diff options
Diffstat (limited to 'src/libcharon/plugins')
162 files changed, 8935 insertions, 11475 deletions
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 4cb047929..426d1a689 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c index 1c407035d..5fdb36c5c 100644 --- a/src/libcharon/plugins/addrblock/addrblock_plugin.c +++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c @@ -61,7 +61,11 @@ plugin_t *addrblock_plugin_create() private_addrblock_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .validator = addrblock_validator_create(), .narrower = addrblock_narrow_create(), ); diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in index 6e4903ee1..d80868798 100644 --- a/src/libcharon/plugins/android/Makefile.in +++ b/src/libcharon/plugins/android/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c index e2c8572ef..3d82d8f60 100644 --- a/src/libcharon/plugins/android/android_plugin.c +++ b/src/libcharon/plugins/android/android_plugin.c @@ -79,8 +79,10 @@ plugin_t *android_plugin_create() private_android_plugin_t *this; INIT(this, - .public.plugin = { - .destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, }, .logger = android_logger_create(), .handler = android_handler_create(), diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c index 538c4a9a2..f9a8e1ea1 100644 --- a/src/libcharon/plugins/android/android_service.c +++ b/src/libcharon/plugins/android/android_service.c @@ -141,7 +141,7 @@ METHOD(listener_t, child_updown, bool, * callback, but from a different thread. we also delay it to avoid * a race condition during a regular shutdown */ job = callback_job_create(shutdown_callback, NULL, NULL, NULL); - charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, 1); + lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1); return FALSE; } } @@ -378,7 +378,7 @@ android_service_t *android_service_create(android_creds_t *creds) charon->bus->add_listener(charon->bus, &this->public.listener); this->job = callback_job_create((callback_job_cb_t)initiate, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index b34654fb7..e843c42e8 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c index 829fd6356..fccc99ba5 100644 --- a/src/libcharon/plugins/dhcp/dhcp_plugin.c +++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c @@ -62,7 +62,11 @@ plugin_t *dhcp_plugin_create() private_dhcp_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .socket = dhcp_socket_create(), ); diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index f61b3a60e..e1e83d648 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -31,6 +31,7 @@ #include <threading/condvar.h> #include <threading/thread.h> +#include <hydra.h> #include <daemon.h> #include <processing/jobs/callback_job.h> @@ -205,8 +206,8 @@ static int prepare_dhcp(private_dhcp_socket_t *this, else { /* act as relay agent */ - src = charon->kernel_interface->get_source_addr( - charon->kernel_interface, this->dst, NULL); + src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, + this->dst, NULL); if (src) { memcpy(&dhcp->gateway_address, src->get_address(src).ptr, @@ -462,8 +463,6 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) offer = host_create_from_chunk(AF_INET, chunk_from_thing(dhcp->your_address), 0); - server = host_create_from_chunk(AF_INET, - chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT); this->mutex->lock(this->mutex); enumerator = this->discover->create_enumerator(this->discover); @@ -471,11 +470,8 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) { if (transaction->get_id(transaction) == dhcp->transaction_id) { - DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server); this->discover->remove_at(this->discover, enumerator); this->request->insert_last(this->request, transaction); - transaction->set_address(transaction, offer->clone(offer)); - transaction->set_server(transaction, server->clone(server)); break; } } @@ -504,9 +500,22 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) chunk_create((char*)&option->data[pos], 4)); } } + if (option->type == DHCP_SERVER_ID && option->len == 4) + { + server = host_create_from_chunk(AF_INET, + chunk_create(option->data, 4), DHCP_SERVER_PORT); + } optlen -= optsize; optpos += optsize; } + if (!server) + { + server = host_create_from_chunk(AF_INET, + chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT); + } + DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server); + transaction->set_address(transaction, offer->clone(offer)); + transaction->set_server(transaction, server->clone(server)); } this->mutex->unlock(this->mutex); this->condvar->broadcast(this->condvar); @@ -751,7 +760,7 @@ dhcp_socket_t *dhcp_socket_create() this->job = callback_job_create((callback_job_cb_t)receive_dhcp, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 14bf3f15d..c0750786d 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index b41b59616..41f69546e 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 57952f621..02d659197 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index d78957438..46011694a 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_identity/eap_identity.c b/src/libcharon/plugins/eap_identity/eap_identity.c index ab082a955..03066b2f8 100644 --- a/src/libcharon/plugins/eap_identity/eap_identity.c +++ b/src/libcharon/plugins/eap_identity/eap_identity.c @@ -59,11 +59,8 @@ struct eap_identity_header_t { u_int8_t data[]; } __attribute__((__packed__)); -/** - * Implementation of eap_method_t.process for the peer - */ -static status_t process_peer(private_eap_identity_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_peer, status_t, + private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t id; eap_identity_header_t *hdr; @@ -74,7 +71,7 @@ static status_t process_peer(private_eap_identity_t *this, hdr = alloca(len); hdr->code = EAP_RESPONSE; - hdr->identifier = in->get_identifier(in); + hdr->identifier = in ? in->get_identifier(in) : 0; hdr->length = htons(len); hdr->type = EAP_IDENTITY; memcpy(hdr->data, id.ptr, id.len); @@ -83,20 +80,15 @@ static status_t process_peer(private_eap_identity_t *this, return SUCCESS; } -/** - * Implementation of eap_method_t.initiate for the peer - */ -static status_t initiate_peer(private_eap_identity_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_peer, status_t, + private_eap_identity_t *this, eap_payload_t **out) { /* peer never initiates */ return FAILED; } -/** - * Implementation of eap_method_t.process for the server - */ -static status_t process_server(private_eap_identity_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_server, status_t, + private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t data; @@ -108,10 +100,8 @@ static status_t process_server(private_eap_identity_t *this, return SUCCESS; } -/** - * Implementation of eap_method_t.initiate for the server - */ -static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_server, status_t, + private_eap_identity_t *this, eap_payload_t **out) { eap_identity_header_t hdr; @@ -125,19 +115,15 @@ static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **ou return NEED_MORE; } -/** - * Implementation of eap_method_t.get_type. - */ -static eap_type_t get_type(private_eap_identity_t *this, u_int32_t *vendor) +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_identity_t *this, u_int32_t *vendor) { *vendor = 0; return EAP_IDENTITY; } -/** - * Implementation of eap_method_t.get_msk. - */ -static status_t get_msk(private_eap_identity_t *this, chunk_t *msk) +METHOD(eap_method_t, get_msk, status_t, + private_eap_identity_t *this, chunk_t *msk) { if (this->identity.ptr) { @@ -147,56 +133,42 @@ static status_t get_msk(private_eap_identity_t *this, chunk_t *msk) return FAILED; } -/** - * Implementation of eap_method_t.is_mutual. - */ -static bool is_mutual(private_eap_identity_t *this) +METHOD(eap_method_t, is_mutual, bool, + private_eap_identity_t *this) { return FALSE; } -/** - * Implementation of eap_method_t.destroy. - */ -static void destroy(private_eap_identity_t *this) +METHOD(eap_method_t, destroy, void, + private_eap_identity_t *this) { this->peer->destroy(this->peer); free(this->identity.ptr); free(this); } -/** - * Generic constructor - */ -static private_eap_identity_t *eap_identity_create(identification_t *server, - identification_t *peer) -{ - private_eap_identity_t *this = malloc_thing(private_eap_identity_t); - - this->public.eap_method_interface.initiate = NULL; - this->public.eap_method_interface.process = NULL; - this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; - this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; - this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; - this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - - this->peer = peer->clone(peer); - this->identity = chunk_empty; - - return this; -} - /* * Described in header. */ eap_identity_t *eap_identity_create_peer(identification_t *server, identification_t *peer) { - private_eap_identity_t *this = eap_identity_create(server, peer); - - /* public functions */ - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer; + private_eap_identity_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_peer, + .process = _process_peer, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .identity = chunk_empty, + ); return &this->public; } @@ -207,11 +179,22 @@ eap_identity_t *eap_identity_create_peer(identification_t *server, eap_identity_t *eap_identity_create_server(identification_t *server, identification_t *peer) { - private_eap_identity_t *this = eap_identity_create(server, peer); - - /* public functions */ - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server; + private_eap_identity_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_server, + .process = _process_server, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .identity = chunk_empty, + ); return &this->public; } diff --git a/src/libcharon/plugins/eap_identity/eap_identity.h b/src/libcharon/plugins/eap_identity/eap_identity.h index 7364a8bda..9a7f28574 100644 --- a/src/libcharon/plugins/eap_identity/eap_identity.h +++ b/src/libcharon/plugins/eap_identity/eap_identity.h @@ -33,7 +33,7 @@ struct eap_identity_t { /** * Implemented eap_method_t interface. */ - eap_method_t eap_method_interface; + eap_method_t eap_method; }; /** diff --git a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c index 082997154..079c27909 100644 --- a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c +++ b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c @@ -14,15 +14,12 @@ */ #include "eap_identity_plugin.h" - #include "eap_identity.h" #include <daemon.h> -/** - * Implementation of plugin_t.destroy - */ -static void destroy(eap_identity_plugin_t *this) +METHOD(plugin_t, destroy, void, + eap_identity_plugin_t *this) { charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_identity_create_server); @@ -36,9 +33,13 @@ static void destroy(eap_identity_plugin_t *this) */ plugin_t *eap_identity_plugin_create() { - eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t); + eap_identity_plugin_t *this; - this->plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER, (eap_constructor_t)eap_identity_create_server); diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 5bfc59fa4..2e307147f 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c index 3554ae12e..f70754abb 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.c +++ b/src/libcharon/plugins/eap_md5/eap_md5.c @@ -47,7 +47,7 @@ struct private_eap_md5_t { chunk_t challenge; /** - * EAP message identififier + * EAP message identifier */ u_int8_t identifier; }; @@ -105,19 +105,15 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response, return SUCCESS; } -/** - * Implementation of eap_method_t.initiate for the peer - */ -static status_t initiate_peer(private_eap_md5_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_peer, status_t, + private_eap_md5_t *this, eap_payload_t **out) { /* peer never initiates */ return FAILED; } -/** - * Implementation of eap_method_t.initiate for the server - */ -static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate_server, status_t, + private_eap_md5_t *this, eap_payload_t **out) { rng_t *rng; eap_md5_header_t *req; @@ -142,11 +138,8 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out) return NEED_MORE; } -/** - * Implementation of eap_method_t.process for the peer - */ -static status_t process_peer(private_eap_md5_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_peer, status_t, + private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t response; chunk_t data; @@ -177,11 +170,8 @@ static status_t process_peer(private_eap_md5_t *this, return NEED_MORE; } -/** - * Implementation of eap_method_t.process for the server - */ -static status_t process_server(private_eap_md5_t *this, - eap_payload_t *in, eap_payload_t **out) +METHOD(eap_method_t, process_server, status_t, + private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out) { chunk_t response, expected; chunk_t data; @@ -209,35 +199,27 @@ static status_t process_server(private_eap_md5_t *this, return SUCCESS; } -/** - * Implementation of eap_method_t.get_type. - */ -static eap_type_t get_type(private_eap_md5_t *this, u_int32_t *vendor) +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_md5_t *this, u_int32_t *vendor) { *vendor = 0; return EAP_MD5; } -/** - * Implementation of eap_method_t.get_msk. - */ -static status_t get_msk(private_eap_md5_t *this, chunk_t *msk) +METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) { return FAILED; } -/** - * Implementation of eap_method_t.is_mutual. - */ -static bool is_mutual(private_eap_md5_t *this) +METHOD(eap_method_t, is_mutual, bool, + private_eap_md5_t *this) { return FALSE; } -/** - * Implementation of eap_method_t.destroy. - */ -static void destroy(private_eap_md5_t *this) +METHOD(eap_method_t, destroy, void, + private_eap_md5_t *this) { this->peer->destroy(this->peer); this->server->destroy(this->server); @@ -245,39 +227,27 @@ static void destroy(private_eap_md5_t *this) free(this); } -/** - * Generic constructor - */ -static private_eap_md5_t *eap_md5_create_generic(identification_t *server, - identification_t *peer) -{ - private_eap_md5_t *this = malloc_thing(private_eap_md5_t); - - this->public.eap_method_interface.initiate = NULL; - this->public.eap_method_interface.process = NULL; - this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; - this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; - this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; - this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - - /* private data */ - this->peer = peer->clone(peer); - this->server = server->clone(server); - this->challenge = chunk_empty; - this->identifier = 0; - - return this; -} - /* - * see header + * See header */ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer) { - private_eap_md5_t *this = eap_md5_create_generic(server, peer); - - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server; + private_eap_md5_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_server, + .process = _process_server, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .server = server->clone(server), + ); /* generate a non-zero identifier */ do { @@ -288,14 +258,26 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee } /* - * see header + * See header */ eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer) { - private_eap_md5_t *this = eap_md5_create_generic(server, peer); - - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer; + private_eap_md5_t *this; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate_peer, + .process = _process_peer, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .server = server->clone(server), + ); return &this->public; } diff --git a/src/libcharon/plugins/eap_md5/eap_md5.h b/src/libcharon/plugins/eap_md5/eap_md5.h index 3cff0dd79..c6687149a 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.h +++ b/src/libcharon/plugins/eap_md5/eap_md5.h @@ -33,7 +33,7 @@ struct eap_md5_t { /** * Implemented eap_method_t interface. */ - eap_method_t eap_method_interface; + eap_method_t eap_method; }; /** diff --git a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c index e716dc6e8..39a6f5731 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c +++ b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c @@ -14,15 +14,12 @@ */ #include "eap_md5_plugin.h" - #include "eap_md5.h" #include <daemon.h> -/** - * Implementation of plugin_t.destroy - */ -static void destroy(eap_md5_plugin_t *this) +METHOD(plugin_t, destroy, void, + eap_md5_plugin_t *this) { charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_md5_create_server); @@ -36,9 +33,13 @@ static void destroy(eap_md5_plugin_t *this) */ plugin_t *eap_md5_plugin_create() { - eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t); + eap_md5_plugin_t *this; - this->plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER, (eap_constructor_t)eap_md5_create_server); diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index d61cc9e5d..635cfe6ec 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index 3cd8d994c..4f39c8608 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -818,7 +818,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, eap_mschapv2_header_t *eap; chunk_t data; char *message, *token, *msg = NULL; - int message_len, error = 0, retryable; + int message_len, error = 0, retriable; chunk_t challenge = chunk_empty; data = in->get_data(in); @@ -847,7 +847,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, else if (strneq(token, "R=", 2)) { token += 2; - retryable = atoi(token); + retriable = atoi(token); } else if (strneq(token, "C=", 2)) { @@ -880,17 +880,17 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, mschapv2_error_names, error, sanitize(msg)); /** - * at this point, if the error is retryable, we MAY retry the authentication + * at this point, if the error is retriable, we MAY retry the authentication * or MAY send a Change Password packet. * - * if the error is not retryable (or if we do neither of the above), we + * if the error is not retriable (or if we do neither of the above), we * SHOULD send a Failure Response packet. * windows clients don't do that, and since windows server 2008 r2 behaves * pretty odd if we do send a Failure Response, we just don't send one * either. windows 7 actually sends a delete notify (which, according to the * logs, results in an error on windows server 2008 r2). * - * btw, windows server 2008 r2 does not send non-retryable errors for e.g. + * btw, windows server 2008 r2 does not send non-retriable errors for e.g. * a disabled account but returns the windows error code in a notify payload * of type 12345. */ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index bb372d13c..1d771d9a4 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index 65b868bc6..157034fe5 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -20,6 +20,8 @@ #include <daemon.h> +#define TUNNEL_TYPE_ESP 9 + typedef struct private_eap_radius_t private_eap_radius_t; /** @@ -71,6 +73,11 @@ struct private_eap_radius_t { * Handle the Class attribute as group membership information? */ bool class_group; + + /** + * Handle the Filter-Id attribute as IPsec CHILD_SA name? + */ + bool filter_id; }; /** @@ -211,6 +218,62 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg) enumerator->destroy(enumerator); } +/** + * Handle the Filter-Id attribute as IPsec CHILD_SA name + */ +static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg) +{ + enumerator_t *enumerator; + int type; + u_int8_t tunnel_tag; + u_int32_t tunnel_type; + chunk_t filter_id = chunk_empty, data; + bool is_esp_tunnel = FALSE; + + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) + { + switch (type) + { + case RAT_TUNNEL_TYPE: + if (data.len != 4) + { + continue; + } + tunnel_tag = *data.ptr; + *data.ptr = 0x00; + tunnel_type = untoh32(data.ptr); + DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: " + "tag = %u, value = %u", tunnel_tag, tunnel_type); + is_esp_tunnel = (tunnel_type == TUNNEL_TYPE_ESP); + break; + case RAT_FILTER_ID: + filter_id = data; + DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: " + "'%.*s'", filter_id.len, filter_id.ptr); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (is_esp_tunnel && filter_id.len) + { + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_data(filter_id); + auth->add(auth, AUTH_RULE_GROUP, id); + } + } +} + METHOD(eap_method_t, process, status_t, private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out) { @@ -247,12 +310,17 @@ METHOD(eap_method_t, process, status_t, { process_class(this, response); } + if (this->filter_id) + { + process_filter_id(this, response); + } + DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful", + this->peer); status = SUCCESS; break; case RMC_ACCESS_REJECT: default: - DBG1(DBG_CFG, "received %N from RADIUS server", - radius_message_code_names, response->get_code(response)); + DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer); status = FAILED; break; } @@ -313,13 +381,15 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer private_eap_radius_t *this; INIT(this, - .public.eap_method_interface = { - .initiate = _initiate, - .process = _process, - .get_type = _get_type, - .is_mutual = _is_mutual, - .get_msk = _get_msk, - .destroy = _destroy, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, }, /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ .type = EAP_RADIUS, @@ -329,6 +399,9 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer "charon.plugins.eap-radius.id_prefix", ""), .class_group = lib->settings->get_bool(lib->settings, "charon.plugins.eap-radius.class_group", FALSE), + .filter_id = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-radius.filter_id", FALSE), + ); this->client = radius_client_create(); if (!this->client) diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h index 8eb9e8c2d..e98cb06e3 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.h +++ b/src/libcharon/plugins/eap_radius/eap_radius.h @@ -33,7 +33,7 @@ struct eap_radius_t { /** * Implemented eap_method_t interface. */ - eap_method_t eap_method_interface; + eap_method_t eap_method; }; /** diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 91aae2f62..1c24d77d5 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c @@ -151,7 +151,11 @@ plugin_t *eap_radius_plugin_create() private_eap_radius_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .servers = linked_list_create(), ); diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h index b820cb583..ba4c94619 100644 --- a/src/libcharon/plugins/eap_radius/radius_server.h +++ b/src/libcharon/plugins/eap_radius/radius_server.h @@ -79,6 +79,7 @@ struct radius_server_t { * @param server server address * @param port server port * @param nas_identifier NAS-Identifier to use with this server + * @param secret secret to use with this server * @param sockets number of sockets to create in pool * @param preference preference boost for this server */ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index d0f44e925..d05930bbd 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 2aa0ac832..46a584265 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 7d80f8019..2d8556a59 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -201,14 +204,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -248,7 +261,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index fc26f4497..e59015f82 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +203,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +260,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index f2e82df0a..3c66d2f36 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c index 0f5319792..1cc5352d8 100644 --- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c @@ -85,8 +85,10 @@ plugin_t *eap_simaka_sql_plugin_create() "charon.plugins.eap-simaka-sql.remove_used", FALSE); INIT(this, - .public.plugin = { - .destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, }, .db = db, .provider = eap_simaka_sql_provider_create(db, remove_used), diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am new file mode 100644 index 000000000..29ddd822b --- /dev/null +++ b/src/libcharon/plugins/eap_tls/Makefile.am @@ -0,0 +1,17 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-tls.la +else +plugin_LTLIBRARIES = libstrongswan-eap-tls.la +libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_eap_tls_la_SOURCES = \ + eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c + +libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in new file mode 100644 index 000000000..e4b78faf8 --- /dev/null +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -0,0 +1,605 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_tls +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_eap_tls_la_OBJECTS = eap_tls_plugin.lo eap_tls.lo +libstrongswan_eap_tls_la_OBJECTS = \ + $(am_libstrongswan_eap_tls_la_OBJECTS) +libstrongswan_eap_tls_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_eap_tls_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_tls_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_tls_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_tls_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_tls_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tls.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tls.la +@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_eap_tls_la_SOURCES = \ + eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c + +libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) + $(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c new file mode 100644 index 000000000..efe72c437 --- /dev/null +++ b/src/libcharon/plugins/eap_tls/eap_tls.c @@ -0,0 +1,155 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tls.h" + +#include <tls_eap.h> + +#include <daemon.h> +#include <library.h> + +typedef struct private_eap_tls_t private_eap_tls_t; + +/** + * Private data of an eap_tls_t object. + */ +struct private_eap_tls_t { + + /** + * Public interface. + */ + eap_tls_t public; + + /** + * TLS stack, wrapped by EAP helper + */ + tls_eap_t *tls_eap; +}; + +/** Maximum number of EAP-TLS messages/fragments allowed */ +#define MAX_MESSAGE_COUNT 32 +/** Default size of a EAP-TLS fragment */ +#define MAX_FRAGMENT_LEN 1024 + +METHOD(eap_method_t, initiate, status_t, + private_eap_tls_t *this, eap_payload_t **out) +{ + chunk_t data; + + if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + return NEED_MORE; + } + return FAILED; +} + +METHOD(eap_method_t, process, status_t, + private_eap_tls_t *this, eap_payload_t *in, eap_payload_t **out) +{ + status_t status; + chunk_t data; + + data = in->get_data(in); + status = this->tls_eap->process(this->tls_eap, data, &data); + if (status == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + } + return status; +} + +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_tls_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_TLS; +} + +METHOD(eap_method_t, get_msk, status_t, + private_eap_tls_t *this, chunk_t *msk) +{ + *msk = this->tls_eap->get_msk(this->tls_eap); + if (msk->len) + { + return SUCCESS; + } + return FAILED; +} + +METHOD(eap_method_t, is_mutual, bool, + private_eap_tls_t *this) +{ + return TRUE; +} + +METHOD(eap_method_t, destroy, void, + private_eap_tls_t *this) +{ + this->tls_eap->destroy(this->tls_eap); + free(this); +} + +/** + * Generic private constructor + */ +static eap_tls_t *eap_tls_create(identification_t *server, + identification_t *peer, bool is_server) +{ + private_eap_tls_t *this; + size_t frag_size; + int max_msg_count; + tls_t *tls; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + ); + + frag_size = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN); + max_msg_count = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT); + tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL); + this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count); + if (!this->tls_eap) + { + free(this); + return NULL; + } + return &this->public; +} + +eap_tls_t *eap_tls_create_server(identification_t *server, + identification_t *peer) +{ + return eap_tls_create(server, peer, TRUE); +} + +eap_tls_t *eap_tls_create_peer(identification_t *server, + identification_t *peer) +{ + return eap_tls_create(server, peer, FALSE); +} diff --git a/src/libcharon/plugins/eap_tls/eap_tls.h b/src/libcharon/plugins/eap_tls/eap_tls.h new file mode 100644 index 000000000..7e080230a --- /dev/null +++ b/src/libcharon/plugins/eap_tls/eap_tls.h @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_tls_i eap_tls + * @{ @ingroup eap_tls + */ + +#ifndef EAP_TLS_H_ +#define EAP_TLS_H_ + +typedef struct eap_tls_t eap_tls_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of eap_method_t using EAP-TLS. + */ +struct eap_tls_t { + + /** + * Implements eap_method_t interface. + */ + eap_method_t eap_method; +}; + +/** + * Creates the EAP method EAP-TLS acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tls_t object + */ +eap_tls_t *eap_tls_create_server(identification_t *server, + identification_t *peer); + +/** + * Creates the EAP method EAP-TLS acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tls_t object + */ +eap_tls_t *eap_tls_create_peer(identification_t *server, + identification_t *peer); + +#endif /** EAP_TLS_H_ @}*/ diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.c b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c new file mode 100644 index 000000000..a7c040bf4 --- /dev/null +++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tls_plugin.h" + +#include "eap_tls.h" + +#include <daemon.h> + + +METHOD(plugin_t, destroy, void, + eap_tls_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tls_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tls_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *eap_tls_plugin_create() +{ + eap_tls_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_SERVER, + (eap_constructor_t)eap_tls_create_server); + charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_PEER, + (eap_constructor_t)eap_tls_create_peer); + + return &this->plugin; +} diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h index 74c9ae24f..5ea719603 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h +++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h @@ -1,6 +1,6 @@ /* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -14,24 +14,24 @@ */ /** - * @defgroup kernel_netlink kernel_netlink + * @defgroup eap_tls eap_tls * @ingroup cplugins * - * @defgroup kernel_netlink_plugin kernel_netlink_plugin - * @{ @ingroup kernel_netlink + * @defgroup eap_tls_plugin eap_tls_plugin + * @{ @ingroup eap_tls */ -#ifndef KERNEL_NETLINK_PLUGIN_H_ -#define KERNEL_NETLINK_PLUGIN_H_ +#ifndef EAP_TLS_PLUGIN_H_ +#define EAP_TLS_PLUGIN_H_ #include <plugins/plugin.h> -typedef struct kernel_netlink_plugin_t kernel_netlink_plugin_t; +typedef struct eap_tls_plugin_t eap_tls_plugin_t; /** - * netlink kernel interface plugin + * EAP-TLS plugin */ -struct kernel_netlink_plugin_t { +struct eap_tls_plugin_t { /** * implements plugin interface @@ -39,4 +39,9 @@ struct kernel_netlink_plugin_t { plugin_t plugin; }; -#endif /** KERNEL_NETLINK_PLUGIN_H_ @}*/ +/** + * Create a eap_tls_plugin instance. + */ +plugin_t *eap_tls_plugin_create(); + +#endif /** EAP_TLS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am new file mode 100644 index 000000000..9c5a445c5 --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/Makefile.am @@ -0,0 +1,17 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-tnc.la +else +plugin_LTLIBRARIES = libstrongswan-eap-tnc.la +libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_eap_tnc_la_SOURCES = \ + eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c + +libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in new file mode 100644 index 000000000..fb7108a8a --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -0,0 +1,605 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_tnc +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_eap_tnc_la_OBJECTS = eap_tnc_plugin.lo eap_tnc.lo +libstrongswan_eap_tnc_la_OBJECTS = \ + $(am_libstrongswan_eap_tnc_la_OBJECTS) +libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_eap_tnc_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_tnc_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_tnc_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_tnc_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_tnc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tnc.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tnc.la +@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_eap_tnc_la_SOURCES = \ + eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c + +libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) + $(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c new file mode 100644 index 000000000..f0bff0e1f --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -0,0 +1,156 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tnc.h" + +#include <tls_eap.h> + +#include <daemon.h> +#include <library.h> + +typedef struct private_eap_tnc_t private_eap_tnc_t; + +/** + * Private data of an eap_tnc_t object. + */ +struct private_eap_tnc_t { + + /** + * Public authenticator_t interface. + */ + eap_tnc_t public; + + /** + * TLS stack, wrapped by EAP helper + */ + tls_eap_t *tls_eap; +}; + + +/** Maximum number of EAP-TNC messages/fragments allowed */ +#define MAX_MESSAGE_COUNT 10 +/** Default size of a EAP-TNC fragment */ +#define MAX_FRAGMENT_LEN 50000 + +METHOD(eap_method_t, initiate, status_t, + private_eap_tnc_t *this, eap_payload_t **out) +{ + chunk_t data; + + if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + return NEED_MORE; + } + return FAILED; +} + +METHOD(eap_method_t, process, status_t, + private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out) +{ + status_t status; + chunk_t data; + + data = in->get_data(in); + status = this->tls_eap->process(this->tls_eap, data, &data); + if (status == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + } + return status; +} + +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_tnc_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_TNC; +} + +METHOD(eap_method_t, get_msk, status_t, + private_eap_tnc_t *this, chunk_t *msk) +{ + *msk = this->tls_eap->get_msk(this->tls_eap); + if (msk->len) + { + return SUCCESS; + } + return FAILED; +} + +METHOD(eap_method_t, is_mutual, bool, + private_eap_tnc_t *this) +{ + return FALSE; +} + +METHOD(eap_method_t, destroy, void, + private_eap_tnc_t *this) +{ + this->tls_eap->destroy(this->tls_eap); + free(this); +} + +/** + * Generic private constructor + */ +static eap_tnc_t *eap_tnc_create(identification_t *server, + identification_t *peer, bool is_server) +{ + private_eap_tnc_t *this; + size_t frag_size; + int max_msg_count; + tnccs_t *tnccs; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + ); + + frag_size = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN); + max_msg_count = lib->settings->get_int(lib->settings, + "charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT); + tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server); + this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count); + if (!this->tls_eap) + { + free(this); + return NULL; + } + return &this->public; +} + +eap_tnc_t *eap_tnc_create_server(identification_t *server, + identification_t *peer) +{ + return eap_tnc_create(server, peer, TRUE); +} + +eap_tnc_t *eap_tnc_create_peer(identification_t *server, + identification_t *peer) +{ + return eap_tnc_create(server, peer, FALSE); +} diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h new file mode 100644 index 000000000..7e166fb60 --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_tnc_i eap_tnc + * @{ @ingroup eap_tnc + */ + +#ifndef EAP_TNC_H_ +#define EAP_TNC_H_ + +typedef struct eap_tnc_t eap_tnc_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of the eap_method_t interface using EAP-TNC. + */ +struct eap_tnc_t { + + /** + * Implemented eap_method_t interface. + */ + eap_method_t eap_method; +}; + +/** + * Creates the EAP method EAP-TNC acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tnc_t object + */ +eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer); + +/** + * Creates the EAP method EAP-TNC acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_tnc_t object + */ +eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer); + +#endif /** EAP_TNC_H_ @}*/ diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c new file mode 100644 index 000000000..7430e4cac --- /dev/null +++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_tnc_plugin.h" +#include "eap_tnc.h" + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + eap_tnc_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tnc_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_tnc_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *eap_tnc_plugin_create() +{ + eap_tnc_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_SERVER, + (eap_constructor_t)eap_tnc_create_server); + charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_PEER, + (eap_constructor_t)eap_tnc_create_peer); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h index ecccc6303..97298eb5c 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h +++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2010 Andreas Steffen * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -14,24 +14,24 @@ */ /** - * @defgroup kernel_pfkey kernel_pfkey + * @defgroup eap_tnc eap_tnc * @ingroup cplugins * - * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin - * @{ @ingroup kernel_pfkey + * @defgroup eap_tnc_plugin eap_tnc_plugin + * @{ @ingroup eap_tnc */ -#ifndef KERNEL_PFKEY_PLUGIN_H_ -#define KERNEL_PFKEY_PLUGIN_H_ +#ifndef EAP_TNC_PLUGIN_H_ +#define EAP_TNC_PLUGIN_H_ #include <plugins/plugin.h> -typedef struct kernel_pfkey_plugin_t kernel_pfkey_plugin_t; +typedef struct eap_tnc_plugin_t eap_tnc_plugin_t; /** - * PF_KEY kernel interface plugin + * EAP-TNC plugin */ -struct kernel_pfkey_plugin_t { +struct eap_tnc_plugin_t { /** * implements plugin interface @@ -39,4 +39,4 @@ struct kernel_pfkey_plugin_t { plugin_t plugin; }; -#endif /** KERNEL_PFKEY_PLUGIN_H_ @}*/ +#endif /** EAP_TNC_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am new file mode 100644 index 000000000..94ce5cc1e --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/Makefile.am @@ -0,0 +1,21 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-ttls.la +else +plugin_LTLIBRARIES = libstrongswan-eap-ttls.la +libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_eap_ttls_la_SOURCES = \ + eap_ttls_plugin.h eap_ttls_plugin.c \ + eap_ttls_avp.h eap_ttls_avp.c \ + eap_ttls.h eap_ttls.c \ + eap_ttls_peer.h eap_ttls_peer.c \ + eap_ttls_server.h eap_ttls_server.c + +libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in new file mode 100644 index 000000000..2cdd7701d --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -0,0 +1,615 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_ttls +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_eap_ttls_la_OBJECTS = eap_ttls_plugin.lo \ + eap_ttls_avp.lo eap_ttls.lo eap_ttls_peer.lo \ + eap_ttls_server.lo +libstrongswan_eap_ttls_la_OBJECTS = \ + $(am_libstrongswan_eap_ttls_la_OBJECTS) +libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_ttls_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_ttls_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_ttls_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_ttls_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_ttls_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-ttls.