.pool, pool)) - { - pool_leases(this, out, pool, address, size, online, offline); - found++; - } - } - enumerator->destroy(enumerator); - if (!found) - { - if (msg->leases.pool) - { - fprintf(out, "pool '%s' not found\n", msg->leases.pool); - } - else - { - fprintf(out, "no pools found\n"); - } - } - DESTROY_IF(address); -} - -/** - * Implementation of stroke_list_t.destroy - */ -static void destroy(private_stroke_list_t *this) -{ - 
free(this); -} - -/* - * see header file - */ -stroke_list_t *stroke_list_create(stroke_attribute_t *attribute) -{ - private_stroke_list_t *this = malloc_thing(private_stroke_list_t); - - this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list; - this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status; - this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases; - this->public.destroy = (void(*)(stroke_list_t*))destroy; - - this->uptime = time_monotonic(NULL); - this->attribute = attribute; - - return &this->public; -} - diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h deleted file mode 100644 index b5bedc6c2..000000000 --- a/src/charon/plugins/stroke/stroke_list.h +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_list stroke_list
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_LIST_H_
-#define STROKE_LIST_H_
-
-#include "stroke_attribute.h"
-
-#include <stroke_msg.h>
-#include <library.h>
-
-typedef struct stroke_list_t stroke_list_t;
-
-/**
- * Log status information to stroke console
- */
-struct stroke_list_t {
-
- /**
- * List certificate information to stroke console.
- *
- * @param msg stroke message
- * @param out stroke console stream
- */
- void (*list)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Log status information to stroke console.
- *
- * @param msg stroke message
- * @param out stroke console stream
- * @param all TRUE for "statusall"
- */
- void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all);
-
- /**
- * Log pool leases to stroke console.
- *
- * @param msg stroke message
- * @param out stroke console stream
- */
- void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-
- /**
- * Destroy a stroke_list instance.
- */
- void (*destroy)(stroke_list_t *this);
-};
-
-/**
- * Create a stroke_list instance.
- *
- * @param attribute strokes attribute provider
- */
-stroke_list_t *stroke_list_create(stroke_attribute_t *attribute);
-
-#endif /** STROKE_LIST_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_plugin.c b/src/charon/plugins/stroke/stroke_plugin.c
deleted file mode 100644
index 61ae10953..000000000
--- a/src/charon/plugins/stroke/stroke_plugin.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_plugin.h"
-
-#include <library.h>
-#include "stroke_socket.h"
-
-typedef struct private_stroke_plugin_t private_stroke_plugin_t;
-
-/**
- * private data of stroke_plugin
- */
-struct private_stroke_plugin_t {
-
- /**
- * public functions
- */
- stroke_plugin_t public;
-
- /**
- * stroke socket, receives strokes
- */
- stroke_socket_t *socket;
-};
-
-/**
- * Implementation of stroke_plugin_t.destroy
- */
-static void destroy(private_stroke_plugin_t *this)
-{
- this->socket->destroy(this->socket);
- free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
- private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
- this->socket = stroke_socket_create();
- if (this->socket == NULL)
- {
- free(this);
- return NULL;
- }
- return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h
deleted file mode 100644
index 3a1e81df6..000000000
--- a/src/charon/plugins/stroke/stroke_plugin.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke stroke
- * @ingroup cplugins
- *
- * @defgroup stroke_plugin stroke_plugin
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_PLUGIN_H_
-#define STROKE_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct stroke_plugin_t stroke_plugin_t;
-
-/**
- * strongSwan 2.x style configuration and control interface.
- *
- * Stroke is a home-brewed communication interface inspired by whack. It
- * uses a unix socket (/var/run/charon.ctl).
- */
-struct stroke_plugin_t {
-
- /**
- * implements plugin interface
- */
- plugin_t plugin;
-};
-
-/**
- * Instanciate stroke plugin.
