diff options
Diffstat (limited to 'src/charon/plugins/stroke')
20 files changed, 834 insertions, 606 deletions
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am index 79a63f2c2..94d311609 100644 --- a/src/charon/plugins/stroke/Makefile.am +++ b/src/charon/plugins/stroke/Makefile.am @@ -3,7 +3,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_ AM_CFLAGS = \ -rdynamic \ --DIPSEC_CONFDIR=\"${confdir}\" \ +-DIPSEC_CONFDIR=\"${sysconfdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-stroke.la diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in index 19822ebc8..6e6b3b813 100644 --- a/src/charon/plugins/stroke/Makefile.in +++ b/src/charon/plugins/stroke/Makefile.in @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10.2 from Makefile.am. +# Makefile.in generated by automake 1.11 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -35,19 +37,41 @@ host_triplet = @host@ subdir = src/charon/plugins/stroke DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/configure.in +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" -pluginLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(plugin_LTLIBRARIES) libstrongswan_stroke_la_LIBADD = am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \ @@ -61,6 +85,7 @@ libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles +am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ @@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@ -IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ -LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ -LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ -LINUX_HEADERS = @LINUX_HEADERS@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ @@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ +RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ @@ -171,9 +196,9 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ -confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ @@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ libstrongswan_plugins = @libstrongswan_plugins@ -linuxdir = @linuxdir@ +linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ @@ -204,6 +229,7 @@ mandir = @mandir@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ @@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +random_device = @random_device@ resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ -simreader = @simreader@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -223,12 +251,13 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke AM_CFLAGS = \ -rdynamic \ --DIPSEC_CONFDIR=\"${confdir}\" \ +-DIPSEC_CONFDIR=\"${sysconfdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-stroke.la @@ -256,9 +285,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -276,23 +305,28 @@ $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" - @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } uninstall-pluginLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \ + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ done clean-pluginLTLIBRARIES: @@ -324,21 +358,21 @@ distclean-compile: .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< @@ -361,7 +395,7 @@ tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ @@ -369,29 +403,34 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -412,13 +451,17 @@ distdir: $(DISTFILES) if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -449,6 +492,7 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -470,6 +514,8 @@ dvi-am: html: html-am +html-am: + info: info-am info-am: @@ -478,18 +524,28 @@ install-data-am: install-pluginLTLIBRARIES install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -528,6 +584,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c index d3211fd67..7a5ce683e 100644 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ b/src/charon/plugins/stroke/stroke_attribute.c @@ -18,7 +18,7 @@ #include <daemon.h> #include <utils/linked_list.h> #include <utils/hashtable.h> -#include <utils/mutex.h> +#include <threading/mutex.h> #define POOL_LIMIT (sizeof(uintptr_t)*8) @@ -33,12 +33,12 @@ struct private_stroke_attribute_t { * public functions */ stroke_attribute_t public; - + /** * list of pools, contains pool_t */ linked_list_t *pools; - + /** * mutex to lock access to pools */ @@ -85,7 +85,7 @@ static void pool_destroy(pool_t *this) { enumerator_t *enumerator; identification_t *id; - + enumerator = this->ids->create_enumerator(this->ids); while (enumerator->enumerate(enumerator, &id, NULL)) { @@ -107,7 +107,7 @@ static pool_t *find_pool(private_stroke_attribute_t *this, char *name) { enumerator_t *enumerator; pool_t *current, *found = NULL; - + enumerator = this->pools->create_enumerator(this->pools); while (enumerator->enumerate(enumerator, ¤t)) { @@ -129,13 +129,13 @@ host_t* offset2host(pool_t *pool, int offset) chunk_t addr; host_t *host; u_int32_t *pos; - + offset--; if (offset > pool->size) { return NULL; } - + addr = chunk_clone(pool->base->get_address(pool->base)); if (pool->base->get_family(pool->base) == AF_INET6) { @@ -158,7 +158,7 @@ int host2offset(pool_t *pool, host_t *addr) { chunk_t host, base; u_int32_t hosti, basei; - + if (addr->get_family(addr) != pool->base->get_family(pool->base)) { return -1; @@ -195,7 +195,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, uintptr_t offset = 0; enumerator_t *enumerator; identification_t *old_id; - + this->mutex->lock(this->mutex); pool = find_pool(this, name); while (pool) @@ -206,7 +206,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, this->mutex->unlock(this->mutex); return requested->clone(requested); } - + if (!requested->is_anyaddr(requested) && requested->get_family(requested) != pool->base->get_family(pool->base)) @@ -214,7 +214,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, DBG1(DBG_CFG, "IP pool address family mismatch"); break; } - + /* check for a valid offline lease, refresh */ offset = (uintptr_t)pool->offline->remove(pool->offline, id); if (offset) @@ -227,7 +227,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, break; } } - + /* check for a valid online lease, reassign */ offset = (uintptr_t)pool->online->get(pool->online, id); if (offset && offset == host2offset(pool, requested)) @@ -235,7 +235,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); break; } - + if (pool->unused < pool->size) { /* assigning offset, starting by 1. Handling 0 in hashtable @@ -270,7 +270,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, } } enumerator->destroy(enumerator); - + DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", name); break; } @@ -291,7 +291,7 @@ static bool release_address(private_stroke_attribute_t *this, pool_t *pool; bool found = FALSE; uintptr_t offset; - + this->mutex->lock(this->mutex); pool = find_pool(this, name); if (pool) @@ -320,10 +320,10 @@ static bool release_address(private_stroke_attribute_t *this, */ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg) { - if (msg->add_conn.other.sourceip_size) + if (msg->add_conn.other.sourceip_mask) { pool_t *pool; - + pool = malloc_thing(pool_t); pool->base = NULL; pool->size = 0; @@ -335,17 +335,17 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg) (hashtable_equals_t)id_equals, 16); pool->ids = hashtable_create((hashtable_hash_t)id_hash, (hashtable_equals_t)id_equals, 16); - + /* if %config, add an empty pool, otherwise */ if (msg->add_conn.other.sourceip) { u_int32_t bits; int family; - - DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d", - msg->add_conn.name, msg->add_conn.other.sourceip, - msg->add_conn.other.sourceip_size); - + + DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d", + msg->add_conn.name, msg->add_conn.other.sourceip, + msg->add_conn.other.sourceip_mask); + pool->base = host_create_from_string(msg->add_conn.other.sourceip, 0); if (!pool->base) { @@ -354,7 +354,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg) return; } family = pool->base->get_family(pool->base); - bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_size; + bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_mask; if (bits > POOL_LIMIT) { bits = POOL_LIMIT; @@ -363,7 +363,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg) (family == AF_INET ? 32 : 128) - bits); } pool->size = 1 << (bits); - + if (pool->size > 2) { /* do not use first and last addresses of a block */ pool->unused++; @@ -383,7 +383,7 @@ static void del_pool(private_stroke_attribute_t *this, stroke_msg_t *msg) { enumerator_t *enumerator; pool_t *pool; - + this->mutex->lock(this->mutex); enumerator = this->pools->create_enumerator(this->pools); while (enumerator->enumerate(enumerator, &pool)) @@ -407,7 +407,7 @@ static bool pool_filter(void *mutex, pool_t **poolp, char **name, void *d3, u_int *offline) { pool_t *pool = *poolp; - + *name = pool->name; *size = pool->size; *online = pool->online->get_count(pool->online); @@ -450,10 +450,10 @@ static bool lease_enumerate(lease_enumerator_t *this, identification_t **id_out, { identification_t *id; uintptr_t offset; - + DESTROY_IF(this->current); this->current = NULL; - + if (this->inner->enumerate(this->inner, &id, NULL)) { offset = (uintptr_t)this->pool->online->get(this->pool->online, id); @@ -494,7 +494,7 @@ static enumerator_t* create_lease_enumerator(private_stroke_attribute_t *this, char *pool) { lease_enumerator_t *enumerator; - + this->mutex->lock(this->mutex); enumerator = malloc_thing(lease_enumerator_t); enumerator->pool = find_pool(this, pool); @@ -528,19 +528,19 @@ static void destroy(private_stroke_attribute_t *this) stroke_attribute_t *stroke_attribute_create() { private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t); - + this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address; this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address; - this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty; + this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))enumerator_create_empty; this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool; this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool; this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator; this->public.create_lease_enumerator = (enumerator_t*(*)(stroke_attribute_t*, char *pool))create_lease_enumerator; this->public.destroy = (void(*)(stroke_attribute_t*))destroy; - + this->pools = linked_list_create(); this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h index fc273d1cb..cf6c950a6 100644 --- a/src/charon/plugins/stroke/stroke_attribute.h +++ b/src/charon/plugins/stroke/stroke_attribute.h @@ -22,7 +22,7 @@ #define STROKE_ATTRIBUTE_H_ #include <stroke_msg.h> -#include <config/attributes/attribute_provider.h> +#include <attributes/attribute_provider.h> typedef struct stroke_attribute_t stroke_attribute_t; @@ -30,12 +30,12 @@ typedef struct stroke_attribute_t stroke_attribute_t; * Stroke IKEv2 cfg attribute provider */ struct stroke_attribute_t { - + /** * Implements attribute provider interface */ attribute_provider_t provider; - + /** * Add a virtual IP address. * @@ -43,24 +43,24 @@ struct stroke_attribute_t { * @param end end of stroke message that contains virtual IP. */ void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg); - + /** * Remove a virtual IP address. * * @param msg stroke message */ void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg); - + /** * Create an enumerator over installed pools. * - * Enumerator enumerates over + * Enumerator enumerates over * char *pool, u_int size, u_int offline, u_int online. * * @return enumerator */ enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this); - + /** * Create an enumerator over the leases of a pool. * diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c