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-ttls.la +@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_eap_ttls_la_SOURCES = \ + eap_ttls_plugin.h eap_ttls_plugin.c \ + eap_ttls_avp.h eap_ttls_avp.c \ + eap_ttls.h eap_ttls.c \ + eap_ttls_peer.h eap_ttls_peer.c \ + eap_ttls_server.h eap_ttls_server.c + +libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) + $(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_avp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_peer.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_server.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c new file mode 100644 index 000000000..a62af6ea4 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c @@ -0,0 +1,165 @@ +/* + * Copyright (C) 2010 Martin Willi, revosec AG + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls.h" +#include "eap_ttls_peer.h" +#include "eap_ttls_server.h" + +#include <tls_eap.h> + +#include <daemon.h> +#include <library.h> + +typedef struct private_eap_ttls_t private_eap_ttls_t; + +/** + * Private data of an eap_ttls_t object. + */ +struct private_eap_ttls_t { + + /** + * Public interface. + */ + eap_ttls_t public; + + /** + * TLS stack, wrapped by EAP helper + */ + tls_eap_t *tls_eap; +}; + +/** Maximum number of EAP-TTLS messages/fragments allowed */ +#define MAX_MESSAGE_COUNT 32 +/** Default size of a EAP-TTLS fragment */ +#define MAX_FRAGMENT_LEN 1024 + +METHOD(eap_method_t, initiate, status_t, + private_eap_ttls_t *this, eap_payload_t **out) +{ + chunk_t data; + + if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + return NEED_MORE; + } + return FAILED; +} + +METHOD(eap_method_t, process, status_t, + private_eap_ttls_t *this, eap_payload_t *in, eap_payload_t **out) +{ + status_t status; + chunk_t data; + + data = in->get_data(in); + status = this->tls_eap->process(this->tls_eap, data, &data); + if (status == NEED_MORE) + { + *out = eap_payload_create_data(data); + free(data.ptr); + } + return status; +} + +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_ttls_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_TTLS; +} + +METHOD(eap_method_t, get_msk, status_t, + private_eap_ttls_t *this, chunk_t *msk) +{ + *msk = this->tls_eap->get_msk(this->tls_eap); + if (msk->len) + { + return SUCCESS; + } + return FAILED; +} + +METHOD(eap_method_t, is_mutual, bool, + private_eap_ttls_t *this) +{ + return TRUE; +} + +METHOD(eap_method_t, destroy, void, + private_eap_ttls_t *this) +{ + this->tls_eap->destroy(this->tls_eap); + free(this); +} + +/** + * Generic private constructor + */ +static eap_ttls_t *eap_ttls_create(identification_t *server, + identification_t *peer, bool is_server, + tls_application_t *application) +{ + private_eap_ttls_t *this; + size_t frag_size; + int max_msg_count; + tls_t *tls; + + INIT(this, + .public = { + .eap_method = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + }, + ); + if (is_server && !lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.request_peer_auth", FALSE)) + { + peer = NULL; + } + frag_size = lib->settings->get_int(lib->settings, + "charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN); + max_msg_count = lib->settings->get_int(lib->settings, + "charon.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT); + tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application); + this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count); + if (!this->tls_eap) + { + application->destroy(application); + free(this); + return NULL; + } + return &this->public; +} + +eap_ttls_t *eap_ttls_create_server(identification_t *server, + identification_t *peer) +{ + return eap_ttls_create(server, peer, TRUE, + &eap_ttls_server_create(server, peer)->application); +} + +eap_ttls_t *eap_ttls_create_peer(identification_t *server, + identification_t *peer) +{ + return eap_ttls_create(server, peer, FALSE, + &eap_ttls_peer_create(server, peer)->application); +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.h b/src/libcharon/plugins/eap_ttls/eap_ttls.h new file mode 100644 index 000000000..6e3bf2ceb --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls.h @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_i eap_ttls + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_H_ +#define EAP_TTLS_H_ + +typedef struct eap_ttls_t eap_ttls_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of eap_method_t using EAP-TTLS. + */ +struct eap_ttls_t { + + /** + * Implements eap_method_t interface. + */ + eap_method_t eap_method; +}; + +/** + * Creates the EAP method EAP-TTLS acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_ttls_t object + */ +eap_ttls_t *eap_ttls_create_server(identification_t *server, + identification_t *peer); + +/** + * Creates the EAP method EAP-TTLS acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_ttls_t object + */ +eap_ttls_t *eap_ttls_create_peer(identification_t *server, + identification_t *peer); + +#endif /** EAP_TTLS_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c new file mode 100644 index 000000000..0eb5e94be --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c @@ -0,0 +1,187 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_avp.h" + +#include <debug.h> + +#define AVP_EAP_MESSAGE 79 +#define AVP_HEADER_LEN 8 + +typedef struct private_eap_ttls_avp_t private_eap_ttls_avp_t; + +/** + * Private data of an eap_ttls_avp_t object. + */ +struct private_eap_ttls_avp_t { + + /** + * Public eap_ttls_avp_t interface. + */ + eap_ttls_avp_t public; + + /** + * AVP input buffer + */ + chunk_t input; + + /** + * Position in input buffer + */ + size_t inpos; + + /** + * process header (TRUE) or body (FALSE) + */ + bool process_header; + + /** + * Size of AVP data + */ + size_t data_len; +}; + +METHOD(eap_ttls_avp_t, build, void, + private_eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data) +{ + char zero_padding[] = { 0x00, 0x00, 0x00 }; + chunk_t avp_padding; + u_int8_t avp_flags; + u_int32_t avp_len; + + avp_flags = 0x40; + avp_len = 8 + data.len; + avp_padding = chunk_create(zero_padding, (4 - data.len) % 4); + + writer->write_uint32(writer, AVP_EAP_MESSAGE); + writer->write_uint8(writer, avp_flags); + writer->write_uint24(writer, avp_len); + writer->write_data(writer, data); + writer->write_data(writer, avp_padding); +} + +METHOD(eap_ttls_avp_t, process, status_t, + private_eap_ttls_avp_t* this, tls_reader_t *reader, chunk_t *data) +{ + size_t len; + chunk_t buf; + + if (this->process_header) + { + tls_reader_t *header; + u_int32_t avp_code; + u_int8_t avp_flags; + u_int32_t avp_len; + bool success; + + len = min(reader->remaining(reader), AVP_HEADER_LEN - this->inpos); + if (!reader->read_data(reader, len, &buf)) + { + return FAILED; + } + if (this->input.len == 0) + { + /* start of a new AVP header */ + this->input = chunk_alloc(AVP_HEADER_LEN); + memcpy(this->input.ptr, buf.ptr, len); + this->inpos = len; + } + else + { + memcpy(this->input.ptr + this->inpos, buf.ptr, len); + this->inpos += len; + } + + if (this->inpos < AVP_HEADER_LEN) + { + return NEED_MORE; + } + + /* parse AVP header */ + header = tls_reader_create(this->input); + success = header->read_uint32(header, &avp_code) && + header->read_uint8(header, &avp_flags) && + header->read_uint24(header, &avp_len); + header->destroy(header); + chunk_free(&this->input); + this->inpos = 0; + + if (!success) + { + DBG1(DBG_IKE, "received invalid AVP header"); + return FAILED; + } + if (avp_code != AVP_EAP_MESSAGE) + { + DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code); + return FAILED; + } + this->process_header = FALSE; + this->data_len = avp_len - 8; + this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4); + } + + /* process AVP data */ + len = min(reader->remaining(reader), this->input.len - this->inpos); + if (!reader->read_data(reader, len, &buf)) + { + return FAILED; + } + memcpy(this->input.ptr + this->inpos, buf.ptr, len); + this->inpos += len; + if (this->inpos < this->input.len) + { + return NEED_MORE; + } + + *data = this->input; + data->len = this->data_len; + + /* preparing for next AVP */ + this->input = chunk_empty; + this->inpos = 0; + this->process_header = TRUE; + + return SUCCESS; +} + +METHOD(eap_ttls_avp_t, destroy, void, + private_eap_ttls_avp_t *this) +{ + chunk_free(&this->input); + free(this); +} + +/** + * See header + */ +eap_ttls_avp_t *eap_ttls_avp_create(void) +{ + private_eap_ttls_avp_t *this; + + INIT(this, + .public= { + .process = _process, + .build = _build, + .destroy = _destroy, + }, + .input = chunk_empty, + .inpos = 0, + .process_header = TRUE, + .data_len = 0, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h new file mode 100644 index 000000000..cad1d9c56 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h @@ -0,0 +1,68 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_avp eap_ttls_avp + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_AVP_H_ +#define EAP_TTLS_AVP_H_ + +typedef struct eap_ttls_avp_t eap_ttls_avp_t; + +#include <library.h> + +#include <tls_reader.h> +#include <tls_writer.h> + +/** + * EAP-TTLS Attribute-Value Pair (AVP) handler. + */ +struct eap_ttls_avp_t { + + /** + * Process received EAP-TTLS EAP Message AVP. + * + * @param reader TLS data buffer + * @param data received EAP Message + * @return + * - SUCCESS if AVP processing succeeded + * - FAILED if AVP processing failed + * - NEED_MORE if another invocation of process/build needed + */ + status_t (*process)(eap_ttls_avp_t *this, tls_reader_t *reader, + chunk_t *data); + + /** + * Build EAP-TTLS EAP Message AVP to send out. + * + * @param writer TLS data buffer to write to + * @param data EAP Message to send + */ + void (*build)(eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data); + + /** + * Destroy a eap_ttls_application_t. + */ + void (*destroy)(eap_ttls_avp_t *this); +}; + +/** + * Create an eap_ttls_avp instance. + */ +eap_ttls_avp_t *eap_ttls_avp_create(void); + +#endif /** EAP_TTLS_AVP_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c new file mode 100644 index 000000000..10d08ca2a --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c @@ -0,0 +1,316 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_peer.h" +#include "eap_ttls_avp.h" + +#include <debug.h> +#include <daemon.h> + +#include <sa/authenticators/eap/eap_method.h> + +typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t; + +/** + * Private data of an eap_ttls_peer_t object. + */ +struct private_eap_ttls_peer_t { + + /** + * Public eap_ttls_peer_t interface. + */ + eap_ttls_peer_t public; + + /** + * Server identity + */ + identification_t *server; + + /** + * Peer identity + */ + identification_t *peer; + + /** + * Current EAP-TTLS state + */ + bool start_phase2; + + /** + * Current phase 2 EAP method + */ + eap_method_t *method; + + /** + * Pending outbound EAP message + */ + eap_payload_t *out; + + /** + * AVP handler + */ + eap_ttls_avp_t *avp; +}; + +/** + * EAP packet format + */ +typedef struct __attribute__((packed)) { + u_int8_t code; + u_int8_t identifier; + u_int16_t length; + u_int8_t type; + u_int8_t data; +} eap_packet_t; + +#define MAX_RADIUS_ATTRIBUTE_SIZE 253 + +METHOD(tls_application_t, process, status_t, + private_eap_ttls_peer_t *this, tls_reader_t *reader) +{ + chunk_t avp_data = chunk_empty; + chunk_t eap_data = chunk_empty; + status_t status; + payload_t *payload; + eap_payload_t *in; + eap_packet_t *pkt; + eap_code_t code; + eap_type_t type, received_type; + u_int32_t vendor, received_vendor; + u_int16_t eap_len; + size_t eap_pos = 0; + bool concatenated = FALSE; + + do + { + status = this->avp->process(this->avp, reader, &avp_data); + switch (status) + { + case SUCCESS: + break; + case NEED_MORE: + DBG1(DBG_IKE, "need more AVP data"); + return NEED_MORE; + case FAILED: + default: + return FAILED; + } + + if (eap_data.len == 0) + { + if (avp_data.len < 4) + { + DBG1(DBG_IKE, "AVP size to small to contain EAP header"); + chunk_free(&avp_data); + return FAILED; + } + pkt = (eap_packet_t*)avp_data.ptr; + eap_len = untoh16(&pkt->length); + + if (eap_len <= avp_data.len) + { + /* standard: EAP packet contained in a single AVP */ + eap_data = avp_data; + break; + } + else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE) + { + /* non-standard: EAP packet segmented into multiple AVPs */ + eap_data = chunk_alloc(eap_len); + concatenated = TRUE; + } + else + { + DBG1(DBG_IKE, "non-radius segmentation of EAP packet into AVPs"); + chunk_free(&avp_data); + return FAILED; + } + } + + if (avp_data.len > eap_data.len - eap_pos) + { + DBG1(DBG_IKE, "AVP size to large to fit into EAP packet"); + chunk_free(&avp_data); + chunk_free(&eap_data); + return FAILED; + } + memcpy(eap_data.ptr + eap_pos, avp_data.ptr, avp_data.len); + eap_pos += avp_data.len; + chunk_free(&avp_data); + } + while (eap_pos < eap_data.len); + + in = eap_payload_create_data(eap_data); + chunk_free(&eap_data); + payload = (payload_t*)in; + + if (payload->verify(payload) != SUCCESS) + { + in->destroy(in); + return FAILED; + } + code = in->get_code(in); + received_type = in->get_type(in, &received_vendor); + DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP%s [EAP/%N/%N]", + concatenated ? "s" : "", + eap_code_short_names, code, + eap_type_short_names, received_type); + if (code != EAP_REQUEST) + { + DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST); + in->destroy(in); + return FAILED; + } + + if (this->method == NULL) + { + if (received_vendor) + { + DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d", + received_type, received_vendor); + } + else + { + DBG1(DBG_IKE, "server requested %N authentication", + eap_type_names, received_type); + } + this->method = charon->eap->create_instance(charon->eap, + received_type, received_vendor, + EAP_PEER, this->server, this->peer); + if (!this->method) + { + DBG1(DBG_IKE, "EAP method not supported"); + this->out = eap_payload_create_nak(in->get_identifier(in)); + in->destroy(in); + return NEED_MORE; + } + } + + type = this->method->get_type(this->method, &vendor); + + if (type != received_type || vendor != received_vendor) + { + DBG1(DBG_IKE, "received invalid EAP request"); + in->destroy(in); + return FAILED; + } + + status = this->method->process(this->method, in, &this->out); + in->destroy(in); + + switch (status) + { + case SUCCESS: + this->method->destroy(this->method); + this->method = NULL; + return NEED_MORE; + case NEED_MORE: + if (type != EAP_TNC) + { + this->method->destroy(this->method); + this->method = NULL; + } + return NEED_MORE; + case FAILED: + default: + if (vendor) + { + DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", + type, vendor); + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, type); + } + return FAILED; + } +} + +METHOD(tls_application_t, build, status_t, + private_eap_ttls_peer_t *this, tls_writer_t *writer) +{ + chunk_t data; + eap_code_t code; + eap_type_t type; + u_int32_t vendor; + + if (this->method == NULL && this->start_phase2) + { + /* generate an EAP Identity response */ + this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY, + 0, EAP_PEER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "EAP_IDENTITY method not available"); + return FAILED; + } + this->method->process(this->method, NULL, &this->out); + this->method->destroy(this->method); + this->method = NULL; + this->start_phase2 = FALSE; + } + + if (this->out) + { + code = this->out->get_code(this->out); + type = this->out->get_type(this->out, &vendor); + DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]", + eap_code_short_names, code, eap_type_short_names, type); + + /* get the raw EAP message data */ + data = this->out->get_data(this->out); + this->avp->build(this->avp, writer, data); + + this->out->destroy(this->out); + this->out = NULL; + } + return INVALID_STATE; +} + +METHOD(tls_application_t, destroy, void, + private_eap_ttls_peer_t *this) +{ + this->server->destroy(this->server); + this->peer->destroy(this->peer); + DESTROY_IF(this->method); + DESTROY_IF(this->out); + this->avp->destroy(this->avp); + free(this); +} + +/** + * See header + */ +eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server, + identification_t *peer) +{ + private_eap_ttls_peer_t *this; + + INIT(this, + .public = { + .application = { + .process = _process, + .build = _build, + .destroy = _destroy, + }, + }, + .server = server->clone(server), + .peer = peer->clone(peer), + .start_phase2 = TRUE, + .avp = eap_ttls_avp_create(), + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h new file mode 100644 index 000000000..31fc0d9db --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_peer eap_ttls_peer + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_PEER_H_ +#define EAP_TTLS_PEER_H_ + +typedef struct eap_ttls_peer_t eap_ttls_peer_t; + +#include "tls_application.h" + +#include <library.h> + +/** + * TLS application data handler as peer. + */ +struct eap_ttls_peer_t { + + /** + * Implements the TLS application data handler. + */ + tls_application_t application; +}; + +/** + * Create an eap_ttls_peer instance. + */ +eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server, + identification_t *peer); + +#endif /** EAP_TTLS_PEER_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c new file mode 100644 index 000000000..48e759dcc --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_plugin.h" + +#include "eap_ttls.h" + +#include <daemon.h> + + +METHOD(plugin_t, destroy, void, + eap_ttls_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_ttls_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_ttls_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *eap_ttls_plugin_create() +{ + eap_ttls_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_SERVER, + (eap_constructor_t)eap_ttls_create_server); + charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_PEER, + (eap_constructor_t)eap_ttls_create_peer); + + return &this->plugin; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h new file mode 100644 index 000000000..2abc82931 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls eap_ttls + * @ingroup cplugins + * + * @defgroup eap_ttls_plugin eap_ttls_plugin + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_PLUGIN_H_ +#define EAP_TTLS_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_ttls_plugin_t eap_ttls_plugin_t; + +/** + * EAP-TTLS plugin + */ +struct eap_ttls_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a eap_ttls_plugin instance. + */ +plugin_t *eap_ttls_plugin_create(); + +#endif /** EAP_TTLS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c new file mode 100644 index 000000000..835cd7306 --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c @@ -0,0 +1,365 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_ttls_server.h" +#include "eap_ttls_avp.h" + +#include <debug.h> +#include <daemon.h> + +#include <sa/authenticators/eap/eap_method.h> + +typedef struct private_eap_ttls_server_t private_eap_ttls_server_t; + +/** + * Private data of an eap_ttls_server_t object. + */ +struct private_eap_ttls_server_t { + + /** + * Public eap_ttls_server_t interface. + */ + eap_ttls_server_t public; + + /** + * Server identity + */ + identification_t *server; + + /** + * Peer identity + */ + identification_t *peer; + + /** + * Current EAP-TTLS phase2 state + */ + bool start_phase2; + + /** + * Current EAP-TTLS phase2 TNC state + */ + bool start_phase2_tnc; + + /** + * Current phase 2 EAP method + */ + eap_method_t *method; + + /** + * Pending outbound EAP message + */ + eap_payload_t *out; + + /** + * AVP handler + */ + eap_ttls_avp_t *avp; +}; + +/** + * Start EAP client authentication protocol + */ +static status_t start_phase2_auth(private_eap_ttls_server_t *this) +{ + char *eap_type_str; + eap_type_t type; + + eap_type_str = lib->settings->get_str(lib->settings, + "charon.plugins.eap-ttls.phase2_method", "md5"); + type = eap_type_from_string(eap_type_str); + if (type == 0) + { + DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str); + return FAILED; + } + DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type); + this->method = charon->eap->create_instance(charon->eap, type, 0, + EAP_SERVER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", eap_type_names, type); + return FAILED; + } + if (this->method->initiate(this->method, &this->out) == NEED_MORE) + { + return NEED_MORE; + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, type); + return FAILED; + } +} + +/** + * If configured, start EAP-TNC protocol + */ +static status_t start_phase2_tnc(private_eap_ttls_server_t *this) +{ + if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.phase2_tnc", FALSE)) + { + DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC); + this->method = charon->eap->create_instance(charon->eap, EAP_TNC, + 0, EAP_SERVER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC); + return FAILED; + } + this->start_phase2_tnc = FALSE; + if (this->method->initiate(this->method, &this->out) == NEED_MORE) + { + return NEED_MORE; + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC); + return FAILED; + } + } + return SUCCESS; +} + +METHOD(tls_application_t, process, status_t, + private_eap_ttls_server_t *this, tls_reader_t *reader) +{ + chunk_t data = chunk_empty; + status_t status; + payload_t *payload; + eap_payload_t *in; + eap_code_t code; + eap_type_t type = EAP_NAK, received_type; + u_int32_t vendor, received_vendor; + + status = this->avp->process(this->avp, reader, &data); + switch (status) + { + case SUCCESS: + break; + case NEED_MORE: + return NEED_MORE; + case FAILED: + default: + return FAILED; + } + in = eap_payload_create_data(data); + chunk_free(&data); + payload = (payload_t*)in; + + if (payload->verify(payload) != SUCCESS) + { + in->destroy(in); + return FAILED; + } + code = in->get_code(in); + received_type = in->get_type(in, &received_vendor); + DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]", + eap_code_short_names, code, + eap_type_short_names, received_type); + if (code != EAP_RESPONSE) + { + DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE); + in->destroy(in); + return FAILED; + } + + if (this->method) + { + type = this->method->get_type(this->method, &vendor); + + if (type != received_type || vendor != received_vendor) + { + if (received_vendor == 0 && received_type == EAP_NAK) + { + DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type); + } + else + { + DBG1(DBG_IKE, "received invalid EAP response"); + } + in->destroy(in); + return FAILED; + } + } + + if (!received_vendor && received_type == EAP_IDENTITY) + { + chunk_t eap_id; + + if (this->method == NULL) + { + /* Received an EAP Identity response without a matching request */ + this->method = charon->eap->create_instance(charon->eap, + EAP_IDENTITY, 0, EAP_SERVER, + this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", + eap_type_names, EAP_IDENTITY); + return FAILED; + } + } + + if (this->method->process(this->method, in, &this->out) != SUCCESS) + { + + DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY); + return FAILED; + } + + if (this->method->get_msk(this->method, &eap_id) == SUCCESS) + { + this->peer->destroy(this->peer); + this->peer = identification_create_from_data(eap_id); + DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer); + } + + in->destroy(in); + this->method->destroy(this->method); + this->method = NULL; + + /* Start Phase 2 of EAP-TTLS authentication */ + if (lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.request_peer_auth", FALSE)) + { + return start_phase2_tnc(this); + } + else + { + return start_phase2_auth(this); + } + } + + if (this->method == 0) + { + DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_TTLS); + in->destroy(in); + return FAILED; + } + + status = this->method->process(this->method, in, &this->out); + in->destroy(in); + + switch (status) + { + case SUCCESS: + DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful", + eap_type_names, EAP_TTLS, this->peer, + eap_type_names, type); + this->method->destroy(this->method); + this->method = NULL; + + /* continue phase2 with EAP-TNC? */ + return start_phase2_tnc(this); + case NEED_MORE: + break; + case FAILED: + default: + if (vendor) + { + DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", + type, vendor); + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, type); + } + return FAILED; + } + return status; +} + +METHOD(tls_application_t, build, status_t, + private_eap_ttls_server_t *this, tls_writer_t *writer) +{ + chunk_t data; + eap_code_t code; + eap_type_t type; + u_int32_t vendor; + + if (this->method == NULL && this->start_phase2 && + lib->settings->get_bool(lib->settings, + "charon.plugins.eap-ttls.phase2_piggyback", FALSE)) + { + /* generate an EAP Identity request which will be piggybacked right + * onto the TLS Finished message thus initiating EAP-TTLS phase2 + */ + this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY, + 0, EAP_SERVER, this->server, this->peer); + if (this->method == NULL) + { + DBG1(DBG_IKE, "%N method not available", + eap_type_names, EAP_IDENTITY); + return FAILED; + } + this->method->initiate(this->method, &this->out); + this->start_phase2 = FALSE; + } + + if (this->out) + { + code = this->out->get_code(this->out); + type = this->out->get_type(this->out, &vendor); + DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]", + eap_code_short_names, code, eap_type_short_names, type); + + /* get the raw EAP message data */ + data = this->out->get_data(this->out); + this->avp->build(this->avp, writer, data); + + this->out->destroy(this->out); + this->out = NULL; + } + return INVALID_STATE; +} + +METHOD(tls_application_t, destroy, void, + private_eap_ttls_server_t *this) +{ + this->server->destroy(this->server); + this->peer->destroy(this->peer); + DESTROY_IF(this->method); + DESTROY_IF(this->out); + this->avp->destroy(this->avp); + free(this); +} + +/** + * See header + */ +eap_ttls_server_t *eap_ttls_server_create(identification_t *server, + identification_t *peer) +{ + private_eap_ttls_server_t *this; + + INIT(this, + .public = { + .application = { + .process = _process, + .build = _build, + .destroy = _destroy, + }, + }, + .server = server->clone(server), + .peer = peer->clone(peer), + .start_phase2 = TRUE, + .start_phase2_tnc = TRUE, + .avp = eap_ttls_avp_create(), + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.h b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h new file mode 100644 index 000000000..a66a813ec --- /dev/null +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_ttls_server eap_ttls_server + * @{ @ingroup eap_ttls + */ + +#ifndef EAP_TTLS_SERVER_H_ +#define EAP_TTLS_SERVER_H_ + +typedef struct eap_ttls_server_t eap_ttls_server_t; + +#include "tls_application.h" + +#include <library.h> + +/** + * TLS application data handler as server. + */ +struct eap_ttls_server_t { + + /** + * Implements the TLS application data handler. + */ + tls_application_t application; +}; + +/** + * Create an eap_ttls_server instance. + */ +eap_ttls_server_t *eap_ttls_server_create(identification_t *server, + identification_t *peer); + +#endif /** EAP_TTLS_SERVER_H_ @}*/ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 47952b99e..bfd50d6da 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c index 01c2a39c8..d83bc1fd2 100644 --- a/src/libcharon/plugins/farp/farp_plugin.c +++ b/src/libcharon/plugins/farp/farp_plugin.c @@ -60,7 +60,11 @@ plugin_t *farp_plugin_create() private_farp_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, .listener = farp_listener_create(), ); diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c index 20bb44fd3..a904a6538 100644 --- a/src/libcharon/plugins/farp/farp_spoofer.c +++ b/src/libcharon/plugins/farp/farp_spoofer.c @@ -191,7 +191,7 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener) this->job = callback_job_create((callback_job_cb_t)receive_arp, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 5ca9b464b..3600eb7c6 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c index 1ebc33ca4..9ff3fd5ff 100644 --- a/src/libcharon/plugins/ha/ha_cache.c +++ b/src/libcharon/plugins/ha/ha_cache.c @@ -354,7 +354,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, if (sync) { /* request a resync as soon as we are up */ - charon->scheduler->schedule_job(charon->scheduler, (job_t*) + lib->scheduler->schedule_job(lib->scheduler, (job_t*) callback_job_create((callback_job_cb_t)request_resync, this, NULL, NULL), 1); } diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index e188a8484..980c0551a 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c @@ -114,6 +114,7 @@ METHOD(ha_ctl_t, destroy, void, ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) { private_ha_ctl_t *this; + mode_t old; INIT(this, .public = { @@ -125,16 +126,23 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) if (access(HA_FIFO, R_OK|W_OK) != 0) { - if (mkfifo(HA_FIFO, 600) != 0) + old = umask(~(S_IRWXU | S_IRWXG)); + if (mkfifo(HA_FIFO, S_IRUSR | S_IWUSR) != 0) { DBG1(DBG_CFG, "creating HA FIFO %s failed: %s", HA_FIFO, strerror(errno)); } + umask(old); + } + if (chown(HA_FIFO, charon->uid, charon->gid) != 0) + { + DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s", + strerror(errno)); } this->job = callback_job_create((callback_job_cb_t)dispatch_fifo, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 3bc426ea0..b46a221bd 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -136,7 +136,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message diffie_hellman_t dh = { .get_shared_secret = get_shared_secret, .destroy = (void*)&secret }; - proposal = proposal_create(PROTO_IKE); + proposal = proposal_create(PROTO_IKE, 0); keymat = ike_sa->get_keymat(ike_sa); if (integ) { @@ -549,7 +549,7 @@ static void process_child_add(private_ha_dispatcher_t *this, child_sa->set_protocol(child_sa, PROTO_ESP); child_sa->set_ipcomp(child_sa, ipcomp); - proposal = proposal_create(PROTO_ESP); + proposal = proposal_create(PROTO_ESP, 0); if (integ) { proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0); @@ -869,7 +869,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket, ); this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c index 10a63453a..56bdbf454 100644 --- a/src/libcharon/plugins/ha/ha_kernel.c +++ b/src/libcharon/plugins/ha/ha_kernel.c @@ -216,6 +216,11 @@ static void disable_all(private_ha_kernel_t *this) enumerator = enumerator_create_directory(CLUSTERIP_DIR); while (enumerator->enumerate(enumerator, NULL, &file, NULL)) { + if (chown(file, charon->uid, charon->gid) != 0) + { + DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s", + strerror(errno)); + } active = get_active(this, file); for (i = 1; i <= this->count; i++) { diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c index e722b4f3a..581294e60 100644 --- a/src/libcharon/plugins/ha/ha_plugin.c +++ b/src/libcharon/plugins/ha/ha_plugin.c @@ -142,7 +142,11 @@ plugin_t *ha_plugin_create() } INIT(this, - .public.plugin.destroy = _destroy, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); if (secret) diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index be2d7e428..19e0f692e 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c @@ -283,7 +283,7 @@ static void start_watchdog(private_ha_segments_t *this) { this->job = callback_job_create((callback_job_cb_t)watchdog, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); } METHOD(ha_segments_t, handle_status, void, @@ -345,7 +345,7 @@ static job_requeue_t send_status(private_ha_segments_t *this) message->destroy(message); /* schedule next invocation */ - charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*) + lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*) callback_job_create((callback_job_cb_t) send_status, this, NULL, NULL), this->heartbeat_delay); @@ -382,7 +382,9 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, INIT(this, .public = { - .listener.alert = _alert_hook, + .listener = { + .alert = _alert_hook, + }, .activate = _activate, .deactivate = _deactivate, .handle_status = _handle_status, diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index 21e6eb6d5..614c70ed3 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -107,7 +107,7 @@ METHOD(ha_socket_t, push, void, job = callback_job_create((callback_job_cb_t)send_message, data, (void*)job_data_destroy, NULL); - charon->processor->queue_job(charon->processor, (job_t*)job); + lib->processor->queue_job(lib->processor, (job_t*)job); return; } DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/kernel_klips/Makefile.am b/src/libcharon/plugins/kernel_klips/Makefile.am deleted file mode 100644 index 540bbe106..000000000 --- a/src/libcharon/plugins/kernel_klips/Makefile.am +++ /dev/null @@ -1,17 +0,0 @@ - -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-kernel-klips.la -else -plugin_LTLIBRARIES = libstrongswan-kernel-klips.la -endif - -libstrongswan_kernel_klips_la_SOURCES = \ - kernel_klips_plugin.h kernel_klips_plugin.c \ - kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h - -libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c deleted file mode 100644 index 6b5aeb342..000000000 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c +++ /dev/null @@ -1,2660 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <stdint.h> -#include "pfkeyv2.h" -#include <linux/udp.h> -#include <net/if.h> -#include <unistd.h> -#include <stdio.h> -#include <string.h> -#include <time.h> -#include <errno.h> - -#include "kernel_klips_ipsec.h" - -#include <daemon.h> -#include <threading/thread.h> -#include <threading/mutex.h> -#include <processing/jobs/callback_job.h> -#include <processing/jobs/acquire_job.h> -#include <processing/jobs/rekey_child_sa_job.h> -#include <processing/jobs/delete_child_sa_job.h> -#include <processing/jobs/update_sa_job.h> - -/** default timeout for generated SPIs (in seconds) */ -#define SPI_TIMEOUT 30 - -/** buffer size for PF_KEY messages */ -#define PFKEY_BUFFER_SIZE 2048 - -/** PF_KEY messages are 64 bit aligned */ -#define PFKEY_ALIGNMENT 8 -/** aligns len to 64 bits */ -#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1)) -/** calculates the properly padded length in 64 bit chunks */ -#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT)) -/** calculates user mode length i.e. in bytes */ -#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT) - -/** given a PF_KEY message header and an extension this updates the length in the header */ -#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len) -/** given a PF_KEY message header this returns a pointer to the next extension */ -#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len))) -/** copy an extension and append it to a PF_KEY message */ -#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))) -/** given a PF_KEY extension this returns a pointer to the next extension */ -#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))) -/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */ -#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext)) -/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */ -#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \ - (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \ - (ext)->sadb_ext_len <= (len)) - -/** special SPI values used for policies in KLIPS */ -#define SPI_PASS 256 -#define SPI_DROP 257 -#define SPI_REJECT 258 -#define SPI_HOLD 259 -#define SPI_TRAP 260 -#define SPI_TRAPSUBNET 261 - -/** the prefix of the name of KLIPS ipsec devices */ -#define IPSEC_DEV_PREFIX "ipsec" -/** this is the default number of ipsec devices */ -#define DEFAULT_IPSEC_DEV_COUNT 4 -/** TRUE if the given name matches an ipsec device */ -#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1)) - -/** the following stuff is from ipsec_tunnel.h */ -struct ipsectunnelconf -{ - __u32 cf_cmd; - union - { - char cfu_name[12]; - } cf_u; -#define cf_name cf_u.cfu_name -}; - -#define IPSEC_SET_DEV (SIOCDEVPRIVATE) -#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1) -#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2) - -typedef struct private_kernel_klips_ipsec_t private_kernel_klips_ipsec_t; - -/** - * Private variables and functions of kernel_klips class. - */ -struct private_kernel_klips_ipsec_t -{ - /** - * Public part of the kernel_klips_t object. - */ - kernel_klips_ipsec_t public; - - /** - * mutex to lock access to various lists - */ - mutex_t *mutex; - - /** - * List