- */
-plugin_t *plugin_create();
-
-#endif /** STROKE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_shared_key.c b/src/charon/plugins/stroke/stroke_shared_key.c
deleted file mode 100644
index 4f716e83a..000000000
--- a/src/charon/plugins/stroke/stroke_shared_key.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "stroke_shared_key.h"
-
-#include <utils/linked_list.h>
-
-typedef struct private_stroke_shared_key_t private_stroke_shared_key_t;
-
-/**
- * private data of shared_key
- */
-struct private_stroke_shared_key_t {
-
- /**
- * implements shared_key_t
- */
- stroke_shared_key_t public;
-
- /**
- * type of this key
- */
- shared_key_type_t type;
-
- /**
- * data of the key
- */
- chunk_t key;
-
- /**
- * list of key owners, as identification_t
- */
- linked_list_t *owners;
-
- /**
- * reference counter
- */
- refcount_t ref;
-};
-
-/**
- * Implementation of shared_key_t.get_type.
- */
-static shared_key_type_t get_type(private_stroke_shared_key_t *this)
-{
- return this->type;
-}
-
-/**
- * Implementation of shared_key_t.get_ref.
- */
-static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
-{
- ref_get(&this->ref);
- return this;
-}
-
-/**
- * Implementation of shared_key_t.get_key.
- */
-static chunk_t get_key(private_stroke_shared_key_t *this)
-{
- return this->key;
-}
-
-/**
- * Implementation of stroke_shared_key_t.has_owner.
- */
-static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t *owner)
-{
- enumerator_t *enumerator;
- id_match_t match, best = ID_MATCH_NONE;
- identification_t *current;
-
- enumerator = this->owners->create_enumerator(this->owners);
- while (enumerator->enumerate(enumerator, ¤t))
- {
- match = owner->matches(owner, current);
- if (match > best)
- {
- best = match;
- }
- }
- enumerator->destroy(enumerator);
- return best;
-}
-/**
- * Implementation of stroke_shared_key_t.add_owner.
- */
-static void add_owner(private_stroke_shared_key_t *this, identification_t *owner)
-{
- this->owners->insert_last(this->owners, owner);
-}
-
-/**
- * Implementation of stroke_shared_key_t.destroy
- */
-static void destroy(private_stroke_shared_key_t *this)
-{
- if (ref_put(&this->ref))
- {
- this->owners->destroy_offset(this->owners, offsetof(identification_t, destroy));
- chunk_free(&this->key);
- free(this);
- }
-}
-
-/**
- * create a shared key
- */
-stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key)
-{
- private_stroke_shared_key_t *this = malloc_thing(private_stroke_shared_key_t);
-
- this->public.shared.get_type = (shared_key_type_t(*)(shared_key_t*))get_type;
- this->public.shared.get_key = (chunk_t(*)(shared_key_t*))get_key;
- this->public.shared.get_ref = (shared_key_t*(*)(shared_key_t*))get_ref;
- this->public.shared.destroy = (void(*)(shared_key_t*))destroy;
- this->public.add_owner = (void(*)(stroke_shared_key_t*, identification_t *owner))add_owner;
- this->public.has_owner = (id_match_t(*)(stroke_shared_key_t*, identification_t *owner))has_owner;
-
- this->owners = linked_list_create();
- this->type = type;
- this->key = key;
- this->ref = 1;
-
- return &this->public;
-}
diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h
deleted file mode 100644
index 05ad55083..000000000
--- a/src/charon/plugins/stroke/stroke_shared_key.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_shared_key stroke_shared_key
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_SHARED_KEY_H_
-#define STROKE_SHARED_KEY_H_
-
-#include <utils/identification.h>
-#include <credentials/keys/shared_key.h>
-
-typedef struct stroke_shared_key_t stroke_shared_key_t;
-
-/**
- * Shared key implementation for keys read from ipsec.secrets
- */
-struct stroke_shared_key_t {
-
- /**
- * Implements the shared_key_t interface.
- */
- shared_key_t shared;
-
- /**
- * Add an owner to the key.
- *
- * @param owner owner to add
- */
- void (*add_owner)(stroke_shared_key_t *this, identification_t *owner);
-
- /**
- * Check if a key has a specific owner.
- *
- * @param owner owner to check
- * @return best match found
- */
- id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
-};
-
-/**
- * Create a stroke_shared_key instance.