index c354d8cb8..49146f18b 100644 --- a/src/charon/plugins/stroke/stroke_ca.c +++ b/src/charon/plugins/stroke/stroke_ca.c @@ -17,7 +17,7 @@ #include "stroke_ca.h" #include "stroke_cred.h" -#include <utils/mutex.h> +#include <threading/rwlock.h> #include <utils/linked_list.h> #include <crypto/hashers/hasher.h> @@ -34,17 +34,17 @@ struct private_stroke_ca_t { * public functions */ stroke_ca_t public; - + /** * read-write lock to lists */ rwlock_t *lock; - + /** * list of starters CA sections and its certificates (ca_section_t) */ linked_list_t *sections; - + /** * stroke credentials, stores our CA certificates */ @@ -62,27 +62,27 @@ struct ca_section_t { * name of the CA section */ char *name; - + /** * reference to cert in trusted_credential_t */ certificate_t *cert; - + /** * CRL URIs */ linked_list_t *crl; - + /** * OCSP URIs */ linked_list_t *ocsp; - + /** * Hashes of certificates issued by this CA */ linked_list_t *hashes; - + /** * Base URI used for certificates from this CA */ @@ -90,12 +90,12 @@ struct ca_section_t { }; /** - * create a new CA section + * create a new CA section */ static ca_section_t *ca_section_create(char *name, certificate_t *cert) { ca_section_t *ca = malloc_thing(ca_section_t); - + ca->name = strdup(name); ca->crl = linked_list_create(); ca->ocsp = linked_list_create(); @@ -142,10 +142,9 @@ static void cdp_data_destroy(cdp_data_t *data) static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data) { public_key_t *public; - identification_t *keyid; enumerator_t *enumerator = NULL; linked_list_t *list; - + if (data->type == CERT_X509_OCSP_RESPONSE) { list = section->ocsp; @@ -164,10 +163,9 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data) } else { - keyid = public->get_id(public, data->id->get_type(data->id)); - if (keyid && keyid->matches(keyid, data->id)) + if (public->has_fingerprint(public, data->id->get_encoding(data->id))) { - enumerator = list->create_enumerator(list); + enumerator = list->create_enumerator(list); } } public->destroy(public); @@ -182,25 +180,25 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data { enumerator_t *enumerator = NULL, *hash_enum; identification_t *current; - + if (!data->id || !section->certuribase) { return NULL; } - + hash_enum = section->hashes->create_enumerator(section->hashes); while (hash_enum->enumerate(hash_enum, ¤t)) - { + { if (current->matches(current, data->id)) { char *url, *hash; - + url = malloc(strlen(section->certuribase) + 40 + 1); strcpy(url, section->certuribase); hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr; strncat(url, hash, 40); free(hash); - + enumerator = enumerator_create_single(url, free); break; } @@ -231,7 +229,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this, data->this = this; data->type = type; data->id = id; - + this->lock->read_lock(this->lock); return enumerator_create_nested(this->sections->create_enumerator(this->sections), (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp, @@ -244,12 +242,12 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg) { certificate_t *cert; ca_section_t *ca; - + if (msg->add_ca.cacert == NULL) { DBG1(DBG_CFG, "missing cacert parameter"); return; - } + } cert = this->cred->load_ca(this->cred, msg->add_ca.cacert); if (cert) { @@ -288,7 +286,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg) { enumerator_t *enumerator; ca_section_t *ca = NULL; - + this->lock->write_lock(this->lock); enumerator = this->sections->create_enumerator(this->sections); while (enumerator->enumerate(enumerator, &ca)) @@ -344,14 +342,14 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer { ca_section_t *section; enumerator_t *enumerator; - + hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (hasher == NULL) { DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported"); return; } - + this->lock->write_lock(this->lock); enumerator = this->sections->create_enumerator(this->sections); while (enumerator->enumerate(enumerator, (void**)§ion)) @@ -361,7 +359,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer chunk_t hash, encoded = cert->get_encoding(cert); hasher->allocate_hash(hasher, encoded, &hash); section->hashes->insert_last(section->hashes, - identification_create_from_encoding(ID_CERT_DER_SHA1, hash)); + identification_create_from_encoding(ID_KEY_ID, hash)); chunk_free(&hash); chunk_free(&encoded); break; @@ -369,7 +367,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer } enumerator->destroy(enumerator); this->lock->unlock(this->lock); - + hasher->destroy(hasher); } @@ -381,13 +379,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) bool first = TRUE; ca_section_t *section; enumerator_t *enumerator; - + this->lock->read_lock(this->lock); enumerator = this->sections->create_enumerator(this->sections); while (enumerator->enumerate(enumerator, (void**)§ion)) { certificate_t *cert = section->cert; public_key_t *public = cert->get_public_key(cert); + chunk_t chunk; if (first) { @@ -401,10 +400,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) /* list authkey and keyid */ if (public) { - fprintf(out, " authkey: %Y\n", - public->get_id(public, ID_PUBKEY_SHA1)); - fprintf(out, " keyid: %Y\n", - public->get_id(public, ID_PUBKEY_INFO_SHA1)); + if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) + { + fprintf(out, " authkey: %#B\n", &chunk); + } + if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk)) + { + fprintf(out, " keyid: %#B\n", &chunk); + } public->destroy(public); } list_uris(section->crl, " crluris: ", out); @@ -434,7 +437,7 @@ static void destroy(private_stroke_ca_t *this) stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) { private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t); - + this->public.set.create_private_enumerator = (void*)return_null; this->public.set.create_cert_enumerator = (void*)return_null; this->public.set.create_shared_enumerator = (void*)return_null; @@ -445,11 +448,11 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list; this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url; this->public.destroy = (void(*)(stroke_ca_t*))destroy; - + this->sections = linked_list_create(); this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->cred = cred; - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h index c882d7b4e..21af912ea 100644 --- a/src/charon/plugins/stroke/stroke_ca.h +++ b/src/charon/plugins/stroke/stroke_ca.h @@ -37,39 +37,39 @@ struct stroke_ca_t { * Implements credential_set_t */ credential_set_t set; - + /** * Add a CA to the set using a stroke_msg_t. * * @param msg stroke message containing CA info */ void (*add)(stroke_ca_t *this, stroke_msg_t *msg); - + /** * Remove a CA from the set using a stroke_msg_t. * * @param msg stroke message containing CA info */ void (*del)(stroke_ca_t *this, stroke_msg_t *msg); - + /** * List CA sections to stroke console. * * @param msg stroke message */ void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out); - + /** * Check if a certificate can be made available through hash and URL. - * + * * @param cert peer certificate */ void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert); - + /** - * Destroy a stroke_ca instance. - */ - void (*destroy)(stroke_ca_t *this); + * Destroy a stroke_ca instance. + */ + void (*destroy)(stroke_ca_t *this); }; /** diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index 0b6a4ac31..0752f3c93 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -16,7 +16,7 @@ #include "stroke_config.h" #include <daemon.h> -#include <utils/mutex.h> +#include <threading/mutex.h> #include <utils/lexparser.h> typedef struct private_stroke_config_t private_stroke_config_t; @@ -30,22 +30,22 @@ struct private_stroke_config_t { * public functions */ stroke_config_t public; - + /** * list of peer_cfg_t */ linked_list_t *list; - + /** * mutex to lock config list */ mutex_t *mutex; - + /** * ca sections */ stroke_ca_t *ca; - + /** * credentials */ @@ -93,7 +93,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam enumerator_t *e1, *e2; peer_cfg_t *current, *found = NULL; child_cfg_t *child; - + this->mutex->lock(this->mutex); e1 = this->list->create_enumerator(this->list); while (e1->enumerate(e1, ¤t)) @@ -139,7 +139,7 @@ static void add_proposals(private_stroke_config_t *this, char *string, char *strict; proposal_t *proposal; protocol_id_t proto = PROTO_ESP; - + if (ike_cfg) { proto = PROTO_IKE; @@ -195,7 +195,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg ike_cfg_t *ike_cfg; char *interface; host_t *host; - + host = host_create_from_dns(msg->add_conn.other.address, 0, 0); if (host) { @@ -227,7 +227,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg { free(interface); } - + } } } @@ -236,7 +236,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg msg->add_conn.me.address, msg->add_conn.other.address); add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL); - return ike_cfg; + return ike_cfg; } /** @@ -275,7 +275,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, stroke_end_t *end, *other_end; auth_cfg_t *cfg; char eap_buf[32]; - + /* select strings */ if (local) { @@ -317,7 +317,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, ca = other_end->ca2; } } - + if (!auth) { if (primary) @@ -366,9 +366,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, return NULL; } } - + cfg = auth_cfg_create(); - + /* add identity and peer certifcate */ identity = identification_create_from_string(id); if (cert) @@ -380,12 +380,12 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, { this->ca->check_for_hash_and_url(this->ca, certificate); } - cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); + cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); if (identity->get_type(identity) == ID_ANY || !certificate->has_subject(certificate, identity)) { - DBG1(DBG_CFG, " peerid %Y not confirmed by certificate, " - "defaulting to subject DN: %Y", identity, + DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, " + "defaulting to '%Y'", identity, certificate->get_subject(certificate)); identity->destroy(identity); identity = certificate->get_subject(certificate); @@ -394,7 +394,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } } cfg->add(cfg, AUTH_RULE_IDENTITY, identity); - + /* CA constraint */ if (ca) { @@ -412,13 +412,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, "constraint", ca); } } - + /* AC groups */ if (end->groups) { enumerator_t *enumerator; char *group; - + enumerator = enumerator_create_token(end->groups, ",", " "); while (enumerator->enumerate(enumerator, &group)) { @@ -428,7 +428,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } enumerator->destroy(enumerator); } - + /* authentication metod (class, actually) */ if (streq(auth, "pubkey") || streq(auth, "rsasig") || streq(auth, "rsa") || @@ -446,9 +446,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator_t *enumerator; char *str; int i = 0, type = 0, vendor; - + cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); - + /* parse EAP string, format: eap[-type[-vendor]] */ enumerator = enumerator_create_token(auth, "-", " "); while (enumerator->enumerate(enumerator, &str)) @@ -488,7 +488,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, i++; } enumerator->destroy(enumerator); - + if (msg->add_conn.eap_identity) { if (streq(msg->add_conn.eap_identity, "%identity")) @@ -529,37 +529,36 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, u_int32_t rekey = 0, reauth = 0, over, jitter; peer_cfg_t *peer_cfg; auth_cfg_t *auth_cfg; - + #ifdef ME if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by) { - DBG1(DBG_CFG, "a mediation connection cannot be a" - " mediated connection at