of installed policies (policy_entry_t) - */ - linked_list_t *policies; - - /** - * List of allocated SPIs without installed SA (sa_entry_t) - */ - linked_list_t *allocated_spis; - - /** - * List of installed SAs (sa_entry_t) - */ - linked_list_t *installed_sas; - - /** - * whether to install routes along policies - */ - bool install_routes; - - /** - * List of ipsec devices (ipsec_dev_t) - */ - linked_list_t *ipsec_devices; - - /** - * job receiving PF_KEY events - */ - callback_job_t *job; - - /** - * mutex to lock access to the PF_KEY socket - */ - mutex_t *mutex_pfkey; - - /** - * PF_KEY socket to communicate with the kernel - */ - int socket; - - /** - * PF_KEY socket to receive acquire and expire events - */ - int socket_events; - - /** - * sequence number for messages sent to the kernel - */ - int seq; - -}; - - -typedef struct ipsec_dev_t ipsec_dev_t; - -/** - * ipsec device - */ -struct ipsec_dev_t { - /** name of the virtual ipsec interface */ - char name[IFNAMSIZ]; - - /** name of the physical interface */ - char phys_name[IFNAMSIZ]; - - /** by how many CHILD_SA's this ipsec device is used */ - u_int refcount; -}; - -/** - * compare the given name with the virtual device name - */ -static inline bool ipsec_dev_match_byname(ipsec_dev_t *current, char *name) -{ - return name && streq(current->name, name); -} - -/** - * compare the given name with the physical device name - */ -static inline bool ipsec_dev_match_byphys(ipsec_dev_t *current, char *name) -{ - return name && streq(current->phys_name, name); -} - -/** - * matches free ipsec devices - */ -static inline bool ipsec_dev_match_free(ipsec_dev_t *current) -{ - return current->refcount == 0; -} - -/** - * tries to find an ipsec_dev_t object by name - */ -static status_t find_ipsec_dev(private_kernel_klips_ipsec_t *this, char *name, - ipsec_dev_t **dev) -{ - linked_list_match_t match = (linked_list_match_t)(IS_IPSEC_DEV(name) ? - ipsec_dev_match_byname : ipsec_dev_match_byphys); - return this->ipsec_devices->find_first(this->ipsec_devices, match, - (void**)dev, name); -} - -/** - * attach an ipsec device to a physical interface - */ -static status_t attach_ipsec_dev(char* name, char *phys_name) -{ - int sock; - struct ifreq req; - struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data; - short phys_flags; - int mtu; - - DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name); - - if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0) - { - return FAILED; - } - - strncpy(req.ifr_name, phys_name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) < 0) - { - close(sock); - return FAILED; - } - phys_flags = req.ifr_flags; - - strncpy(req.ifr_name, name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) < 0) - { - close(sock); - return FAILED; - } - - if (req.ifr_flags & IFF_UP) - { - /* if it's already up, it is already attached, detach it first */ - ioctl(sock, IPSEC_DEL_DEV, &req); - } - - /* attach it */ - strncpy(req.ifr_name, name, IFNAMSIZ); - strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name)); - ioctl(sock, IPSEC_SET_DEV, &req); - - /* copy address from physical to virtual */ - strncpy(req.ifr_name, phys_name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFADDR, &req) == 0) - { - strncpy(req.ifr_name, name, IFNAMSIZ); - ioctl(sock, SIOCSIFADDR, &req); - } - - /* copy net mask from physical to virtual */ - strncpy(req.ifr_name, phys_name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFNETMASK, &req) == 0) - { - strncpy(req.ifr_name, name, IFNAMSIZ); - ioctl(sock, SIOCSIFNETMASK, &req); - } - - /* copy other flags and addresses */ - strncpy(req.ifr_name, name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) == 0) - { - if (phys_flags & IFF_POINTOPOINT) - { - req.ifr_flags |= IFF_POINTOPOINT; - req.ifr_flags &= ~IFF_BROADCAST; - ioctl(sock, SIOCSIFFLAGS, &req); - - strncpy(req.ifr_name, phys_name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0) - { - strncpy(req.ifr_name, name, IFNAMSIZ); - ioctl(sock, SIOCSIFDSTADDR, &req); - } - } - else if (phys_flags & IFF_BROADCAST) - { - req.ifr_flags &= ~IFF_POINTOPOINT; - req.ifr_flags |= IFF_BROADCAST; - ioctl(sock, SIOCSIFFLAGS, &req); - - strncpy(req.ifr_name, phys_name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFBRDADDR, &req)==0) - { - strncpy(req.ifr_name, name, IFNAMSIZ); - ioctl(sock, SIOCSIFBRDADDR, &req); - } - } - else - { - req.ifr_flags &= ~IFF_POINTOPOINT; - req.ifr_flags &= ~IFF_BROADCAST; - ioctl(sock, SIOCSIFFLAGS, &req); - } - } - - mtu = lib->settings->get_int(lib->settings, - "charon.plugins.kernel-klips.ipsec_dev_mtu", 0); - if (mtu <= 0) - { - /* guess MTU as physical MTU - ESP overhead [- NAT-T overhead] - * ESP overhead : 73 bytes - * NAT-T overhead : 8 bytes ==> 81 bytes - * - * assuming tunnel mode with AES encryption and integrity - * outer IP header : 20 bytes - * (NAT-T UDP header: 8 bytes) - * ESP header : 8 bytes - * IV : 16 bytes - * padding : 15 bytes (worst-case) - * pad len / NH : 2 bytes - * auth data : 12 bytes - */ - strncpy(req.ifr_name, phys_name, IFNAMSIZ); - ioctl(sock, SIOCGIFMTU, &req); - mtu = req.ifr_mtu - 81; - } - - /* set MTU */ - strncpy(req.ifr_name, name, IFNAMSIZ); - req.ifr_mtu = mtu; - ioctl(sock, SIOCSIFMTU, &req); - - /* bring ipsec device UP */ - if (ioctl(sock, SIOCGIFFLAGS, &req) == 0) - { - req.ifr_flags |= IFF_UP; - ioctl(sock, SIOCSIFFLAGS, &req); - } - - close(sock); - return SUCCESS; -} - -/** - * detach an ipsec device from a physical interface - */ -static status_t detach_ipsec_dev(char* name, char *phys_name) -{ - int sock; - struct ifreq req; - - DBG2(DBG_KNL, "detaching virtual interface %s from %s", name, - strlen(phys_name) ? phys_name : "any physical interface"); - - if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0) - { - return FAILED; - } - - strncpy(req.ifr_name, name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) < 0) - { - close(sock); - return FAILED; - } - - /* shutting interface down */ - if (req.ifr_flags & IFF_UP) - { - req.ifr_flags &= ~IFF_UP; - ioctl(sock, SIOCSIFFLAGS, &req); - } - - /* unset address */ - memset(&req.ifr_addr, 0, sizeof(req.ifr_addr)); - req.ifr_addr.sa_family = AF_INET; - ioctl(sock, SIOCSIFADDR, &req); - - /* detach interface */ - ioctl(sock, IPSEC_DEL_DEV, &req); - - close(sock); - return SUCCESS; -} - -/** - * destroy an ipsec_dev_t object - */ -static void ipsec_dev_destroy(ipsec_dev_t *this) -{ - detach_ipsec_dev(this->name, this->phys_name); - free(this); -} - - -typedef struct route_entry_t route_entry_t; - -/** - * installed routing entry - */ -struct route_entry_t { - /** Name of the interface the route is bound to */ - char *if_name; - - /** Source ip of the route */ - host_t *src_ip; - - /** Gateway for this route */ - host_t *gateway; - - /** Destination net */ - chunk_t dst_net; - - /** Destination net prefixlen */ - u_int8_t prefixlen; -}; - -/** - * destroy an route_entry_t object - */ -static void route_entry_destroy(route_entry_t *this) -{ - free(this->if_name); - this->src_ip->destroy(this->src_ip); - this->gateway->destroy(this->gateway); - chunk_free(&this->dst_net); - free(this); -} - -typedef struct policy_entry_t policy_entry_t; - -/** - * installed kernel policy. - */ -struct policy_entry_t { - - /** reqid of this policy, if setup as trap */ - u_int32_t reqid; - - /** direction of this policy: in, out, forward */ - u_int8_t direction; - - /** parameters of installed policy */ - struct { - /** subnet and port */ - host_t *net; - /** subnet mask */ - u_int8_t mask; - /** protocol */ - u_int8_t proto; - } src, dst; - - /** associated route installed for this policy */ - route_entry_t *route; - - /** by how many CHILD_SA's this policy is actively used */ - u_int activecount; - - /** by how many CHILD_SA's this policy is trapped */ - u_int trapcount; -}; - -/** - * convert a numerical netmask to a host_t - */ -static host_t *mask2host(int family, u_int8_t mask) -{ - static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe }; - chunk_t chunk = chunk_alloca(family == AF_INET ? 4 : 16); - int bytes = mask / 8, bits = mask % 8; - memset(chunk.ptr, 0xFF, bytes); - memset(chunk.ptr + bytes, 0, chunk.len - bytes); - if (bits) - { - chunk.ptr[bytes] = bitmask[bits]; - } - return host_create_from_chunk(family, chunk, 0); -} - -/** - * check if a host is in a subnet (host with netmask in bits) - */ -static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask) -{ - static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe }; - chunk_t host_chunk, net_chunk; - int bytes = mask / 8, bits = mask % 8; - - host_chunk = host->get_address(host); - net_chunk = net->get_address(net); - - if (host_chunk.len != net_chunk.len) - { - return FALSE; - } - - if (memeq(host_chunk.ptr, net_chunk.ptr, bytes)) - { - return (bits == 0) || - (host_chunk.ptr[bytes] & bitmask[bits]) == - (net_chunk.ptr[bytes] & bitmask[bits]); - } - - return FALSE; -} - -/** - * create a policy_entry_t object - */ -static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t dir) -{ - policy_entry_t *policy = malloc_thing(policy_entry_t); - policy->reqid = 0; - policy->direction = dir; - policy->route = NULL; - policy->activecount = 0; - policy->trapcount = 0; - - src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask); - dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask); - - /* src or dest proto may be "any" (0), use more restrictive one */ - policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts)); - policy->src.proto = policy->src.proto ? policy->src.proto : 0; - policy->dst.proto = policy->src.proto; - - return policy; -} - -/** - * destroy a policy_entry_t object - */ -static void policy_entry_destroy(policy_entry_t *this) -{ - DESTROY_IF(this->src.net); - DESTROY_IF(this->dst.net); - if (this->route) - { - route_entry_destroy(this->route); - } - free(this); -} - -/** - * compares two policy_entry_t - */ -static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy) -{ - return current->direction == policy->direction && - current->src.proto == policy->src.proto && - current->dst.proto == policy->dst.proto && - current->src.mask == policy->src.mask && - current->dst.mask == policy->dst.mask && - current->src.net->equals(current->src.net, policy->src.net) && - current->dst.net->equals(current->dst.net, policy->dst.net); -} - -static inline bool policy_entry_match_byaddrs(policy_entry_t *current, host_t *src, - host_t *dst) -{ - return is_host_in_net(src, current->src.net, current->src.mask) && - is_host_in_net(dst, current->dst.net, current->dst.mask); -} - -typedef struct sa_entry_t sa_entry_t; - -/** - * used for two things: - * - allocated SPIs that have not yet resulted in an installed SA - * - installed inbound SAs with enabled UDP encapsulation - */ -struct sa_entry_t { - - /** protocol of this SA */ - protocol_id_t protocol; - - /** reqid of this SA */ - u_int32_t reqid; - - /** SPI of this SA */ - u_int32_t spi; - - /** src address of this SA */ - host_t *src; - - /** dst address of this SA */ - host_t *dst; - - /** TRUE if this SA uses UDP encapsulation */ - bool encap; - - /** TRUE if this SA is inbound */ - bool inbound; -}; - -/** - * create an sa_entry_t object - */ -static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi, - u_int32_t reqid, host_t *src, host_t *dst, - bool encap, bool inbound) -{ - sa_entry_t *sa = malloc_thing(sa_entry_t); - sa->protocol = protocol; - sa->reqid = reqid; - sa->spi = spi; - sa->src = src ? src->clone(src) : NULL; - sa->dst = dst ? dst->clone(dst) : NULL; - sa->encap = encap; - sa->inbound = inbound; - return sa; -} - -/** - * destroy an sa_entry_t object - */ -static void sa_entry_destroy(sa_entry_t *this) -{ - DESTROY_IF(this->src); - DESTROY_IF(this->dst); - free(this); -} - -/** - * match an sa_entry_t for an inbound SA that uses UDP encapsulation by spi and src (remote) address - */ -static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi, - host_t *src) -{ - return current->encap && current->inbound && - current->spi == *spi && src->ip_equals(src, current->src); -} - -/** - * match an sa_entry_t by protocol, spi and dst address (as the kernel does it) - */ -static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol, - u_int32_t *spi, host_t *dst) -{ - return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst); -} - -/** - * match an sa_entry_t by protocol, reqid and spi - */ -static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol, - u_int32_t *spi, u_int32_t *reqid) -{ - return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid; -} - -typedef struct pfkey_msg_t pfkey_msg_t; - -struct pfkey_msg_t -{ - /** - * PF_KEY message base - */ - struct sadb_msg *msg; - - - /** - * PF_KEY message extensions - */ - union { - struct sadb_ext *ext[SADB_EXT_MAX + 1]; - struct { - struct sadb_ext *reserved; /* SADB_EXT_RESERVED */ - struct sadb_sa *sa; /* SADB_EXT_SA */ - struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */ - struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */ - struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */ - struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */ - struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */ - struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */ - struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */ - struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */ - struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */ - struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */ - struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */ - struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */ - struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */ - struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */ - struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */ - struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */ - struct sadb_ext *x_policy; /* SADB_X_EXT_SATYPE2 */ - struct sadb_ext *x_sa2; /* SADB_X_EXT_SA2 */ - struct sadb_address *x_dst2; /* SADB_X_EXT_ADDRESS_DST2 */ - struct sadb_address *x_src_flow; /* SADB_X_EXT_ADDRESS_SRC_FLOW */ - struct sadb_address *x_dst_flow; /* SADB_X_EXT_ADDRESS_DST_FLOW */ - struct sadb_address *x_src_mask; /* SADB_X_EXT_ADDRESS_SRC_MASK */ - struct sadb_address *x_dst_mask; /* SADB_X_EXT_ADDRESS_DST_MASK */ - struct sadb_x_debug *x_debug; /* SADB_X_EXT_DEBUG */ - struct sadb_protocol *x_protocol; /* SADB_X_EXT_PROTOCOL */ - struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */ - struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */ - struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */ - struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */ - } __attribute__((__packed__)); - }; -}; - -/** - * convert a IKEv2 specific protocol identifier to the PF_KEY sa type - */ -static u_int8_t proto_ike2satype(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return SADB_SATYPE_ESP; - case PROTO_AH: - return SADB_SATYPE_AH; - case IPPROTO_COMP: - return SADB_X_SATYPE_COMP; - default: - return proto; - } -} - -/** - * convert a PF_KEY sa type to a IKEv2 specific protocol identifier - */ -static protocol_id_t proto_satype2ike(u_int8_t proto) -{ - switch (proto) - { - case SADB_SATYPE_ESP: - return PROTO_ESP; - case SADB_SATYPE_AH: - return PROTO_AH; - case SADB_X_SATYPE_COMP: - return IPPROTO_COMP; - default: - return proto; - } -} - -typedef struct kernel_algorithm_t kernel_algorithm_t; - -/** - * Mapping of IKEv2 algorithms to PF_KEY algorithms - */ -struct kernel_algorithm_t { - /** - * Identifier specified in IKEv2 - */ - int ikev2; - - /** - * Identifier as defined in pfkeyv2.h - */ - int kernel; -}; - -#define END_OF_LIST -1 - -/** - * Algorithms for encryption - */ -static kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, 0 }, */ - {ENCR_DES, SADB_EALG_DESCBC }, - {ENCR_3DES, SADB_EALG_3DESCBC }, -/* {ENCR_RC5, 0 }, */ -/* {ENCR_IDEA, 0 }, */ -/* {ENCR_CAST, 0 }, */ - {ENCR_BLOWFISH, SADB_EALG_BFCBC }, -/* {ENCR_3IDEA, 0 }, */ -/* {ENCR_DES_IV32, 0 }, */ - {ENCR_NULL, SADB_EALG_NULL }, - {ENCR_AES_CBC, SADB_EALG_AESCBC }, -/* {ENCR_AES_CTR, 0 }, */ -/* {ENCR_AES_CCM_ICV8, 0 }, */ -/* {ENCR_AES_CCM_ICV12, 0 }, */ -/* {ENCR_AES_CCM_ICV16, 0 }, */ -/* {ENCR_AES_GCM_ICV8, 0 }, */ -/* {ENCR_AES_GCM_ICV12, 0 }, */ -/* {ENCR_AES_GCM_ICV16, 0 }, */ - {END_OF_LIST, 0 }, -}; - -/** - * Algorithms for integrity protection - */ -static kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, - {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC }, - {AUTH_HMAC_SHA2_256_128, SADB_AALG_SHA256_HMAC }, - {AUTH_HMAC_SHA2_384_192, SADB_AALG_SHA384_HMAC }, - {AUTH_HMAC_SHA2_512_256, SADB_AALG_SHA512_HMAC }, -/* {AUTH_DES_MAC, 0, }, */ -/* {AUTH_KPDK_MD5, 0, }, */ -/* {AUTH_AES_XCBC_96, 0, }, */ - {END_OF_LIST, 0, }, -}; - -#if 0 -/** - * Algorithms for IPComp, unused yet - */ -static kernel_algorithm_t compression_algs[] = { -/* {IPCOMP_OUI, 0 }, */ - {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE }, - {IPCOMP_LZS, SADB_X_CALG_LZS }, -/* {IPCOMP_LZJH, 0 }, */ - {END_OF_LIST, 0 }, -}; -#endif - -/** - * Look up a kernel algorithm ID and its key size - */ -static int lookup_algorithm(kernel_algorithm_t *list, int ikev2) -{ - while (list->ikev2 != END_OF_LIST) - { - if (ikev2 == list->ikev2) - { - return list->kernel; - } - list++; - } - return 0; -} - -/** - * add a host behind a sadb_address extension - */ -static void host2ext(host_t *host, struct sadb_address *ext) -{ - sockaddr_t *host_addr = host->get_sockaddr(host); - socklen_t *len = host->get_sockaddr_len(host); - memcpy((char*)(ext + 1), host_addr, *len); - ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); -} - -/** - * add a host to the given sadb_msg - */ -static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type) -{ - struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg); - addr->sadb_address_exttype = type; - host2ext(host, addr); - PFKEY_EXT_ADD(msg, addr); -} - -/** - * adds an empty address extension to the given sadb_msg - */ -static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type) -{ - socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) : - sizeof(struct sockaddr_in6); - struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg); - addr->sadb_address_exttype = type; - sockaddr_t *saddr = (sockaddr_t*)(addr + 1); - saddr->sa_family = family; - addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); - PFKEY_EXT_ADD(msg, addr); -} - -/** - * add udp encap extensions to a sadb_msg - */ -static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst, - bool ports_only) -{ - struct sadb_x_nat_t_type* nat_type; - struct sadb_x_nat_t_port* nat_port; - - if (!ports_only) - { - nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg); - nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; - nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type)); - nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP; - PFKEY_EXT_ADD(msg, nat_type); - } - - nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg); - nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT; - nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port)); - nat_port->sadb_x_nat_t_port_port = src->get_port(src); - PFKEY_EXT_ADD(msg, nat_port); - - nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg); - nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT; - nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port)); - nat_port->sadb_x_nat_t_port_port = dst->get_port(dst); - PFKEY_EXT_ADD(msg, nat_port); -} - -/** - * build an SADB_X_ADDFLOW msg - */ -static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi, - host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask, - host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace) -{ - struct sadb_sa *sa; - struct sadb_protocol *proto; - host_t *host; - - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_ADDFLOW; - msg->sadb_msg_satype = satype; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_spi = spi; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0; - PFKEY_EXT_ADD(msg, sa); - - if (!src) - { - add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC); - } - else - { - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC); - } - - if (!dst) - { - add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST); - } - else - { - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST); - } - - add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW); - add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW); - - host = mask2host(src_net->get_family(src_net), src_mask); - add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK); - host->destroy(host); - - host = mask2host(dst_net->get_family(dst_net), dst_mask); - add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK); - host->destroy(host); - - proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg); - proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; - proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol)); - proto->sadb_protocol_proto = protocol; - PFKEY_EXT_ADD(msg, proto); -} - -/** - * build an SADB_X_DELFLOW msg - */ -static void build_delflow(struct sadb_msg *msg, u_int8_t satype, - host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask, - u_int8_t protocol) -{ - struct sadb_protocol *proto; - host_t *host; - - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_DELFLOW; - msg->sadb_msg_satype = satype; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW); - add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW); - - host = mask2host(src_net->get_family(src_net), - src_mask); - add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK); - host->destroy(host); - - host = mask2host(dst_net->get_family(dst_net), - dst_mask); - add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK); - host->destroy(host); - - proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg); - proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; - proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol)); - proto->sadb_protocol_proto = protocol; - PFKEY_EXT_ADD(msg, proto); -} - -/** - * Parses a pfkey message received from the kernel - */ -static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) -{ - struct sadb_ext* ext; - size_t len; - - memset(out, 0, sizeof(pfkey_msg_t)); - out->msg = msg; - - len = msg->sadb_msg_len; - len -= PFKEY_LEN(sizeof(struct sadb_msg)); - - ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg)); - - while (len >= PFKEY_LEN(sizeof(struct sadb_ext))) - { - if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) || - ext->sadb_ext_len > len) - { - DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type); - break; - } - - if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type)) - { - DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type); - break; - } - - if (out->ext[ext->sadb_ext_type]) - { - DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type); - break; - } - - out->ext[ext->sadb_ext_type] = ext; - ext = PFKEY_EXT_NEXT_LEN(ext, len); - } - - if (len) - { - DBG1(DBG_KNL, "PF_KEY message length is invalid"); - return FAILED; - } - - return SUCCESS; -} - -/** - * Send a message to a specific PF_KEY socket and handle the response. - */ -static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket, - struct sadb_msg *in, struct sadb_msg **out, size_t *out_len) -{ - unsigned char buf[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg; - int in_len, len; - - this->mutex_pfkey->lock(this->mutex_pfkey); - - in->sadb_msg_seq = ++this->seq; - in->sadb_msg_pid = getpid(); - - in_len = PFKEY_USER_LEN(in->sadb_msg_len); - - while (TRUE) - { - len = send(socket, in, in_len, 0); - - if (len != in_len) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - continue; - case EINVAL: - case EEXIST: - case ESRCH: - /* we should also get a response for these from KLIPS */ - break; - default: - this->mutex_pfkey->unlock(this->mutex_pfkey); - DBG1(DBG_KNL, "error sending to PF_KEY socket: %s (%d)", - strerror(errno), errno); - return FAILED; - } - } - break; - } - - while (TRUE) - { - msg = (struct sadb_msg*)buf; - - len = recv(socket, buf, sizeof(buf), 0); - - if (len < 0) - { - if (errno == EINTR) - { - DBG1(DBG_KNL, "got interrupted"); - /* interrupted, try again */ - continue; - } - this->mutex_pfkey->unlock(this->mutex_pfkey); - DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno)); - return FAILED; - } - if (len < sizeof(struct sadb_msg) || - msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg))) - { - this->mutex_pfkey->unlock(this->mutex_pfkey); - DBG1(DBG_KNL, "received corrupted PF_KEY message"); - return FAILED; - } - if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT) - { - this->mutex_pfkey->unlock(this->mutex_pfkey); - DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message"); - return FAILED; - } - if (msg->sadb_msg_pid != in->sadb_msg_pid) - { - DBG2(DBG_KNL, "received PF_KEY message is not intended for us"); - continue; - } - if (msg->sadb_msg_seq != this->seq) - { - DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number," - " was %d expected %d", msg->sadb_msg_seq, this->seq); - if (msg->sadb_msg_seq < this->seq) - { - continue; - } - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - if (msg->sadb_msg_type != in->sadb_msg_type) - { - DBG2(DBG_KNL, "received PF_KEY message of wrong type," - " was %d expected %d, ignoring", - msg->sadb_msg_type, in->sadb_msg_type); - } - break; - } - - *out_len = len; - *out = (struct sadb_msg*)malloc(len); - memcpy(*out, buf, len); - - this->mutex_pfkey->unlock(this->mutex_pfkey); - - return SUCCESS; -} - -/** - * Send a message to the default PF_KEY socket. - */ -static status_t pfkey_send(private_kernel_klips_ipsec_t *this, - struct sadb_msg *in, struct sadb_msg **out, size_t *out_len) -{ - return pfkey_send_socket(this, this->socket, in, out, out_len); -} - -/** - * Send a message to the default PF_KEY socket and handle the response. - */ -static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_msg *in) -{ - struct sadb_msg *out; - size_t len; - - if (pfkey_send(this, in, &out, &len) != SUCCESS) - { - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "PF_KEY error: %s (%d)", - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - return SUCCESS; -} - -/** - * Add an eroute to KLIPS - */ -static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype, - u_int32_t spi, host_t *src, host_t *dst, host_t *src_net, u_int8_t src_mask, - host_t *dst_net, u_int8_t dst_mask, u_int8_t protocol, bool replace) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg = (struct sadb_msg*)request; - - memset(&request, 0, sizeof(request)); - - build_addflow(msg, satype, spi, src, dst, src_net, src_mask, - dst_net, dst_mask, protocol, replace); - - return pfkey_send_ack(this, msg); -} - -/** - * Delete an eroute fom KLIPS - */ -static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype, - host_t *src_net, u_int8_t src_mask, host_t *dst_net, u_int8_t dst_mask, - u_int8_t protocol) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg = (struct sadb_msg*)request; - - memset(&request, 0, sizeof(request)); - - build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol); - - return pfkey_send_ack(this, msg); -} - -/** - * Process a SADB_ACQUIRE message from the kernel - */ -static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg) -{ - pfkey_msg_t response; - host_t *src, *dst; - u_int32_t reqid; - u_int8_t proto; - policy_entry_t *policy; - job_t *job; - - switch (msg->sadb_msg_satype) - { - case SADB_SATYPE_UNSPEC: - case SADB_SATYPE_ESP: - case SADB_SATYPE_AH: - break; - default: - /* acquire for AH/ESP only */ - return; - } - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed"); - return; - } - - /* KLIPS provides us only with the source and destination address, - * and the transport protocol of the packet that triggered the policy. - * we use this information to find a matching policy in our cache. - * because KLIPS installs a narrow %hold eroute covering only this information, - * we replace both the %trap and this %hold eroutes with a broader %hold - * eroute covering the whole policy */ - src = host_create_from_sockaddr((sockaddr_t*)(response.src + 1)); - dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1)); - proto = response.src->sadb_address_proto; - if (!src || !dst || src->get_family(src) != dst->get_family(dst)) - { - DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts"); - return; - } - - DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto); - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_match_byaddrs, - (void**)&policy, src, dst) != SUCCESS) - { - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy"); - return; - } - if ((reqid = policy->reqid) == 0) - { - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore"); - return; - } - - /* add a broad %hold eroute that replaces the %trap eroute */ - add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL, - policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask, - policy->src.proto, TRUE); - - /* remove the narrow %hold eroute installed by KLIPS */ - del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto); - - this->mutex->unlock(this->mutex); - - DBG2(DBG_KNL, "received an SADB_ACQUIRE"); - DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid); - job = (job_t*)acquire_job_create(reqid, NULL, NULL); - charon->processor->queue_job(charon->processor, job); -} - -/** - * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel - */ -static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg* msg) -{ - pfkey_msg_t response; - u_int32_t spi, reqid; - host_t *old_src, *new_src; - job_t *job; - - DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed"); - return; - } - - spi = response.sa->sadb_sa_spi; - - if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP) - { - sa_entry_t *sa; - sockaddr_t *addr = (sockaddr_t*)(response.src + 1); - old_src = host_create_from_sockaddr(addr); - - this->mutex->lock(this->mutex); - if (!old_src || this->installed_sas->find_first(this->installed_sas, - (linked_list_match_t)sa_entry_match_encapbysrc, - (void**)&sa, &spi, old_src) != SUCCESS) - { - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING, but found no matching SA"); - return; - } - reqid = sa->reqid; - this->mutex->unlock(this->mutex); - - addr = (sockaddr_t*)(response.dst + 1); - switch (addr->sa_family) - { - case AF_INET: - { - struct sockaddr_in *sin = (struct sockaddr_in*)addr; - sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port); - } - case AF_INET6: - { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr; - sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port); - } - default: - break; - } - new_src = host_create_from_sockaddr(addr); - if (new_src) - { - DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and" - " reqid {%d} changed, queuing update job", ntohl(spi), reqid); - job = (job_t*)update_sa_job_create(reqid, new_src); - charon->processor->queue_job(charon->processor, job); - } - } -} - -/** - * Receives events from kernel - */ -static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this) -{ - unsigned char buf[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg = (struct sadb_msg*)buf; - int len; - bool oldstate; - - oldstate = thread_cancelability(TRUE); - len = recv(this->socket_events, buf, sizeof(buf), 0); - thread_cancelability(oldstate); - - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return JOB_REQUEUE_DIRECT; - case EAGAIN: - /* no data ready, select again */ - return JOB_REQUEUE_DIRECT; - default: - DBG1(DBG_KNL, "unable to receive from PF_KEY event socket"); - sleep(1); - return JOB_REQUEUE_FAIR; - } - } - - if (len < sizeof(struct sadb_msg) || - msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg))) - { - DBG2(DBG_KNL, "received corrupted PF_KEY message"); - return JOB_REQUEUE_DIRECT; - } - if (msg->sadb_msg_pid != 0) - { /* not from kernel. not interested, try another one */ - return JOB_REQUEUE_DIRECT; - } - if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT) - { - DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message"); - return JOB_REQUEUE_DIRECT; - } - - switch (msg->sadb_msg_type) - { - case SADB_ACQUIRE: - process_acquire(this, msg); - break; - case SADB_EXPIRE: - /* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for - * the time based limits). So if there is no traffic for a longer - * period than configured as hard limit, we wouldn't be able to rekey - * the SA and just receive the hard expire and thus delete the SA. - * To avoid this behavior and to make charon behave as with the other - * kernel plugins, we implement the expiration of SAs ourselves. */ - break; - case SADB_X_NAT_T_NEW_MAPPING: - process_mapping(this, msg); - break; - default: - break; - } - - return JOB_REQUEUE_DIRECT; -} - -typedef enum { - /** an SPI has expired */ - EXPIRE_TYPE_SPI, - /** a CHILD_SA has to be rekeyed */ - EXPIRE_TYPE_SOFT, - /** a CHILD_SA has to be deleted */ - EXPIRE_TYPE_HARD -} expire_type_t; - -typedef struct sa_expire_t sa_expire_t; - -struct sa_expire_t { - /** kernel interface */ - private_kernel_klips_ipsec_t *this; - /** the SPI of the expiring SA */ - u_int32_t spi; - /** the protocol of the expiring SA */ - protocol_id_t protocol; - /** the reqid of the expiring SA*/ - u_int32_t reqid; - /** what type of expire this is */ - expire_type_t type; -}; - -/** - * Called when an SA expires - */ -static job_requeue_t sa_expires(sa_expire_t *expire) -{ - private_kernel_klips_ipsec_t *this = expire->this; - protocol_id_t protocol = expire->protocol; - u_int32_t spi = expire->spi, reqid = expire->reqid; - bool hard = expire->type != EXPIRE_TYPE_SOFT; - sa_entry_t *cached_sa; - linked_list_t *list; - job_t *job; - - /* for an expired SPI we first check whether the CHILD_SA got installed - * in the meantime, for expired SAs we check whether they are still installed */ - list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas; - - this->mutex->lock(this->mutex); - if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid, - (void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS) - { - /* we found no entry: - * - for SPIs, a CHILD_SA has been installed - * - for SAs, the CHILD_SA has already been deleted */ - this->mutex->unlock(this->mutex); - return JOB_REQUEUE_NONE; - } - else - { - list->remove(list, cached_sa, NULL); - sa_entry_destroy(cached_sa); - } - this->mutex->unlock(this->mutex); - - DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired", - protocol_id_names, protocol, ntohl(spi), reqid); - - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}", - hard ? "delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->processor->queue_job(charon->processor, job); - return JOB_REQUEUE_NONE; -} - -/** - * Schedule an expire job for an SA. Time is in seconds. - */ -static void schedule_expire(private_kernel_klips_ipsec_t *this, - protocol_id_t protocol, u_int32_t spi, - u_int32_t reqid, expire_type_t type, u_int32_t time) -{ - callback_job_t *job; - sa_expire_t *expire = malloc_thing(sa_expire_t); - expire->this = this; - expire->protocol = protocol; - expire->spi = spi; - expire->reqid = reqid; - expire->type = type; - job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL); - charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time); -} - -METHOD(kernel_ipsec_t, get_spi, status_t, - private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) -{ - /* we cannot use SADB_GETSPI because KLIPS does not allow us to set the - * NAT-T type in an SADB_UPDATE which we would have to use to update the - * implicitly created SA. - */ - rng_t *rng; - u_int32_t spi_gen; - - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng) - { - DBG1(DBG_KNL, "allocating SPI failed: no RNG"); - return FAILED; - } - rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen); - rng->destroy(rng); - - /* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */ - spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF); - - DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H", - spi_gen, protocol_id_names, protocol, src, dst); - - *spi = htonl(spi_gen); - - this->mutex->lock(this->mutex); - this->allocated_spis->insert_last(this->allocated_spis, - create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE)); - this->mutex->unlock(this->mutex); - schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, get_cpi, status_t, - private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) -{ - return FAILED; -} - -/** - * Add a pseudo IPIP SA for tunnel mode with KLIPS. - */ -static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this, - host_t *src, host_t *dst, u_int32_t spi, u_int32_t reqid) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_ADD; - msg->sadb_msg_satype = SADB_X_SATYPE_IPIP; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - sa->sadb_sa_state = SADB_SASTATE_MATURE; - PFKEY_EXT_ADD(msg, sa); - - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - - free(out); - return SUCCESS; -} - -/** - * group the IPIP SA required for tunnel mode with the outer SA - */ -static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, - host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - struct sadb_x_satype *satype; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_GRPSA; - msg->sadb_msg_satype = SADB_X_SATYPE_IPIP; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - sa->sadb_sa_state = SADB_SASTATE_MATURE; - PFKEY_EXT_ADD(msg, sa); - - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST); - - satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg); - satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2; - satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype)); - satype->sadb_x_satype_satype = proto_ike2satype(protocol); - PFKEY_EXT_ADD(msg, satype); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_X_EXT_SA2; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - sa->sadb_sa_state = SADB_SASTATE_MATURE; - PFKEY_EXT_ADD(msg, sa); - - add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to group SAs with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - struct sadb_key *key; - size_t len; - - if (inbound) - { - /* for inbound SAs we allocated an SPI via get_spi, so we first check - * whether that SPI has already expired (race condition) */ - sa_entry_t *alloc_spi; - this->mutex->lock(this->mutex); - if (this->allocated_spis->find_first(this->allocated_spis, - (linked_list_match_t)sa_entry_match_byid, (void**)&alloc_spi, - &protocol, &spi, &reqid) != SUCCESS) - { - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "allocated SPI %.8x has already expired", ntohl(spi)); - return FAILED; - } - else - { - this->allocated_spis->remove(this->allocated_spis, alloc_spi, NULL); - sa_entry_destroy(alloc_spi); - } - this->mutex->unlock(this->mutex); - } - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_ADD; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - sa->sadb_sa_state = SADB_SASTATE_MATURE; - sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32; - sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg); - sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg); - PFKEY_EXT_ADD(msg, sa); - - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST); - - if (enc_alg != ENCR_UNDEFINED) - { - if (!sa->sadb_sa_encrypt) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); - return FAILED; - } - DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); - - key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); - key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; - key->sadb_key_bits = enc_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len); - memcpy(key + 1, enc_key.ptr, enc_key.len); - - PFKEY_EXT_ADD(msg, key); - } - - if (int_alg != AUTH_UNDEFINED) - { - if (!sa->sadb_sa_auth) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg); - return FAILED; - } - DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg, int_key.len * 8); - - key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); - key->sadb_key_exttype = SADB_EXT_KEY_AUTH; - key->sadb_key_bits = int_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len); - memcpy(key + 1, int_key.ptr, int_key.len); - - PFKEY_EXT_ADD(msg, key); - } - - if (ipcomp != IPCOMP_NONE) - { - /*TODO*/ - } - - if (encap) - { - add_encap_ext(msg, src, dst, FALSE); - } - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - - /* for tunnel mode SAs we have to install an additional IPIP SA and - * group the two SAs together */ - if (mode == MODE_TUNNEL) - { - if (add_ipip_sa(this, src, dst, spi, reqid) != SUCCESS || - group_ipip_sa(this, src, dst, spi, protocol, reqid) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - } - - this->mutex->lock(this->mutex); - /* we cache this SA for two reasons: - * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then) - * - to decide if an expired SA is still installed */ - this->installed_sas->insert_last(this->installed_sas, - create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound)); - this->mutex->unlock(this->mutex); - - /* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime - * of SAs manually in the plugin. Refer to the comments in receive_events() - * for details. */ - if (lifetime->time.rekey) - { - schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey); - } - - if (lifetime->time.life) - { - schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life); - } - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - size_t len; - - /* we can't update the SA if any of the ip addresses have changed. - * that's because we can't use SADB_UPDATE and by deleting and readding the - * SA the sequence numbers would get lost */ - if (!src->ip_equals(src, new_src) || - !dst->ip_equals(dst, new_dst)) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes" - " are not supported", ntohl(spi)); - return NOT_SUPPORTED; - } - - /* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE, - * we can't update the SA if the encap flag has changed since installing it */ - if (encap != new_encap) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: change of UDP" - " encapsulation is not supported", ntohl(spi)); - return NOT_SUPPORTED; - } - - DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", - ntohl(spi), src, dst, new_src, new_dst); - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - sa->sadb_sa_encrypt = SADB_EALG_AESCBC; /* ignored */ - sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */ - sa->sadb_sa_state = SADB_SASTATE_MATURE; - PFKEY_EXT_ADD(msg, sa); - - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST); - - add_encap_ext(msg, new_src, new_dst, TRUE); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, query_sa, status_t, - private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) -{ - return NOT_SUPPORTED; /* TODO */ -} - -METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - sa_entry_t *cached_sa; - size_t len; - - memset(&request, 0, sizeof(request)); - - /* all grouped SAs are automatically deleted by KLIPS as soon as - * one of them is deleted, therefore we delete only the main one */ - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); - - this->mutex->lock(this->mutex); - /* this should not fail, but we don't care if it does, let the kernel decide - * whether this SA exists or not */ - if (this->installed_sas->find_first(this->installed_sas, - (linked_list_match_t)sa_entry_match_bydst, (void**)&cached_sa, - &protocol, &spi, dst) == SUCCESS) - { - this->installed_sas->remove(this->installed_sas, cached_sa, NULL); - sa_entry_destroy(cached_sa); - } - this->mutex->unlock(this->mutex); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_DELETE; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - PFKEY_EXT_ADD(msg, sa); - - /* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though - * it is not used for anything. */ - add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - policy_entry_t *policy, *found = NULL; - u_int8_t satype; - size_t len; - - if (direction == POLICY_FWD) - { - /* no forward policies for KLIPS */ - return SUCCESS; - } - - /* tunnel mode policies direct the packets into the pseudo IPIP SA */ - satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP : - proto_ike2satype(protocol); - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS) - { - /* use existing policy */ - DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing" - " refcount", src_ts, dst_ts, - policy_dir_names, direction); - policy_entry_destroy(policy); - policy = found; - } - else - { - /* apply the new one, if we have no such policy */ - this->policies->insert_last(this->policies, policy); - } - - if (routed) - { - /* we install this as a %trap eroute in the kernel, later to be - * triggered by packets matching the policy (-> ACQUIRE). */ - spi = htonl(SPI_TRAP); - satype = SADB_X_SATYPE_INT; - - /* the reqid is always set to the latest child SA that trapped this - * policy. we will need this reqid upon receiving an acquire. */ - policy->reqid = reqid; - - /* increase the trap counter */ - policy->trapcount++; - - if (policy->activecount) - { - /* we do not replace the current policy in the kernel while a - * policy is actively used */ - this->mutex->unlock(this->mutex); - return SUCCESS; - } - } - else - { - /* increase the reference counter */ - policy->activecount++; - } - - DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - - /* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */ - build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst, - policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask, - policy->src.proto, found != NULL); - - this->mutex->unlock(this->mutex); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts, - policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - - this->mutex->lock(this->mutex); - - /* we try to find the policy again and install the route if needed */ - if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS) - { - this->mutex->unlock(this->mutex); - DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring", - src_ts, dst_ts, policy_dir_names, direction); - return SUCCESS; - } - - /* KLIPS requires a special route that directs traffic that matches this - * policy to one of the virtual ipsec interfaces. The virtual interface - * has to be attached to the physical one the traffic runs over. - * This is a special case of the source route we install in other kernel - * interfaces. - * In the following cases we do NOT install a source route (but just a - * regular route): - * - we are not in tunnel mode - * - we are using IPv6 (does not work correctly yet!) - * - routing is disabled via strongswan.conf - */ - if (policy->route == NULL && direction == POLICY_OUT) - { - char *iface; - ipsec_dev_t *dev; - route_entry_t *route = malloc_thing(route_entry_t); - route->src_ip = NULL; - - if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 && - this->install_routes) - { - charon->kernel_interface->get_address_by_ts(charon->kernel_interface, - src_ts, &route->src_ip); - } - - if (!route->src_ip) - { - route->src_ip = host_create_any(src->get_family(src)); - } - - /* find the virtual interface */ - iface = charon->kernel_interface->get_interface(charon->kernel_interface, - src); - if (find_ipsec_dev(this, iface, &dev) == SUCCESS) - { - /* above, we got either the name of a virtual or a physical - * interface. for both cases it means we already have the devices - * properly attached (assuming that we are exclusively attaching - * ipsec devices). */ - dev->refcount++; - } - else - { - /* there is no record of a mapping with the returned interface. - * thus, we attach the first free virtual interface we find to - * it. As above we assume we are the only client fiddling with - * ipsec devices. */ - if (this->ipsec_devices->find_first(this->ipsec_devices, - (linked_list_match_t)ipsec_dev_match_free, - (void**)&dev) == SUCCESS) - { - if (attach_ipsec_dev(dev->name, iface) == SUCCESS) - { - strncpy(dev->phys_name, iface, IFNAMSIZ); - dev->refcount = 1; - } - else - { - DBG1(DBG_KNL, "failed to attach virtual interface %s" - " to %s", dev->name, iface); - this->mutex->unlock(this->mutex); - free(iface); - return FAILED; - } - } - else - { - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "failed to attach a virtual interface to %s: no" - " virtual interfaces left", iface); - free(iface); - return FAILED; - } - } - free(iface); - route->if_name = strdup(dev->name); - - /* get the nexthop to dst */ - route->gateway = charon->kernel_interface->get_nexthop( - charon->kernel_interface, dst); - route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net)); - route->prefixlen = policy->dst.mask; - - switch (charon->kernel_interface->add_route(charon->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name)) - { - default: - DBG1(DBG_KNL, "unable to install route for policy %R === %R", - src_ts, dst_ts); - /* FALL */ - case ALREADY_DONE: - /* route exists, do not uninstall */ - route_entry_destroy(route); - break; - case SUCCESS: - /* cache the installed route */ - policy->route = route; - break; - } - } - - this->mutex->unlock(this->mutex); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - u_int32_t *use_time) -{ - #define IDLE_PREFIX "idle=" - static const char *path_eroute = "/proc/net/ipsec_eroute"; - static const char *path_spi = "/proc/net/ipsec_spi"; - FILE *file; - char line[1024], src[INET6_ADDRSTRLEN + 9], dst[INET6_ADDRSTRLEN + 9]; - char *said = NULL, *pos; - policy_entry_t *policy, *found = NULL; - status_t status = FAILED; - - if (direction == POLICY_FWD) - { - /* we do not install forward policies */ - return FAILED; - } - - DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS) - { - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); - policy_entry_destroy(policy); - return NOT_FOUND; - } - policy_entry_destroy(policy); - policy = found; - - /* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */ - snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask, - policy->src.proto); - src[sizeof(src) - 1] = '\0'; - snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask, - policy->dst.proto); - dst[sizeof(dst) - 1] = '\0'; - - this->mutex->unlock(this->mutex); - - /* we try to find the matching eroute first */ - file = fopen(path_eroute, "r"); - if (file == NULL) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, strerror(errno), errno); - return FAILED; - } - - /* read line by line where each line looks like: - * packets src -> dst => said */ - while (fgets(line, sizeof(line), file)) - { - enumerator_t *enumerator; - char *token; - int i = 0; - - enumerator = enumerator_create_token(line, " \t", " \t\n"); - while (enumerator->enumerate(enumerator, &token)) - { - switch (i++) - { - case 0: /* packets */ - continue; - case 1: /* src */ - if (streq(token, src)) - { - continue; - } - break; - case 2: /* -> */ - continue; - case 3: /* dst */ - if (streq(token, dst)) - { - continue; - } - break; - case 4: /* => */ - continue; - case 5: /* said */ - said = strdup(token); - break; - } - break; - } - enumerator->destroy(enumerator); - - if (i == 5) - { - /* eroute matched */ - break; - } - } - fclose(file); - - if (said == NULL) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching" - " eroute", src_ts, dst_ts, policy_dir_names, direction); - return FAILED; - } - - /* compared with the one in the spi entry the SA ID from the eroute entry - * has an additional ":PROTO" appended, which we need to cut off */ - pos = strrchr(said, ':'); - *pos = '\0'; - - /* now we try to find the matching spi entry */ - file = fopen(path_spi, "r"); - if (file == NULL) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, strerror(errno), errno); - return FAILED; - } - - while (fgets(line, sizeof(line), file)) - { - if (strneq(line, said, strlen(said))) - { - /* fine we found the correct line, now find the idle time */ - u_int32_t idle_time; - pos = strstr(line, IDLE_PREFIX); - if (pos == NULL) - { - /* no idle time, i.e. this SA has not been used yet */ - break; - } - if (sscanf(pos, IDLE_PREFIX"%u", &idle_time) <= 0) - { - /* idle time not valid */ - break; - } - - *use_time = time_monotonic(NULL) - idle_time; - status = SUCCESS; - break; - } - } - fclose(file); - free(said); - - return status; -} - -METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - bool unrouted) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg = (struct sadb_msg*)request, *out; - policy_entry_t *policy, *found = NULL; - route_entry_t *route; - size_t len; - - if (direction == POLICY_FWD) - { - /* no forward policies for KLIPS */ - return SUCCESS; - } - - DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS) - { - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); - policy_entry_destroy(policy); - return NOT_FOUND; - } - policy_entry_destroy(policy); - - /* decrease appropriate counter */ - unrouted ? found->trapcount-- : found->activecount--; - - if (found->trapcount == 0) - { - /* if this policy is finally unrouted, we reset the reqid because it - * may still be actively used and there might be a pending acquire for - * this policy. */ - found->reqid = 0; - } - - if (found->activecount > 0) - { - /* is still used by SAs, keep in kernel */ - this->mutex->unlock(this->mutex); - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); - return SUCCESS; - } - else if (found->activecount == 0 && found->trapcount > 0) - { - /* for a policy that is not used actively anymore, but is still trapped - * by another child SA we replace the current eroute with a %trap eroute */ - DBG2(DBG_KNL, "policy still routed by another CHILD_SA, not removed"); - memset(&request, 0, sizeof(request)); - build_addflow(msg, SADB_X_SATYPE_INT, htonl(SPI_TRAP), NULL, NULL, - found->src.net, found->src.mask, found->dst.net, - found->dst.mask, found->src.proto, TRUE); - this->mutex->unlock(this->mutex); - return pfkey_send_ack(this, msg); - } - - /* remove if last reference */ - this->policies->remove(this->policies, found, NULL); - policy = found; - - this->mutex->unlock(this->mutex); - - memset(&request, 0, sizeof(request)); - - build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net, - policy->dst.mask, policy->src.proto); - - route = policy->route; - policy->route = NULL; - policy_entry_destroy(policy); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - - if (route) - { - ipsec_dev_t *dev; - - if (charon->kernel_interface->del_route(charon->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name) != SUCCESS) - { - DBG1(DBG_KNL, "error uninstalling route installed with" - " policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - } - - /* we have to detach the ipsec interface from the physical one over which - * this SA ran (if it is not used by any other) */ - this->mutex->lock(this->mutex); - - if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS) - { - /* fine, we found a matching device object, let's check if we have - * to detach it. */ - if (--dev->refcount == 0) - { - if (detach_ipsec_dev(dev->name, dev->phys_name) != SUCCESS) - { - DBG1(DBG_KNL, "failed to detach virtual interface %s" - " from %s", dev->name, dev->phys_name); - } - dev->phys_name[0] = '\0'; - } - } - - this->mutex->unlock(this->mutex); - - route_entry_destroy(route); - } - - return SUCCESS; -} - -/** - * Initialize the list of ipsec devices - */ -static void init_ipsec_devices(private_kernel_klips_ipsec_t *this) -{ - int i, count = lib->settings->get_int(lib->settings, - "charon.plugins.kernel-klips.ipsec_dev_count", - DEFAULT_IPSEC_DEV_COUNT); - - for (i = 0; i < count; ++i) - { - ipsec_dev_t *dev = malloc_thing(ipsec_dev_t); - snprintf(dev->name, IFNAMSIZ, IPSEC_DEV_PREFIX"%d", i); - dev->name[IFNAMSIZ - 1] = '\0'; - dev->phys_name[0] = '\0'; - dev->refcount = 0; - this->ipsec_devices->insert_last(this->ipsec_devices, dev); - - /* detach any previously attached ipsec device */ - detach_ipsec_dev(dev->name, dev->phys_name); - } -} - -/** - * Register a socket for AQUIRE/EXPIRE messages - */ -static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8_t satype) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - size_t len; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_REGISTER; - msg->sadb_msg_satype = satype; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to register PF_KEY socket"); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)", - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, bypass_socket, bool, - private_kernel_klips_ipsec_t *this, int fd, int family) -{ - /* KLIPS does not need a bypass policy for IKE */ - return TRUE; -} - -METHOD(kernel_ipsec_t, destroy, void, - private_kernel_klips_ipsec_t *this) -{ - if (this->job) - { - this->job->cancel(this->job); - } - if (this->socket > 0) - { - close(this->socket); - } - if (this->socket_events > 0) - { - close(this->socket_events); - } - this->mutex_pfkey->destroy(this->mutex_pfkey); - this->mutex->destroy(this->mutex); - this->ipsec_devices->destroy_function(this->ipsec_devices, (void*)ipsec_dev_destroy); - this->installed_sas->destroy_function(this->installed_sas, (void*)sa_entry_destroy); - this->allocated_spis->destroy_function(this->allocated_spis, (void*)sa_entry_destroy); - this->policies->destroy_function(this->policies, (void*)policy_entry_destroy); - free(this); -} - -/* - * Described in header. - */ -kernel_klips_ipsec_t *kernel_klips_ipsec_create() -{ - private_kernel_klips_ipsec_t *this; - - INIT(this, - .public.interface = { - .get_spi = _get_spi, - .get_cpi = _get_cpi, - .add_sa = _add_sa, - .update_sa = _update_sa, - .query_sa = _query_sa, - .del_sa = _del_sa, - .add_policy = _add_policy, - .query_policy = _query_policy, - .del_policy = _del_policy, - .bypass_socket = _bypass_socket, - .destroy = _destroy, - }, - .policies = linked_list_create(), - .allocated_spis = linked_list_create(), - .installed_sas = linked_list_create(), - .ipsec_devices = linked_list_create(), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT), - .install_routes = lib->settings->get_bool(lib->settings, - "charon.install_routes", TRUE), - ); - - /* initialize ipsec devices */ - init_ipsec_devices(this); - - /* create a PF_KEY socket to communicate with the kernel */ - this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - if (this->socket <= 0) - { - DBG1(DBG_KNL, "unable to create PF_KEY socket"); - destroy(this); - return NULL; - } - - /* create a PF_KEY socket for ACQUIRE & EXPIRE */ - this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - if (this->socket_events <= 0) - { - DBG1(DBG_KNL, "unable to create PF_KEY event socket"); - destroy(this); - return NULL; - } - - /* register the event socket */ - if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS || - register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS) - { - DBG1(DBG_KNL, "unable to register PF_KEY event socket"); - destroy(this); - return NULL; - } - - this->job = callback_job_create((callback_job_cb_t)receive_events, - this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); - - return &this->public; -} - diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h deleted file mode 100644 index 306ec0ada..000000000 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup kernel_klips_ipsec_i kernel_klips_ipsec - * @{ @ingroup kernel_klips - */ - -#ifndef KERNEL_KLIPS_IPSEC_H_ -#define KERNEL_KLIPS_IPSEC_H_ - -#include <kernel/kernel_ipsec.h> - -typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t; - -/** - * Implementation of the kernel ipsec interface using PF_KEY. - */ -struct kernel_klips_ipsec_t { - - /** - * Implements kernel_ipsec_t interface - */ - kernel_ipsec_t interface; -}; - -/** - * Create a PF_KEY kernel ipsec interface instance. - * - * @return kernel_klips_ipsec_t instance - */ -kernel_klips_ipsec_t *kernel_klips_ipsec_create(); - -#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/ diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c b/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c deleted file mode 100644 index fa5e9eb29..000000000 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include "kernel_klips_plugin.h" - -#include "kernel_klips_ipsec.h" - -#include <daemon.h> - -typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t; - -/** - * private data of kernel PF_KEY plugin - */ -struct private_kernel_klips_plugin_t { - /** - * implements plugin interface - */ - kernel_klips_plugin_t public; -}; - -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_klips_plugin_t *this) -{ - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); - free(this); -} - -/* - * see header file - */ -plugin_t *kernel_klips_plugin_create() -{ - private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); - - return &this->public.plugin; -} diff --git a/src/libcharon/plugins/kernel_klips/pfkeyv2.h b/src/libcharon/plugins/kernel_klips/pfkeyv2.h deleted file mode 100644 index 20d1c298d..000000000 --- a/src/libcharon/plugins/kernel_klips/pfkeyv2.h +++ /dev/null @@ -1,322 +0,0 @@ -/* -RFC 2367 PF_KEY Key Management API July 1998 - - -Appendix D: Sample Header File - -This file defines structures and symbols for the PF_KEY Version 2 -key management interface. It was written at the U.S. Naval Research -Laboratory. This file is in the public domain. The authors ask that -you leave this credit intact on any copies of this file. -*/ -#ifndef __PFKEY_V2_H -#define __PFKEY_V2_H 1 - -#define PF_KEY_V2 2 -#define PFKEYV2_REVISION 199806L - -#define SADB_RESERVED 0 -#define SADB_GETSPI 1 -#define SADB_UPDATE 2 -#define SADB_ADD 3 -#define SADB_DELETE 4 -#define SADB_GET 5 -#define SADB_ACQUIRE 6 -#define SADB_REGISTER 7 -#define SADB_EXPIRE 8 -#define SADB_FLUSH 9 -#define SADB_DUMP 10 -#define SADB_X_PROMISC 11 -#define SADB_X_PCHANGE 12 -#define SADB_X_GRPSA 13 -#define SADB_X_ADDFLOW 14 -#define SADB_X_DELFLOW 15 -#define SADB_X_DEBUG 16 -#define SADB_X_NAT_T_NEW_MAPPING 17 -#define SADB_MAX 17 - -struct sadb_msg { - uint8_t sadb_msg_version; - uint8_t sadb_msg_type; - uint8_t sadb_msg_errno; - uint8_t sadb_msg_satype; - uint16_t sadb_msg_len; - uint16_t sadb_msg_reserved; - uint32_t sadb_msg_seq; - uint32_t sadb_msg_pid; -}; - -struct sadb_ext { - uint16_t sadb_ext_len; - uint16_t sadb_ext_type; -}; - -struct sadb_sa { - uint16_t sadb_sa_len; - uint16_t sadb_sa_exttype; - uint32_t sadb_sa_spi; - uint8_t sadb_sa_replay; - uint8_t sadb_sa_state; - uint8_t sadb_sa_auth; - uint8_t sadb_sa_encrypt; - uint32_t sadb_sa_flags; -}; - -struct sadb_lifetime { - uint16_t sadb_lifetime_len; - uint16_t sadb_lifetime_exttype; - uint32_t sadb_lifetime_allocations; - uint64_t sadb_lifetime_bytes; - uint64_t sadb_lifetime_addtime; - uint64_t sadb_lifetime_usetime; - uint32_t sadb_x_lifetime_packets; - uint32_t sadb_x_lifetime_reserved; -}; - -struct sadb_address { - uint16_t sadb_address_len; - uint16_t sadb_address_exttype; - uint8_t sadb_address_proto; - uint8_t sadb_address_prefixlen; - uint16_t sadb_address_reserved; -}; - -struct sadb_key { - uint16_t sadb_key_len; - uint16_t sadb_key_exttype; - uint16_t sadb_key_bits; - uint16_t sadb_key_reserved; -}; - -struct sadb_ident { - uint16_t sadb_ident_len; - uint16_t sadb_ident_exttype; - uint16_t sadb_ident_type; - uint16_t sadb_ident_reserved; - uint64_t sadb_ident_id; -}; - -struct sadb_sens { - uint16_t sadb_sens_len; - uint16_t sadb_sens_exttype; - uint32_t sadb_sens_dpd; - uint8_t sadb_sens_sens_level; - uint8_t sadb_sens_sens_len; - uint8_t sadb_sens_integ_level; - uint8_t sadb_sens_integ_len; - uint32_t sadb_sens_reserved; -}; - -struct sadb_prop { - uint16_t sadb_prop_len; - uint16_t sadb_prop_exttype; - uint8_t sadb_prop_replay; - uint8_t sadb_prop_reserved[3]; -}; - -struct sadb_comb { - uint8_t sadb_comb_auth; - uint8_t sadb_comb_encrypt; - uint16_t sadb_comb_flags; - uint16_t sadb_comb_auth_minbits; - uint16_t sadb_comb_auth_maxbits; - uint16_t sadb_comb_encrypt_minbits; - uint16_t sadb_comb_encrypt_maxbits; - uint32_t sadb_comb_reserved; - uint32_t sadb_comb_soft_allocations; - uint32_t sadb_comb_hard_allocations; - uint64_t sadb_comb_soft_bytes; - uint64_t sadb_comb_hard_bytes; - uint64_t sadb_comb_soft_addtime; - uint64_t sadb_comb_hard_addtime; - uint64_t sadb_comb_soft_usetime; - uint64_t sadb_comb_hard_usetime; - uint32_t sadb_x_comb_soft_packets; - uint32_t sadb_x_comb_hard_packets; -}; - -struct sadb_supported { - uint16_t sadb_supported_len; - uint16_t sadb_supported_exttype; - uint32_t sadb_supported_reserved; -}; - -struct sadb_alg { - uint8_t sadb_alg_id; - uint8_t sadb_alg_ivlen; - uint16_t sadb_alg_minbits; - uint16_t sadb_alg_maxbits; - uint16_t sadb_alg_reserved; -}; - -struct sadb_spirange { - uint16_t sadb_spirange_len; - uint16_t sadb_spirange_exttype; - uint32_t sadb_spirange_min; - uint32_t sadb_spirange_max; - uint32_t sadb_spirange_reserved; -}; - -struct sadb_x_kmprivate { - uint16_t sadb_x_kmprivate_len; - uint16_t sadb_x_kmprivate_exttype; - uint32_t sadb_x_kmprivate_reserved; -}; - -struct sadb_x_satype { - uint16_t sadb_x_satype_len; - uint16_t sadb_x_satype_exttype; - uint8_t sadb_x_satype_satype; - uint8_t sadb_x_satype_reserved[3]; -}; - -struct sadb_x_debug { - uint16_t sadb_x_debug_len; - uint16_t sadb_x_debug_exttype; - uint32_t sadb_x_debug_tunnel; - uint32_t sadb_x_debug_netlink; - uint32_t sadb_x_debug_xform; - uint32_t sadb_x_debug_eroute; - uint32_t sadb_x_debug_spi; - uint32_t sadb_x_debug_radij; - uint32_t sadb_x_debug_esp; - uint32_t sadb_x_debug_ah; - uint32_t sadb_x_debug_rcv; - uint32_t sadb_x_debug_pfkey; - uint32_t sadb_x_debug_ipcomp; - uint32_t sadb_x_debug_verbose; - uint8_t sadb_x_debug_reserved[4]; -}; - -struct sadb_x_nat_t_type { - uint16_t sadb_x_nat_t_type_len; - uint16_t sadb_x_nat_t_type_exttype; - uint8_t sadb_x_nat_t_type_type; - uint8_t sadb_x_nat_t_type_reserved[3]; -}; -struct sadb_x_nat_t_port { - uint16_t sadb_x_nat_t_port_len; - uint16_t sadb_x_nat_t_port_exttype; - uint16_t sadb_x_nat_t_port_port; - uint16_t sadb_x_nat_t_port_reserved; -}; - -/* - * A protocol structure for passing through the transport level - * protocol. It contains more fields than are actually used/needed - * but it is this way to be compatible with the structure used in - * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h) - */ -struct sadb_protocol { - uint16_t sadb_protocol_len; - uint16_t sadb_protocol_exttype; - uint8_t sadb_protocol_proto; - uint8_t sadb_protocol_direction; - uint8_t sadb_protocol_flags; - uint8_t sadb_protocol_reserved2; -}; - -#define SADB_EXT_RESERVED 0 -#define SADB_EXT_SA 1 -#define SADB_EXT_LIFETIME_CURRENT 2 -#define SADB_EXT_LIFETIME_HARD 3 -#define SADB_EXT_LIFETIME_SOFT 4 -#define SADB_EXT_ADDRESS_SRC 5 -#define SADB_EXT_ADDRESS_DST 6 -#define SADB_EXT_ADDRESS_PROXY 7 -#define SADB_EXT_KEY_AUTH 8 -#define SADB_EXT_KEY_ENCRYPT 9 -#define SADB_EXT_IDENTITY_SRC 10 -#define SADB_EXT_IDENTITY_DST 11 -#define SADB_EXT_SENSITIVITY 12 -#define SADB_EXT_PROPOSAL 13 -#define SADB_EXT_SUPPORTED_AUTH 14 -#define SADB_EXT_SUPPORTED_ENCRYPT 15 -#define SADB_EXT_SPIRANGE 16 -#define SADB_X_EXT_KMPRIVATE 17 -#define SADB_X_EXT_SATYPE2 18 -#define SADB_X_EXT_SA2 19 -#define SADB_X_EXT_ADDRESS_DST2 20 -#define SADB_X_EXT_ADDRESS_SRC_FLOW 21 -#define SADB_X_EXT_ADDRESS_DST_FLOW 22 -#define SADB_X_EXT_ADDRESS_SRC_MASK 23 -#define SADB_X_EXT_ADDRESS_DST_MASK 24 -#define SADB_X_EXT_DEBUG 25 -#define SADB_X_EXT_PROTOCOL 26 -#define SADB_X_EXT_NAT_T_TYPE 27 -#define SADB_X_EXT_NAT_T_SPORT 28 -#define SADB_X_EXT_NAT_T_DPORT 29 -#define SADB_X_EXT_NAT_T_OA 30 -#define SADB_EXT_MAX 30 - -/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */ -#define SADB_X_EXT_ADDRESS_DELFLOW \ - ( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \ - | (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \ - | (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \ - | (1<<SADB_X_EXT_ADDRESS_DST_MASK)) - -#define SADB_SATYPE_UNSPEC 0 -#define SADB_SATYPE_AH 2 -#define SADB_SATYPE_ESP 3 -#define SADB_SATYPE_RSVP 5 -#define SADB_SATYPE_OSPFV2 6 -#define SADB_SATYPE_RIPV2 7 -#define SADB_SATYPE_MIP 8 -#define SADB_X_SATYPE_IPIP 9 -#define SADB_X_SATYPE_COMP 10 -#define SADB_X_SATYPE_INT 11 -#define SADB_SATYPE_MAX 11 - -#define SADB_SASTATE_LARVAL 0 -#define SADB_SASTATE_MATURE 1 -#define SADB_SASTATE_DYING 2 -#define SADB_SASTATE_DEAD 3 -#define SADB_SASTATE_MAX 3 - -#define SADB_SAFLAGS_PFS 1 -#define SADB_X_SAFLAGS_REPLACEFLOW 2 -#define SADB_X_SAFLAGS_CLEARFLOW 4 -#define SADB_X_SAFLAGS_INFLOW 8 - -#define SADB_AALG_NONE 0 -#define SADB_AALG_MD5HMAC 2 -#define SADB_AALG_SHA1HMAC 3 -#define SADB_AALG_SHA256_HMAC 5 -#define SADB_AALG_SHA384_HMAC 6 -#define SADB_AALG_SHA512_HMAC 7 -#define SADB_AALG_RIPEMD160HMAC 8 -#define SADB_AALG_MAX 15 - -#define SADB_EALG_NONE 0 -#define SADB_EALG_DESCBC 2 -#define SADB_EALG_3DESCBC 3 -#define SADB_EALG_BFCBC 7 -#define SADB_EALG_NULL 11 -#define SADB_EALG_AESCBC 12 -#define SADB_EALG_MAX 255 - -#define SADB_X_CALG_NONE 0 -#define SADB_X_CALG_OUI 1 -#define SADB_X_CALG_DEFLATE 2 -#define SADB_X_CALG_LZS 3 -#define SADB_X_CALG_V42BIS 4 -#define SADB_X_CALG_MAX 4 - -#define SADB_X_TALG_NONE 0 -#define SADB_X_TALG_IPv4_in_IPv4 1 -#define SADB_X_TALG_IPv6_in_IPv4 2 -#define SADB_X_TALG_IPv4_in_IPv6 3 -#define SADB_X_TALG_IPv6_in_IPv6 4 -#define SADB_X_TALG_MAX 4 - - -#define SADB_IDENTTYPE_RESERVED 0 -#define SADB_IDENTTYPE_PREFIX 1 -#define SADB_IDENTTYPE_FQDN 2 -#define SADB_IDENTTYPE_USERFQDN 3 -#define SADB_X_IDENTTYPE_CONNECTION 4 -#define SADB_IDENTTYPE_MAX 4 - -#define SADB_KEY_FLAGS_MAX 0 -#endif /* __PFKEY_V2_H */ diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am deleted file mode 100644 index 2bb00ec0d..000000000 --- a/src/libcharon/plugins/kernel_netlink/Makefile.am +++ /dev/null @@ -1,20 +0,0 @@ - -INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic \ --DROUTING_TABLE=${routing_table} \ --DROUTING_TABLE_PRIO=${routing_table_prio} - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la -else -plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la -endif - -libstrongswan_kernel_netlink_la_SOURCES = \ - kernel_netlink_plugin.h kernel_netlink_plugin.c \ - kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ - kernel_netlink_shared.h kernel_netlink_shared.c - -libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c deleted file mode 100644 index 019ec93f8..000000000 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ /dev/null @@ -1,2265 +0,0 @@ -/* - * Copyright (C) 2006-2009 Tobias Brunner - * Copyright (C) 2005-2009 Martin Willi - * Copyright (C) 2008 Andreas Steffen - * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser - * Copyright (C) 2006 Daniel Roethlisberger - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <stdint.h> -#include <linux/ipsec.h> -#include <linux/netlink.h> -#include <linux/rtnetlink.h> -#include <linux/xfrm.h> -#include <linux/udp.h> -#include <unistd.h> -#include <time.h> -#include <errno.h> -#include <string.h> -#include <fcntl.h> - -#include "kernel_netlink_ipsec.h" -#include "kernel_netlink_shared.h" - -#include <daemon.h> -#include <threading/thread.h> -#include <threading/mutex.h> -#include <utils/hashtable.h> -#include <processing/jobs/callback_job.h> -#include <processing/jobs/acquire_job.h> -#include <processing/jobs/migrate_job.h> -#include <processing/jobs/rekey_child_sa_job.h> -#include <processing/jobs/delete_child_sa_job.h> -#include <processing/jobs/update_sa_job.h> - -/** required for Linux 2.6.26 kernel and later */ -#ifndef XFRM_STATE_AF_UNSPEC -#define XFRM_STATE_AF_UNSPEC 32 -#endif - -/** from linux/in.h */ -#ifndef IP_XFRM_POLICY -#define IP_XFRM_POLICY 17 -#endif - -/* missing on uclibc */ -#ifndef IPV6_XFRM_POLICY -#define IPV6_XFRM_POLICY 34 -#endif /*IPV6_XFRM_POLICY*/ - -/** default priority of installed policies */ -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 - -/** - * map the limit for bytes and packets to XFRM_INF per default - */ -#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x)) - -/** - * Create ORable bitfield of XFRM NL groups - */ -#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1)) - -/** - * returns a pointer to the first rtattr following the nlmsghdr *nlh and the - * 'usual' netlink data x like 'struct xfrm_usersa_info' - */ -#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) -/** - * returns a pointer to the next rtattr following rta. - * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!! - */ -#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len))) -/** - * returns the total size of attached rta data - * (after 'usual' netlink data x like 'struct xfrm_usersa_info') - */ -#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x)) - -typedef struct kernel_algorithm_t kernel_algorithm_t; - -/** - * Mapping of IKEv2 kernel identifier to linux crypto API names - */ -struct kernel_algorithm_t { - /** - * Identifier specified in IKEv2 - */ - int ikev2; - - /** - * Name of the algorithm in linux crypto API - */ - char *name; -}; - -ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING, - "XFRM_MSG_NEWSA", - "XFRM_MSG_DELSA", - "XFRM_MSG_GETSA", - "XFRM_MSG_NEWPOLICY", - "XFRM_MSG_DELPOLICY", - "XFRM_MSG_GETPOLICY", - "XFRM_MSG_ALLOCSPI", - "XFRM_MSG_ACQUIRE", - "XFRM_MSG_EXPIRE", - "XFRM_MSG_UPDPOLICY", - "XFRM_MSG_UPDSA", - "XFRM_MSG_POLEXPIRE", - "XFRM_MSG_FLUSHSA", - "XFRM_MSG_FLUSHPOLICY", - "XFRM_MSG_NEWAE", - "XFRM_MSG_GETAE", - "XFRM_MSG_REPORT", - "XFRM_MSG_MIGRATE", - "XFRM_MSG_NEWSADINFO", - "XFRM_MSG_GETSADINFO", - "XFRM_MSG_NEWSPDINFO", - "XFRM_MSG_GETSPDINFO", - "XFRM_MSG_MAPPING" -); - -ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS, - "XFRMA_UNSPEC", - "XFRMA_ALG_AUTH", - "XFRMA_ALG_CRYPT", - "XFRMA_ALG_COMP", - "XFRMA_ENCAP", - "XFRMA_TMPL", - "XFRMA_SA", - "XFRMA_POLICY", - "XFRMA_SEC_CTX", - "XFRMA_LTIME_VAL", - "XFRMA_REPLAY_VAL", - "XFRMA_REPLAY_THRESH", - "XFRMA_ETIMER_THRESH", - "XFRMA_SRCADDR", - "XFRMA_COADDR", - "XFRMA_LASTUSED", - "XFRMA_POLICY_TYPE", - "XFRMA_MIGRATE", - "XFRMA_ALG_AEAD", - "XFRMA_KMADDRESS" -); - -#define END_OF_LIST -1 - -/** - * Algorithms for encryption - */ -static kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, "***" }, */ - {ENCR_DES, "des" }, - {ENCR_3DES, "des3_ede" }, -/* {ENCR_RC5, "***" }, */ -/* {ENCR_IDEA, "***" }, */ - {ENCR_CAST, "cast128" }, - {ENCR_BLOWFISH, "blowfish" }, -/* {ENCR_3IDEA, "***" }, */ -/* {ENCR_DES_IV32, "***" }, */ - {ENCR_NULL, "cipher_null" }, - {ENCR_AES_CBC, "aes" }, - {ENCR_AES_CTR, "rfc3686(ctr(aes))" }, - {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" }, - {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" }, - {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" }, - {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" }, - {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" }, - {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" }, - {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" }, - {ENCR_CAMELLIA_CBC, "cbc(camellia)" }, -/* {ENCR_CAMELLIA_CTR, "***" }, */ -/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */ -/* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */ -/* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */ - {END_OF_LIST, NULL } -}; - -/** - * Algorithms for integrity protection - */ -static kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, "md5" }, - {AUTH_HMAC_SHA1_96, "sha1" }, - {AUTH_HMAC_SHA2_256_96, "sha256" }, - {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" }, - {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" }, - {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" }, -/* {AUTH_DES_MAC, "***" }, */ -/* {AUTH_KPDK_MD5, "***" }, */ - {AUTH_AES_XCBC_96, "xcbc(aes)" }, - {END_OF_LIST, NULL } -}; - -/** - * Algorithms for IPComp - */ -static kernel_algorithm_t compression_algs[] = { -/* {IPCOMP_OUI, "***" }, */ - {IPCOMP_DEFLATE, "deflate" }, - {IPCOMP_LZS, "lzs" }, - {IPCOMP_LZJH, "lzjh" }, - {END_OF_LIST, NULL } -}; - -/** - * Look up a kernel algorithm name and its key size - */ -static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2) -{ - while (list->ikev2 != END_OF_LIST) - { - if (list->ikev2 == ikev2) - { - return list->name; - } - list++; - } - return NULL; -} - -typedef struct route_entry_t route_entry_t; - -/** - * installed routing entry - */ -struct route_entry_t { - /** Name of the interface the route is bound to */ - char *if_name; - - /** Source ip of the route */ - host_t *src_ip; - - /** gateway for this route */ - host_t *gateway; - - /** Destination net */ - chunk_t dst_net; - - /** Destination net prefixlen */ - u_int8_t prefixlen; -}; - -/** - * destroy an route_entry_t object - */ -static void route_entry_destroy(route_entry_t *this) -{ - free(this->if_name); - this->src_ip->destroy(this->src_ip); - DESTROY_IF(this->gateway); - chunk_free(&this->dst_net); - free(this); -} - -typedef struct policy_entry_t policy_entry_t; - -/** - * installed kernel policy. - */ -struct policy_entry_t { - - /** direction of this policy: in, out, forward */ - u_int8_t direction; - - /** parameters of installed policy */ - struct xfrm_selector sel; - - /** optional mark */ - u_int32_t mark; - - /** associated route installed for this policy */ - route_entry_t *route; - - /** by how many CHILD_SA's this policy is used */ - u_int refcount; -}; - -/** - * Hash function for policy_entry_t objects - */ -static u_int policy_hash(policy_entry_t *key) -{ - chunk_t chunk = chunk_create((void*)&key->sel, - sizeof(struct xfrm_selector) + sizeof(u_int32_t)); - return chunk_hash(chunk); -} - -/** - * Equality function for policy_entry_t objects - */ -static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key) -{ - return memeq(&key->sel, &other_key->sel, - sizeof(struct xfrm_selector) + sizeof(u_int32_t)) && - key->direction == other_key->direction; -} - -typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t; - -/** - * Private variables and functions of kernel_netlink class. - */ -struct private_kernel_netlink_ipsec_t { - /** - * Public part of the kernel_netlink_t object. - */ - kernel_netlink_ipsec_t public; - - /** - * mutex to lock access to various lists - */ - mutex_t *mutex; - - /** - * Hash table of installed policies (policy_entry_t) - */ - hashtable_t *policies; - - /** - * job receiving netlink events - */ - callback_job_t *job; - - /** - * Netlink xfrm socket (IPsec) - */ - netlink_socket_t *socket_xfrm; - - /** - * netlink xfrm socket to receive acquire and expire events - */ - int socket_xfrm_events; - - /** - * whether to install routes along policies - */ - bool install_routes; -}; - -/** - * convert a IKEv2 specific protocol identifier to the kernel one - */ -static u_int8_t proto_ike2kernel(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return IPPROTO_ESP; - case PROTO_AH: - return IPPROTO_AH; - default: - return proto; - } -} - -/** - * reverse of ike2kernel - */ -static protocol_id_t proto_kernel2ike(u_int8_t proto) -{ - switch (proto) - { - case IPPROTO_ESP: - return PROTO_ESP; - case IPPROTO_AH: - return PROTO_AH; - default: - return proto; - } -} - -/** - * convert the general ipsec mode to the one defined in xfrm.h - */ -static u_int8_t mode2kernel(ipsec_mode_t mode) -{ - switch (mode) - { - case MODE_TRANSPORT: - return XFRM_MODE_TRANSPORT; - case MODE_TUNNEL: - return XFRM_MODE_TUNNEL; - case MODE_BEET: - return XFRM_MODE_BEET; - default: - return mode; - } -} - -/** - * convert a host_t to a struct xfrm_address - */ -static void host2xfrm(host_t *host, xfrm_address_t *xfrm) -{ - chunk_t chunk = host->get_address(host); - memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); -} - -/** - * convert a struct xfrm_address to a host_t - */ -static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port) -{ - chunk_t chunk; - - switch (family) - { - case AF_INET: - chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4)); - break; - case AF_INET6: - chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6)); - break; - default: - return NULL; - } - return host_create_from_chunk(family, chunk, ntohs(port)); -} - -/** - * convert a traffic selector address range to subnet and its mask. - */ -static void ts2subnet(traffic_selector_t* ts, - xfrm_address_t *net, u_int8_t *mask) -{ - host_t *net_host; - chunk_t net_chunk; - - ts->to_subnet(ts, &net_host, mask); - net_chunk = net_host->get_address(net_host); - memcpy(net, net_chunk.ptr, net_chunk.len); - net_host->destroy(net_host); -} - -/** - * convert a traffic selector port range to port/portmask - */ -static void ts2ports(traffic_selector_t* ts, - u_int16_t *port, u_int16_t *mask) -{ - /* linux does not seem to accept complex portmasks. Only - * any or a specific port is allowed. We set to any, if we have - * a port range, or to a specific, if we have one port only. - */ - u_int16_t from, to; - - from = ts->get_from_port(ts); - to = ts->get_to_port(ts); - - if (from == to) - { - *port = htons(from); - *mask = ~0; - } - else - { - *port = 0; - *mask = 0; - } -} - -/** - * convert a pair of traffic_selectors to a xfrm_selector - */ -static struct xfrm_selector ts2selector(traffic_selector_t *src, - traffic_selector_t *dst) -{ - struct xfrm_selector sel; - - memset(&sel, 0, sizeof(sel)); - sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6; - /* src or dest proto may be "any" (0), use more restrictive one */ - sel.proto = max(src->get_protocol(src), dst->get_protocol(dst)); - ts2subnet(dst, &sel.daddr, &sel.prefixlen_d); - ts2subnet(src, &sel.saddr, &sel.prefixlen_s); - ts2ports(dst, &sel.dport, &sel.dport_mask); - ts2ports(src, &sel.sport, &sel.sport_mask); - sel.ifindex = 0; - sel.user = 0; - - return sel; -} - -/** - * convert a xfrm_selector to a src|dst traffic_selector - */ -static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) -{ - u_char *addr; - u_int8_t prefixlen; - u_int16_t port = 0; - host_t *host = NULL; - - if (src) - { - addr = (u_char*)&sel->saddr; - prefixlen = sel->prefixlen_s; - if (sel->sport_mask) - { - port = htons(sel->sport); - } - } - else - { - addr = (u_char*)&sel->daddr; - prefixlen = sel->prefixlen_d; - if (sel->dport_mask) - { - port = htons(sel->dport); - } - } - - /* The Linux 2.6 kernel does not set the selector's family field, - * so as a kludge we additionally test the prefix length. - */ - if (sel->family == AF_INET || sel->prefixlen_s == 32) - { - host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0); - } - else if (sel->family == AF_INET6 || sel->prefixlen_s == 128) - { - host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0); - } - - if (host) - { - return traffic_selector_create_from_subnet(host, prefixlen, - sel->proto, port); - } - return NULL; -} - -/** - * process a XFRM_MSG_ACQUIRE from kernel - */ -static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) -{ - u_int32_t reqid = 0; - int proto = 0; - traffic_selector_t *src_ts, *dst_ts; - struct xfrm_user_acquire *acquire; - struct rtattr *rta; - size_t rtasize; - job_t *job; - - acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr); - rta = XFRM_RTA(hdr, struct xfrm_user_acquire); - rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire); - - DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE"); - - while (RTA_OK(rta, rtasize)) - { - DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type); - - if (rta->rta_type == XFRMA_TMPL) - { - struct xfrm_user_tmpl* tmpl; - - tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta); - reqid = tmpl->reqid; - proto = tmpl->id.proto; - } - rta = RTA_NEXT(rta, rtasize); - } - switch (proto) - { - case 0: - case IPPROTO_ESP: - case IPPROTO_AH: - break; - default: - /* acquire for AH/ESP only, not for IPCOMP */ - return; - } - src_ts = selector2ts(&acquire->sel, TRUE); - dst_ts = selector2ts(&acquire->sel, FALSE); - DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}", - src_ts, dst_ts, reqid); - job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts); - charon->processor->queue_job(charon->processor, job); -} - -/** - * process a XFRM_MSG_EXPIRE from kernel - */ -static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) -{ - job_t *job; - protocol_id_t protocol; - u_int32_t spi, reqid; - struct xfrm_user_expire *expire; - - expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr); - protocol = proto_kernel2ike(expire->state.id.proto); - spi = expire->state.id.spi; - reqid = expire->state.reqid; - - DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); - - if (protocol != PROTO_ESP && protocol != PROTO_AH) - { - DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} " - "which is not a CHILD_SA", ntohl(spi), reqid); - return; - } - - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}", - expire->hard ? "delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (expire->hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->processor->queue_job(charon->processor, job); -} - -/** - * process a XFRM_MSG_MIGRATE from kernel - */ -static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) -{ - traffic_selector_t *src_ts, *dst_ts; - host_t *local = NULL, *remote = NULL; - host_t *old_src = NULL, *old_dst = NULL; - host_t *new_src = NULL, *new_dst = NULL; - struct xfrm_userpolicy_id *policy_id; - struct rtattr *rta; - size_t rtasize; - u_int32_t reqid = 0; - policy_dir_t dir; - job_t *job; - - policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); - rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id); - rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id); - - DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE"); - - src_ts = selector2ts(&policy_id->sel, TRUE); - dst_ts = selector2ts(&policy_id->sel, FALSE); - dir = (policy_dir_t)policy_id->dir; - - DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names); - - while (RTA_OK(rta, rtasize)) - { - DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type); - if (rta->rta_type == XFRMA_KMADDRESS) - { - struct xfrm_user_kmaddress *kmaddress; - - kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta); - local = xfrm2host(kmaddress->family, &kmaddress->local, 0); - remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0); - DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote); - } - else if (rta->rta_type == XFRMA_MIGRATE) - { - struct xfrm_user_migrate *migrate; - protocol_id_t proto; - - migrate = (struct xfrm_user_migrate*)RTA_DATA(rta); - old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0); - old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0); - new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0); - new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0); - proto = proto_kernel2ike(migrate->proto); - reqid = migrate->reqid; - DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}", - protocol_id_names, proto, old_src, old_dst, - new_src, new_dst, reqid); - DESTROY_IF(old_src); - DESTROY_IF(old_dst); - DESTROY_IF(new_src); - DESTROY_IF(new_dst); - } - rta = RTA_NEXT(rta, rtasize); - } - - if (src_ts && dst_ts && local && remote) - { - DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}", - src_ts, dst_ts, policy_dir_names, dir, reqid, local); - job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir, - local, remote); - charon->processor->queue_job(charon->processor, job); - } - else - { - DESTROY_IF(src_ts); - DESTROY_IF(dst_ts); - DESTROY_IF(local); - DESTROY_IF(remote); - } -} - -/** - * process a XFRM_MSG_MAPPING from kernel - */ -static void process_mapping(private_kernel_netlink_ipsec_t *this, - struct nlmsghdr *hdr) -{ - job_t *job; - u_int32_t spi, reqid; - struct xfrm_user_mapping *mapping; - host_t *host; - - mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr); - spi = mapping->id.spi; - reqid = mapping->reqid; - - DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING"); - - if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP) - { - host = xfrm2host(mapping->id.family, &mapping->new_saddr, - mapping->new_sport); - if (host) - { - DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and " - "reqid {%u} changed, queuing update job", ntohl(spi), reqid); - job = (job_t*)update_sa_job_create(reqid, host); - charon->processor->queue_job(charon->processor, job); - } - } -} - -/** - * Receives events from kernel - */ -static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this) -{ - char response[1024]; - struct nlmsghdr *hdr = (struct nlmsghdr*)response; - struct sockaddr_nl addr; - socklen_t addr_len = sizeof(addr); - int len; - bool oldstate; - - oldstate = thread_cancelability(TRUE); - len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0, - (struct sockaddr*)&addr, &addr_len); - thread_cancelability(oldstate); - - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return JOB_REQUEUE_DIRECT; - case EAGAIN: - /* no data ready, select again */ - return JOB_REQUEUE_DIRECT; - default: - DBG1(DBG_KNL, "unable to receive from xfrm event socket"); - sleep(1); - return JOB_REQUEUE_FAIR; - } - } - - if (addr.nl_pid != 0) - { /* not from kernel. not interested, try another one */ - return JOB_REQUEUE_DIRECT; - } - - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_ACQUIRE: - process_acquire(this, hdr); - break; - case XFRM_MSG_EXPIRE: - process_expire(this, hdr); - break; - case XFRM_MSG_MIGRATE: - process_migrate(this, hdr); - break; - case XFRM_MSG_MAPPING: - process_mapping(this, hdr); - break; - default: - DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type); - break; - } - hdr = NLMSG_NEXT(hdr, len); - } - return JOB_REQUEUE_DIRECT; -} - -/** - * Get an SPI for a specific protocol from the kernel. - */ -static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, - host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max, - u_int32_t reqid, u_int32_t *spi) -{ - netlink_buf_t request; - struct nlmsghdr *hdr, *out; - struct xfrm_userspi_info *userspi; - u_int32_t received_spi = 0; - size_t len; - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_ALLOCSPI; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info)); - - userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr); - host2xfrm(src, &userspi->info.saddr); - host2xfrm(dst, &userspi->info.id.daddr); - userspi->info.id.proto = proto; - userspi->info.mode = XFRM_MODE_TUNNEL; - userspi->info.reqid = reqid; - userspi->info.family = src->get_family(src); - userspi->min = min; - userspi->max = max; - - if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWSA: - { - struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr); - received_spi = usersa->id.spi; - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - - DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - free(out); - } - - if (received_spi == 0) - { - return FAILED; - } - - *spi = received_spi; - return SUCCESS; -} - -METHOD(kernel_ipsec_t, get_spi, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) -{ - DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid); - - if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol), - 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS) - { - DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid); - return FAILED; - } - - DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, get_cpi, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) -{ - u_int32_t received_spi = 0; - - DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid); - - if (get_spi_internal(this, src, dst, - IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS) - { - DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid); - return FAILED; - } - - *cpi = htons((u_int16_t)ntohl(received_spi)); - - DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool encap, bool inbound, - traffic_selector_t* src_ts, traffic_selector_t* dst_ts) -{ - netlink_buf_t request; - char *alg_name; - struct nlmsghdr *hdr; - struct xfrm_usersa_info *sa; - u_int16_t icv_size = 64; - - /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 - * we are in the recursive call below */ - if (ipcomp != IPCOMP_NONE && cpi != 0) - { - lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, - &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, - mode, ipcomp, 0, FALSE, inbound, NULL, NULL); - ipcomp = IPCOMP_NONE; - /* use transport mode ESP SA, IPComp uses tunnel mode */ - mode = MODE_TRANSPORT; - } - - memset(&request, 0, sizeof(request)); - - if (mark.value) - { - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} " - "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", - ntohl(spi), reqid); - } - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); - - sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); - host2xfrm(src, &sa->saddr); - host2xfrm(dst, &sa->id.daddr); - sa->id.spi = spi; - sa->id.proto = proto_ike2kernel(protocol); - sa->family = src->get_family(src); - sa->mode = mode2kernel(mode); - switch (mode) - { - case MODE_TUNNEL: - sa->flags |= XFRM_STATE_AF_UNSPEC; - break; - case MODE_BEET: - if(src_ts && dst_ts) - { - sa->sel = ts2selector(src_ts, dst_ts); - } - break; - default: - break; - } - - sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32; - sa->reqid = reqid; - sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey); - sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life); - sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey); - sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life); - /* we use lifetimes since added, not since used */ - sa->lft.soft_add_expires_seconds = lifetime->time.rekey; - sa->lft.hard_add_expires_seconds = lifetime->time.life; - sa->lft.soft_use_expires_seconds = 0; - sa->lft.hard_use_expires_seconds = 0; - - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info); - - switch (enc_alg) - { - case ENCR_UNDEFINED: - /* no encryption */ - break; - case ENCR_AES_CCM_ICV16: - case ENCR_AES_GCM_ICV16: - case ENCR_NULL_AUTH_AES_GMAC: - case ENCR_CAMELLIA_CCM_ICV16: - icv_size += 32; - /* FALL */ - case ENCR_AES_CCM_ICV12: - case ENCR_AES_GCM_ICV12: - case ENCR_CAMELLIA_CCM_ICV12: - icv_size += 32; - /* FALL */ - case ENCR_AES_CCM_ICV8: - case ENCR_AES_GCM_ICV8: - case ENCR_CAMELLIA_CCM_ICV8: - { - struct xfrm_algo_aead *algo; - - alg_name = lookup_algorithm(encryption_algs, enc_alg); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); - return FAILED; - } - DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); - - rthdr->rta_type = XFRMA_ALG_AEAD; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); - algo->alg_key_len = enc_key.len * 8; - algo->alg_icv_len = icv_size; - strcpy(algo->alg_name, alg_name); - memcpy(algo->alg_key, enc_key.ptr, enc_key.len); - - rthdr = XFRM_RTA_NEXT(rthdr); - break; - } - default: - { - struct xfrm_algo *algo; - - alg_name = lookup_algorithm(encryption_algs, enc_alg); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); - return FAILED; - } - DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); - - rthdr->rta_type = XFRMA_ALG_CRYPT; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - algo = (struct xfrm_algo*)RTA_DATA(rthdr); - algo->alg_key_len = enc_key.len * 8; - strcpy(algo->alg_name, alg_name); - memcpy(algo->alg_key, enc_key.ptr, enc_key.len); - - rthdr = XFRM_RTA_NEXT(rthdr); - } - } - - if (int_alg != AUTH_UNDEFINED) - { - alg_name = lookup_algorithm(integrity_algs, int_alg); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg); - return FAILED; - } - DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg, int_key.len * 8); - - if (int_alg == AUTH_HMAC_SHA2_256_128) - { - struct xfrm_algo_auth* algo; - - /* the kernel uses SHA256 with 96 bit truncation by default, - * use specified truncation size supported by newer kernels */ - rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr); - algo->alg_key_len = int_key.len * 8; - algo->alg_trunc_len = 128; - strcpy(algo->alg_name, alg_name); - memcpy(algo->alg_key, int_key.ptr, int_key.len); - } - else - { - struct xfrm_algo* algo; - - rthdr->rta_type = XFRMA_ALG_AUTH; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - algo = (struct xfrm_algo*)RTA_DATA(rthdr); - algo->alg_key_len = int_key.len * 8; - strcpy(algo->alg_name, alg_name); - memcpy(algo->alg_key, int_key.ptr, int_key.len); - } - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (ipcomp != IPCOMP_NONE) - { - rthdr->rta_type = XFRMA_ALG_COMP; - alg_name = lookup_algorithm(compression_algs, ipcomp); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - ipcomp_transform_names, ipcomp); - return FAILED; - } - DBG2(DBG_KNL, " using compression algorithm %N", - ipcomp_transform_names, ipcomp); - - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo)); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); - algo->alg_key_len = 0; - strcpy(algo->alg_name, alg_name); - - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (encap) - { - struct xfrm_encap_tmpl *tmpl; - - rthdr->rta_type = XFRMA_ENCAP; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); - tmpl->encap_type = UDP_ENCAP_ESPINUDP; - tmpl->encap_sport = htons(src->get_port(src)); - tmpl->encap_dport = htons(dst->get_port(dst)); - memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t)); - /* encap_oa could probably be derived from the - * traffic selectors [rfc4306, p39]. In the netlink kernel implementation - * pluto does the same as we do here but it uses encap_oa in the - * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates - * the kernel ignores it anyway - * -> does that mean that NAT-T encap doesn't work in transport mode? - * No. The reason the kernel ignores NAT-OA is that it recomputes - * (or, rather, just ignores) the checksum. If packets pass - * the IPsec checks it marks them "checksum ok" so OA isn't needed. */ - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (mark.value) - { - struct xfrm_mark *mrk; - - rthdr->rta_type = XFRMA_MARK; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - mrk = (struct xfrm_mark*)RTA_DATA(rthdr); - mrk->v = mark.value; - mrk->m = mark.mask; - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - if (mark.value) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x " - "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); - } - return FAILED; - } - return SUCCESS; -} - -/** - * Get the replay state (i.e. sequence numbers) of an SA. - */ -static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, - u_int32_t spi, protocol_id_t protocol, host_t *dst, - struct xfrm_replay_state *replay) -{ - netlink_buf_t request; - struct nlmsghdr *hdr, *out = NULL; - struct xfrm_aevent_id *out_aevent = NULL, *aevent_id; - size_t len; - struct rtattr *rta; - size_t rtasize; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETAE; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); - - aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr); - aevent_id->flags = XFRM_AE_RVAL; - - host2xfrm(dst, &aevent_id->sa_id.daddr); - aevent_id->sa_id.spi = spi; - aevent_id->sa_id.proto = proto_ike2kernel(protocol); - aevent_id->sa_id.family = dst->get_family(dst); - - if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWAE: - { - out_aevent = NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - - if (out_aevent == NULL) - { - DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x", - ntohl(spi)); - free(out); - return FAILED; - } - - rta = XFRM_RTA(out, struct xfrm_aevent_id); - rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id); - while(RTA_OK(rta, rtasize)) - { - if (rta->rta_type == XFRMA_REPLAY_VAL && - RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state)) - { - memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta)); - free(out); - return SUCCESS; - } - rta = RTA_NEXT(rta, rtasize); - } - - DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x", - ntohl(spi)); - free(out); - return FAILED; -} - -METHOD(kernel_ipsec_t, query_sa, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) -{ - netlink_buf_t request; - struct nlmsghdr *out = NULL, *hdr; - struct xfrm_usersa_id *sa_id; - struct xfrm_usersa_info *sa = NULL; - size_t len; - - memset(&request, 0, sizeof(request)); - - if (mark.value) - { - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%8x)", - ntohl(spi), mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); - } - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); - - sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); - sa_id->family = dst->get_family(dst); - - if (mark.value) - { - struct xfrm_mark *mrk; - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id); - - rthdr->rta_type = XFRMA_MARK; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - mrk = (struct xfrm_mark*)RTA_DATA(rthdr); - mrk->v = mark.value; - mrk->m = mark.mask; - } - - if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWSA: - { - sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - - if (mark.value) - { - DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " - "(mark %u/0x%8x) failed: %s (%d)", - ntohl(spi), mark.value, mark.mask, - strerror(-err->error), -err->error); - } - else - { - DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " - "failed: %s (%d)", ntohl(spi), - strerror(-err->error), -err->error); - } - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - - if (sa == NULL) - { - DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; - } - *bytes = sa->curlft.bytes; - - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) -{ - netlink_buf_t request; - struct nlmsghdr *hdr; - struct xfrm_usersa_id *sa_id; - - /* if IPComp was used, we first delete the additional IPComp SA */ - if (cpi) - { - del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark); - } - - memset(&request, 0, sizeof(request)); - - if (mark.value) - { - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)", - ntohl(spi), mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); - } - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_DELSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); - - sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); - sa_id->family = dst->get_family(dst); - - if (mark.value) - { - struct xfrm_mark *mrk; - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id); - - rthdr->rta_type = XFRMA_MARK; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - mrk = (struct xfrm_mark*)RTA_DATA(rthdr); - mrk->v = mark.value; - mrk->m = mark.mask; - } - - if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - if (mark.value) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x " - "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); - } - return FAILED; - } - if (mark.value) - { - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)", - ntohl(spi), mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); - } - return SUCCESS; -} - -METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool old_encap, bool new_encap, mark_t mark) -{ - netlink_buf_t request; - u_char *pos; - struct nlmsghdr *hdr, *out = NULL; - struct xfrm_usersa_id *sa_id; - struct xfrm_usersa_info *out_sa = NULL, *sa; - size_t len; - struct rtattr *rta; - size_t rtasize; - struct xfrm_encap_tmpl* tmpl = NULL; - bool got_replay_state = FALSE; - struct xfrm_replay_state replay; - - /* if IPComp is used, we first update the IPComp SA */ - if (cpi) - { - update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0, - src, dst, new_src, new_dst, FALSE, FALSE, mark); - } - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi)); - - /* query the existing SA first */ - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); - - sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = proto_ike2kernel(protocol); - sa_id->family = dst->get_family(dst); - - if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWSA: - { - out_sa = NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - if (out_sa == NULL) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; - } - - /* try to get the replay state */ - if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS) - { - got_replay_state = TRUE; - } - - /* delete the old SA (without affecting the IPComp SA) */ - if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; - } - - DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", - ntohl(spi), src, dst, new_src, new_dst); - /* copy over the SA from out to request */ - hdr = (struct nlmsghdr*)request; - memcpy(hdr, out, min(out->nlmsg_len, sizeof(request))); - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_NEWSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); - sa = NLMSG_DATA(hdr); - sa->family = new_dst->get_family(new_dst); - - if (!src->ip_equals(src, new_src)) - { - host2xfrm(new_src, &sa->saddr); - } - if (!dst->ip_equals(dst, new_dst)) - { - host2xfrm(new_dst, &sa->id.daddr); - } - - rta = XFRM_RTA(out, struct xfrm_usersa_info); - rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info); - pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info); - while(RTA_OK(rta, rtasize)) - { - /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */ - if (rta->rta_type != XFRMA_ENCAP || new_encap) - { - if (rta->rta_type == XFRMA_ENCAP) - { /* update encap tmpl */ - tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta); - tmpl->encap_sport = ntohs(new_src->get_port(new_src)); - tmpl->encap_dport = ntohs(new_dst->get_port(new_dst)); - } - memcpy(pos, rta, rta->rta_len); - pos += RTA_ALIGN(rta->rta_len); - hdr->nlmsg_len += RTA_ALIGN(rta->rta_len); - } - rta = RTA_NEXT(rta, rtasize); - } - - rta = (struct rtattr*)pos; - if (tmpl == NULL && new_encap) - { /* add tmpl if we are enabling it */ - rta->rta_type = XFRMA_ENCAP; - rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); - - hdr->nlmsg_len += rta->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta); - tmpl->encap_type = UDP_ENCAP_ESPINUDP; - tmpl->encap_sport = ntohs(new_src->get_port(new_src)); - tmpl->encap_dport = ntohs(new_dst->get_port(new_dst)); - memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t)); - - rta = XFRM_RTA_NEXT(rta); - } - - if (got_replay_state) - { /* copy the replay data if available */ - rta->rta_type = XFRMA_REPLAY_VAL; - rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state)); - - hdr->nlmsg_len += rta->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - memcpy(RTA_DATA(rta), &replay, sizeof(replay)); - - rta = XFRM_RTA_NEXT(rta); - } - - if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; - } - free(out); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) -{ - policy_entry_t *current, *policy; - bool found = FALSE; - netlink_buf_t request; - struct xfrm_userpolicy_info *policy_info; - struct nlmsghdr *hdr; - - /* create a policy */ - policy = malloc_thing(policy_entry_t); - memset(policy, 0, sizeof(policy_entry_t)); - policy->sel = ts2selector(src_ts, dst_ts); - policy->mark = mark.value & mark.mask; - policy->direction = direction; - - /* find the policy, which matches EXACTLY */ - this->mutex->lock(this->mutex); - current = this->policies->get(this->policies, policy); - if (current) - { - /* use existing policy */ - current->refcount++; - if (mark.value) - { - DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) " - "already exists, increasing refcount", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "policy %R === %R %N " - "already exists, increasing refcount", - src_ts, dst_ts, policy_dir_names, direction); - } - free(policy); - policy = current; - found = TRUE; - } - else - { /* apply the new one, if we have no such policy */ - this->policies->put(this->policies, policy, policy); - policy->refcount = 1; - } - - if (mark.value) - { - DBG2(DBG_KNL, "adding policy %R === %R %N (mark %u/0x%8x)", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "adding policy %R === %R %N", - src_ts, dst_ts, policy_dir_names, direction); - } - - memset(&request, 0, sizeof(request)); - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); - - policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); - policy_info->sel = policy->sel; - policy_info->dir = policy->direction; - /* calculate priority based on source selector size, small size = high prio */ - policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH; - policy_info->priority -= policy->sel.prefixlen_s * 10; - policy_info->priority -= policy->sel.proto ? 2 : 0; - policy_info->priority -= policy->sel.sport_mask ? 1 : 0; - policy_info->action = XFRM_POLICY_ALLOW; - policy_info->share = XFRM_SHARE_ANY; - this->mutex->unlock(this->mutex); - - /* policies don't expire */ - policy_info->lft.soft_byte_limit = XFRM_INF; - policy_info->lft.soft_packet_limit = XFRM_INF; - policy_info->lft.hard_byte_limit = XFRM_INF; - policy_info->lft.hard_packet_limit = XFRM_INF; - policy_info->lft.soft_add_expires_seconds = 0; - policy_info->lft.hard_add_expires_seconds = 0; - policy_info->lft.soft_use_expires_seconds = 0; - policy_info->lft.hard_use_expires_seconds = 0; - - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info); - rthdr->rta_type = XFRMA_TMPL; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr); - - if (ipcomp != IPCOMP_NONE) - { - tmpl->reqid = reqid; - tmpl->id.proto = IPPROTO_COMP; - tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode2kernel(mode); - tmpl->optional = direction != POLICY_OUT; - tmpl->family = src->get_family(src); - - host2xfrm(src, &tmpl->saddr); - host2xfrm(dst, &tmpl->id.daddr); - - /* add an additional xfrm_user_tmpl */ - rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - tmpl++; - - /* use transport mode for ESP if we have a tunnel mode IPcomp SA */ - mode = MODE_TRANSPORT; - } - else - { - /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */ - host2xfrm(src, &tmpl->saddr); - host2xfrm(dst, &tmpl->id.daddr); - } - - tmpl->reqid = reqid; - tmpl->id.proto = proto_ike2kernel(protocol); - tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode2kernel(mode); - tmpl->family = src->get_family(src); - rthdr = XFRM_RTA_NEXT(rthdr); - - if (mark.value) - { - struct xfrm_mark *mrk; - - rthdr->rta_type = XFRMA_MARK; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - mrk = (struct xfrm_mark*)RTA_DATA(rthdr); - mrk->v = mark.value; - mrk->m = mark.mask; - } - - if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - - /* install a route, if: - * - we are NOT updating a policy - * - this is a forward policy (to just get one for each child) - * - we are in tunnel/BEET mode - * - routing is not disabled via strongswan.conf - */ - if (policy->route == NULL && direction == POLICY_FWD && - mode != MODE_TRANSPORT && this->install_routes) - { - route_entry_t *route = malloc_thing(route_entry_t); - - if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface, - dst_ts, &route->src_ip) == SUCCESS) - { - /* get the nexthop to src (src as we are in POLICY_FWD).