- */
-stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key);
-
-#endif /** STROKE_SHARED_KEY_H_ @}*/
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
deleted file mode 100644
index 820e097f1..000000000
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ /dev/null
@@ -1,670 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "stroke_socket.h" - -#include <stdlib.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <sys/un.h> -#include <sys/fcntl.h> -#include <unistd.h> -#include <errno.h> - -#include <processing/jobs/callback_job.h> -#include <daemon.h> -#include <threading/thread.h> - -#include "stroke_config.h" -#include "stroke_control.h" -#include "stroke_cred.h" -#include "stroke_ca.h" -#include "stroke_attribute.h" -#include "stroke_list.h" - -typedef struct stroke_job_context_t stroke_job_context_t; -typedef struct private_stroke_socket_t private_stroke_socket_t; - -/** - * private data of stroke_socket - */ -struct private_stroke_socket_t { - - /** - * public functions - */ - stroke_socket_t public; - - /** - * Unix socket to listen for strokes - */ - int socket; - - /** - * job accepting stroke messages - */ - callback_job_t *job; - - /** - * configuration backend - */ - stroke_config_t *config; - - /** - * attribute provider - */ - stroke_attribute_t *attribute; - - /** - * controller to control daemon - */ - stroke_control_t *control; - - /** - * credential set - */ - stroke_cred_t *cred; - - /** - * CA sections - */ - stroke_ca_t *ca; - - /** - * Status information logging - */ - stroke_list_t *list; -}; - -/** - * job context to pass to processing thread - */ -struct 
stroke_job_context_t { - - /** - * file descriptor to read from - */ - int fd; - - /** - * global stroke interface - */ - private_stroke_socket_t *this; -}; - -/** - * Helper function which corrects the string pointers - * in a stroke_msg_t. Strings in a stroke_msg sent over "wire" - * contains RELATIVE addresses (relative to the beginning of the - * stroke_msg). They must be corrected if they reach our address - * space... - */ -static void pop_string(stroke_msg_t *msg, char **string) -{ - if (*string == NULL) - { - return; - } - - /* check for sanity of string pointer and string */ - if (string < (char**)msg || - string > (char**)msg + sizeof(stroke_msg_t) || - (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) || - (unsigned long)*string > msg->length) - { - *string = "(invalid pointer in stroke msg)"; - } - else - { - *string = (char*)msg + (unsigned long)*string; - } -} - -/** - * Pop the strings of a stroke_end_t struct and log them for debugging purposes - */ -static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end) -{ - pop_string(msg, &end->address); - pop_string(msg, &end->subnets); - pop_string(msg, &end->sourceip); - pop_string(msg, &end->auth); - pop_string(msg, &end->auth2); - pop_string(msg, &end->id); - pop_string(msg, &end->id2); - pop_string(msg, &end->cert); - pop_string(msg, &end->cert2); - pop_string(msg, &end->ca); - pop_string(msg, &end->ca2); - pop_string(msg, &end->groups); - pop_string(msg, &end->updown); - - DBG2(DBG_CFG, " %s=%s", label, end->address); - DBG2(DBG_CFG, " %ssubnet=%s", label, end->subnets); - DBG2(DBG_CFG, " %ssourceip=%s", label, end->sourceip); - DBG2(DBG_CFG, " %sauth=%s", label, end->auth); - DBG2(DBG_CFG, " %sauth2=%s", label, end->auth2); - DBG2(DBG_CFG, " %sid=%s", label, end->id); - DBG2(DBG_CFG, " %sid2=%s", label, end->id2); - DBG2(DBG_CFG, " %scert=%s", label, end->cert); - DBG2(DBG_CFG, " %scert2=%s", label, end->cert2); - DBG2(DBG_CFG, " %sca=%s", label, end->ca); - 
DBG2(DBG_CFG, " %sca2=%s", label, end->ca2); - DBG2(DBG_CFG, " %sgroups=%s", label, end->groups); - DBG2(DBG_CFG, " %supdown=%s", label, end->updown); -} - -/** - * Add a connection to the configuration list - */ -static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg) -{ - pop_string(msg, &msg->add_conn.name); - DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name); - - DBG2(DBG_CFG, "conn %s", msg->add_conn.name); - pop_end(msg, "left", &msg->add_conn.me); - pop_end(msg, "right", &msg->add_conn.other); - pop_string(msg, &msg->add_conn.eap_identity); - pop_string(msg, &msg->add_conn.algorithms.ike); - pop_string(msg, &msg->add_conn.algorithms.esp); - pop_string(msg, &msg->add_conn.ikeme.mediated_by); - pop_string(msg, &msg->add_conn.ikeme.peerid); - DBG2(DBG_CFG, " eap_identity=%s", msg->add_conn.eap_identity); - DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); - DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); - DBG2(DBG_CFG, " mediation=%s", msg->add_conn.ikeme.mediation ? 