the same time, aborting"); + DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection " + "at the same time, aborting"); return NULL; } - + if (msg->add_conn.ikeme.mediation) { /* force unique connections for mediation connections */ msg->add_conn.unique = 1; } - + if (msg->add_conn.ikeme.mediated_by) { mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends, - msg->add_conn.ikeme.mediated_by); + msg->add_conn.ikeme.mediated_by); if (!mediated_by) { DBG1(DBG_CFG, "mediation connection '%s' not found, aborting", msg->add_conn.ikeme.mediated_by); return NULL; } - if (!mediated_by->is_mediation(mediated_by)) { - DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is" - "no mediation connection, aborting", - msg->add_conn.ikeme.mediated_by, msg->add_conn.name); + DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is " + "no mediation connection, aborting", + msg->add_conn.ikeme.mediated_by, msg->add_conn.name); mediated_by->destroy(mediated_by); return NULL; } @@ -573,7 +572,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, } } #endif /* ME */ - + jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; over = msg->add_conn.rekey.margin; if (msg->add_conn.rekey.reauth) @@ -583,8 +582,8 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, else { rekey = msg->add_conn.rekey.ike_lifetime - over; - } - if (msg->add_conn.me.sourceip_size) + } + if (msg->add_conn.me.sourceip_mask) { if (msg->add_conn.me.sourceip) { @@ -633,19 +632,19 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, { /* dpdaction=none disables DPD */ msg->add_conn.dpd.delay = 0; } - + /* other.sourceip is managed in stroke_attributes. If it is set, we define * the pool name as the connection name, which the attribute provider * uses to serve pool addresses. */ peer_cfg = peer_cfg_create(msg->add_conn.name, msg->add_conn.ikev2 ? 2 : 1, ike_cfg, - msg->add_conn.me.sendcert, unique, + msg->add_conn.me.sendcert, unique, msg->add_conn.rekey.tries, rekey, reauth, jitter, over, msg->add_conn.mobike, msg->add_conn.dpd.delay, - vip, msg->add_conn.other.sourceip_size ? + vip, msg->add_conn.other.sourceip_mask ? msg->add_conn.name : msg->add_conn.other.sourceip, msg->add_conn.ikeme.mediation, mediated_by, peer_id); - + /* build leftauth= */ auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE); if (auth_cfg) @@ -685,7 +684,7 @@ static void add_ts(private_stroke_config_t *this, stroke_end_t *end, child_cfg_t *child_cfg, bool local) { traffic_selector_t *ts; - + if (end->tohost) { ts = traffic_selector_create_dynamic(end->protocol, @@ -695,7 +694,7 @@ static void add_ts(private_stroke_config_t *this, else { host_t *net; - + if (!end->subnets) { net = host_create_from_string(end->address, IKEV2_UDP_PORT); @@ -709,12 +708,12 @@ static void add_ts(private_stroke_config_t *this, else { char *del, *start, *bits; - + start = end->subnets; do { int intbits = 0; - + del = strchr(start, ','); if (del) { @@ -726,7 +725,7 @@ static void add_ts(private_stroke_config_t *this, *bits = '\0'; intbits = atoi(bits + 1); } - + net = host_create_from_string(start, IKEV2_UDP_PORT); if (net) { @@ -753,7 +752,24 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, { child_cfg_t *child_cfg; action_t dpd; - + lifetime_cfg_t lifetime = { + .time = { + .life = msg->add_conn.rekey.ipsec_lifetime, + .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, + .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100 + }, + .bytes = { + .life = msg->add_conn.rekey.life_bytes, + .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes, + .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100 + }, + .packets = { + .life = msg->add_conn.rekey.life_packets, + .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets, + .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 + } + }; + switch (msg->add_conn.dpd.action) { /* map startes magic values to our action type */ case 2: /* =hold */ @@ -766,19 +782,19 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, dpd = ACTION_NONE; break; } + child_cfg = child_cfg_create( - msg->add_conn.name, msg->add_conn.rekey.ipsec_lifetime, - msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, - msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, + msg->add_conn.name, &lifetime, msg->add_conn.me.updown, msg->add_conn.me.hostaccess, - msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp); + msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, + msg->add_conn.inactivity); child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); add_ts(this, &msg->add_conn.other, child_cfg, FALSE); - + add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg); - + return child_cfg; } @@ -804,7 +820,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg) ike_cfg->destroy(ike_cfg); return; } - + enumerator = create_peer_cfg_enumerator(this, NULL, NULL); while (enumerator->enumerate(enumerator, &existing)) { @@ -822,7 +838,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg) } } enumerator->destroy(enumerator); - + child_cfg = build_child_cfg(this, msg); if (!child_cfg) { @@ -830,7 +846,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg) return; } peer_cfg->add_child_cfg(peer_cfg, child_cfg); - + if (use_existing) { peer_cfg->destroy(peer_cfg); @@ -854,13 +870,13 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg) peer_cfg_t *peer; child_cfg_t *child; bool deleted = FALSE; - + this->mutex->lock(this->mutex); enumerator = this->list->create_enumerator(this->list); while (enumerator->enumerate(enumerator, (void**)&peer)) { bool keep = FALSE; - + /* remove any child with such a name */ children = peer->create_child_cfg_enumerator(peer); while (children->enumerate(children, &child)) @@ -877,7 +893,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg) } } children->destroy(children); - + /* if peer config matches, or has no children anymore, remove it */ if (!keep || streq(peer->get_name(peer), msg->del_conn.name)) { @@ -888,7 +904,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg) } enumerator->destroy(enumerator); this->mutex->unlock(this->mutex); - + if (deleted) { DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name); @@ -915,19 +931,19 @@ static void destroy(private_stroke_config_t *this) stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) { private_stroke_config_t *this = malloc_thing(private_stroke_config_t); - + this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add; this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del; this->public.destroy = (void(*)(stroke_config_t*))destroy; - + this->list = linked_list_create(); this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->ca = ca; this->cred = cred; - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h index 270795e4a..05e4665ca 100644 --- a/src/charon/plugins/stroke/stroke_config.h +++ b/src/charon/plugins/stroke/stroke_config.h @@ -37,25 +37,25 @@ struct stroke_config_t { * Implements the backend_t interface */ backend_t backend; - + /** * Add a configuration to the backend. * * @param msg received stroke message containing config */ void (*add)(stroke_config_t *this, stroke_msg_t *msg); - + /** * Remove a configuration from the backend. * * @param msg received stroke message containing config name */ void (*del)(stroke_config_t *this, stroke_msg_t *msg); - + /** - * Destroy a stroke_config instance. - */ - void (*destroy)(stroke_config_t *this); + * Destroy a stroke_config instance. + */ + void (*destroy)(stroke_config_t *this); }; /** diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c index c572117a2..a03aef697 100644 --- a/src/charon/plugins/stroke/stroke_control.c +++ b/src/charon/plugins/stroke/stroke_control.c @@ -43,7 +43,7 @@ struct stroke_log_info_t { * level to log up to */ level_t level; - + /** * where to write log */ @@ -75,7 +75,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name) { child_cfg_t *current, *found = NULL; enumerator_t *enumerator; - + enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); while (enumerator->enumerate(enumerator, ¤t)) { @@ -98,7 +98,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; stroke_log_info_t info; - + peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, msg->initiate.name); if (peer_cfg == NULL) @@ -113,7 +113,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou peer_cfg->destroy(peer_cfg); return; } - + child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name); if (child_cfg == NULL) { @@ -121,7 +121,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou peer_cfg->destroy(peer_cfg); return; } - + if (msg->output_verbosity < 0) { charon->controller->initiate(charon->controller, peer_cfg, child_cfg, @@ -150,9 +150,9 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o linked_list_t *ike_list, *child_list; stroke_log_info_t info; uintptr_t del; - + string = msg->terminate.name; - + len = strlen(string); if (len < 1) { @@ -174,7 +174,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o child = FALSE; break; } - + if (name) { /* is a single name */ @@ -202,10 +202,10 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o } } } - + info.out = out; info.level = msg->output_verbosity; - + if (id) { if (child) @@ -220,7 +220,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o } return; } - + ike_list = linked_list_create(); child_list = linked_list_create(); enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); @@ -228,7 +228,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o { child_sa_t *child_sa; iterator_t *children; - + if (child) { children = ike_sa->create_child_sa_iterator(ike_sa); @@ -261,7 +261,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o } } enumerator->destroy(enumerator); - + enumerator = child_list->create_enumerator(child_list); while (enumerator->enumerate(enumerator, &del)) { @@ -269,7 +269,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o (controller_cb_t)stroke_log, &info); } enumerator->destroy(enumerator); - + enumerator = ike_list->create_enumerator(ike_list); while (enumerator->enumerate(enumerator, &del)) { @@ -277,7 +277,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o (controller_cb_t)stroke_log, &info); } enumerator->destroy(enumerator); - + if (child_list->get_count(child_list) == 0 && ike_list->get_count(ike_list) == 0) { @@ -298,7 +298,7 @@ static void terminate_srcip(private_stroke_control_t *this, ike_sa_t *ike_sa; host_t *start = NULL, *end = NULL, *vip; chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip; - + if (msg->terminate_srcip.start) { start = host_create_from_string(msg->terminate_srcip.start, 0); @@ -320,7 +320,7 @@ static void terminate_srcip(private_stroke_control_t *this, } chunk_end = end->get_address(end); } - + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); while (enumerator->enumerate(enumerator, &ike_sa)) { @@ -369,10 +369,10 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o linked_list_t *list; uintptr_t del; stroke_log_info_t info; - + info.out = out; info.level = msg->output_verbosity; - + list = linked_list_create(); enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); while (enumerator->enumerate(enumerator, &ike_sa)) @@ -386,7 +386,7 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o iterator->destroy(iterator); } enumerator->destroy(enumerator); - + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &del)) { @@ -404,7 +404,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; - + peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, msg->route.name); if (peer_cfg == NULL) @@ -417,7 +417,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) peer_cfg->destroy(peer_cfg); return; } - + child_cfg = get_child_from_peer(peer_cfg, msg->route.name); if (child_cfg == NULL) { @@ -425,7 +425,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) peer_cfg->destroy(peer_cfg); return; } - + if (charon->traps->install(charon->traps, peer_cfg, child_cfg)) { fprintf(out, "configuration '%s' routed\n", msg->route.name); @@ -446,7 +446,7 @@ static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out child_sa_t *child_sa; enumerator_t *enumerator; u_int32_t id; - + enumerator = charon->traps->create_enumerator(charon->traps); while (enumerator->enumerate(enumerator, NULL, &child_sa)) { @@ -477,7 +477,7 @@ static void destroy(private_stroke_control_t *this) stroke_control_t *stroke_control_create() { private_stroke_control_t *this = malloc_thing(private_stroke_control_t); - + this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate; this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate; this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip; @@ -485,7 +485,7 @@ stroke_control_t *stroke_control_create() this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route; this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute; this->public.destroy = (void(*)(stroke_control_t*))destroy; - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h index 5a61a90a4..9b49bdc31 100644 --- a/src/charon/plugins/stroke/stroke_control.h +++ b/src/charon/plugins/stroke/stroke_control.h @@ -38,42 +38,42 @@ struct stroke_control_t { * @param msg stroke message */ void (*initiate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); - + /** * Terminate a connection. * * @param msg stroke message */ void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); - + /** * Terminate a connection by peers virtual IP. * * @param msg stroke message */ void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); - + /** * Delete IKE_SAs without a CHILD_SA. * * @param msg stroke message */ void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); - + /** * Route a connection. * * @param msg stroke message */ void (*route)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); - + /** * Unroute a connection. * * @param msg stroke message */ void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); - + /** * Destroy a stroke_control instance. */ diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c index 31bcfe9f4..bc0b2f6fc 100644 --- a/src/charon/plugins/stroke/stroke_cred.c +++ b/src/charon/plugins/stroke/stroke_cred.c @@ -27,8 +27,7 @@ #include <credentials/certificates/ac.h> #include <utils/linked_list.h> #include <utils/lexparser.h> -#include <utils/mutex.h> -#include <asn1/pem.h> +#include <threading/rwlock.h> #include <daemon.h> /* configuration directories and files */ @@ -56,7 +55,7 @@ struct private_stroke_cred_t { * public functions */ stroke_cred_t public; - + /** * list of trusted peer/signer/CA certificates (certificate_t) */ @@ -71,12 +70,12 @@ struct private_stroke_cred_t { * list of private keys (private_key_t) */ linked_list_t *private; - + /** * read-write lock to lists */ rwlock_t *lock; - + /** * cache CRLs to disk? */ @@ -89,6 +88,7 @@ struct private_stroke_cred_t { typedef struct { private_stroke_cred_t *this; identification_t *id; + certificate_type_t type; } id_data_t; /** @@ -106,25 +106,17 @@ static void id_data_destroy(id_data_t *data) static bool private_filter(id_data_t *data, private_key_t **in, private_key_t **out) { - identification_t *candidate; - id_type_t type; - + private_key_t *key; + + key = *in; if (data->id == NULL) { - *out = *in; + *out = key; return TRUE; } - type = data->id->get_type(data->id); - if (type == ID_KEY_ID) - { /* handle ID_KEY_ID as a ID_PUBKEY_SHA1 */ - type = ID_PUBKEY_SHA1; - } - candidate = (*in)->get_id(*in, type); - if (candidate && - chunk_equals(candidate->get_encoding(candidate), - data->id->get_encoding(data->id))) + if (key->has_fingerprint(key, data->id->get_encoding(data->id))) { - *out = *in; + *out = key; return TRUE; } return FALSE; @@ -141,7 +133,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, data = malloc_thing(id_data_t); data->this = this; data->id = id; - + this->lock->read_lock(this->lock); return enumerator_create_filter(this->private->create_enumerator(this->private), (void*)private_filter, data, @@ -154,26 +146,22 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out) { public_key_t *public; - identification_t *candidate; certificate_t *cert = *in; - certificate_type_t type = cert->get_type(cert); - if (type == CERT_X509_CRL || type == CERT_X509_AC) + if (data->type != CERT_ANY && data->type != cert->get_type(cert)) { return FALSE; } - if (data->id == NULL || cert->has_subject(cert, data->id)) { *out = *in; return TRUE; } - - public = (cert)->get_public_key(cert); + + public = cert->get_public_key(cert); if (public) { - candidate = public->get_id(public, data->id->get_type(data->id)); - if (candidate && data->id->equals(data->id, candidate)) + if (public->has_fingerprint(public, data->id->get_encoding(data->id))) { public->destroy(public); *out = *in; @@ -185,46 +173,6 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou } /** - * filter function for crl enumerator - */ -static bool crl_filter(id_data_t *data, certificate_t **in, certificate_t **out) -{ - certificate_t *cert = *in; - - if (cert->get_type(cert) != CERT_X509_CRL) - { - return FALSE; - } - - if (data->id == NULL || cert->has_issuer(cert, data->id)) - { - *out = *in; - return TRUE; - } - return FALSE; -} - -/** - * filter function for attribute certificate enumerator - */ -static bool ac_filter(id_data_t *data, certificate_t **in, certificate_t **out) -{ - certificate_t *cert = *in; - - if (cert->get_type(cert) != CERT_X509_AC) - { - return FALSE; - } - - if (data->id == NULL || cert->has_subject(cert, data->id)) - { - *out = *in; - return TRUE; - } - return FALSE; -} - -/** * Implements credential_set_t.create_cert_enumerator */ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, @@ -232,30 +180,16 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, identification_t *id, bool trusted) { id_data_t *data; - - if (cert == CERT_X509_CRL || cert == CERT_X509_AC) + + if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC)) { - if (trusted) - { - return NULL; - } - data = malloc_thing(id_data_t); - data->this = this; - data->id = id; - - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->certs->create_enumerator(this->certs), - (cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter, - data, (void*)id_data_destroy); - } - if (cert != CERT_X509 && cert != CERT_ANY) - { /* we only have X509 certificates. TODO: ACs? */ return NULL; } data = malloc_thing(id_data_t); data->this = this; data->id = id; - + data->type = cert; + this->lock->read_lock(this->lock); return enumerator_create_filter(this->certs->create_enumerator(this->certs), (void*)certs_filter, data, @@ -286,7 +220,7 @@ static bool shared_filter(shared_data_t *data, void **unused1, id_match_t *me, void **unused2, id_match_t *other) { - id_match_t my_match, other_match; + id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE; stroke_shared_key_t *stroke = *in; shared_key_t *shared = &stroke->shared; @@ -294,10 +228,16 @@ static bool shared_filter(shared_data_t *data, { return FALSE; } - - my_match = stroke->has_owner(stroke, data->me); - other_match = stroke->has_owner(stroke, data->other); - if (!my_match && !other_match) + + if (data->me) + { + my_match = stroke->has_owner(stroke, data->me); + } + if (data->other) + { + other_match = stroke->has_owner(stroke, data->other); + } + if ((data->me || data->other) && (!my_match && !other_match)) { return FALSE; } @@ -316,12 +256,12 @@ static bool shared_filter(shared_data_t *data, /** * Implements credential_set_t.create_shared_enumerator */ -static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, +static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, shared_key_type_t type, identification_t *me, identification_t *other) { shared_data_t *data = malloc_thing(shared_data_t); - + data->this = this; data->me = me; data->other = other; @@ -339,7 +279,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert) { certificate_t *current; enumerator_t *enumerator; - bool new = TRUE; + bool new = TRUE; this->lock->read_lock(this->lock); enumerator = this->certs->create_enumerator(this->certs); @@ -363,7 +303,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert) this->lock->unlock(this->lock); return cert; } - + /** * Implementation of stroke_cred_t.load_ca. */ @@ -371,7 +311,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) { certificate_t *cert; char path[PATH_MAX]; - + if (*filename == '/') { snprintf(path, sizeof(path), "%s", filename); @@ -380,7 +320,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) { snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); } - + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, @@ -388,12 +328,12 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) if (cert) { x509_t *x509 = (x509_t*)cert; - + if (!(x509->get_flags(x509) & X509_CA)) { + DBG1(DBG_CFG, " ca certificate \"%Y\" misses ca basic constraint, " + "discarded", cert->get_subject(cert)); cert->destroy(cert); - DBG1(DBG_CFG, " ca certificate must have ca basic constraint set, " - "discarded"); return NULL; } return (certificate_t*)add_cert(this, cert); @@ -408,7 +348,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl) { certificate_t *current, *cert = &crl->certificate; enumerator_t *enumerator; - bool new = TRUE, found = FALSE; + bool new = TRUE, found = FALSE; this->lock->write_lock(this->lock); enumerator = this->certs->create_enumerator(this->certs); @@ -417,12 +357,11 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl) if (current->get_type(current) == CERT_X509_CRL) { crl_t *crl_c = (crl_t*)current; - identification_t *authkey = crl->get_authKeyIdentifier(crl); - identification_t *authkey_c = crl_c->get_authKeyIdentifier(crl_c); + chunk_t authkey = crl->get_authKeyIdentifier(crl); + chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); /* if compare authorityKeyIdentifiers if available */ - if (authkey != NULL && authkey_c != NULL && - authkey->equals(authkey, authkey_c)) + if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c)) { found = TRUE; } @@ -491,17 +430,19 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename) { snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename); } - + cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, + CRED_CERTIFICATE, CERT_ANY, BUILD_FROM_FILE, path, - BUILD_X509_FLAG, 0, BUILD_END); if (cert) { cert = add_cert(this, cert); + DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", + cert->get_subject(cert), filename); return cert->get_ref(cert); } + DBG1(DBG_CFG, " loading certificate from '%s' failed", filename); return NULL; } @@ -513,7 +454,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path, { struct stat st; char *file; - + enumerator_t *enumerator = enumerator_create_directory(path); if (!enumerator) @@ -535,22 +476,33 @@ static void load_certdir(private_stroke_cred_t *this, char *path, { case CERT_X509: if (flag & X509_CA) - { /* for CA certificates, we strictly require CA - * basicconstraints to be set */ + { /* for CA certificates, we strictly require + * the CA basic constraint to be set */ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, file, BUILD_END); if (cert) { x509_t *x509 = (x509_t*)cert; - + if (!