*/ - route->gateway = charon->kernel_interface->get_nexthop( - charon->kernel_interface, src); - /* install route via outgoing interface */ - route->if_name = charon->kernel_interface->get_interface( - charon->kernel_interface, dst); - route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); - memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len); - route->prefixlen = policy->sel.prefixlen_s; - - if (route->if_name) - { - switch (charon->kernel_interface->add_route( - charon->kernel_interface, route->dst_net, - route->prefixlen, route->gateway, - route->src_ip, route->if_name)) - { - default: - DBG1(DBG_KNL, "unable to install source route for %H", - route->src_ip); - /* FALL */ - case ALREADY_DONE: - /* route exists, do not uninstall */ - route_entry_destroy(route); - break; - case SUCCESS: - /* cache the installed route */ - policy->route = route; - break; - } - } - else - { - route_entry_destroy(route); - } - } - else - { - free(route); - } - } - return SUCCESS; -} - -METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - u_int32_t *use_time) -{ - netlink_buf_t request; - struct nlmsghdr *out = NULL, *hdr; - struct xfrm_userpolicy_id *policy_id; - struct xfrm_userpolicy_info *policy = NULL; - size_t len; - - memset(&request, 0, sizeof(request)); - - if (mark.value) - { - DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%8x)", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - } - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); - - policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); - policy_id->sel = ts2selector(src_ts, dst_ts); - policy_id->dir = direction; - - if (mark.value) - { - struct xfrm_mark *mrk; - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id); - - rthdr->rta_type = XFRMA_MARK; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - mrk = (struct xfrm_mark*)RTA_DATA(rthdr); - mrk->v = mark.value; - mrk->m = mark.mask; - } - - if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWPOLICY: - { - policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying policy failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - - if (policy == NULL) - { - DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - free(out); - return FAILED; - } - - if (policy->curlft.use_time) - { - /* we need the monotonic time, but the kernel returns system time. */ - *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time); - } - else - { - *use_time = 0; - } - - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - bool unrouted) -{ - policy_entry_t *current, policy, *to_delete = NULL; - route_entry_t *route; - netlink_buf_t request; - struct nlmsghdr *hdr; - struct xfrm_userpolicy_id *policy_id; - - if (mark.value) - { - DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x)", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); - } - else - { - DBG2(DBG_KNL, "deleting policy %R === %R %N", - src_ts, dst_ts, policy_dir_names, direction); - } - - /* create a policy */ - memset(&policy, 0, sizeof(policy_entry_t)); - policy.sel = ts2selector(src_ts, dst_ts); - policy.mark = mark.value & mark.mask; - policy.direction = direction; - - /* find the policy */ - this->mutex->lock(this->mutex); - current = this->policies->get(this->policies, &policy); - if (current) - { - to_delete = current; - if (--to_delete->refcount > 0) - { - /* is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); - this->mutex->unlock(this->mutex); - return SUCCESS; - } - /* remove if last reference */ - this->policies->remove(this->policies, to_delete); - } - this->mutex->unlock(this->mutex); - if (!to_delete) - { - if (mark.value) - { - DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x) " - "failed, not found", src_ts, dst_ts, policy_dir_names, - direction, mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", - src_ts, dst_ts, policy_dir_names, direction); - } - return NOT_FOUND; - } - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_DELPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); - - policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); - policy_id->sel = to_delete->sel; - policy_id->dir = direction; - - if (mark.value) - { - struct xfrm_mark *mrk; - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id); - - rthdr->rta_type = XFRMA_MARK; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - mrk = (struct xfrm_mark*)RTA_DATA(rthdr); - mrk->v = mark.value; - mrk->m = mark.mask; - } - - route = to_delete->route; - free(to_delete); - - if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - if (mark.value) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N " - "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names, - direction, mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N", - src_ts, dst_ts, policy_dir_names, direction); - } - return FAILED; - } - - if (route) - { - if (charon->kernel_interface->del_route(charon->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name) != SUCCESS) - { - DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - } - route_entry_destroy(route); - } - return SUCCESS; -} - -METHOD(kernel_ipsec_t, bypass_socket, bool, - private_kernel_netlink_ipsec_t *this, int fd, int family) -{ - struct xfrm_userpolicy_info policy; - u_int sol, ipsec_policy; - - switch (family) - { - case AF_INET: - sol = SOL_IP; - ipsec_policy = IP_XFRM_POLICY; - break; - case AF_INET6: - sol = SOL_IPV6; - ipsec_policy = IPV6_XFRM_POLICY; - break; - default: - return FALSE; - } - - memset(&policy, 0, sizeof(policy)); - policy.action = XFRM_POLICY_ALLOW; - policy.sel.family = family; - - policy.dir = XFRM_POLICY_OUT; - if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) - { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); - return FALSE; - } - policy.dir = XFRM_POLICY_IN; - if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) - { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); - return FALSE; - } - return TRUE; -} - -METHOD(kernel_ipsec_t, destroy, void, - private_kernel_netlink_ipsec_t *this) -{ - enumerator_t *enumerator; - policy_entry_t *policy; - - if (this->job) - { - this->job->cancel(this->job); - } - if (this->socket_xfrm_events > 0) - { - close(this->socket_xfrm_events); - } - DESTROY_IF(this->socket_xfrm); - enumerator = this->policies->create_enumerator(this->policies); - while (enumerator->enumerate(enumerator, &policy, &policy)) - { - free(policy); - } - enumerator->destroy(enumerator); - this->policies->destroy(this->policies); - this->mutex->destroy(this->mutex); - free(this); -} - -/* - * Described in header. - */ -kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() -{ - private_kernel_netlink_ipsec_t *this; - struct sockaddr_nl addr; - int fd; - - INIT(this, - .public.interface = { - .get_spi = _get_spi, - .get_cpi = _get_cpi, - .add_sa = _add_sa, - .update_sa = _update_sa, - .query_sa = _query_sa, - .del_sa = _del_sa, - .add_policy = _add_policy, - .query_policy = _query_policy, - .del_policy = _del_policy, - .bypass_socket = _bypass_socket, - .destroy = _destroy, - }, - .policies = hashtable_create((hashtable_hash_t)policy_hash, - (hashtable_equals_t)policy_equals, 32), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .install_routes = lib->settings->get_bool(lib->settings, - "charon.install_routes", TRUE), - ); - - /* disable lifetimes for allocated SPIs in kernel */ - fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY); - if (fd) - { - ignore_result(write(fd, "165", 3)); - close(fd); - } - - this->socket_xfrm = netlink_socket_create(NETLINK_XFRM); - if (!this->socket_xfrm) - { - destroy(this); - return NULL; - } - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - - /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */ - this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); - if (this->socket_xfrm_events <= 0) - { - DBG1(DBG_KNL, "unable to create XFRM event socket"); - destroy(this); - return NULL; - } - addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | - XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING); - if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr))) - { - DBG1(DBG_KNL, "unable to bind XFRM event socket"); - destroy(this); - return NULL; - } - this->job = callback_job_create((callback_job_cb_t)receive_events, - this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); - - return &this->public; -} - diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h deleted file mode 100644 index 3a45cce06..000000000 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup kernel_netlink_ipsec_i kernel_netlink_ipsec - * @{ @ingroup kernel_netlink - */ - -#ifndef KERNEL_NETLINK_IPSEC_H_ -#define KERNEL_NETLINK_IPSEC_H_ - -#include <kernel/kernel_ipsec.h> - -typedef struct kernel_netlink_ipsec_t kernel_netlink_ipsec_t; - -/** - * Implementation of the kernel ipsec interface using Netlink. - */ -struct kernel_netlink_ipsec_t { - - /** - * Implements kernel_ipsec_t interface - */ - kernel_ipsec_t interface; -}; - -/** - * Create a netlink kernel ipsec interface instance. - * - * @return kernel_netlink_ipsec_t instance - */ -kernel_netlink_ipsec_t *kernel_netlink_ipsec_create(); - -#endif /** KERNEL_NETLINK_IPSEC_H_ @}*/ diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c deleted file mode 100644 index 6750458cf..000000000 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ /dev/null @@ -1,1506 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/* - * Copyright (C) 2010 secunet Security Networks AG - * Copyright (C) 2010 Thomas Egerer - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -#include <sys/socket.h> -#include <linux/netlink.h> -#include <linux/rtnetlink.h> -#include <unistd.h> -#include <errno.h> -#include <net/if.h> - -#include "kernel_netlink_net.h" -#include "kernel_netlink_shared.h" - -#include <daemon.h> -#include <threading/thread.h> -#include <threading/condvar.h> -#include <threading/mutex.h> -#include <utils/linked_list.h> -#include <processing/jobs/callback_job.h> -#include <processing/jobs/roam_job.h> - -/** delay before firing roam jobs (ms) */ -#define ROAM_DELAY 100 - -typedef struct addr_entry_t addr_entry_t; - -/** - * IP address in an inface_entry_t - */ -struct addr_entry_t { - - /** The ip address */ - host_t *ip; - - /** virtual IP managed by us */ - bool virtual; - - /** scope of the address */ - u_char scope; - - /** Number of times this IP is used, if virtual */ - u_int refcount; -}; - -/** - * destroy a addr_entry_t object - */ -static void addr_entry_destroy(addr_entry_t *this) -{ - this->ip->destroy(this->ip); - free(this); -} - -typedef struct iface_entry_t iface_entry_t; - -/** - * A network interface on this system, containing addr_entry_t's - */ -struct iface_entry_t { - - /** interface index */ - int ifindex; - - /** name of the interface */ - char ifname[IFNAMSIZ]; - - /** interface flags, as in netdevice(7) SIOCGIFFLAGS */ - u_int flags; - - /** list of addresses as host_t */ - linked_list_t *addrs; -}; - -/** - * destroy an interface entry - */ -static void iface_entry_destroy(iface_entry_t *this) -{ - this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy); - free(this); -} - -typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t; - -/** - * Private variables and functions of kernel_netlink_net class. - */ -struct private_kernel_netlink_net_t { - /** - * Public part of the kernel_netlink_net_t object. - */ - kernel_netlink_net_t public; - - /** - * mutex to lock access to various lists - */ - mutex_t *mutex; - - /** - * condition variable to signal virtual IP add/removal - */ - condvar_t *condvar; - - /** - * Cached list of interfaces and its addresses (iface_entry_t) - */ - linked_list_t *ifaces; - - /** - * job receiving netlink events - */ - callback_job_t *job; - - /** - * netlink rt socket (routing) - */ - netlink_socket_t *socket; - - /** - * Netlink rt socket to receive address change events - */ - int socket_events; - - /** - * time of the last roam_job - */ - timeval_t last_roam; - - /** - * routing table to install routes - */ - int routing_table; - - /** - * priority of used routing table - */ - int routing_table_prio; - - /** - * whether to react to RTM_NEWROUTE or RTM_DELROUTE events - */ - bool process_route; - - /** - * whether to actually install virtual IPs - */ - bool install_virtual_ip; - - /** - * list with routing tables to be excluded from route lookup - */ - linked_list_t *rt_exclude; -}; - -/** - * get the refcount of a virtual ip - */ -static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip) -{ - iterator_t *ifaces, *addrs; - iface_entry_t *iface; - addr_entry_t *addr; - int refcount = 0; - - ifaces = this->ifaces->create_iterator(this->ifaces, TRUE); - while (ifaces->iterate(ifaces, (void**)&iface)) - { - addrs = iface->addrs->create_iterator(iface->addrs, TRUE); - while (addrs->iterate(addrs, (void**)&addr)) - { - if (addr->virtual && (iface->flags & IFF_UP) && - ip->ip_equals(ip, addr->ip)) - { - refcount = addr->refcount; - break; - } - } - addrs->destroy(addrs); - if (refcount) - { - break; - } - } - ifaces->destroy(ifaces); - - return refcount; -} - -/** - * start a roaming job. We delay it for a second and fire only one job - * for multiple events. Otherwise we would create two many jobs. - */ -static void fire_roam_job(private_kernel_netlink_net_t *this, bool address) -{ - timeval_t now; - - time_monotonic(&now); - if (timercmp(&now, &this->last_roam, >)) - { - now.tv_usec += ROAM_DELAY * 1000; - while (now.tv_usec > 1000000) - { - now.tv_sec++; - now.tv_usec -= 1000000; - } - this->last_roam = now; - charon->scheduler->schedule_job_ms(charon->scheduler, - (job_t*)roam_job_create(address), ROAM_DELAY); - } -} - -/** - * process RTM_NEWLINK/RTM_DELLINK from kernel - */ -static void process_link(private_kernel_netlink_net_t *this, - struct nlmsghdr *hdr, bool event) -{ - struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr)); - struct rtattr *rta = IFLA_RTA(msg); - size_t rtasize = IFLA_PAYLOAD (hdr); - enumerator_t *enumerator; - iface_entry_t *current, *entry = NULL; - char *name = NULL; - bool update = FALSE; - - while(RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case IFLA_IFNAME: - name = RTA_DATA(rta); - break; - } - rta = RTA_NEXT(rta, rtasize); - } - if (!name) - { - name = "(unknown)"; - } - - this->mutex->lock(this->mutex); - switch (hdr->nlmsg_type) - { - case RTM_NEWLINK: - { - if (msg->ifi_flags & IFF_LOOPBACK) - { /* ignore loopback interfaces */ - break; - } - enumerator = this->ifaces->create_enumerator(this->ifaces); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current->ifindex == msg->ifi_index) - { - entry = current; - break; - } - } - enumerator->destroy(enumerator); - if (!entry) - { - entry = malloc_thing(iface_entry_t); - entry->ifindex = msg->ifi_index; - entry->flags = 0; - entry->addrs = linked_list_create(); - this->ifaces->insert_last(this->ifaces, entry); - } - memcpy(entry->ifname, name, IFNAMSIZ); - entry->ifname[IFNAMSIZ-1] = '\0'; - if (event) - { - if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP)) - { - update = TRUE; - DBG1(DBG_KNL, "interface %s activated", name); - } - if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP)) - { - update = TRUE; - DBG1(DBG_KNL, "interface %s deactivated", name); - } - } - entry->flags = msg->ifi_flags; - break; - } - case RTM_DELLINK: - { - enumerator = this->ifaces->create_enumerator(this->ifaces); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current->ifindex == msg->ifi_index) - { - /* we do not remove it, as an address may be added to a - * "down" interface and we wan't to know that. */ - current->flags = msg->ifi_flags; - break; - } - } - enumerator->destroy(enumerator); - break; - } - } - this->mutex->unlock(this->mutex); - - /* send an update to all IKE_SAs */ - if (update && event) - { - fire_roam_job(this, TRUE); - } -} - -/** - * process RTM_NEWADDR/RTM_DELADDR from kernel - */ -static void process_addr(private_kernel_netlink_net_t *this, - struct nlmsghdr *hdr, bool event) -{ - struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr)); - struct rtattr *rta = IFA_RTA(msg); - size_t rtasize = IFA_PAYLOAD (hdr); - host_t *host = NULL; - enumerator_t *ifaces, *addrs; - iface_entry_t *iface; - addr_entry_t *addr; - chunk_t local = chunk_empty, address = chunk_empty; - bool update = FALSE, found = FALSE, changed = FALSE; - - while(RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case IFA_LOCAL: - local.ptr = RTA_DATA(rta); - local.len = RTA_PAYLOAD(rta); - break; - case IFA_ADDRESS: - address.ptr = RTA_DATA(rta); - address.len = RTA_PAYLOAD(rta); - break; - } - rta = RTA_NEXT(rta, rtasize); - } - - /* For PPP interfaces, we need the IFA_LOCAL address, - * IFA_ADDRESS is the peers address. But IFA_LOCAL is - * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */ - if (local.ptr) - { - host = host_create_from_chunk(msg->ifa_family, local, 0); - } - else if (address.ptr) - { - host = host_create_from_chunk(msg->ifa_family, address, 0); - } - - if (host == NULL) - { /* bad family? */ - return; - } - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - if (iface->ifindex == msg->ifa_index) - { - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, &addr)) - { - if (host->ip_equals(host, addr->ip)) - { - found = TRUE; - if (hdr->nlmsg_type == RTM_DELADDR) - { - iface->addrs->remove_at(iface->addrs, addrs); - if (!addr->virtual) - { - changed = TRUE; - DBG1(DBG_KNL, "%H disappeared from %s", - host, iface->ifname); - } - addr_entry_destroy(addr); - } - else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual) - { - addr->refcount = 1; - } - } - } - addrs->destroy(addrs); - - if (hdr->nlmsg_type == RTM_NEWADDR) - { - if (!found) - { - found = TRUE; - changed = TRUE; - addr = malloc_thing(addr_entry_t); - addr->ip = host->clone(host); - addr->virtual = FALSE; - addr->refcount = 1; - addr->scope = msg->ifa_scope; - - iface->addrs->insert_last(iface->addrs, addr); - if (event) - { - DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname); - } - } - } - if (found && (iface->flags & IFF_UP)) - { - update = TRUE; - } - break; - } - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - host->destroy(host); - - /* send an update to all IKE_SAs */ - if (update && event && changed) - { - fire_roam_job(this, TRUE); - } -} - -/** - * process RTM_NEWROUTE and RTM_DELROUTE from kernel - */ -static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr) -{ - struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr)); - struct rtattr *rta = RTM_RTA(msg); - size_t rtasize = RTM_PAYLOAD(hdr); - host_t *host = NULL; - - /* ignore routes added by us */ - if (msg->rtm_table && msg->rtm_table == this->routing_table) - { - return; - } - - while (RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case RTA_PREFSRC: - host = host_create_from_chunk(msg->rtm_family, - chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0); - break; - } - rta = RTA_NEXT(rta, rtasize); - } - if (host) - { - this->mutex->lock(this->mutex); - if (!get_vip_refcount(this, host)) - { /* ignore routes added for virtual IPs */ - fire_roam_job(this, FALSE); - } - this->mutex->unlock(this->mutex); - host->destroy(host); - } -} - -/** - * Receives events from kernel - */ -static job_requeue_t receive_events(private_kernel_netlink_net_t *this) -{ - char response[1024]; - struct nlmsghdr *hdr = (struct nlmsghdr*)response; - struct sockaddr_nl addr; - socklen_t addr_len = sizeof(addr); - int len; - bool oldstate; - - oldstate = thread_cancelability(TRUE); - len = recvfrom(this->socket_events, response, sizeof(response), 0, - (struct sockaddr*)&addr, &addr_len); - thread_cancelability(oldstate); - - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return JOB_REQUEUE_DIRECT; - case EAGAIN: - /* no data ready, select again */ - return JOB_REQUEUE_DIRECT; - default: - DBG1(DBG_KNL, "unable to receive from rt event socket"); - sleep(1); - return JOB_REQUEUE_FAIR; - } - } - - if (addr.nl_pid != 0) - { /* not from kernel. not interested, try another one */ - return JOB_REQUEUE_DIRECT; - } - - while (NLMSG_OK(hdr, len)) - { - /* looks good so far, dispatch netlink message */ - switch (hdr->nlmsg_type) - { - case RTM_NEWADDR: - case RTM_DELADDR: - process_addr(this, hdr, TRUE); - this->condvar->broadcast(this->condvar); - break; - case RTM_NEWLINK: - case RTM_DELLINK: - process_link(this, hdr, TRUE); - this->condvar->broadcast(this->condvar); - break; - case RTM_NEWROUTE: - case RTM_DELROUTE: - if (this->process_route) - { - process_route(this, hdr); - } - break; - default: - break; - } - hdr = NLMSG_NEXT(hdr, len); - } - return JOB_REQUEUE_DIRECT; -} - -/** enumerator over addresses */ -typedef struct { - private_kernel_netlink_net_t* this; - /** whether to enumerate down interfaces */ - bool include_down_ifaces; - /** whether to enumerate virtual ip addresses */ - bool include_virtual_ips; -} address_enumerator_t; - -/** - * cleanup function for address enumerator - */ -static void address_enumerator_destroy(address_enumerator_t *data) -{ - data->this->mutex->unlock(data->this->mutex); - free(data); -} - -/** - * filter for addresses - */ -static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out) -{ - if (!data->include_virtual_ips && (*in)->virtual) - { /* skip virtual interfaces added by us */ - return FALSE; - } - if ((*in)->scope >= RT_SCOPE_LINK) - { /* skip addresses with a unusable scope */ - return FALSE; - } - *out = (*in)->ip; - return TRUE; -} - -/** - * enumerator constructor for interfaces - */ -static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data) -{ - return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs), - (void*)filter_addresses, data, NULL); -} - -/** - * filter for interfaces - */ -static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out) -{ - if (!data->include_down_ifaces && !((*in)->flags & IFF_UP)) - { /* skip interfaces not up */ - return FALSE; - } - *out = *in; - return TRUE; -} - -/** - * implementation of kernel_net_t.create_address_enumerator - */ -static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this, - bool include_down_ifaces, bool include_virtual_ips) -{ - address_enumerator_t *data = malloc_thing(address_enumerator_t); - data->this = this; - data->include_down_ifaces = include_down_ifaces; - data->include_virtual_ips = include_virtual_ips; - - this->mutex->lock(this->mutex); - return enumerator_create_nested( - enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), - (void*)filter_interfaces, data, NULL), - (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy); -} - -/** - * implementation of kernel_net_t.get_interface_name - */ -static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip) -{ - enumerator_t *ifaces, *addrs; - iface_entry_t *iface; - addr_entry_t *addr; - char *name = NULL; - - DBG2(DBG_KNL, "getting interface name for %H", ip); - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, &addr)) - { - if (ip->ip_equals(ip, addr->ip)) - { - name = strdup(iface->ifname); - break; - } - } - addrs->destroy(addrs); - if (name) - { - break; - } - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - - if (name) - { - DBG2(DBG_KNL, "%H is on interface %s", ip, name); - } - else - { - DBG2(DBG_KNL, "%H is not a local address", ip); - } - return name; -} - -/** - * get the index of an interface by name - */ -static int get_interface_index(private_kernel_netlink_net_t *this, char* name) -{ - enumerator_t *ifaces; - iface_entry_t *iface; - int ifindex = 0; - - DBG2(DBG_KNL, "getting iface index for %s", name); - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - if (streq(name, iface->ifname)) - { - ifindex = iface->ifindex; - break; - } - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - - if (ifindex == 0) - { - DBG1(DBG_KNL, "unable to get interface index for %s", name); - } - return ifindex; -} - -/** - * Check if an interface with a given index is up - */ -static bool is_interface_up(private_kernel_netlink_net_t *this, int index) -{ - enumerator_t *ifaces; - iface_entry_t *iface; - /* default to TRUE for interface we do not monitor (e.g. lo) */ - bool up = TRUE; - - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - if (iface->ifindex == index) - { - up = iface->flags & IFF_UP; - break; - } - } - ifaces->destroy(ifaces); - return up; -} - -/** - * check if an address (chunk) addr is in subnet (net with net_len net bits) - */ -static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len) -{ - static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe }; - int byte = 0; - - if (net_len == 0) - { /* any address matches a /0 network */ - return TRUE; - } - if (addr.len != net.len || net_len > 8 * net.len ) - { - return FALSE; - } - /* scan through all bytes in network order */ - while (net_len > 0) - { - if (net_len < 8) - { - return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]); - } - else - { - if (addr.ptr[byte] != net.ptr[byte]) - { - return FALSE; - } - byte++; - net_len -= 8; - } - } - return TRUE; -} - -/** - * Get a route: If "nexthop", the nexthop is returned. source addr otherwise. - */ -static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, - bool nexthop, host_t *candidate) -{ - netlink_buf_t request; - struct nlmsghdr *hdr, *out, *current; - struct rtmsg *msg; - chunk_t chunk; - size_t len; - int best = -1; - enumerator_t *enumerator; - host_t *src = NULL, *gtw = NULL; - - DBG2(DBG_KNL, "getting address to reach %H", dest); - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - if (dest->get_family(dest) == AF_INET) - { - /* We dump all addresses for IPv4, as we want to ignore IPsec specific - * routes installed by us. But the kernel does not return source - * addresses in a IPv6 dump, so fall back to get() for v6 routes. */ - hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP; - } - hdr->nlmsg_type = RTM_GETROUTE; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); - - msg = (struct rtmsg*)NLMSG_DATA(hdr); - msg->rtm_family = dest->get_family(dest); - if (candidate) - { - chunk = candidate->get_address(candidate); - netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request)); - } - chunk = dest->get_address(dest); - netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request)); - - if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "getting address to %H failed", dest); - return NULL; - } - this->mutex->lock(this->mutex); - - for (current = out; NLMSG_OK(current, len); - current = NLMSG_NEXT(current, len)) - { - switch (current->nlmsg_type) - { - case NLMSG_DONE: - break; - case RTM_NEWROUTE: - { - struct rtattr *rta; - size_t rtasize; - chunk_t rta_gtw, rta_src, rta_dst; - u_int32_t rta_oif = 0; - host_t *new_src, *new_gtw; - bool cont = FALSE; - uintptr_t table; - - rta_gtw = rta_src = rta_dst = chunk_empty; - msg = (struct rtmsg*)(NLMSG_DATA(current)); - rta = RTM_RTA(msg); - rtasize = RTM_PAYLOAD(current); - while (RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case RTA_PREFSRC: - rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)); - break; - case RTA_GATEWAY: - rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)); - break; - case RTA_DST: - rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)); - break; - case RTA_OIF: - if (RTA_PAYLOAD(rta) == sizeof(rta_oif)) - { - rta_oif = *(u_int32_t*)RTA_DATA(rta); - } - break; - } - rta = RTA_NEXT(rta, rtasize); - } - if (msg->rtm_dst_len <= best) - { /* not better than a previous one */ - continue; - } - enumerator = this->rt_exclude->create_enumerator(this->rt_exclude); - while (enumerator->enumerate(enumerator, &table)) - { - if (table == msg->rtm_table) - { - cont = TRUE; - break; - } - } - enumerator->destroy(enumerator); - if (cont) - { - continue; - } - if (this->routing_table != 0 && - msg->rtm_table == this->routing_table) - { /* route is from our own ipsec routing table */ - continue; - } - if (rta_oif && !is_interface_up(this, rta_oif)) - { /* interface is down */ - continue; - } - if (!addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len)) - { /* route destination does not contain dest */ - continue; - } - - if (nexthop) - { - /* nexthop lookup, return gateway if any */ - DESTROY_IF(gtw); - gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0); - best = msg->rtm_dst_len; - continue; - } - if (rta_src.ptr) - { - /* got a source address */ - new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0); - if (new_src) - { - if (get_vip_refcount(this, new_src)) - { /* skip source address if it is installed by us */ - new_src->destroy(new_src); - } - else - { - DESTROY_IF(src); - src = new_src; - best = msg->rtm_dst_len; - } - } - continue; - } - if (rta_gtw.ptr) - { /* no source, but a gateway. Lookup source to reach gtw. */ - new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0); - new_src = get_route(this, new_gtw, FALSE, candidate); - new_gtw->destroy(new_gtw); - if (new_src) - { - DESTROY_IF(src); - src = new_src; - best = msg->rtm_dst_len; - } - continue; - } - continue; - } - default: - continue; - } - break; - } - free(out); - this->mutex->unlock(this->mutex); - - if (nexthop) - { - if (gtw) - { - return gtw; - } - return dest->clone(dest); - } - return src; -} - -/** - * Implementation of kernel_net_t.get_source_addr. - */ -static host_t* get_source_addr(private_kernel_netlink_net_t *this, - host_t *dest, host_t *src) -{ - return get_route(this, dest, FALSE, src); -} - -/** - * Implementation of kernel_net_t.get_nexthop. - */ -static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest) -{ - return get_route(this, dest, TRUE, NULL); -} - -/** - * Manages the creation and deletion of ip addresses on an interface. - * By setting the appropriate nlmsg_type, the ip will be set or unset. - */ -static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type, - int flags, int if_index, host_t *ip) -{ - netlink_buf_t request; - struct nlmsghdr *hdr; - struct ifaddrmsg *msg; - chunk_t chunk; - - memset(&request, 0, sizeof(request)); - - chunk = ip->get_address(ip); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; - hdr->nlmsg_type = nlmsg_type; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg)); - - msg = (struct ifaddrmsg*)NLMSG_DATA(hdr); - msg->ifa_family = ip->get_family(ip); - msg->ifa_flags = 0; - msg->ifa_prefixlen = 8 * chunk.len; - msg->ifa_scope = RT_SCOPE_UNIVERSE; - msg->ifa_index = if_index; - - netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request)); - - return this->socket->send_ack(this->socket, hdr); -} - -/** - * Implementation of kernel_net_t.add_ip. - */ -static status_t add_ip(private_kernel_netlink_net_t *this, - host_t *virtual_ip, host_t *iface_ip) -{ - iface_entry_t *iface; - addr_entry_t *addr; - enumerator_t *addrs, *ifaces; - int ifindex; - - if (!this->install_virtual_ip) - { /* disabled by config */ - return SUCCESS; - } - - DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip); - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - bool iface_found = FALSE; - - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, &addr)) - { - if (iface_ip->ip_equals(iface_ip, addr->ip)) - { - iface_found = TRUE; - } - else if (virtual_ip->ip_equals(virtual_ip, addr->ip)) - { - addr->refcount++; - DBG2(DBG_KNL, "virtual IP %H already installed on %s", - virtual_ip, iface->ifname); - addrs->destroy(addrs); - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - return SUCCESS; - } - } - addrs->destroy(addrs); - - if (iface_found) - { - ifindex = iface->ifindex; - addr = malloc_thing(addr_entry_t); - addr->ip = virtual_ip->clone(virtual_ip); - addr->refcount = 0; - addr->virtual = TRUE; - addr->scope = RT_SCOPE_UNIVERSE; - iface->addrs->insert_last(iface->addrs, addr); - - if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL, - ifindex, virtual_ip) == SUCCESS) - { - while (get_vip_refcount(this, virtual_ip) == 0) - { /* wait until address appears */ - this->condvar->wait(this->condvar, this->mutex); - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - return SUCCESS; - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip); - return FAILED; - } - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - - DBG1(DBG_KNL, "interface address %H not found, unable to install" - "virtual IP %H", iface_ip, virtual_ip); - return FAILED; -} - -/** - * Implementation of kernel_net_t.del_ip. - */ -static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip) -{ - iface_entry_t *iface; - addr_entry_t *addr; - enumerator_t *addrs, *ifaces; - status_t status; - int ifindex; - - if (!this->install_virtual_ip) - { /* disabled by config */ - return SUCCESS; - } - - DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip); - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, &addr)) - { - if (virtual_ip->ip_equals(virtual_ip, addr->ip)) - { - ifindex = iface->ifindex; - if (addr->refcount == 1) - { - status = manage_ipaddr(this, RTM_DELADDR, 0, - ifindex, virtual_ip); - if (status == SUCCESS) - { /* wait until the address is really gone */ - while (get_vip_refcount(this, virtual_ip) > 0) - { - this->condvar->wait(this->condvar, this->mutex); - } - } - addrs->destroy(addrs); - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - return status; - } - else - { - addr->refcount--; - } - DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting", - virtual_ip); - addrs->destroy(addrs); - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - return SUCCESS; - } - } - addrs->destroy(addrs); - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - - DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip); - return FAILED; -} - -/** - * Manages source routes in the routing table. - * By setting the appropriate nlmsg_type, the route gets added or removed. - */ -static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type, - int flags, chunk_t dst_net, u_int8_t prefixlen, - host_t *gateway, host_t *src_ip, char *if_name) -{ - netlink_buf_t request; - struct nlmsghdr *hdr; - struct rtmsg *msg; - int ifindex; - chunk_t chunk; - - /* if route is 0.0.0.0/0, we can't install it, as it would - * overwrite the default route. Instead, we add two routes: - * 0.0.0.0/1 and 128.0.0.0/1 */ - if (this->routing_table == 0 && prefixlen == 0) - { - chunk_t half_net; - u_int8_t half_prefixlen; - status_t status; - - half_net = chunk_alloca(dst_net.len); - memset(half_net.ptr, 0, half_net.len); - half_prefixlen = 1; - - status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen, - gateway, src_ip, if_name); - half_net.ptr[0] |= 0x80; - status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen, - gateway, src_ip, if_name); - return status; - } - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; - hdr->nlmsg_type = nlmsg_type; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); - - msg = (struct rtmsg*)NLMSG_DATA(hdr); - msg->rtm_family = src_ip->get_family(src_ip); - msg->rtm_dst_len = prefixlen; - msg->rtm_table = this->routing_table; - msg->rtm_protocol = RTPROT_STATIC; - msg->rtm_type = RTN_UNICAST; - msg->rtm_scope = RT_SCOPE_UNIVERSE; - - netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request)); - chunk = src_ip->get_address(src_ip); - netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request)); - if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip)) - { - chunk = gateway->get_address(gateway); - netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request)); - } - ifindex = get_interface_index(this, if_name); - chunk.ptr = (char*)&ifindex; - chunk.len = sizeof(ifindex); - netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request)); - - return this->socket->send_ack(this->socket, hdr); -} - -/** - * Implementation of kernel_net_t.add_route. - */ -static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) -{ - return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, - dst_net, prefixlen, gateway, src_ip, if_name); -} - -/** - * Implementation of kernel_net_t.del_route. - */ -static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) -{ - return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen, - gateway, src_ip, if_name); -} - -/** - * Initialize a list of local addresses. - */ -static status_t init_address_list(private_kernel_netlink_net_t *this) -{ - netlink_buf_t request; - struct nlmsghdr *out, *current, *in; - struct rtgenmsg *msg; - size_t len; - enumerator_t *ifaces, *addrs; - iface_entry_t *iface; - addr_entry_t *addr; - - DBG1(DBG_KNL, "listening on interfaces:"); - - memset(&request, 0, sizeof(request)); - - in = (struct nlmsghdr*)&request; - in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)); - in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT; - msg = (struct rtgenmsg*)NLMSG_DATA(in); - msg->rtgen_family = AF_UNSPEC; - - /* get all links */ - in->nlmsg_type = RTM_GETLINK; - if (this->socket->send(this->socket, in, &out, &len) != SUCCESS) - { - return FAILED; - } - current = out; - while (NLMSG_OK(current, len)) - { - switch (current->nlmsg_type) - { - case NLMSG_DONE: - break; - case RTM_NEWLINK: - process_link(this, current, FALSE); - /* fall through */ - default: - current = NLMSG_NEXT(current, len); - continue; - } - break; - } - free(out); - - /* get all interface addresses */ - in->nlmsg_type = RTM_GETADDR; - if (this->socket->send(this->socket, in, &out, &len) != SUCCESS) - { - return FAILED; - } - current = out; - while (NLMSG_OK(current, len)) - { - switch (current->nlmsg_type) - { - case NLMSG_DONE: - break; - case RTM_NEWADDR: - process_addr(this, current, FALSE); - /* fall through */ - default: - current = NLMSG_NEXT(current, len); - continue; - } - break; - } - free(out); - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - if (iface->flags & IFF_UP) - { - DBG1(DBG_KNL, " %s", iface->ifname); - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, (void**)&addr)) - { - DBG1(DBG_KNL, " %H", addr->ip); - } - addrs->destroy(addrs); - } - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - return SUCCESS; -} - -/** - * create or delete a rule to use our routing table - */ -static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type, - int family, u_int32_t table, u_int32_t prio) -{ - netlink_buf_t request; - struct nlmsghdr *hdr; - struct rtmsg *msg; - chunk_t chunk; - - memset(&request, 0, sizeof(request)); - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = nlmsg_type; - if (nlmsg_type == RTM_NEWRULE) - { - hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL; - } - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); - - msg = (struct rtmsg*)NLMSG_DATA(hdr); - msg->rtm_table = table; - msg->rtm_family = family; - msg->rtm_protocol = RTPROT_BOOT; - msg->rtm_scope = RT_SCOPE_UNIVERSE; - msg->rtm_type = RTN_UNICAST; - - chunk = chunk_from_thing(prio); - netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request)); - - return this->socket->send_ack(this->socket, hdr); -} - -/** - * Implementation of kernel_netlink_net_t.destroy. - */ -static void destroy(private_kernel_netlink_net_t *this) -{ - if (this->routing_table) - { - manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table, - this->routing_table_prio); - manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table, - this->routing_table_prio); - } - if (this->job) - { - this->job->cancel(this->job); - } - if (this->socket_events > 0) - { - close(this->socket_events); - } - DESTROY_IF(this->socket); - this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy); - this->rt_exclude->destroy(this->rt_exclude); - this->condvar->destroy(this->condvar); - this->mutex->destroy(this->mutex); - free(this); -} - -/* - * Described in header. - */ -kernel_netlink_net_t *kernel_netlink_net_create() -{ - private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t); - struct sockaddr_nl addr; - enumerator_t *enumerator; - char *exclude; - - /* public functions */ - this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name; - this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator; - this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr; - this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop; - this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip; - this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip; - this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route; - this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route; - this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy; - - /* private members */ - this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); - timerclear(&this->last_roam); - this->routing_table = lib->settings->get_int(lib->settings, - "charon.routing_table", ROUTING_TABLE); - this->routing_table_prio = lib->settings->get_int(lib->settings, - "charon.routing_table_prio", ROUTING_TABLE_PRIO); - this->process_route = lib->settings->get_bool(lib->settings, - "charon.process_route", TRUE); - this->install_virtual_ip = lib->settings->get_bool(lib->settings, - "charon.install_virtual_ip", TRUE); - - this->rt_exclude = linked_list_create(); - exclude = lib->settings->get_str(lib->settings, - "charon.ignore_routing_tables", NULL); - if (exclude) - { - char *token; - uintptr_t table; - - enumerator = enumerator_create_token(exclude, " ", " "); - while (enumerator->enumerate(enumerator, &token)) - { - errno = 0; - table = strtoul(token, NULL, 10); - - if (errno == 0) - { - this->rt_exclude->insert_last(this->rt_exclude, (void*)table); - } - } - enumerator->destroy(enumerator); - } - - this->socket = netlink_socket_create(NETLINK_ROUTE); - this->job = NULL; - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - - /* create and bind RT socket for events (address/interface/route changes) */ - this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); - if (this->socket_events < 