"yes" : "no"); - DBG2(DBG_CFG, " mediated_by=%s", msg->add_conn.ikeme.mediated_by); - DBG2(DBG_CFG, " me_peerid=%s", msg->add_conn.ikeme.peerid); - - this->config->add(this->config, msg); - this->attribute->add_pool(this->attribute, msg); -} - -/** - * Delete a connection from the list - */ -static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg) -{ - pop_string(msg, &msg->del_conn.name); - DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name); - - this->config->del(this->config, msg); - this->attribute->del_pool(this->attribute, msg); -} - -/** - * initiate a connection by name - */ -static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->initiate.name); - DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name); - - this->control->initiate(this->control, msg, out); -} - -/** - * terminate a connection by name - */ -static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->terminate.name); - DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name); - - this->control->terminate(this->control, msg, out); -} - -/** - * terminate a connection by peers virtual IP - */ -static void stroke_terminate_srcip(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->terminate_srcip.start); - pop_string(msg, &msg->terminate_srcip.end); - DBG1(DBG_CFG, "received stroke: terminate-srcip %s-%s", - msg->terminate_srcip.start, msg->terminate_srcip.end); - - this->control->terminate_srcip(this->control, msg, out); -} - -/** - * route a policy (install SPD entries) - */ -static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->route.name); - DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name); - - this->control->route(this->control, msg, out); -} - -/** - * unroute a policy - */ -static void 
stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->terminate.name); - DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name); - - this->control->unroute(this->control, msg, out); -} - -/** - * Add a ca information record to the cainfo list - */ -static void stroke_add_ca(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->add_ca.name); - DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name); - - pop_string(msg, &msg->add_ca.cacert); - pop_string(msg, &msg->add_ca.crluri); - pop_string(msg, &msg->add_ca.crluri2); - pop_string(msg, &msg->add_ca.ocspuri); - pop_string(msg, &msg->add_ca.ocspuri2); - pop_string(msg, &msg->add_ca.certuribase); - DBG2(DBG_CFG, "ca %s", msg->add_ca.name); - DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert); - DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri); - DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2); - DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri); - DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2); - DBG2(DBG_CFG, " certuribase=%s", msg->add_ca.certuribase); - - this->ca->add(this->ca, msg); -} - -/** - * Delete a ca information record from the cainfo list - */ -static void stroke_del_ca(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->del_ca.name); - DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name); - - this->ca->del(this->ca, msg); -} - - -/** - * show status of daemon - */ -static void stroke_status(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out, bool all) -{ - pop_string(msg, &(msg->status.name)); - - this->list->status(this->list, msg, out, all); -} - -/** - * list various information - */ -static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) -{ - if (msg->list.flags & LIST_CAINFOS) - { - this->ca->list(this->ca, msg, out); - } - this->list->list(this->list, msg, out); -} - -/** - * reread various information 
- */ -static void stroke_reread(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - this->cred->reread(this->cred, msg, out); -} - -/** - * purge various information - */ -static void stroke_purge(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - if (msg->purge.flags & PURGE_OCSP) - { - charon->credentials->flush_cache(charon->credentials, - CERT_X509_OCSP_RESPONSE); - } - if (msg->purge.flags & PURGE_IKE) - { - this->control->purge_ike(this->control, msg, out); - } -} - -/** - * list pool leases - */ -static void stroke_leases(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - pop_string(msg, &msg->leases.pool); - pop_string(msg, &msg->leases.address); - - this->list->leases(this->list, msg, out); -} - -debug_t