(x509->get_flags(x509) & X509_CA)) { - DBG1(DBG_CFG, " ca certificate must have ca " - "basic constraint set, discarded"); + DBG1(DBG_CFG, " ca certificate \"%Y\" lacks " + "ca basic constraint, discarded", + cert->get_subject(cert)); cert->destroy(cert); cert = NULL; } + else + { + DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", + cert->get_subject(cert), file); + } + } + else + { + DBG1(DBG_CFG, " loading ca certificate from '%s' " + "failed", file); } } else @@ -559,6 +511,16 @@ static void load_certdir(private_stroke_cred_t *this, char *path, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, file, BUILD_X509_FLAG, flag, BUILD_END); + if (cert) + { + DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", + cert->get_subject(cert), file); + } + else + { + DBG1(DBG_CFG, " loading certificate from '%s' " + "failed", file); + } } if (cert) { @@ -573,6 +535,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path, if (cert) { add_crl(this, (crl_t*)cert); + DBG1(DBG_CFG, " loaded crl from '%s'", file); + } + else + { + DBG1(DBG_CFG, " loading crl from '%s' failed", file); } break; case CERT_X509_AC: @@ -583,10 +550,17 @@ static void load_certdir(private_stroke_cred_t *this, char *path, if (cert) { add_ac(this, (ac_t*)cert); + DBG1(DBG_CFG, " loaded attribute certificate from '%s'", + file); + } + else + { + DBG1(DBG_CFG, " loading attribute certificate from '%s' " + "failed", file); } break; default: - break; + break; } } enumerator->destroy(enumerator); @@ -601,20 +575,18 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) { /* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */ crl_t *crl = (crl_t*)cert; - + cert->get_ref(cert); if (add_crl(this, crl)) { char buf[BUF_LEN]; chunk_t chunk, hex; - identification_t *id; - - id = crl->get_authKeyIdentifier(crl); - chunk = id->get_encoding(id); + + chunk = crl->get_authKeyIdentifier(crl); hex = chunk_to_hex(chunk, NULL, FALSE); snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex); free(hex.ptr); - + chunk = cert->get_encoding(cert); chunk_write(chunk, buf, "crl", 022, TRUE); free(chunk.ptr); @@ -669,7 +641,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line) } if (quotes) - { + { /* treat as an ASCII string */ *secret = chunk_clone(raw_secret); return NULL; @@ -693,9 +665,54 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line) } /** + * Data to pass to passphrase_cb + */ +typedef struct { + /** socket we use for prompting */ + FILE *prompt; + /** private key file */ + char *file; + /** buffer for passphrase */ + char buf[256]; +} passphrase_cb_data_t; + +/** + * Passphrase callback to read from whack fd + */ +chunk_t passphrase_cb(passphrase_cb_data_t *data, int try) +{ + chunk_t secret = chunk_empty;; + + if (try > 5) + { + fprintf(data->prompt, "invalid passphrase, too many trials\n"); + return chunk_empty; + } + if (try == 1) + { + fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file); + } + else + { + fprintf(data->prompt, "invalid passphrase\n"); + } + fprintf(data->prompt, "Passphrase:\n"); + if (fgets(data->buf, sizeof(data->buf), data->prompt)) + { + secret = chunk_create(data->buf, strlen(data->buf)); + if (secret.len) + { /* trim appended \n */ + secret.len--; + } + } + return secret; +} + +/** * reload ipsec.secrets */ -static void load_secrets(private_stroke_cred_t *this, char *file, int level) +static void load_secrets(private_stroke_cred_t *this, char *file, int level, + FILE *prompt) { size_t bytes; int line_nr = 0; @@ -709,7 +726,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) fd = fopen(file, "r"); if (fd == NULL) { - DBG1(DBG_CFG, "opening secrets file '%s' failed"); + DBG1(DBG_CFG, "opening secrets file '%s' failed", file); return; } @@ -722,9 +739,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) fclose(fd); src = chunk; - this->lock->write_lock(this->lock); if (level == 0) { + this->lock->write_lock(this->lock); + /* flush secrets on non-recursive invocation */ while (this->shared->remove_last(this->shared, (void**)&shared) == SUCCESS) @@ -737,7 +755,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) private->destroy(private); } } - + while (fetchline(&src, &line)) { chunk_t ids, token; @@ -755,7 +773,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) glob_t buf; char **expanded, *dir, pattern[PATH_MAX]; u_char *pos; - + if (level > MAX_SECRETS_RECURSION) { DBG1(DBG_CFG, "maximum level of %d includes reached, ignored", @@ -782,7 +800,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) { /* use directory of current file if relative */ dir = strdup(file); dir = dirname(dir); - + if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern)) { DBG1(DBG_CFG, "include pattern too long, ignored"); @@ -802,13 +820,13 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) { for (expanded = buf.gl_pathv; *expanded != NULL; expanded++) { - load_secrets(this, *expanded, level + 1); + load_secrets(this, *expanded, level + 1, prompt); } } globfree(&buf); continue; } - + if (line.len > 2 && strneq(": ", line.ptr, 2)) { /* no ids, skip the ':' */ @@ -837,9 +855,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) char path[PATH_MAX]; chunk_t filename; chunk_t secret = chunk_empty; - private_key_t *key; - bool pgp = FALSE; - chunk_t chunk = chunk_empty; + private_key_t *key = NULL; key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA; err_t ugh = extract_value(&filename, &line); @@ -862,7 +878,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) else { /* relative path name */ - snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, + snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, filename.len, filename.ptr); } @@ -876,18 +892,36 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) goto error; } } - - if (pem_asn1_load_file(path, &secret, &chunk, &pgp)) + if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) { - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, - BUILD_BLOB_ASN1_DER, chunk, BUILD_END); - free(chunk.ptr); - if (key) + if (prompt) { - DBG1(DBG_CFG, " loaded private key file '%s'", path); - this->private->insert_last(this->private, key); + passphrase_cb_data_t data; + + data.prompt = prompt; + data.file = path; + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + key_type, BUILD_FROM_FILE, path, + BUILD_PASSPHRASE_CALLBACK, + passphrase_cb, &data, BUILD_END); } } + else + { + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, path, + BUILD_PASSPHRASE, secret, BUILD_END); + } + if (key) + { + DBG1(DBG_CFG, " loaded %N private key from '%s'", + key_type_names, key->get_type(key), path); + this->private->insert_last(this->private, key); + } + else + { + DBG1(DBG_CFG, " loading private key from '%s' failed", path); + } chunk_clear(&secret); } else if (match("PIN", &token)) @@ -896,9 +930,9 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) char smartcard[32], keyid[22], pin[32]; private_key_t *key; u_int slot; - + err_t ugh = extract_value(&sc, &line); - + if (ugh != NULL) { DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); @@ -911,7 +945,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) } snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr); smartcard[sizeof(smartcard) - 1] = '\0'; - + /* parse slot and key id. only two formats are supported. * first try %smartcard<slot>:<keyid> */ if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2) @@ -929,7 +963,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) " supported or invalid", line_nr); goto error; } - + if (!eat_whitespace(&line)) { DBG1(DBG_CFG, "line %d: expected PIN", line_nr); @@ -943,12 +977,12 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) } snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr); pin[sizeof(pin) - 1] = '\0'; - + /* we assume an RSA key */ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, BUILD_SMARTCARD_KEYID, smartcard, BUILD_SMARTCARD_PIN, pin, BUILD_END); - + if (key) { DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); @@ -975,7 +1009,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, ids.len > 0 ? (char*)ids.ptr : "%any"); DBG4(DBG_CFG, " secret: %#B", &secret); - + this->shared->insert_last(this->shared, shared_key); while (ids.len > 0) { @@ -992,7 +1026,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) { continue; } - + /* NULL terminate the ID string */ *(id.ptr + id.len) = '\0'; peer_id = identification_create_from_string(id.ptr); @@ -1001,7 +1035,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) peer_id->destroy(peer_id); continue; } - + shared_key->add_owner(shared_key, peer_id); any = FALSE; } @@ -1019,7 +1053,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level) } } error: - this->lock->unlock(this->lock); + if (level == 0) + { + this->lock->unlock(this->lock); + } chunk_clear(&chunk); } @@ -1052,12 +1089,12 @@ static void load_certs(private_stroke_cred_t *this) /** * Implementation of stroke_cred_t.reread. */ -static void reread(private_stroke_cred_t *this, stroke_msg_t *msg) +static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt) { if (msg->reread.flags & REREAD_SECRETS) { DBG1(DBG_CFG, "rereading secrets"); - load_secrets(this, SECRETS_FILE, 0); + load_secrets(this, SECRETS_FILE, 0, prompt); } if (msg->reread.flags & REREAD_CACERTS) { @@ -1110,28 +1147,28 @@ static void destroy(private_stroke_cred_t *this) stroke_cred_t *stroke_cred_create() { private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t); - + this->public.set.create_private_enumerator = (void*)create_private_enumerator; this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; this->public.set.create_cdp_enumerator = (void*)return_null; this->public.set.cache_cert = (void*)cache_cert; - this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread; + this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread; this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca; this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer; this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl; this->public.destroy = (void(*)(stroke_cred_t*))destroy; - + this->certs = linked_list_create(); this->shared = linked_list_create(); this->private = linked_list_create(); this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); load_certs(this); - load_secrets(this, SECRETS_FILE, 0); - + load_secrets(this, SECRETS_FILE, 0, NULL); + this->cachecrl = FALSE; - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h index 8bc042f13..ccee7d87c 100644 --- a/src/charon/plugins/stroke/stroke_cred.h +++ b/src/charon/plugins/stroke/stroke_cred.h @@ -21,6 +21,8 @@ #ifndef STROKE_CRED_H_ #define STROKE_CRED_H_ +#include <stdio.h> + #include <stroke_msg.h> #include <credentials/credential_set.h> #include <credentials/certificates/certificate.h> @@ -36,14 +38,15 @@ struct stroke_cred_t { * Implements credential_set_t */ credential_set_t set; - + /** * Reread secrets from config files. * * @param msg stroke message + * @param prompt I/O channel to prompt for private key passhprase */ - void (*reread)(stroke_cred_t *this, stroke_msg_t *msg); - + void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt); + /** * Load a CA certificate, and serve it through the credential_set. * @@ -51,7 +54,7 @@ struct stroke_cred_t { * @return reference to loaded certificate, or NULL */ certificate_t* (*load_ca)(stroke_cred_t *this, char *filename); - + /** * Load a peer certificate and serve it rhrough the credential_set. * @@ -59,18 +62,18 @@ struct stroke_cred_t { * @return reference to loaded certificate, or NULL */ certificate_t* (*load_peer)(stroke_cred_t *this, char *filename); - + /** * Enable/Disable CRL caching to disk. * * @param enabled TRUE to enable, FALSE to disable */ void (*cachecrl)(stroke_cred_t *this, bool enabled); - + /** - * Destroy a stroke_cred instance. - */ - void (*destroy)(stroke_cred_t *this); + * Destroy a stroke_cred instance. + */ + void (*destroy)(stroke_cred_t *this); }; /** diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 6f421bd30..c2a98da33 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c @@ -22,6 +22,8 @@ #include <credentials/certificates/x509.h> #include <credentials/certificates/ac.h> #include <credentials/certificates/crl.h> +#include <credentials/certificates/pgp_certificate.h> +#include <credentials/ietf_attributes/ietf_attributes.h> #include <config/peer_cfg.h> /* warning intervals for list functions */ @@ -40,12 +42,12 @@ struct private_stroke_list_t { * public functions */ stroke_list_t public; - + /** * timestamp of daemon start */ time_t uptime; - + /** * strokes attribute provider */ @@ -58,45 +60,45 @@ struct private_stroke_list_t { static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) { ike_sa_id_t *id = ike_sa->get_id(ike_sa); - time_t now = time(NULL); - + time_t now = time_monotonic(NULL); + fprintf(out, "%12s[%d]: %N", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), ike_sa_state_names, ike_sa->get_state(ike_sa)); - + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED) { time_t established; - + established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED); fprintf(out, " %V ago", &now, &established); } - + fprintf(out, ", %H[%Y]...