get_group_from_name(char *type) -{ - if (strcaseeq(type, "any")) return DBG_ANY; - else if (strcaseeq(type, "mgr")) return DBG_MGR; - else if (strcaseeq(type, "ike")) return DBG_IKE; - else if (strcaseeq(type, "chd")) return DBG_CHD; - else if (strcaseeq(type, "job")) return DBG_JOB; - else if (strcaseeq(type, "cfg")) return DBG_CFG; - else if (strcaseeq(type, "knl")) return DBG_KNL; - else if (strcaseeq(type, "net")) return DBG_NET; - else if (strcaseeq(type, "enc")) return DBG_ENC; - else if (strcaseeq(type, "lib")) return DBG_LIB; - else return -1; -} - -/** - * set the verbosity debug output - */ -static void stroke_loglevel(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - enumerator_t *enumerator; - sys_logger_t *sys_logger; - file_logger_t *file_logger; - debug_t group; - - pop_string(msg, &(msg->loglevel.type)); - DBG1(DBG_CFG, "received stroke: loglevel %d for %s", - msg->loglevel.level, msg->loglevel.type); - - group = get_group_from_name(msg->loglevel.type); - if (group < 0) - { - fprintf(out, "invalid type (%s)!\n", msg->loglevel.type); - return; - } - /* we set the loglevel on ALL sys- and file-loggers */ - enumerator = 
charon->sys_loggers->create_enumerator(charon->sys_loggers); - while (enumerator->enumerate(enumerator, &sys_logger)) - { - sys_logger->set_level(sys_logger, group, msg->loglevel.level); - } - enumerator->destroy(enumerator); - enumerator = charon->file_loggers->create_enumerator(charon->file_loggers); - while (enumerator->enumerate(enumerator, &file_logger)) - { - file_logger->set_level(file_logger, group, msg->loglevel.level); - } - enumerator->destroy(enumerator); -} - -/** - * set various config options - */ -static void stroke_config(private_stroke_socket_t *this, - stroke_msg_t *msg, FILE *out) -{ - this->cred->cachecrl(this->cred, msg->config.cachecrl); -} - -/** - * destroy a job context - */ -static void stroke_job_context_destroy(stroke_job_context_t *this) -{ - if (this->fd) - { - close(this->fd); - } - free(this); -} - -/** - * process a stroke request from the socket pointed by "fd" - */ -static job_requeue_t process(stroke_job_context_t *ctx) -{ - stroke_msg_t *msg; - u_int16_t msg_length; - ssize_t bytes_read; - FILE *out; - private_stroke_socket_t *this = ctx->this; - int strokefd = ctx->fd; - - /* peek the length */ - bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK); - if (bytes_read != sizeof(msg_length)) - { - DBG1(DBG_CFG, "reading length of stroke message failed: %s", - strerror(errno)); - return JOB_REQUEUE_NONE; - } - - /* read message */ - msg = alloca(msg_length); - bytes_read = recv(strokefd, msg, msg_length, 0); - if (bytes_read != msg_length) - { - DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno)); - return JOB_REQUEUE_NONE; - } - - out = fdopen(strokefd, "w+"); - if (out == NULL) - { - DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno)); - return JOB_REQUEUE_NONE; - } - - DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length); - - switch (msg->type) - { - case STR_INITIATE: - stroke_initiate(this, msg, out); - break; - case STR_ROUTE: - stroke_route(this, msg, out); - 
break; - case STR_UNROUTE: - stroke_unroute(this, msg, out); - break; - case STR_TERMINATE: - stroke_terminate(this, msg, out); - break; - case STR_TERMINATE_SRCIP: - stroke_terminate_srcip(this, msg, out); - break; - case STR_STATUS: - stroke_status(this, msg, out, FALSE); - break; - case STR_STATUS_ALL: - stroke_status(this, msg, out, TRUE); - break; - case STR_ADD_CONN: - stroke_add_conn(this, msg); - break; - case STR_DEL_CONN: - stroke_del_conn(this, msg); - break; - case STR_ADD_CA: - stroke_add_ca(this, msg, out); - break; - case STR_DEL_CA: - stroke_del_ca(this, msg, out); - break; - case STR_LOGLEVEL: - stroke_loglevel(this, msg, out); - break; - case STR_CONFIG: - stroke_config(this, msg, out); - break; - case STR_LIST: - stroke_list(this, msg, out); - break; - case STR_REREAD: - stroke_reread(this, msg, out); - break; - case STR_PURGE: - stroke_purge(this, msg, out); - break; - case STR_LEASES: - stroke_leases(this, msg, out); - break; - default: - DBG1(DBG_CFG, "received unknown stroke"); - break; - } - fclose(out); - /* fclose() closes underlying FD */ - ctx->fd = 0; - return JOB_REQUEUE_NONE; -} - -/** - * Implementation of private_stroke_socket_t.stroke_receive. 
- */ -static job_requeue_t receive(private_stroke_socket_t *this) -{ - struct sockaddr_un strokeaddr; - int strokeaddrlen = sizeof(strokeaddr); - int strokefd; - bool oldstate; - callback_job_t *job; - stroke_job_context_t *ctx; - - oldstate = thread_cancelability(TRUE); - strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen); - thread_cancelability(oldstate); - - if (strokefd < 0) - { - DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno)); - return JOB_REQUEUE_FAIR; - } - - ctx = malloc_thing(stroke_job_context_t); - ctx->fd = strokefd; - ctx->this = this; - job = callback_job_create((callback_job_cb_t)process, - ctx, (void*)stroke_job_context_destroy, this->job); - charon->processor->queue_job(charon->processor, (job_t*)job); - - return JOB_REQUEUE_FAIR; -} - - -/** - * initialize and open stroke socket - */ -static bool open_socket(private_stroke_socket_t *this) -{ - struct sockaddr_un socket_addr; - mode_t old; - - socket_addr.sun_family = AF_UNIX; - strcpy(socket_addr.sun_path, STROKE_SOCKET); - - /* set up unix socket */ - this->socket = socket(AF_UNIX, SOCK_STREAM, 0); - if (this->socket == -1) - { - DBG1(DBG_CFG, "could not create stroke socket"); - return FALSE; - } - - unlink(socket_addr.sun_path); - old = umask(~(S_IRWXU | S_IRWXG)); - if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0) - { - DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno)); - close(this->socket); - return FALSE; - } - umask(old); - if (chown(socket_addr.sun_path, charon->uid, charon->gid) != 0) - { - DBG1(DBG_CFG, "changing stroke socket permissions failed: %s", - strerror(errno)); - } - - if (listen(this->socket, 10) < 0) - { - DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno)); - close(this->socket); - unlink(socket_addr.sun_path); - return FALSE; - } - return TRUE; -} - -/** - * Implementation of stroke_socket_t.destroy - */ -static void destroy(private_stroke_socket_t 
*this) -{ - this->job->cancel(this->job); - charon->credentials->remove_set(charon->credentials, &this->ca->set); - charon->credentials->remove_set(charon->credentials, &this->cred->set); - charon->backends->remove_backend(charon->backends, &this->config->backend); - lib->attributes->remove_provider(lib->attributes, &this->attribute->provider); - this->cred->destroy(this->cred); - this->ca->destroy(this->ca); - this->config->destroy(this->config); - this->attribute->destroy(this->attribute); - this->control->destroy(this->control); - this->list->destroy(this->list); - free(this); -} - -/* - * see header file - */ -stroke_socket_t *stroke_socket_create() -{ - private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t); - - this->public.destroy = (void(*)(stroke_socket_t*))destroy; - - if (!open_socket(this)) - { - free(this); - return NULL; - } - - this->cred = stroke_cred_create(); - this->attribute = stroke_attribute_create(); - this->ca = stroke_ca_create(this->cred); - this->config = stroke_config_create(this->ca, this->cred); - this->control = stroke_control_create(); - this->list = stroke_list_create(this->attribute); - - charon->credentials->add_set(charon->credentials, &this->ca->set); - charon->credentials->add_set(charon->credentials, &this->cred->set); - charon->backends->add_backend(charon->backends, &this->config->backend); - lib->attributes->add_provider(lib->attributes, &this->attribute->provider); - - this->job = callback_job_create((callback_job_cb_t)receive, - this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); - - return &this->public; -} - diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h deleted file mode 100644 index 2aac8be9b..000000000 --- a/src/charon/plugins/stroke/stroke_socket.h +++ /dev/null 
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup stroke_socket stroke_socket
- * @{ @ingroup stroke
- */
-
-#ifndef STROKE_SOCKET_H_
-#define STROKE_SOCKET_H_
-
-typedef struct stroke_socket_t stroke_socket_t;
-
-/**
- * Stroke socket, opens UNIX communication socket, reads and dispatches.
- */
-struct stroke_socket_t {
-
- /**
- * Destroy a stroke_socket instance.
- */
- void (*destroy)(stroke_socket_t *this);
-};
-
-/**
- * Create a stroke_socket instance.
- */
-stroke_socket_t *stroke_socket_create();
-
-#endif /** STROKE_SOCKET_H_ @}*/ |