%H[%Y]\n", ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa), ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa)); - + if (all) { proposal_t *ike_proposal; - + ike_proposal = ike_sa->get_proposal(ike_sa); - + fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "", id->get_responder_spi(id), id->is_initiator(id) ? "" : "*"); - - + + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED) { time_t rekey, reauth; peer_cfg_t *peer_cfg; - + rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY); reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH); peer_cfg = ike_sa->get_peer_cfg(ike_sa); - + if (rekey) { fprintf(out, ", rekeying in %V", &rekey, &now); @@ -106,7 +108,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) bool first = TRUE; enumerator_t *enumerator; auth_cfg_t *auth; - + fprintf(out, ", "); enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE); while (enumerator->enumerate(enumerator, &auth)) @@ -128,11 +130,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) } } fprintf(out, "\n"); - + if (ike_proposal) { char buf[BUF_LEN]; - + snprintf(buf, BUF_LEN, "%P", ike_proposal); fprintf(out, "%12s[%d]: IKE proposal: %s\n", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), @@ -146,17 +148,18 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) */ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { - time_t use_in, use_out, rekey, now = time(NULL); + time_t use_in, use_out, rekey, now; u_int64_t bytes_in, bytes_out; proposal_t *proposal; child_cfg_t *config = child_sa->get_config(child_sa); - - fprintf(out, "%12s{%d}: %N, %N%s", + + + fprintf(out, "%12s{%d}: %N, %N%s", child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), child_sa_state_names, child_sa->get_state(child_sa), ipsec_mode_names, child_sa->get_mode(child_sa), config->use_proxy_mode(config) ? "_PROXY" : ""); - + if (child_sa->get_state(child_sa) == CHILD_INSTALLED) { fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o", @@ -164,30 +167,30 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) child_sa->has_encap(child_sa) ? " in UDP" : "", ntohl(child_sa->get_spi(child_sa, TRUE)), ntohl(child_sa->get_spi(child_sa, FALSE))); - + if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE) { fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o", ntohs(child_sa->get_cpi(child_sa, TRUE)), ntohs(child_sa->get_cpi(child_sa, FALSE))); } - + if (all) { - fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa), + fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa), child_sa->get_reqid(child_sa)); - + proposal = child_sa->get_proposal(child_sa); if (proposal) { u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED; u_int16_t encr_size = 0, int_size = 0; - + proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &encr_alg, &encr_size); proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, &int_size); - + if (encr_alg != ENCR_UNDEFINED) { fprintf(out, "%N", encryption_algorithm_names, encr_alg); @@ -206,6 +209,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) } } + now = time_monotonic(NULL); child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in); fprintf(out, ", %llu bytes_i", bytes_in); if (use_in) @@ -220,7 +224,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) fprintf(out, " (%ds ago)", now - use_out); } fprintf(out, ", rekeying "); - + rekey = child_sa->get_lifetime(child_sa, FALSE); if (rekey) { @@ -237,10 +241,10 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { fprintf(out, "disabled"); } - + } } - + fprintf(out, "\n%12s{%d}: %#R=== %#R\n", child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), child_sa->get_traffic_selectors(child_sa, TRUE), @@ -260,9 +264,9 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) certificate_t *cert; cert_validation_t valid; char *name; - + name = peer_cfg->get_name(peer_cfg); - + enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); while (enumerator->enumerate(enumerator, &auth)) { @@ -327,7 +331,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) fprintf(out, "%12s: ocsp: status must be GOOD%s\n", name, (valid == VALIDATION_SKIPPED) ? " or SKIPPED" : ""); } - + valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION); if (valid != VALIDATION_FAILED) { @@ -360,18 +364,21 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo ike_sa_t *ike_sa; bool first, found = FALSE; char *name = msg->status.name; - + if (all) { peer_cfg_t *peer_cfg; char *plugin, *pool; host_t *host; u_int32_t dpd; - time_t now = time(NULL); + time_t since, now; u_int size, online, offline; - + + now = time_monotonic(NULL); + since = time(NULL) - (now - this->uptime); + fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n"); - fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &this->uptime, FALSE); + fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE); fprintf(out, " worker threads: %d idle of %d,", charon->processor->get_idle_threads(charon->processor), charon->processor->get_total_threads(charon->processor)); @@ -387,7 +394,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo } enumerator->destroy(enumerator); fprintf(out, "\n"); - + first = TRUE; enumerator = this->attribute->create_pool_enumerator(this->attribute); while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline)) @@ -404,7 +411,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo fprintf(out, " %s: %u/%u/%u\n", pool, size, online, offline); } enumerator->destroy(enumerator); - + enumerator = charon->kernel_interface->create_address_enumerator( charon->kernel_interface, FALSE, FALSE); fprintf(out, "Listening IP addresses:\n"); @@ -413,7 +420,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo fprintf(out, " %H\n", host); } enumerator->destroy(enumerator); - + fprintf(out, "Connections:\n"); enumerator = charon->backends->create_peer_cfg_enumerator( charon->backends, NULL, NULL, NULL, NULL); @@ -424,33 +431,33 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo { continue; } - + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); fprintf(out, "%12s: %s...%s", peer_cfg->get_name(peer_cfg), ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg)); - + dpd = peer_cfg->get_dpd(peer_cfg); if (dpd) { fprintf(out, ", dpddelay=%us", dpd); } fprintf(out, "\n"); - + log_auth_cfgs(out, peer_cfg, TRUE); log_auth_cfgs(out, peer_cfg, FALSE); - + children = peer_cfg->create_child_cfg_enumerator(peer_cfg); while (children->enumerate(children, &child_cfg)) { linked_list_t *my_ts, *other_ts; - + my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); fprintf(out, "%12s: child: %#R=== %#R", child_cfg->get_name(child_cfg), my_ts, other_ts); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); - + if (dpd) { fprintf(out, ", dpdaction=%N", action_names, @@ -463,7 +470,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo enumerator->destroy(enumerator); } - first = TRUE; + first = TRUE; enumerator = charon->traps->create_enumerator(charon->traps); while (enumerator->enumerate(enumerator, NULL, &child_sa)) { @@ -475,14 +482,14 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo log_child_sa(out, child_sa, all); } enumerator->destroy(enumerator); - + fprintf(out, "Security Associations:\n"); enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); while (enumerator->enumerate(enumerator, &ike_sa)) { bool ike_printed = FALSE; iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa); - + if (name == NULL || streq(name, ike_sa->get_name(ike_sa))) { log_ike_sa(out, ike_sa, all); @@ -501,12 +508,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo ike_printed = TRUE; } log_child_sa(out, child_sa, all); - } + } } children->destroy(children); } enumerator->destroy(enumerator); - + if (!found) { if (name) @@ -531,14 +538,14 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type) charon->credentials, type, KEY_ANY, NULL, FALSE); certificate_t *cert; - + while (enumerator->enumerate(enumerator, (void**)&cert)) { iterator_t *iterator = list->create_iterator(list, TRUE); identification_t *issuer = cert->get_issuer(cert); bool previous_same, same = FALSE, last = TRUE; certificate_t *list_cert; - + while (iterator->iterate(iterator, (void**)&list_cert)) { /* exit if we have a duplicate? */ @@ -569,6 +576,41 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type) } /** + * Print a single public key. + */ +static void list_public_key(public_key_t *public, FILE *out) +{ + private_key_t *private = NULL; + chunk_t keyid; + identification_t *id; + auth_cfg_t *auth; + + if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) + { + id = identification_create_from_encoding(ID_KEY_ID, keyid); + auth = auth_cfg_create(); + private = charon->credentials->get_private(charon->credentials, + public->get_type(public), id, auth); + auth->destroy(auth); + id->destroy(id); + } + + fprintf(out, " pubkey: %N %d bits%s\n", + key_type_names, public->get_type(public), + public->get_keysize(public) * 8, + private ? ", has private key" : ""); + if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + { + fprintf(out, " keyid: %#B\n", &keyid); + } + if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) + { + fprintf(out, " subjkey: %#B\n", &keyid); + } + DESTROY_IF(private); +} + +/** * list all raw public keys */ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) @@ -584,9 +626,6 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) if (public) { - private_key_t *private = NULL; - identification_t *id, *keyid; - if (first) { fprintf(out, "\n"); @@ -595,20 +634,52 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) } fprintf(out, "\n"); - /* list public key information */ - id = public->get_id(public, ID_PUBKEY_SHA1); - keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1); - - private = charon->credentials->get_private( - charon->credentials, - public->get_type(public), keyid, NULL); - fprintf(out, " pubkey: %N %d bits%s\n", - key_type_names, public->get_type(public), - public->get_keysize(public) * 8, - private ? ", has private key" : ""); - fprintf(out, " keyid: %Y\n", keyid); - fprintf(out, " subjkey: %Y\n", id); - DESTROY_IF(private); + list_public_key(public, out); + public->destroy(public); + } + } + enumerator->destroy(enumerator); +} + +/** + * list OpenPGP certificates + */ +static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out) +{ + bool first = TRUE; + time_t now = time(NULL); + enumerator_t *enumerator = list->create_enumerator(list); + certificate_t *cert; + + while (enumerator->enumerate(enumerator, (void**)&cert)) + { + time_t created, until; + public_key_t *public; + pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert; + chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert); + + if (first) + { + + fprintf(out, "\n"); + fprintf(out, "List of PGP End Entity Certificates:\n"); + first = FALSE; + } + fprintf(out, "\n"); + fprintf(out, " userid: '%Y'\n", cert->get_subject(cert)); + + fprintf(out, " digest: %#B\n", &fingerprint); + + /* list validity */ + cert->get_validity(cert, &now, &created, &until); + fprintf(out, " created: %T\n", &created, utc); + fprintf(out, " until: %T%s\n", &until, utc, + (until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":""); + + public = cert->get_public_key(cert); + if (public) + { + list_public_key(public, out); public->destroy(public); } } @@ -618,29 +689,35 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) /** * list all X.509 certificates matching the flags */ -static void stroke_list_certs(linked_list_t *list, char *label, +static void stroke_list_certs(linked_list_t *list, char *label, x509_flag_t flags, bool utc, FILE *out) { bool first = TRUE; time_t now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); + enumerator_t *enumerator; certificate_t *cert; + x509_flag_t flag_mask; + + /* mask all auxiliary flags */ + flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | + X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS ); + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, (void**)&cert)) { x509_t *x509 = (x509_t*)cert; - x509_flag_t x509_flags = x509->get_flags(x509); + x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask; - /* list only if flag is set, or flags == 0 (ignoring self-signed) */ - if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED))) + /* list only if flag is set or flag == 0 */ + if ((x509_flags & flags) || (x509_flags == flags)) { enumerator_t *enumerator; identification_t *altName; bool first_altName = TRUE; - chunk_t serial = x509->get_serial(x509); - identification_t *authkey = x509->get_authKeyIdentifier(x509); + int pathlen; + chunk_t serial, authkey; time_t notBefore, notAfter; - public_key_t *public = cert->get_public_key(cert); + public_key_t *public; if (first) { @@ -673,6 +750,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert)); fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); + serial = x509->get_serial(x509); fprintf(out, " serial: %#B\n", &serial); /* list validity */ @@ -700,33 +778,50 @@ static void stroke_list_certs(linked_list_t *list, char *label, } fprintf(out, " \n"); } - - /* list public key information */ + + public = cert->get_public_key(cert); if (public) { - private_key_t *private = NULL; - identification_t *id, *keyid; - - id = public->get_id(public, ID_PUBKEY_SHA1); - keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1); - - private = charon->credentials->get_private( - charon->credentials, - public->get_type(public), keyid, NULL); - fprintf(out, " pubkey: %N %d bits%s\n", - key_type_names, public->get_type(public), - public->get_keysize(public) * 8, - private ? ", has private key" : ""); - fprintf(out, " keyid: %Y\n", keyid); - fprintf(out, " subjkey: %Y\n", id); - DESTROY_IF(private); + list_public_key(public, out); public->destroy(public); } - + /* list optional authorityKeyIdentifier */ - if (authkey) + authkey = x509->get_authKeyIdentifier(x509); + if (authkey.ptr) { - fprintf(out, " authkey: %Y\n", authkey); + fprintf(out, " authkey: %#B\n", &authkey); + } + + /* list optional pathLenConstraint */ + pathlen = x509->get_pathLenConstraint(x509); + if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) + { + fprintf(out, " pathlen: %d\n", pathlen); + } + + /* list optional ipAddrBlocks */ + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + traffic_selector_t *ipAddrBlock; + bool first_ipAddrBlock = TRUE; + + fprintf(out, " addresses: "); + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &ipAddrBlock)) + { + if (first_ipAddrBlock) + { + first_ipAddrBlock = FALSE; + } + else + { + fprintf(out, ", "); + } + fprintf(out, "%R", ipAddrBlock); + } + enumerator->destroy(enumerator); + fprintf(out, "\n"); } } } @@ -746,11 +841,9 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) while (enumerator->enumerate(enumerator, (void**)&cert)) { ac_t *ac = (ac_t*)cert; - chunk_t serial = ac->get_serial(ac); - chunk_t holderSerial = ac->get_holderSerial(ac); - identification_t *holderIssuer = ac->get_holderIssuer(ac); - identification_t *authkey = ac->get_authKeyIdentifier(ac); - identification_t *entityName = cert->get_subject(cert); + identification_t *id; + ietf_attributes_t *groups; + chunk_t chunk; if (first) { @@ -760,20 +853,30 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) } fprintf(out, "\n"); - if (entityName) + id = cert->get_subject(cert); + if (id) { - fprintf(out, " holder: \"%Y\"\n", entityName); + fprintf(out, " holder: \"%Y\"\n", id); } - if (holderIssuer) + id = ac->get_holderIssuer(ac); + if (id) { - fprintf(out, " hissuer: \"%Y\"\n", holderIssuer); + fprintf(out, " hissuer: \"%Y\"\n", id); } - if (holderSerial.ptr) + chunk = ac->get_holderSerial(ac); + if (chunk.ptr) { - fprintf(out, " hserial: %#B\n", &holderSerial); + fprintf(out, " hserial: %#B\n", &chunk); + } + groups = ac->get_groups(ac); + if (groups) + { + fprintf(out, " groups: %s\n", groups->get_string(groups)); + groups->destroy(groups); } fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - fprintf(out, " serial: %#B\n", &serial); + chunk = ac->get_serial(ac); + fprintf(out, " serial: %#B\n", &chunk); /* list validity */ cert->get_validity(cert, &now, &thisUpdate, &nextUpdate); @@ -794,9 +897,10 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) } /* list optional authorityKeyIdentifier */ - if (authkey) + chunk = ac->get_authKeyIdentifier(ac); + if (chunk.ptr) { - fprintf(out, " authkey: %Y\n", authkey); + fprintf(out, " authkey: %#B\n", &chunk); } } enumerator->destroy(enumerator); @@ -811,12 +915,11 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) time_t thisUpdate, nextUpdate, now = time(NULL); enumerator_t *enumerator = list->create_enumerator(list); certificate_t *cert; - + while (enumerator->enumerate(enumerator, (void**)&cert)) { crl_t *crl = (crl_t*)cert; - chunk_t serial = crl->get_serial(crl); - identification_t *authkey = crl->get_authKeyIdentifier(crl); + chunk_t chunk; if (first) { @@ -829,9 +932,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); /* list optional crlNumber */ - if (serial.ptr) + chunk = crl->get_serial(crl); + if (chunk.ptr) { - fprintf(out, " serial: %#B\n", &serial); + fprintf(out, " serial: %#B\n", &chunk); } /* count the number of revoked certificates */ @@ -867,9 +971,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) } /* list optional authorityKeyIdentifier */ - if (authkey) + chunk = crl->get_authKeyIdentifier(crl); + if (chunk.ptr) { - fprintf(out, " authkey: %Y\n", authkey); + fprintf(out, " authkey: %#B\n", &chunk); } } enumerator->destroy(enumerator); @@ -883,7 +988,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) bool first = TRUE; enumerator_t *enumerator = list->create_enumerator(list); certificate_t *cert; - + while (enumerator->enumerate(enumerator, (void**)&cert)) { if (first) @@ -910,7 +1015,7 @@ static void list_algs(FILE *out) hash_algorithm_t hash; pseudo_random_function_t prf; diffie_hellman_group_t group; - + fprintf(out, "\n"); fprintf(out, "List of registered IKEv2 Algorithms:\n"); fprintf(out, "\n encryption: "); @@ -963,7 +1068,14 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY); stroke_list_pubkeys(pubkey_list, msg->list.utc, out); - pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); + pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); + } + if (msg->list.flags & LIST_CERTS) + { + linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG); + + stroke_list_pgp(pgp_list, msg->list.utc, out); + pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS)) { @@ -972,7 +1084,7 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) if (msg->list.flags & LIST_CERTS) { stroke_list_certs(cert_list, "X.509 End Entity Certificates", - 0, msg->list.utc, out); + X509_NONE, msg->list.utc, out); } if (msg->list.flags & LIST_CACERTS) { @@ -989,33 +1101,34 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) stroke_list_certs(cert_list, "X.509 AA Certificates", X509_AA, msg->list.utc, out); } + DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy)); + if (msg->list.flags & LIST_ACERTS) { linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC); stroke_list_acerts(ac_list, msg->list.utc, out); - ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); + ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & LIST_CRLS) { linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL); stroke_list_crls(crl_list, msg->list.utc, out); - crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); + crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & LIST_OCSP) { linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE); stroke_list_ocsp(ocsp_list, msg->list.utc, out); - - ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); + + ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); } if (msg->list.flags & LIST_ALGS) { list_algs(out); } - DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy)); } /** @@ -1029,7 +1142,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, host_t *lease; bool on; int found = 0; - + fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n", pool, online + offline, size, online); enumerator = this->attribute->create_lease_enumerator(this->attribute, pool); @@ -1059,12 +1172,12 @@ static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) host_t *address = NULL; char *pool; int found = 0; - + if (msg->leases.address) { address = host_create_from_string(msg->leases.address, 0); } - + enumerator = this->attribute->create_pool_enumerator(this->attribute); while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline)) { @@ -1103,15 +1216,15 @@ static void destroy(private_stroke_list_t *this) stroke_list_t *stroke_list_create(stroke_attribute_t *attribute) { private_stroke_list_t *this = malloc_thing(private_stroke_list_t); - + this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list; this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status; this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases; this->public.destroy = (void(*)(stroke_list_t*))destroy; - - this->uptime = time(NULL); + + this->uptime = time_monotonic(NULL); this->attribute = attribute; - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h index 2430abfbb..b5bedc6c2 100644 --- a/src/charon/plugins/stroke/stroke_list.h +++ b/src/charon/plugins/stroke/stroke_list.h @@ -40,7 +40,7 @@ struct stroke_list_t { * @param out stroke console stream */ void (*list)(stroke_list_t *this, stroke_msg_t *msg, FILE *out); - + /** * Log status information to stroke console. * @@ -49,7 +49,7 @@ struct stroke_list_t { * @param all TRUE for "statusall" */ void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all); - + /** * Log pool leases to stroke console. * @@ -57,7 +57,7 @@ struct stroke_list_t { * @param out stroke console stream */ void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out); - + /** * Destroy a stroke_list instance. */ diff --git a/src/charon/plugins/stroke/stroke_plugin.c b/src/charon/plugins/stroke/stroke_plugin.c index 22c1125a1..61ae10953 100644 --- a/src/charon/plugins/stroke/stroke_plugin.c +++ b/src/charon/plugins/stroke/stroke_plugin.c @@ -29,7 +29,7 @@ struct private_stroke_plugin_t { * public functions */ stroke_plugin_t public; - + /** * stroke socket, receives strokes */ @@ -51,9 +51,9 @@ static void destroy(private_stroke_plugin_t *this) plugin_t *plugin_create() { private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t); - + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + this->socket = stroke_socket_create(); if (this->socket == NULL) { diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h index 6e9d556ad..3a1e81df6 100644 --- a/src/charon/plugins/stroke/stroke_plugin.h +++ b/src/charon/plugins/stroke/stroke_plugin.h @@ -20,7 +20,7 @@ * @defgroup stroke_plugin stroke_plugin * @{ @ingroup stroke */ - + #ifndef STROKE_PLUGIN_H_ #define STROKE_PLUGIN_H_ diff --git a/src/charon/plugins/stroke/stroke_shared_key.c b/src/charon/plugins/stroke/stroke_shared_key.c index 8f53f509d..4f716e83a 100644 --- a/src/charon/plugins/stroke/stroke_shared_key.c +++ b/src/charon/plugins/stroke/stroke_shared_key.c @@ -28,7 +28,7 @@ struct private_stroke_shared_key_t { * implements shared_key_t */ stroke_shared_key_t public; - + /** * type of this key */ @@ -43,7 +43,7 @@ struct private_stroke_shared_key_t { * list of key owners, as identification_t */ linked_list_t *owners; - + /** * reference counter */ @@ -73,8 +73,8 @@ static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this) static chunk_t get_key(private_stroke_shared_key_t *this) { return this->key; -} - +} + /** * Implementation of stroke_shared_key_t.has_owner. */ @@ -83,7 +83,7 @@ static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t enumerator_t *enumerator; id_match_t match, best = ID_MATCH_NONE; identification_t *current; - + enumerator = this->owners->create_enumerator(this->owners); while (enumerator->enumerate(enumerator, ¤t)) { @@ -135,6 +135,6 @@ stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t ke this->type = type; this->key = key; this->ref = 1; - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h index 224062100..05ad55083 100644 --- a/src/charon/plugins/stroke/stroke_shared_key.h +++ b/src/charon/plugins/stroke/stroke_shared_key.h @@ -35,21 +35,21 @@ struct stroke_shared_key_t { * Implements the shared_key_t interface. */ shared_key_t shared; - + /** * Add an owner to the key. * * @param owner owner to add */ void (*add_owner)(stroke_shared_key_t *this, identification_t *owner); - + /** * Check if a key has a specific owner. * * @param owner owner to check * @return best match found */ - id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner); + id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner); }; /** diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c index 9b6a8a3a7..820e097f1 100644 --- a/src/charon/plugins/stroke/stroke_socket.c +++ b/src/charon/plugins/stroke/stroke_socket.c @@ -23,11 +23,10 @@ #include <sys/fcntl.h> #include <unistd.h> #include <errno.h> -#include <pthread.h> #include <processing/jobs/callback_job.h> #include <daemon.h> -#include <utils/mutex.h> /* for Mac OS X compatible accept */ +#include <threading/thread.h> #include "stroke_config.h" #include "stroke_control.h" @@ -48,42 +47,42 @@ struct private_stroke_socket_t { * public functions */ stroke_socket_t public; - + /** * Unix socket to listen for strokes */ int socket; - + /** * job accepting stroke messages */ callback_job_t *job; - + /** * configuration backend */ stroke_config_t *config; - + /** * attribute provider */ stroke_attribute_t *attribute; - + /** * controller to control daemon */ stroke_control_t *control; - + /** * credential set */ stroke_cred_t *cred; - + /** * CA sections */ stroke_ca_t *ca; - + /** * Status information logging */ @@ -99,7 +98,7 @@ struct stroke_job_context_t { * file descriptor to read from */ int fd; - + /** * global stroke interface */ @@ -152,7 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end) pop_string(msg, &end->ca2); pop_string(msg, &end->groups); pop_string(msg, &end->updown); - + DBG2(DBG_CFG, " %s=%s", label, end->address); DBG2(DBG_CFG, " %ssubnet=%s", label, end->subnets); DBG2(DBG_CFG, " %ssourceip=%s", label, end->sourceip); @@ -202,7 +201,7 @@ static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg) { pop_string(msg, &msg->del_conn.name); DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name); - + this->config->del(this->config, msg); this->attribute->del_pool(this->attribute, msg); } @@ -214,7 +213,7 @@ static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FI { pop_string(msg, &msg->initiate.name); DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name); - + this->control->initiate(this->control, msg, out); } @@ -227,7 +226,7 @@ static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, F DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name); this->control->terminate(this->control, msg, out); -} +} /** * terminate a connection by peers virtual IP @@ -250,7 +249,7 @@ static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE { pop_string(msg, &msg->route.name); DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name); - + this->control->route(this->control, msg, out); } @@ -261,7 +260,7 @@ static void stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FIL { pop_string(msg, &msg->terminate.name); DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name); - + this->control->unroute(this->control, msg, out); } @@ -287,7 +286,7 @@ static void stroke_add_ca(private_stroke_socket_t *this, DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri); DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2); DBG2(DBG_CFG, " certuribase=%s", msg->add_ca.certuribase); - + this->ca->add(this->ca, msg); } @@ -299,7 +298,7 @@ static void stroke_del_ca(private_stroke_socket_t *this, { pop_string(msg, &msg->del_ca.name); DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name); - + this->ca->del(this->ca, msg); } @@ -311,7 +310,7 @@ static void stroke_status(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out, bool all) { pop_string(msg, &(msg->status.name)); - + this->list->status(this->list, msg, out, all); } @@ -333,7 +332,7 @@ static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE * static void stroke_reread(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) { - this->cred->reread(this->cred, msg); + this->cred->reread(this->cred, msg, out); } /** @@ -361,7 +360,7 @@ static void stroke_leases(private_stroke_socket_t *this, { pop_string(msg, &msg->leases.pool); pop_string(msg, &msg->leases.address); - + this->list->leases(this->list, msg, out); } @@ -390,11 +389,11 @@ static void stroke_loglevel(private_stroke_socket_t *this, sys_logger_t *sys_logger; file_logger_t *file_logger; debug_t group; - + pop_string(msg, &(msg->loglevel.type)); DBG1(DBG_CFG, "received stroke: loglevel %d for %s", msg->loglevel.level, msg->loglevel.type); - + group = get_group_from_name(msg->loglevel.type); if (group < 0) { @@ -448,7 +447,7 @@ static job_requeue_t process(stroke_job_context_t *ctx) FILE *out; private_stroke_socket_t *this = ctx->this; int strokefd = ctx->fd; - + /* peek the length */ bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK); if (bytes_read != sizeof(msg_length)) @@ -457,7 +456,7 @@ static job_requeue_t process(stroke_job_context_t *ctx) strerror(errno)); return JOB_REQUEUE_NONE; } - + /* read message */ msg = alloca(msg_length); bytes_read = recv(strokefd, msg, msg_length, 0); @@ -466,16 +465,16 @@ static job_requeue_t process(stroke_job_context_t *ctx) DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno)); return JOB_REQUEUE_NONE; } - - out = fdopen(strokefd, "w"); + + out = fdopen(strokefd, "w+"); if (out == NULL) { DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno)); return JOB_REQUEUE_NONE; } - + DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length); - + switch (msg->type) { case STR_INITIATE: @@ -547,27 +546,27 @@ static job_requeue_t receive(private_stroke_socket_t *this) struct sockaddr_un strokeaddr; int strokeaddrlen = sizeof(strokeaddr); int strokefd; - int oldstate; + bool oldstate; callback_job_t *job; stroke_job_context_t *ctx; - - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + + oldstate = thread_cancelability(TRUE); strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen); - pthread_setcancelstate(oldstate, NULL); - + thread_cancelability(oldstate); + if (strokefd < 0) { DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno)); return JOB_REQUEUE_FAIR; } - + ctx = malloc_thing(stroke_job_context_t); ctx->fd = strokefd; ctx->this = this; job = callback_job_create((callback_job_cb_t)process, ctx, (void*)stroke_job_context_destroy, this->job); charon->processor->queue_job(charon->processor, (job_t*)job); - + return JOB_REQUEUE_FAIR; } @@ -582,7 +581,7 @@ static bool open_socket(private_stroke_socket_t *this) socket_addr.sun_family = AF_UNIX; strcpy(socket_addr.sun_path, STROKE_SOCKET); - + /* set up unix socket */ this->socket = socket(AF_UNIX, SOCK_STREAM, 0); if (this->socket == -1) @@ -590,7 +589,7 @@ static bool open_socket(private_stroke_socket_t *this) DBG1(DBG_CFG, "could not create stroke socket"); return FALSE; } - + unlink(socket_addr.sun_path); old = umask(~(S_IRWXU | S_IRWXG)); if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0) @@ -605,7 +604,7 @@ static bool open_socket(private_stroke_socket_t *this) DBG1(DBG_CFG, "changing stroke socket permissions failed: %s", strerror(errno)); } - + if (listen(this->socket, 10) < 0) { DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno)); @@ -625,7 +624,7 @@ static void destroy(private_stroke_socket_t *this) charon->credentials->remove_set(charon->credentials, &this->ca->set); charon->credentials->remove_set(charon->credentials, &this->cred->set); charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->attributes->remove_provider(charon->attributes, &this->attribute->provider); + lib->attributes->remove_provider(lib->attributes, &this->attribute->provider); this->cred->destroy(this->cred); this->ca->destroy(this->ca); this->config->destroy(this->config); @@ -641,31 +640,31 @@ static void destroy(private_stroke_socket_t *this) stroke_socket_t *stroke_socket_create() { private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t); - + this->public.destroy = (void(*)(stroke_socket_t*))destroy; - + if (!open_socket(this)) { free(this); return NULL; } - + this->cred = stroke_cred_create(); this->attribute = stroke_attribute_create(); this->ca = stroke_ca_create(this->cred); this->config = stroke_config_create(this->ca, this->cred); this->control = stroke_control_create(); this->list = stroke_list_create(this->attribute); - + charon->credentials->add_set(charon->credentials, &this->ca->set); charon->credentials->add_set(charon->credentials, &this->cred->set); charon->backends->add_backend(charon->backends, &this->config->backend); - charon->attributes->add_provider(charon->attributes, &this->attribute->provider); - + lib->attributes->add_provider(lib->attributes, &this->attribute->provider); + this->job = callback_job_create((callback_job_cb_t)receive, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); - + return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h index 6073f5133..2aac8be9b 100644 --- a/src/charon/plugins/stroke/stroke_socket.h +++ b/src/charon/plugins/stroke/stroke_socket.h @@ -27,11 +27,11 @@ typedef struct stroke_socket_t stroke_socket_t; * Stroke socket, opens UNIX communication socket, reads and dispatches. */ struct stroke_socket_t { - + /** - * Destroy a stroke_socket instance. - */ - void (*destroy)(stroke_socket_t *this); + * Destroy a stroke_socket instance. + */ + void (*destroy)(stroke_socket_t *this); }; /** |