0) - { - DBG1(DBG_KNL, "unable to create RT event socket"); - destroy(this); - return NULL; - } - addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | - RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK; - if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr))) - { - DBG1(DBG_KNL, "unable to bind RT event socket"); - destroy(this); - return NULL; - } - - this->job = callback_job_create((callback_job_cb_t)receive_events, - this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); - - if (init_address_list(this) != SUCCESS) - { - DBG1(DBG_KNL, "unable to get interface list"); - destroy(this); - return NULL; - } - - if (this->routing_table) - { - if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table, - this->routing_table_prio) != SUCCESS) - { - DBG1(DBG_KNL, "unable to create IPv4 routing table rule"); - } - if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table, - this->routing_table_prio) != SUCCESS) - { - DBG1(DBG_KNL, "unable to create IPv6 routing table rule"); - } - } - - return &this->public; -} diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h deleted file mode 100644 index ff9831d3c..000000000 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup kernel_netlink_net_i kernel_netlink_net - * @{ @ingroup kernel_netlink - */ - -#ifndef KERNEL_NETLINK_NET_H_ -#define KERNEL_NETLINK_NET_H_ - -#include <kernel/kernel_net.h> - -typedef struct kernel_netlink_net_t kernel_netlink_net_t; - -/** - * Implementation of the kernel network interface using Netlink. - */ -struct kernel_netlink_net_t { - - /** - * Implements kernel_net_t interface - */ - kernel_net_t interface; -}; - -/** - * Create a netlink kernel network interface instance. - * - * @return kernel_netlink_net_t instance - */ -kernel_netlink_net_t *kernel_netlink_net_create(); - -#endif /** KERNEL_NETLINK_NET_H_ @}*/ diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c deleted file mode 100644 index 4c61265aa..000000000 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include "kernel_netlink_plugin.h" - -#include "kernel_netlink_ipsec.h" -#include "kernel_netlink_net.h" - -#include <daemon.h> - -typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t; - -/** - * private data of kernel netlink plugin - */ -struct private_kernel_netlink_plugin_t { - /** - * implements plugin interface - */ - kernel_netlink_plugin_t public; -}; - -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_netlink_plugin_t *this) -{ - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); - charon->kernel_interface->remove_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create); - free(this); -} - -/* - * see header file - */ -plugin_t *kernel_netlink_plugin_create() -{ - private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); - charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create); - - return &this->public.plugin; -} diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c deleted file mode 100644 index 5ed568150..000000000 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c +++ /dev/null @@ -1,306 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/socket.h> -#include <linux/netlink.h> -#include <linux/rtnetlink.h> -#include <errno.h> -#include <unistd.h> - -#include "kernel_netlink_shared.h" - -#include <daemon.h> -#include <threading/mutex.h> - -typedef struct private_netlink_socket_t private_netlink_socket_t; - -/** - * Private variables and functions of netlink_socket_t class. - */ -struct private_netlink_socket_t { - /** - * public part of the netlink_socket_t object. - */ - netlink_socket_t public; - - /** - * mutex to lock access to netlink socket - */ - mutex_t *mutex; - - /** - * current sequence number for netlink request - */ - int seq; - - /** - * netlink socket protocol - */ - int protocol; - - /** - * netlink socket - */ - int socket; -}; - -/** - * Imported from kernel_netlink_ipsec.c - */ -extern enum_name_t *xfrm_msg_names; - -/** - * Implementation of netlink_socket_t.send - */ -static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in, - struct nlmsghdr **out, size_t *out_len) -{ - int len, addr_len; - struct sockaddr_nl addr; - chunk_t result = chunk_empty, tmp; - struct nlmsghdr *msg, peek; - - this->mutex->lock(this->mutex); - - in->nlmsg_seq = ++this->seq; - in->nlmsg_pid = getpid(); - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - addr.nl_pid = 0; - addr.nl_groups = 0; - - if (this->protocol == NETLINK_XFRM) - { - chunk_t in_chunk = { (u_char*)in, in->nlmsg_len }; - - DBG3(DBG_KNL, "sending %N: %B", xfrm_msg_names, in->nlmsg_type, &in_chunk); - } - - while (TRUE) - { - len = sendto(this->socket, in, in->nlmsg_len, 0, - (struct sockaddr*)&addr, sizeof(addr)); - - if (len != in->nlmsg_len) - { - if (errno == EINTR) - { - /* interrupted, try again */ - continue; - } - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno)); - return FAILED; - } - break; - } - - while (TRUE) - { - char buf[4096]; - tmp.len = sizeof(buf); - tmp.ptr = buf; - msg = (struct nlmsghdr*)tmp.ptr; - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - addr.nl_pid = getpid(); - addr.nl_groups = 0; - addr_len = sizeof(addr); - - len = recvfrom(this->socket, tmp.ptr, tmp.len, 0, - (struct sockaddr*)&addr, &addr_len); - - if (len < 0) - { - if (errno == EINTR) - { - DBG1(DBG_KNL, "got interrupted"); - /* interrupted, try again */ - continue; - } - DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno)); - this->mutex->unlock(this->mutex); - free(result.ptr); - return FAILED; - } - if (!NLMSG_OK(msg, len)) - { - DBG1(DBG_KNL, "received corrupted netlink message"); - this->mutex->unlock(this->mutex); - free(result.ptr); - return FAILED; - } - if (msg->nlmsg_seq != this->seq) - { - DBG1(DBG_KNL, "received invalid netlink sequence number"); - if (msg->nlmsg_seq < this->seq) - { - continue; - } - this->mutex->unlock(this->mutex); - free(result.ptr); - return FAILED; - } - - tmp.len = len; - result.ptr = realloc(result.ptr, result.len + tmp.len); - memcpy(result.ptr + result.len, tmp.ptr, tmp.len); - result.len += tmp.len; - - /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence - * numbers to detect multi header messages */ - len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT, - (struct sockaddr*)&addr, &addr_len); - - if (len == sizeof(peek) && peek.nlmsg_seq == this->seq) - { - /* seems to be multipart */ - continue; - } - break; - } - - *out_len = result.len; - *out = (struct nlmsghdr*)result.ptr; - - this->mutex->unlock(this->mutex); - - return SUCCESS; -} - -/** - * Implementation of netlink_socket_t.send_ack. - */ -static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr *in) -{ - struct nlmsghdr *out, *hdr; - size_t len; - - if (netlink_send(this, in, &out, &len) != SUCCESS) - { - return FAILED; - } - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case NLMSG_ERROR: - { - struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr); - - if (err->error) - { - if (-err->error == EEXIST) - { /* do not report existing routes */ - free(out); - return ALREADY_DONE; - } - DBG1(DBG_KNL, "received netlink error: %s (%d)", - strerror(-err->error), -err->error); - free(out); - return FAILED; - } - free(out); - return SUCCESS; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - DBG1(DBG_KNL, "netlink request not acknowledged"); - free(out); - return FAILED; -} - -/** - * Implementation of netlink_socket_t.destroy. - */ -static void destroy(private_netlink_socket_t *this) -{ - if (this->socket > 0) - { - close(this->socket); - } - this->mutex->destroy(this->mutex); - free(this); -} - -/** - * Described in header. - */ -netlink_socket_t *netlink_socket_create(int protocol) -{ - private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t); - struct sockaddr_nl addr; - - /* public functions */ - this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send; - this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack; - this->public.destroy = (void(*)(netlink_socket_t*))destroy; - - /* private members */ - this->seq = 200; - this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - - this->protocol = protocol; - this->socket = socket(AF_NETLINK, SOCK_RAW, protocol); - if (this->socket < 0) - { - DBG1(DBG_KNL, "unable to create netlink socket"); - destroy(this); - return NULL; - } - - addr.nl_groups = 0; - if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr))) - { - DBG1(DBG_KNL, "unable to bind netlink socket"); - destroy(this); - return NULL; - } - - return &this->public; -} - -/** - * Described in header. - */ -void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, - size_t buflen) -{ - struct rtattr *rta; - - if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen) - { - DBG1(DBG_KNL, "unable to add attribute, buffer too small"); - return; - } - - rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len)); - rta->rta_type = rta_type; - rta->rta_len = RTA_LENGTH(data.len); - memcpy(RTA_DATA(rta), data.ptr, data.len); - hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len; -} diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h deleted file mode 100644 index dfd27a21a..000000000 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h +++ /dev/null @@ -1,77 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef KERNEL_NETLINK_SHARED_H_ -#define KERNEL_NETLINK_SHARED_H_ - -#include <library.h> - -#include <linux/rtnetlink.h> - -/** - * General purpose netlink buffer. - * - * 1024 byte is currently sufficient for all operations. Some platform - * require an enforced aligment to four bytes (e.g. ARM). - */ -typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO))); - -typedef struct netlink_socket_t netlink_socket_t; - -/** - * Wrapper around a netlink socket. - */ -struct netlink_socket_t { - - /** - * Send a netlink message and wait for a reply. - * - * @param in netlink message to send - * @param out received netlink message - * @param out_len length of the received message - */ - status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len); - - /** - * Send a netlink message and wait for its acknowledge. - * - * @param in netlink message to send - */ - status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in); - - /** - * Destroy the socket. - */ - void (*destroy)(netlink_socket_t *this); -}; - -/** - * Create a netlink_socket_t object. - * - * @param protocol protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE) - */ -netlink_socket_t *netlink_socket_create(int protocol); - -/** - * Creates an rtattr and adds it to the given netlink message. - * - * @param hdr netlink message - * @param rta_type type of the rtattr - * @param data data to add to the rtattr - * @param buflen length of the netlink message buffer - */ -void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen); - -#endif /* KERNEL_NETLINK_SHARED_H_ */ diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.am b/src/libcharon/plugins/kernel_pfkey/Makefile.am deleted file mode 100644 index 778a7f9a9..000000000 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.am +++ /dev/null @@ -1,17 +0,0 @@ - -INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la -else -plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la -endif - -libstrongswan_kernel_pfkey_la_SOURCES = \ - kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ - kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c - -libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c deleted file mode 100644 index a64c27f6f..000000000 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ /dev/null @@ -1,2210 +0,0 @@ -/* - * Copyright (C) 2008-2010 Tobias Brunner - * Copyright (C) 2008 Andreas Steffen - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/types.h> -#include <sys/socket.h> - -#ifdef __FreeBSD__ -#include <limits.h> /* for LONG_MAX */ -#endif - -#ifdef HAVE_NET_PFKEYV2_H -#include <net/pfkeyv2.h> -#else -#include <stdint.h> -#include <linux/pfkeyv2.h> -#endif - -#ifdef SADB_X_EXT_NAT_T_TYPE -#define HAVE_NATT -#endif - -#ifdef HAVE_NETIPSEC_IPSEC_H -#include <netipsec/ipsec.h> -#elif defined(HAVE_NETINET6_IPSEC_H) -#include <netinet6/ipsec.h> -#else -#include <linux/ipsec.h> -#endif - -#ifdef HAVE_NATT -#ifdef HAVE_LINUX_UDP_H -#include <linux/udp.h> -#else -#include <netinet/udp.h> -#endif /*HAVE_LINUX_UDP_H*/ -#endif /*HAVE_NATT*/ - -#include <unistd.h> -#include <time.h> -#include <errno.h> - -#include "kernel_pfkey_ipsec.h" - -#include <daemon.h> -#include <utils/host.h> -#include <threading/thread.h> -#include <threading/mutex.h> -#include <processing/jobs/callback_job.h> -#include <processing/jobs/acquire_job.h> -#include <processing/jobs/migrate_job.h> -#include <processing/jobs/rekey_child_sa_job.h> -#include <processing/jobs/delete_child_sa_job.h> -#include <processing/jobs/update_sa_job.h> - -/** non linux specific */ -#ifndef IPPROTO_COMP -#ifdef IPPROTO_IPCOMP -#define IPPROTO_COMP IPPROTO_IPCOMP -#endif -#endif - -#ifndef SADB_X_AALG_SHA2_256HMAC -#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256 -#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384 -#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512 -#endif - -#ifndef SADB_X_EALG_AESCBC -#define SADB_X_EALG_AESCBC SADB_X_EALG_AES -#endif - -#ifndef SADB_X_EALG_CASTCBC -#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC -#endif - -#ifndef SOL_IP -#define SOL_IP IPPROTO_IP -#define SOL_IPV6 IPPROTO_IPV6 -#endif - -/** from linux/in.h */ -#ifndef IP_IPSEC_POLICY -#define IP_IPSEC_POLICY 16 -#endif - -/** missing on uclibc */ -#ifndef IPV6_IPSEC_POLICY -#define IPV6_IPSEC_POLICY 34 -#endif - -/** default priority of installed policies */ -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 - -#ifdef __APPLE__ -/** from xnu/bsd/net/pfkeyv2.h */ -#define SADB_X_EXT_NATT 0x002 - struct sadb_sa_2 { - struct sadb_sa sa; - u_int16_t sadb_sa_natt_port; - u_int16_t sadb_reserved0; - u_int32_t sadb_reserved1; - }; -#endif - -/** buffer size for PF_KEY messages */ -#define PFKEY_BUFFER_SIZE 4096 - -/** PF_KEY messages are 64 bit aligned */ -#define PFKEY_ALIGNMENT 8 -/** aligns len to 64 bits */ -#define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1)) -/** calculates the properly padded length in 64 bit chunks */ -#define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT)) -/** calculates user mode length i.e. in bytes */ -#define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT) - -/** given a PF_KEY message header and an extension this updates the length in the header */ -#define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len) -/** given a PF_KEY message header this returns a pointer to the next extension */ -#define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len))) -/** copy an extension and append it to a PF_KEY message */ -#define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))) -/** given a PF_KEY extension this returns a pointer to the next extension */ -#define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))) -/** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */ -#define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext)) -/** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */ -#define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \ - (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \ - (ext)->sadb_ext_len <= (len)) - -typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t; - -/** - * Private variables and functions of kernel_pfkey class. - */ -struct private_kernel_pfkey_ipsec_t -{ - /** - * Public part of the kernel_pfkey_t object. - */ - kernel_pfkey_ipsec_t public; - - /** - * mutex to lock access to various lists - */ - mutex_t *mutex; - - /** - * List of installed policies (policy_entry_t) - */ - linked_list_t *policies; - - /** - * whether to install routes along policies - */ - bool install_routes; - - /** - * job receiving PF_KEY events - */ - callback_job_t *job; - - /** - * mutex to lock access to the PF_KEY socket - */ - mutex_t *mutex_pfkey; - - /** - * PF_KEY socket to communicate with the kernel - */ - int socket; - - /** - * PF_KEY socket to receive acquire and expire events - */ - int socket_events; - - /** - * sequence number for messages sent to the kernel - */ - int seq; -}; - -typedef struct route_entry_t route_entry_t; - -/** - * installed routing entry - */ -struct route_entry_t { - /** Name of the interface the route is bound to */ - char *if_name; - - /** Source ip of the route */ - host_t *src_ip; - - /** gateway for this route */ - host_t *gateway; - - /** Destination net */ - chunk_t dst_net; - - /** Destination net prefixlen */ - u_int8_t prefixlen; -}; - -/** - * destroy an route_entry_t object - */ -static void route_entry_destroy(route_entry_t *this) -{ - free(this->if_name); - DESTROY_IF(this->src_ip); - DESTROY_IF(this->gateway); - chunk_free(&this->dst_net); - free(this); -} - -typedef struct policy_entry_t policy_entry_t; - -/** - * installed kernel policy. - */ -struct policy_entry_t { - - /** reqid of this policy */ - u_int32_t reqid; - - /** index assigned by the kernel */ - u_int32_t index; - - /** direction of this policy: in, out, forward */ - u_int8_t direction; - - /** parameters of installed policy */ - struct { - /** subnet and port */ - host_t *net; - /** subnet mask */ - u_int8_t mask; - /** protocol */ - u_int8_t proto; - } src, dst; - - /** associated route installed for this policy */ - route_entry_t *route; - - /** by how many CHILD_SA's this policy is used */ - u_int refcount; -}; - -/** - * create a policy_entry_t object - */ -static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid) -{ - policy_entry_t *policy = malloc_thing(policy_entry_t); - policy->reqid = reqid; - policy->index = 0; - policy->direction = dir; - policy->route = NULL; - policy->refcount = 0; - - src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask); - dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask); - - /* src or dest proto may be "any" (0), use more restrictive one */ - policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts)); - policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; - policy->dst.proto = policy->src.proto; - - return policy; -} - -/** - * destroy a policy_entry_t object - */ -static void policy_entry_destroy(policy_entry_t *this) -{ - DESTROY_IF(this->src.net); - DESTROY_IF(this->dst.net); - if (this->route) - { - route_entry_destroy(this->route); - } - free(this); -} - -/** - * compares two policy_entry_t - */ -static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy) -{ - return current->direction == policy->direction && - current->src.proto == policy->src.proto && - current->dst.proto == policy->dst.proto && - current->src.mask == policy->src.mask && - current->dst.mask == policy->dst.mask && - current->src.net->equals(current->src.net, policy->src.net) && - current->dst.net->equals(current->dst.net, policy->dst.net); -} - -/** - * compare the given kernel index with that of a policy - */ -static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index) -{ - return current->index == *index; -} - -typedef struct pfkey_msg_t pfkey_msg_t; - -struct pfkey_msg_t -{ - /** - * PF_KEY message base - */ - struct sadb_msg *msg; - - /** - * PF_KEY message extensions - */ - union { - struct sadb_ext *ext[SADB_EXT_MAX + 1]; - struct { - struct sadb_ext *reserved; /* SADB_EXT_RESERVED */ - struct sadb_sa *sa; /* SADB_EXT_SA */ - struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */ - struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */ - struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */ - struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */ - struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */ - struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */ - struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */ - struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */ - struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */ - struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */ - struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */ - struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */ - struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */ - struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */ - struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */ - struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */ - struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */ - struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */ - struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */ - struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */ - struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */ - struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */ - struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */ - struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */ - } __attribute__((__packed__)); - }; -}; - -ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, - "SADB_EXT_RESERVED", - "SADB_EXT_SA", - "SADB_EXT_LIFETIME_CURRENT", - "SADB_EXT_LIFETIME_HARD", - "SADB_EXT_LIFETIME_SOFT", - "SADB_EXT_ADDRESS_SRC", - "SADB_EXT_ADDRESS_DST", - "SADB_EXT_ADDRESS_PROXY", - "SADB_EXT_KEY_AUTH", - "SADB_EXT_KEY_ENCRYPT", - "SADB_EXT_IDENTITY_SRC", - "SADB_EXT_IDENTITY_DST", - "SADB_EXT_SENSITIVITY", - "SADB_EXT_PROPOSAL", - "SADB_EXT_SUPPORTED_AUTH", - "SADB_EXT_SUPPORTED_ENCRYPT", - "SADB_EXT_SPIRANGE", - "SADB_X_EXT_KMPRIVATE", - "SADB_X_EXT_POLICY", - "SADB_X_EXT_SA2", - "SADB_X_EXT_NAT_T_TYPE", - "SADB_X_EXT_NAT_T_SPORT", - "SADB_X_EXT_NAT_T_DPORT", - "SADB_X_EXT_NAT_T_OA", - "SADB_X_EXT_SEC_CTX", - "SADB_X_EXT_KMADDRESS" -); - -/** - * convert a IKEv2 specific protocol identifier to the PF_KEY sa type - */ -static u_int8_t proto_ike2satype(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return SADB_SATYPE_ESP; - case PROTO_AH: - return SADB_SATYPE_AH; - case IPPROTO_COMP: - return SADB_X_SATYPE_IPCOMP; - default: - return proto; - } -} - -/** - * convert a PF_KEY sa type to a IKEv2 specific protocol identifier - */ -static protocol_id_t proto_satype2ike(u_int8_t proto) -{ - switch (proto) - { - case SADB_SATYPE_ESP: - return PROTO_ESP; - case SADB_SATYPE_AH: - return PROTO_AH; - case SADB_X_SATYPE_IPCOMP: - return IPPROTO_COMP; - default: - return proto; - } -} - -/** - * convert a IKEv2 specific protocol identifier to the IP protocol identifier - */ -static u_int8_t proto_ike2ip(protocol_id_t proto) -{ - switch (proto) - { - case PROTO_ESP: - return IPPROTO_ESP; - case PROTO_AH: - return IPPROTO_AH; - default: - return proto; - } -} - -/** - * convert the general ipsec mode to the one defined in ipsec.h - */ -static u_int8_t mode2kernel(ipsec_mode_t mode) -{ - switch (mode) - { - case MODE_TRANSPORT: - return IPSEC_MODE_TRANSPORT; - case MODE_TUNNEL: - return IPSEC_MODE_TUNNEL; -#ifdef HAVE_IPSEC_MODE_BEET - case MODE_BEET: - return IPSEC_MODE_BEET; -#endif - default: - return mode; - } -} - -/** - * convert the general policy direction to the one defined in ipsec.h - */ -static u_int8_t dir2kernel(policy_dir_t dir) -{ - switch (dir) - { - case POLICY_IN: - return IPSEC_DIR_INBOUND; - case POLICY_OUT: - return IPSEC_DIR_OUTBOUND; -#ifdef HAVE_IPSEC_DIR_FWD - case POLICY_FWD: - return IPSEC_DIR_FWD; -#endif - default: - return IPSEC_DIR_INVALID; - } -} - -#ifdef SADB_X_MIGRATE -/** - * convert the policy direction in ipsec.h to the general one. - */ -static policy_dir_t kernel2dir(u_int8_t dir) -{ - switch (dir) - { - case IPSEC_DIR_INBOUND: - return POLICY_IN; - case IPSEC_DIR_OUTBOUND: - return POLICY_OUT; -#ifdef HAVE_IPSEC_DIR_FWD - case IPSEC_DIR_FWD: - return POLICY_FWD; -#endif - default: - return dir; - } -} -#endif /*SADB_X_MIGRATE*/ - -typedef struct kernel_algorithm_t kernel_algorithm_t; - -/** - * Mapping of IKEv2 algorithms to PF_KEY algorithms - */ -struct kernel_algorithm_t { - /** - * Identifier specified in IKEv2 - */ - int ikev2; - - /** - * Identifier as defined in pfkeyv2.h - */ - int kernel; -}; - -#define END_OF_LIST -1 - -/** - * Algorithms for encryption - */ -static kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, 0 }, */ - {ENCR_DES, SADB_EALG_DESCBC }, - {ENCR_3DES, SADB_EALG_3DESCBC }, -/* {ENCR_RC5, 0 }, */ -/* {ENCR_IDEA, 0 }, */ - {ENCR_CAST, SADB_X_EALG_CASTCBC }, - {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, -/* {ENCR_3IDEA, 0 }, */ -/* {ENCR_DES_IV32, 0 }, */ - {ENCR_NULL, SADB_EALG_NULL }, - {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, -/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ -/* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */ -/* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */ -/* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */ -/* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */ -/* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */ -/* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */ - {END_OF_LIST, 0 }, -}; - -/** - * Algorithms for integrity protection - */ -static kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, - {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC }, - {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC }, - {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC }, - {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC }, -/* {AUTH_DES_MAC, 0, }, */ -/* {AUTH_KPDK_MD5, 0, }, */ -#ifdef SADB_X_AALG_AES_XCBC_MAC - {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, }, -#endif - {END_OF_LIST, 0, }, -}; - -#if 0 -/** - * Algorithms for IPComp, unused yet - */ -static kernel_algorithm_t compression_algs[] = { -/* {IPCOMP_OUI, 0 }, */ - {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE }, - {IPCOMP_LZS, SADB_X_CALG_LZS }, - {IPCOMP_LZJH, SADB_X_CALG_LZJH }, - {END_OF_LIST, 0 }, -}; -#endif - -/** - * Look up a kernel algorithm ID and its key size - */ -static int lookup_algorithm(kernel_algorithm_t *list, int ikev2) -{ - while (list->ikev2 != END_OF_LIST) - { - if (ikev2 == list->ikev2) - { - return list->kernel; - } - list++; - } - return 0; -} - -/** - * Copy a host_t as sockaddr_t to the given memory location. Ports are - * reset to zero as per RFC 2367. - * @return the number of bytes copied - */ -static size_t hostcpy(void *dest, host_t *host) -{ - sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest; - socklen_t *len = host->get_sockaddr_len(host); - memcpy(dest, addr, *len); -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - dest_addr->sa_len = *len; -#endif - switch (dest_addr->sa_family) - { - case AF_INET: - { - struct sockaddr_in *sin = dest; - sin->sin_port = 0; - break; - } - case AF_INET6: - { - struct sockaddr_in6 *sin6 = dest; - sin6->sin6_port = 0; - break; - } - } - return *len; -} - -/** - * add a host behind an sadb_address extension - */ -static void host2ext(host_t *host, struct sadb_address *ext) -{ - size_t len = hostcpy(ext + 1, host); - ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len); -} - -/** - * add a host to the given sadb_msg - */ -static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type, - u_int8_t proto, u_int8_t prefixlen) -{ - struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg); - addr->sadb_address_exttype = type; - addr->sadb_address_proto = proto; - addr->sadb_address_prefixlen = prefixlen; - host2ext(host, addr); - PFKEY_EXT_ADD(msg, addr); -} - -/** - * adds an empty address extension to the given sadb_msg - */ -static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type) -{ - socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) : - sizeof(struct sockaddr_in6); - struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg); - addr->sadb_address_exttype = type; - sockaddr_t *saddr = (sockaddr_t*)(addr + 1); - saddr->sa_family = family; -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - saddr->sa_len = len; -#endif - addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); - PFKEY_EXT_ADD(msg, addr); -} - -#ifdef HAVE_NATT -/** - * add udp encap extensions to a sadb_msg - */ -static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst) -{ - struct sadb_x_nat_t_type* nat_type; - struct sadb_x_nat_t_port* nat_port; - - nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg); - nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; - nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type)); - nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP; - PFKEY_EXT_ADD(msg, nat_type); - - nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg); - nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT; - nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port)); - nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src)); - PFKEY_EXT_ADD(msg, nat_port); - - nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg); - nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT; - nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port)); - nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst)); - PFKEY_EXT_ADD(msg, nat_port); -} -#endif /*HAVE_NATT*/ - -/** - * Convert a sadb_address to a traffic_selector - */ -static traffic_selector_t* sadb_address2ts(struct sadb_address *address) -{ - traffic_selector_t *ts; - host_t *host; - - /* The Linux 2.6 kernel does not set the protocol and port information - * in the src and dst sadb_address extensions of the SADB_ACQUIRE message. - */ - host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ; - ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen, - address->sadb_address_proto, host->get_port(host)); - return ts; -} - -/** - * Parses a pfkey message received from the kernel - */ -static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) -{ - struct sadb_ext* ext; - size_t len; - - memset(out, 0, sizeof(pfkey_msg_t)); - out->msg = msg; - - len = msg->sadb_msg_len; - len -= PFKEY_LEN(sizeof(struct sadb_msg)); - - ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg)); - - while (len >= PFKEY_LEN(sizeof(struct sadb_ext))) - { - DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); - if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) || - ext->sadb_ext_len > len) - { - DBG1(DBG_KNL, "length of %N extension is invalid", - sadb_ext_type_names, ext->sadb_ext_type); - break; - } - - if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type)) - { - DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type); - break; - } - - if (out->ext[ext->sadb_ext_type]) - { - DBG1(DBG_KNL, "duplicate %N extension", - sadb_ext_type_names, ext->sadb_ext_type); - break; - } - - out->ext[ext->sadb_ext_type] = ext; - ext = PFKEY_EXT_NEXT_LEN(ext, len); - } - - if (len) - { - DBG1(DBG_KNL, "PF_KEY message length is invalid"); - return FAILED; - } - - return SUCCESS; -} - -/** - * Send a message to a specific PF_KEY socket and handle the response. - */ -static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket, - struct sadb_msg *in, struct sadb_msg **out, size_t *out_len) -{ - unsigned char buf[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg; - int in_len, len; - - this->mutex_pfkey->lock(this->mutex_pfkey); - - /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367, - * in particular the behavior in response to an SADB_ACQUIRE. */ - in->sadb_msg_seq = ++this->seq; - in->sadb_msg_pid = getpid(); - - in_len = PFKEY_USER_LEN(in->sadb_msg_len); - - while (TRUE) - { - len = send(socket, in, in_len, 0); - - if (len != in_len) - { - if (errno == EINTR) - { - /* interrupted, try again */ - continue; - } - this->mutex_pfkey->unlock(this->mutex_pfkey); - DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno)); - return FAILED; - } - break; - } - - while (TRUE) - { - msg = (struct sadb_msg*)buf; - - len = recv(socket, buf, sizeof(buf), 0); - - if (len < 0) - { - if (errno == EINTR) - { - DBG1(DBG_KNL, "got interrupted"); - /* interrupted, try again */ - continue; - } - DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno)); - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - if (len < sizeof(struct sadb_msg) || - msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg))) - { - DBG1(DBG_KNL, "received corrupted PF_KEY message"); - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT) - { - DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message"); - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - if (msg->sadb_msg_pid != in->sadb_msg_pid) - { - DBG2(DBG_KNL, "received PF_KEY message is not intended for us"); - continue; - } - if (msg->sadb_msg_seq != this->seq) - { - DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence " - "number, was %d expected %d", msg->sadb_msg_seq, this->seq); - if (msg->sadb_msg_seq == 0) - { - /* FreeBSD and Mac OS X do this for the response to - * SADB_X_SPDGET (but not for the response to SADB_GET). - * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */ - } - else if (msg->sadb_msg_seq < this->seq) - { - continue; - } - else - { - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; - } - } - if (msg->sadb_msg_type != in->sadb_msg_type) - { - DBG2(DBG_KNL, "received PF_KEY message of wrong type, " - "was %d expected %d, ignoring", - msg->sadb_msg_type, in->sadb_msg_type); - } - break; - } - - *out_len = len; - *out = (struct sadb_msg*)malloc(len); - memcpy(*out, buf, len); - - this->mutex_pfkey->unlock(this->mutex_pfkey); - - return SUCCESS; -} - -/** - * Send a message to the default PF_KEY socket and handle the response. - */ -static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this, - struct sadb_msg *in, struct sadb_msg **out, size_t *out_len) -{ - return pfkey_send_socket(this, this->socket, in, out, out_len); -} - -/** - * Process a SADB_ACQUIRE message from the kernel - */ -static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) -{ - pfkey_msg_t response; - u_int32_t index, reqid = 0; - traffic_selector_t *src_ts, *dst_ts; - policy_entry_t *policy; - job_t *job; - - switch (msg->sadb_msg_satype) - { - case SADB_SATYPE_UNSPEC: - case SADB_SATYPE_ESP: - case SADB_SATYPE_AH: - break; - default: - /* acquire for AH/ESP only */ - return; - } - DBG2(DBG_KNL, "received an SADB_ACQUIRE"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed"); - return; - } - - index = response.x_policy->sadb_x_policy_id; - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS) - { - reqid = policy->reqid; - } - else - { - DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found", - index); - } - src_ts = sadb_address2ts(response.src); - dst_ts = sadb_address2ts(response.dst); - this->mutex->unlock(this->mutex); - - DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}", - src_ts, dst_ts, reqid); - job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts); - charon->processor->queue_job(charon->processor, job); -} - -/** - * Process a SADB_EXPIRE message from the kernel - */ -static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) -{ - pfkey_msg_t response; - protocol_id_t protocol; - u_int32_t spi, reqid; - bool hard; - job_t *job; - - DBG2(DBG_KNL, "received an SADB_EXPIRE"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed"); - return; - } - - protocol = proto_satype2ike(msg->sadb_msg_satype); - spi = response.sa->sadb_sa_spi; - reqid = response.x_sa2->sadb_x_sa2_reqid; - hard = response.lft_hard != NULL; - - if (protocol != PROTO_ESP && protocol != PROTO_AH) - { - DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} " - "which is not a CHILD_SA", ntohl(spi), reqid); - return; - } - - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}", - hard ? "delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->processor->queue_job(charon->processor, job); -} - -#ifdef SADB_X_MIGRATE -/** - * Process a SADB_X_MIGRATE message from the kernel - */ -static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) -{ - pfkey_msg_t response; - traffic_selector_t *src_ts, *dst_ts; - policy_dir_t dir; - u_int32_t reqid = 0; - host_t *local = NULL, *remote = NULL; - job_t *job; - - DBG2(DBG_KNL, "received an SADB_X_MIGRATE"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed"); - return; - } - src_ts = sadb_address2ts(response.src); - dst_ts = sadb_address2ts(response.dst); - dir = kernel2dir(response.x_policy->sadb_x_policy_dir); - DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts, - policy_dir_names, dir); - - /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ - if (response.x_kmaddress) - { - sockaddr_t *local_addr, *remote_addr; - u_int32_t local_len; - - local_addr = (sockaddr_t*)&response.x_kmaddress[1]; - local = host_create_from_sockaddr(local_addr); - local_len = (local_addr->sa_family == AF_INET6)? - sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in); - remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len); - remote = host_create_from_sockaddr(remote_addr); - DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote); - } - - if (src_ts && dst_ts && local && remote) - { - DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}", - src_ts, dst_ts, policy_dir_names, dir, reqid, local); - job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir, - local, remote); - charon->processor->queue_job(charon->processor, job); - } - else - { - DESTROY_IF(src_ts); - DESTROY_IF(dst_ts); - DESTROY_IF(local); - DESTROY_IF(remote); - } -} -#endif /*SADB_X_MIGRATE*/ - -#ifdef SADB_X_NAT_T_NEW_MAPPING -/** - * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel - */ -static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) -{ - pfkey_msg_t response; - u_int32_t spi, reqid; - host_t *host; - job_t *job; - - DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING"); - - if (parse_pfkey_message(msg, &response) != SUCCESS) - { - DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed"); - return; - } - - if (!response.x_sa2) - { - DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information"); - return; - } - - spi = response.sa->sadb_sa_spi; - reqid = response.x_sa2->sadb_x_sa2_reqid; - - if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP) - { - sockaddr_t *sa = (sockaddr_t*)(response.dst + 1); - switch (sa->sa_family) - { - case AF_INET: - { - struct sockaddr_in *sin = (struct sockaddr_in*)sa; - sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port); - } - case AF_INET6: - { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa; - sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port); - } - default: - break; - } - host = host_create_from_sockaddr(sa); - if (host) - { - DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and " - "reqid {%u} changed, queuing update job", ntohl(spi), reqid); - job = (job_t*)update_sa_job_create(reqid, host); - charon->processor->queue_job(charon->processor, job); - } - } -} -#endif /*SADB_X_NAT_T_NEW_MAPPING*/ - -/** - * Receives events from kernel - */ -static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) -{ - unsigned char buf[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg = (struct sadb_msg*)buf; - int len; - bool oldstate; - - oldstate = thread_cancelability(TRUE); - len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); - thread_cancelability(oldstate); - - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return JOB_REQUEUE_DIRECT; - case EAGAIN: - /* no data ready, select again */ - return JOB_REQUEUE_DIRECT; - default: - DBG1(DBG_KNL, "unable to receive from PF_KEY event socket"); - sleep(1); - return JOB_REQUEUE_FAIR; - } - } - - if (len < sizeof(struct sadb_msg) || - msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg))) - { - DBG2(DBG_KNL, "received corrupted PF_KEY message"); - return JOB_REQUEUE_DIRECT; - } - if (msg->sadb_msg_pid != 0) - { /* not from kernel. not interested, try another one */ - return JOB_REQUEUE_DIRECT; - } - if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT) - { - DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message"); - return JOB_REQUEUE_DIRECT; - } - - switch (msg->sadb_msg_type) - { - case SADB_ACQUIRE: - process_acquire(this, msg); - break; - case SADB_EXPIRE: - process_expire(this, msg); - break; -#ifdef SADB_X_MIGRATE - case SADB_X_MIGRATE: - process_migrate(this, msg); - break; -#endif /*SADB_X_MIGRATE*/ -#ifdef SADB_X_NAT_T_NEW_MAPPING - case SADB_X_NAT_T_NEW_MAPPING: - process_mapping(this, msg); - break; -#endif /*SADB_X_NAT_T_NEW_MAPPING*/ - default: - break; - } - - return JOB_REQUEUE_DIRECT; -} - -METHOD(kernel_ipsec_t, get_spi, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_x_sa2 *sa2; - struct sadb_spirange *range; - pfkey_msg_t response; - u_int32_t received_spi = 0; - size_t len; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_GETSPI; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); - sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; - sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); - sa2->sadb_x_sa2_reqid = reqid; - PFKEY_EXT_ADD(msg, sa2); - - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); - - range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg); - range->sadb_spirange_exttype = SADB_EXT_SPIRANGE; - range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange)); - range->sadb_spirange_min = 0xc0000000; - range->sadb_spirange_max = 0xcFFFFFFF; - PFKEY_EXT_ADD(msg, range); - - if (pfkey_send(this, msg, &out, &len) == SUCCESS) - { - if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - } - else if (parse_pfkey_message(out, &response) == SUCCESS) - { - received_spi = response.sa->sadb_sa_spi; - } - free(out); - } - - if (received_spi == 0) - { - return FAILED; - } - - *spi = received_spi; - return SUCCESS; -} - -METHOD(kernel_ipsec_t, get_cpi, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) -{ - return FAILED; -} - -METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - struct sadb_x_sa2 *sa2; - struct sadb_lifetime *lft; - struct sadb_key *key; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - -#ifdef __APPLE__ - if (encap) - { - struct sadb_sa_2 *sa_2; - sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); - sa_2->sadb_sa_natt_port = dst->get_port(dst); - sa = &sa_2->sa; - sa->sadb_sa_flags |= SADB_X_EXT_NATT; - len = sizeof(struct sadb_sa_2); - } - else -#endif - { - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - len = sizeof(struct sadb_sa); - } - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(len); - sa->sadb_sa_spi = spi; - sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32; - sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg); - sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg); - PFKEY_EXT_ADD(msg, sa); - - sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); - sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; - sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); - sa2->sadb_x_sa2_mode = mode2kernel(mode); - sa2->sadb_x_sa2_reqid = reqid; - PFKEY_EXT_ADD(msg, sa2); - - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); - - lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); - lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; - lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_allocations = lifetime->packets.rekey; - lft->sadb_lifetime_bytes = lifetime->bytes.rekey; - lft->sadb_lifetime_addtime = lifetime->time.rekey; - lft->sadb_lifetime_usetime = 0; /* we only use addtime */ - PFKEY_EXT_ADD(msg, lft); - - lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); - lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; - lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_allocations = lifetime->packets.life; - lft->sadb_lifetime_bytes = lifetime->bytes.life; - lft->sadb_lifetime_addtime = lifetime->time.life; - lft->sadb_lifetime_usetime = 0; /* we only use addtime */ - PFKEY_EXT_ADD(msg, lft); - - if (enc_alg != ENCR_UNDEFINED) - { - if (!sa->sadb_sa_encrypt) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); - return FAILED; - } - DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); - - key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); - key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; - key->sadb_key_bits = enc_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len); - memcpy(key + 1, enc_key.ptr, enc_key.len); - - PFKEY_EXT_ADD(msg, key); - } - - if (int_alg != AUTH_UNDEFINED) - { - if (!sa->sadb_sa_auth) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg); - return FAILED; - } - DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg, int_key.len * 8); - - key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); - key->sadb_key_exttype = SADB_EXT_KEY_AUTH; - key->sadb_key_bits = int_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len); - memcpy(key + 1, int_key.ptr, int_key.len); - - PFKEY_EXT_ADD(msg, key); - } - - if (ipcomp != IPCOMP_NONE) - { - /*TODO*/ - } - -#ifdef HAVE_NATT - if (encap) - { - add_encap_ext(msg, src, dst); - } -#endif /*HAVE_NATT*/ - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - pfkey_msg_t response; - size_t len; - - /* we can't update the SA if any of the ip addresses have changed. - * that's because we can't use SADB_UPDATE and by deleting and readding the - * SA the sequence numbers would get lost */ - if (!src->ip_equals(src, new_src) || - !dst->ip_equals(dst, new_dst)) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes" - " are not supported", ntohl(spi)); - return NOT_SUPPORTED; - } - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - PFKEY_EXT_ADD(msg, sa); - - /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though - * it is not used for anything. */ - add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", - ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response " - "from kernel failed", ntohl(spi)); - free(out); - return FAILED; - } - - DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", - ntohl(spi), src, dst, new_src, new_dst); - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - -#ifdef __APPLE__ - { - struct sadb_sa_2 *sa_2; - sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); - sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2)); - memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa)); - if (encap) - { - sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst); - sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT; - } - } -#else - PFKEY_EXT_COPY(msg, response.sa); -#endif - PFKEY_EXT_COPY(msg, response.x_sa2); - - PFKEY_EXT_COPY(msg, response.src); - PFKEY_EXT_COPY(msg, response.dst); - - PFKEY_EXT_COPY(msg, response.lft_soft); - PFKEY_EXT_COPY(msg, response.lft_hard); - - if (response.key_encr) - { - PFKEY_EXT_COPY(msg, response.key_encr); - } - - if (response.key_auth) - { - PFKEY_EXT_COPY(msg, response.key_auth); - } - -#ifdef HAVE_NATT - if (new_encap) - { - add_encap_ext(msg, new_src, new_dst); - } -#endif /*HAVE_NATT*/ - - free(out); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, query_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - pfkey_msg_t response; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - PFKEY_EXT_ADD(msg, sa); - - /* the Linux Kernel doesn't care for the src address, but other systems do - * (e.g. FreeBSD) - */ - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; - } - *bytes = response.lft_current->sadb_lifetime_bytes; - - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_sa *sa; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_DELETE; - msg->sadb_msg_satype = proto_ike2satype(protocol); - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); - sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; - PFKEY_EXT_ADD(msg, sa); - - /* the Linux Kernel doesn't care for the src address, but other systems do - * (e.g. FreeBSD) - */ - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_x_policy *pol; - struct sadb_x_ipsecrequest *req; - policy_entry_t *policy, *found = NULL; - pfkey_msg_t response; - size_t len; - - if (dir2kernel(direction) == IPSEC_DIR_INVALID) - { - /* FWD policies are not supported on all platforms */ - return SUCCESS; - } - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction, reqid); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS) - { - /* use existing policy */ - found->refcount++; - DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing " - "refcount", src_ts, dst_ts, - policy_dir_names, direction); - policy_entry_destroy(policy); - policy = found; - } - else - { - /* apply the new one, if we have no such policy */ - this->policies->insert_last(this->policies, policy); - policy->refcount = 1; - } - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD; - msg->sadb_msg_satype = 0; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg); - pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); - pol->sadb_x_policy_id = 0; - pol->sadb_x_policy_dir = dir2kernel(direction); - pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; -#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY - /* calculate priority based on source selector size, small size = high prio */ - pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; - pol->sadb_x_policy_priority -= policy->src.mask * 10; - pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0; - pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0; -#endif - - /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ - req = (struct sadb_x_ipsecrequest*)(pol + 1); - req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol); - /* !!! the length of this struct MUST be in octets instead of 64 bit words */ - req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); - req->sadb_x_ipsecrequest_mode = mode2kernel(mode); - req->sadb_x_ipsecrequest_reqid = reqid; - req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE; - if (mode == MODE_TUNNEL) - { - len = hostcpy(req + 1, src); - req->sadb_x_ipsecrequest_len += len; - len = hostcpy((char*)(req + 1) + len, dst); - req->sadb_x_ipsecrequest_len += len; - } - - pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len); - PFKEY_EXT_ADD(msg, pol); - - add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto, - policy->src.mask); - add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, - policy->dst.mask); - -#ifdef __FreeBSD__ - { /* on FreeBSD a lifetime has to be defined to be able to later query - * the current use time. */ - struct sadb_lifetime *lft; - lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); - lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; - lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_addtime = LONG_MAX; - PFKEY_EXT_ADD(msg, lft); - } -#endif - - this->mutex->unlock(this->mutex); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts, - policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response " - "from kernel failed", src_ts, dst_ts, policy_dir_names, direction); - free(out); - return FAILED; - } - - this->mutex->lock(this->mutex); - - /* we try to find the policy again and update the kernel index */ - if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS) - { - DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is " - "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction); - this->mutex->unlock(this->mutex); - free(out); - return SUCCESS; - } - policy->index = response.x_policy->sadb_x_policy_id; - free(out); - - /* install a route, if: - * - we are NOT updating a policy - * - this is a forward policy (to just get one for each child) - * - we are in tunnel mode - * - we are not using IPv6 (does not work correctly yet!) - * - routing is not disabled via strongswan.conf - */ - if (policy->route == NULL && direction == POLICY_FWD && - mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 && - this->install_routes) - { - route_entry_t *route = malloc_thing(route_entry_t); - - if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface, - dst_ts, &route->src_ip) == SUCCESS) - { - /* get the nexthop to src (src as we are in POLICY_FWD).*/ - route->gateway = charon->kernel_interface->get_nexthop( - charon->kernel_interface, src); - route->if_name = charon->kernel_interface->get_interface( - charon->kernel_interface, dst); - route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)); - route->prefixlen = policy->src.mask; - - if (route->if_name) - { - switch (charon->kernel_interface->add_route( - charon->kernel_interface, route->dst_net, - route->prefixlen, route->gateway, - route->src_ip, route->if_name)) - { - default: - DBG1(DBG_KNL, "unable to install source route for %H", - route->src_ip); - /* FALL */ - case ALREADY_DONE: - /* route exists, do not uninstall */ - route_entry_destroy(route); - break; - case SUCCESS: - /* cache the installed route */ - policy->route = route; - break; - } - } - else - { - route_entry_destroy(route); - } - } - else - { - free(route); - } - } - - this->mutex->unlock(this->mutex); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - u_int32_t *use_time) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_x_policy *pol; - policy_entry_t *policy, *found = NULL; - pfkey_msg_t response; - size_t len; - - if (dir2kernel(direction) == IPSEC_DIR_INVALID) - { - /* FWD policies are not supported on all platforms */ - return NOT_FOUND; - } - - DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction, 0); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS) - { - DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); - policy_entry_destroy(policy); - this->mutex->unlock(this->mutex); - return NOT_FOUND; - } - policy_entry_destroy(policy); - policy = found; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_SPDGET; - msg->sadb_msg_satype = 0; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg); - pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - pol->sadb_x_policy_id = policy->index; - pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); - pol->sadb_x_policy_dir = dir2kernel(direction); - pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; - PFKEY_EXT_ADD(msg, pol); - - add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto, - policy->src.mask); - add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, - policy->dst.mask); - - this->mutex->unlock(this->mutex); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - else if (parse_pfkey_message(out, &response) != SUCCESS) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response " - "from kernel failed", src_ts, dst_ts, policy_dir_names, direction); - free(out); - return FAILED; - } - else if (response.lft_current == NULL) - { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no " - "use time", src_ts, dst_ts, policy_dir_names, direction); - free(out); - return FAILED; - } - /* we need the monotonic time, but the kernel returns system time. */ - if (response.lft_current->sadb_lifetime_usetime) - { - *use_time = time_monotonic(NULL) - - (time(NULL) - response.lft_current->sadb_lifetime_usetime); - } - else - { - *use_time = 0; - } - free(out); - - return SUCCESS; -} - -METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - bool unrouted) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - struct sadb_x_policy *pol; - policy_entry_t *policy, *found = NULL; - route_entry_t *route; - size_t len; - - if (dir2kernel(direction) == IPSEC_DIR_INVALID) - { - /* FWD policies are not supported on all platforms */ - return SUCCESS; - } - - DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - - /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction, 0); - - /* find a matching policy */ - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, - (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS) - { - if (--found->refcount > 0) - { - /* is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); - policy_entry_destroy(policy); - this->mutex->unlock(this->mutex); - return SUCCESS; - } - /* remove if last reference */ - this->policies->remove(this->policies, found, NULL); - policy_entry_destroy(policy); - policy = found; - } - else - { - DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); - policy_entry_destroy(policy); - this->mutex->unlock(this->mutex); - return NOT_FOUND; - } - this->mutex->unlock(this->mutex); - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_X_SPDDELETE; - msg->sadb_msg_satype = 0; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg); - pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); - pol->sadb_x_policy_dir = dir2kernel(direction); - pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; - PFKEY_EXT_ADD(msg, pol); - - add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto, - policy->src.mask); - add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, - policy->dst.mask); - - route = policy->route; - policy->route = NULL; - policy_entry_destroy(policy); - - if (pfkey_send(this, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - - if (route) - { - if (charon->kernel_interface->del_route(charon->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name) != SUCCESS) - { - DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); - } - route_entry_destroy(route); - } - - return SUCCESS; -} - -/** - * Register a socket for AQUIRE/EXPIRE messages - */ -static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, - u_int8_t satype) -{ - unsigned char request[PFKEY_BUFFER_SIZE]; - struct sadb_msg *msg, *out; - size_t len; - - memset(&request, 0, sizeof(request)); - - msg = (struct sadb_msg*)request; - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_REGISTER; - msg->sadb_msg_satype = satype; - msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS) - { - DBG1(DBG_KNL, "unable to register PF_KEY socket"); - return FAILED; - } - else if (out->sadb_msg_errno) - { - DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)", - strerror(out->sadb_msg_errno), out->sadb_msg_errno); - free(out); - return FAILED; - } - free(out); - return SUCCESS; -} - -METHOD(kernel_ipsec_t, bypass_socket, bool, - private_kernel_pfkey_ipsec_t *this, int fd, int family) -{ - struct sadb_x_policy policy; - u_int sol, ipsec_policy; - - switch (family) - { - case AF_INET: - { - sol = SOL_IP; - ipsec_policy = IP_IPSEC_POLICY; - break; - } - case AF_INET6: - { - sol = SOL_IPV6; - ipsec_policy = IPV6_IPSEC_POLICY; - break; - } - default: - return FALSE; - } - - memset(&policy, 0, sizeof(policy)); - policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t); - policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; - policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS; - - policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; - if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) - { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); - return FALSE; - } - policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; - if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) - { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); - return FALSE; - } - return TRUE; -} - -METHOD(kernel_ipsec_t, destroy, void, - private_kernel_pfkey_ipsec_t *this) -{ - if (this->job) - { - this->job->cancel(this->job); - } - if (this->socket > 0) - { - close(this->socket); - } - if (this->socket_events > 0) - { - close(this->socket_events); - } - this->policies->destroy_function(this->policies, (void*)policy_entry_destroy); - this->mutex->destroy(this->mutex); - this->mutex_pfkey->destroy(this->mutex_pfkey); - free(this); -} - -/* - * Described in header. - */ -kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() -{ - private_kernel_pfkey_ipsec_t *this; - - INIT(this, - .public.interface = { - .get_spi = _get_spi, - .get_cpi = _get_cpi, - .add_sa = _add_sa, - .update_sa = _update_sa, - .query_sa = _query_sa, - .del_sa = _del_sa, - .add_policy = _add_policy, - .query_policy = _query_policy, - .del_policy = _del_policy, - .bypass_socket = _bypass_socket, - .destroy = _destroy, - }, - .policies = linked_list_create(), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT), - .install_routes = lib->settings->get_bool(lib->settings, - "charon.install_routes", TRUE), - ); - - /* create a PF_KEY socket to communicate with the kernel */ - this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - if (this->socket <= 0) - { - DBG1(DBG_KNL, "unable to create PF_KEY socket"); - destroy(this); - return NULL; - } - - /* create a PF_KEY socket for ACQUIRE & EXPIRE */ - this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - if (this->socket_events <= 0) - { - DBG1(DBG_KNL, "unable to create PF_KEY event socket"); - destroy(this); - return NULL; - } - - /* register the event socket */ - if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS || - register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS) - { - DBG1(DBG_KNL, "unable to register PF_KEY event socket"); - destroy(this); - return NULL; - } - - this->job = callback_job_create((callback_job_cb_t)receive_events, - this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); - - return &this->public; -} - diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h deleted file mode 100644 index 649f93733..000000000 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup kernel_pfkey_ipsec_i kernel_pfkey_ipsec - * @{ @ingroup kernel_pfkey - */ - -#ifndef KERNEL_PFKEY_IPSEC_H_ -#define KERNEL_PFKEY_IPSEC_H_ - -#include <kernel/kernel_ipsec.h> - -typedef struct kernel_pfkey_ipsec_t kernel_pfkey_ipsec_t; - -/** - * Implementation of the kernel ipsec interface using PF_KEY. - */ -struct kernel_pfkey_ipsec_t { - - /** - * Implements kernel_ipsec_t interface - */ - kernel_ipsec_t interface; -}; - -/** - * Create a PF_KEY kernel ipsec interface instance. - * - * @return kernel_pfkey_ipsec_t instance - */ -kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create(); - -#endif /** KERNEL_PFKEY_IPSEC_H_ @}*/ diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c deleted file mode 100644 index b84ccf150..000000000 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include "kernel_pfkey_plugin.h" - -#include "kernel_pfkey_ipsec.h" - -#include <daemon.h> - -typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t; - -/** - * private data of kernel PF_KEY plugin - */ -struct private_kernel_pfkey_plugin_t { - /** - * implements plugin interface - */ - kernel_pfkey_plugin_t public; -}; - -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_pfkey_plugin_t *this) -{ - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); - free(this); -} - -/* - * see header file - */ -plugin_t *kernel_pfkey_plugin_create() -{ - private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); - - return &this->public.plugin; -} diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.am b/src/libcharon/plugins/kernel_pfroute/Makefile.am deleted file mode 100644 index 83db48160..000000000 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.am +++ /dev/null @@ -1,17 +0,0 @@ - -INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la -else -plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la -endif - -libstrongswan_kernel_pfroute_la_SOURCES = \ - kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ - kernel_pfroute_net.h kernel_pfroute_net.c - -libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c deleted file mode 100644 index 97c019b58..000000000 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ /dev/null @@ -1,729 +0,0 @@ -/* - * Copyright (C) 2009 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <net/if.h> -#include <ifaddrs.h> -#include <net/route.h> -#include <unistd.h> -#include <errno.h> - -#include "kernel_pfroute_net.h" - -#include <daemon.h> -#include <utils/host.h> -#include <threading/thread.h> -#include <threading/mutex.h> -#include <utils/linked_list.h> -#include <processing/jobs/callback_job.h> -#include <processing/jobs/roam_job.h> - -#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN -#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member. -#endif - -/** delay before firing roam jobs (ms) */ -#define ROAM_DELAY 100 - -/** buffer size for PF_ROUTE messages */ -#define PFROUTE_BUFFER_SIZE 4096 - -typedef struct addr_entry_t addr_entry_t; - -/** - * IP address in an inface_entry_t - */ -struct addr_entry_t { - - /** The ip address */ - host_t *ip; - - /** virtual IP managed by us */ - bool virtual; - - /** Number of times this IP is used, if virtual */ - u_int refcount; -}; - -/** - * destroy a addr_entry_t object - */ -static void addr_entry_destroy(addr_entry_t *this) -{ - this->ip->destroy(this->ip); - free(this); -} - -typedef struct iface_entry_t iface_entry_t; - -/** - * A network interface on this system, containing addr_entry_t's - */ -struct iface_entry_t { - - /** interface index */ - int ifindex; - - /** name of the interface */ - char ifname[IFNAMSIZ]; - - /** interface flags, as in netdevice(7) SIOCGIFFLAGS */ - u_int flags; - - /** list of addresses as host_t */ - linked_list_t *addrs; -}; - -/** - * destroy an interface entry - */ -static void iface_entry_destroy(iface_entry_t *this) -{ - this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy); - free(this); -} - - -typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t; - -/** - * Private variables and functions of kernel_pfroute class. - */ -struct private_kernel_pfroute_net_t -{ - /** - * Public part of the kernel_pfroute_t object. - */ - kernel_pfroute_net_t public; - - /** - * mutex to lock access to various lists - */ - mutex_t *mutex; - - /** - * Cached list of interfaces and their addresses (iface_entry_t) - */ - linked_list_t *ifaces; - - /** - * job receiving PF_ROUTE events - */ - callback_job_t *job; - - /** - * mutex to lock access to the PF_ROUTE socket - */ - mutex_t *mutex_pfroute; - - /** - * PF_ROUTE socket to communicate with the kernel - */ - int socket; - - /** - * PF_ROUTE socket to receive events - */ - int socket_events; - - /** - * sequence number for messages sent to the kernel - */ - int seq; - - /** - * time of last roam job - */ - timeval_t last_roam; -}; - -/** - * Start a roaming job. We delay it a bit and fire only one job - * for multiple events. Otherwise we would create too many jobs. - */ -static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address) -{ - timeval_t now; - - time_monotonic(&now); - if (timercmp(&now, &this->last_roam, >)) - { - now.tv_usec += ROAM_DELAY * 1000; - while (now.tv_usec > 1000000) - { - now.tv_sec++; - now.tv_usec -= 1000000; - } - this->last_roam = now; - charon->scheduler->schedule_job_ms(charon->scheduler, - (job_t*)roam_job_create(address), ROAM_DELAY); - } -} - -/** - * Process an RTM_*ADDR message from the kernel - */ -static void process_addr(private_kernel_pfroute_net_t *this, - struct rt_msghdr *msg) -{ - struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg; - sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1); - host_t *host = NULL; - enumerator_t *ifaces, *addrs; - iface_entry_t *iface; - addr_entry_t *addr; - bool found = FALSE, changed = FALSE, roam = FALSE; - int i; - - for (i = 1; i < (1 << RTAX_MAX); i <<= 1) - { - if (ifa->ifam_addrs & i) - { - if (RTA_IFA & i) - { - host = host_create_from_sockaddr(sockaddr); - break; - } - sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len); - } - } - - if (!host) - { - return; - } - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - if (iface->ifindex == ifa->ifam_index) - { - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, &addr)) - { - if (host->ip_equals(host, addr->ip)) - { - found = TRUE; - if (ifa->ifam_type == RTM_DELADDR) - { - iface->addrs->remove_at(iface->addrs, addrs); - if (!addr->virtual) - { - changed = TRUE; - DBG1(DBG_KNL, "%H disappeared from %s", - host, iface->ifname); - } - addr_entry_destroy(addr); - } - else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual) - { - addr->refcount = 1; - } - } - } - addrs->destroy(addrs); - - if (!found && ifa->ifam_type == RTM_NEWADDR) - { - changed = TRUE; - addr = malloc_thing(addr_entry_t); - addr->ip = host->clone(host); - addr->virtual = FALSE; - addr->refcount = 1; - iface->addrs->insert_last(iface->addrs, addr); - DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname); - } - - if (changed && (iface->flags & IFF_UP)) - { - roam = TRUE; - } - break; - } - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - host->destroy(host); - - if (roam) - { - fire_roam_job(this, TRUE); - } -} - -/** - * Process an RTM_IFINFO message from the kernel - */ -static void process_link(private_kernel_pfroute_net_t *this, - struct rt_msghdr *hdr) -{ - struct if_msghdr *msg = (struct if_msghdr*)hdr; - enumerator_t *enumerator; - iface_entry_t *iface; - bool roam = FALSE; - - if (msg->ifm_flags & IFF_LOOPBACK) - { /* ignore loopback interfaces */ - return; - } - - this->mutex->lock(this->mutex); - enumerator = this->ifaces->create_enumerator(this->ifaces); - while (enumerator->enumerate(enumerator, &iface)) - { - if (iface->ifindex == msg->ifm_index) - { - if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP)) - { - roam = TRUE; - DBG1(DBG_KNL, "interface %s activated", iface->ifname); - } - else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP)) - { - roam = TRUE; - DBG1(DBG_KNL, "interface %s deactivated", iface->ifname); - } - iface->flags = msg->ifm_flags; - break; - } - } - enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); - - if (roam) - { - fire_roam_job(this, TRUE); - } -} - -/** - * Process an RTM_*ROUTE message from the kernel - */ -static void process_route(private_kernel_pfroute_net_t *this, - struct rt_msghdr *msg) -{ - -} - -/** - * Receives events from kernel - */ -static job_requeue_t receive_events(private_kernel_pfroute_net_t *this) -{ - unsigned char buf[PFROUTE_BUFFER_SIZE]; - struct rt_msghdr *msg = (struct rt_msghdr*)buf; - int len; - bool oldstate; - - oldstate = thread_cancelability(TRUE); - len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); - thread_cancelability(oldstate); - - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return JOB_REQUEUE_DIRECT; - case EAGAIN: - /* no data ready, select again */ - return JOB_REQUEUE_DIRECT; - default: - DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket"); - sleep(1); - return JOB_REQUEUE_FAIR; - } - } - - if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen || - msg->rtm_version != RTM_VERSION) - { - DBG2(DBG_KNL, "received corrupted PF_ROUTE message"); - return JOB_REQUEUE_DIRECT; - } - - switch (msg->rtm_type) - { - case RTM_NEWADDR: - case RTM_DELADDR: - process_addr(this, msg); - break; - case RTM_IFINFO: - /*case RTM_IFANNOUNCE <- what about this*/ - process_link(this, msg); - break; - case RTM_ADD: - case RTM_DELETE: - process_route(this, msg); - default: - break; - } - - return JOB_REQUEUE_DIRECT; -} - - -/** enumerator over addresses */ -typedef struct { - private_kernel_pfroute_net_t* this; - /** whether to enumerate down interfaces */ - bool include_down_ifaces; - /** whether to enumerate virtual ip addresses */ - bool include_virtual_ips; -} address_enumerator_t; - -/** - * cleanup function for address enumerator - */ -static void address_enumerator_destroy(address_enumerator_t *data) -{ - data->this->mutex->unlock(data->this->mutex); - free(data); -} - -/** - * filter for addresses - */ -static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out) -{ - host_t *ip; - if (!data->include_virtual_ips && (*in)->virtual) - { /* skip virtual interfaces added by us */ - return FALSE; - } - ip = (*in)->ip; - if (ip->get_family(ip) == AF_INET6) - { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip); - if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) - { /* skip addresses with a unusable scope */ - return FALSE; - } - } - *out = ip; - return TRUE; -} - -/** - * enumerator constructor for interfaces - */ -static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data) -{ - return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs), - (void*)filter_addresses, data, NULL); -} - -/** - * filter for interfaces - */ -static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out) -{ - if (!data->include_down_ifaces && !((*in)->flags & IFF_UP)) - { /* skip interfaces not up */ - return FALSE; - } - *out = *in; - return TRUE; -} - -/** - * implementation of kernel_net_t.create_address_enumerator - */ -static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this, - bool include_down_ifaces, bool include_virtual_ips) -{ - address_enumerator_t *data = malloc_thing(address_enumerator_t); - data->this = this; - data->include_down_ifaces = include_down_ifaces; - data->include_virtual_ips = include_virtual_ips; - - this->mutex->lock(this->mutex); - return enumerator_create_nested( - enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), - (void*)filter_interfaces, data, NULL), - (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy); -} - -/** - * implementation of kernel_net_t.get_interface_name - */ -static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip) -{ - enumerator_t *ifaces, *addrs; - iface_entry_t *iface; - addr_entry_t *addr; - char *name = NULL; - - DBG2(DBG_KNL, "getting interface name for %H", ip); - - this->mutex->lock(this->mutex); - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, &addr)) - { - if (ip->ip_equals(ip, addr->ip)) - { - name = strdup(iface->ifname); - break; - } - } - addrs->destroy(addrs); - if (name) - { - break; - } - } - ifaces->destroy(ifaces); - this->mutex->unlock(this->mutex); - - if (name) - { - DBG2(DBG_KNL, "%H is on interface %s", ip, name); - } - else - { - DBG2(DBG_KNL, "%H is not a local address", ip); - } - return name; -} - -/** - * Implementation of kernel_net_t.get_source_addr. - */ -static host_t* get_source_addr(private_kernel_pfroute_net_t *this, - host_t *dest, host_t *src) -{ - return NULL; -} - -/** - * Implementation of kernel_net_t.get_nexthop. - */ -static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest) -{ - return NULL; -} - -/** - * Implementation of kernel_net_t.add_ip. - */ -static status_t add_ip(private_kernel_pfroute_net_t *this, - host_t *virtual_ip, host_t *iface_ip) -{ - return FAILED; -} - -/** - * Implementation of kernel_net_t.del_ip. - */ -static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip) -{ - return FAILED; -} - -/** - * Implementation of kernel_net_t.add_route. - */ -static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) -{ - return FAILED; -} - -/** - * Implementation of kernel_net_t.del_route. - */ -static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) -{ - return FAILED; -} - -/** - * Initialize a list of local addresses. - */ -static status_t init_address_list(private_kernel_pfroute_net_t *this) -{ - struct ifaddrs *ifap, *ifa; - iface_entry_t *iface, *current; - addr_entry_t *addr; - enumerator_t *ifaces, *addrs; - - DBG1(DBG_KNL, "listening on interfaces:"); - - if (getifaddrs(&ifap) < 0) - { - DBG1(DBG_KNL, " failed to get interfaces!"); - return FAILED; - } - - for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) - { - if (ifa->ifa_addr == NULL) - { - continue; - } - switch(ifa->ifa_addr->sa_family) - { - case AF_LINK: - case AF_INET: - case AF_INET6: - { - if (ifa->ifa_flags & IFF_LOOPBACK) - { /* ignore loopback interfaces */ - continue; - } - - iface = NULL; - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, ¤t)) - { - if (streq(current->ifname, ifa->ifa_name)) - { - iface = current; - break; - } - } - ifaces->destroy(ifaces); - - if (!iface) - { - iface = malloc_thing(iface_entry_t); - memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ); - iface->ifindex = if_nametoindex(ifa->ifa_name); - iface->flags = ifa->ifa_flags; - iface->addrs = linked_list_create(); - this->ifaces->insert_last(this->ifaces, iface); - } - - if (ifa->ifa_addr->sa_family != AF_LINK) - { - addr = malloc_thing(addr_entry_t); - addr->ip = host_create_from_sockaddr(ifa->ifa_addr); - addr->virtual = FALSE; - addr->refcount = 1; - iface->addrs->insert_last(iface->addrs, addr); - } - } - } - } - freeifaddrs(ifap); - - ifaces = this->ifaces->create_enumerator(this->ifaces); - while (ifaces->enumerate(ifaces, &iface)) - { - if (iface->flags & IFF_UP) - { - DBG1(DBG_KNL, " %s", iface->ifname); - addrs = iface->addrs->create_enumerator(iface->addrs); - while (addrs->enumerate(addrs, (void**)&addr)) - { - DBG1(DBG_KNL, " %H", addr->ip); - } - addrs->destroy(addrs); - } - } - ifaces->destroy(ifaces); - - return SUCCESS; -} - -/** - * Implementation of kernel_netlink_net_t.destroy. - */ -static void destroy(private_kernel_pfroute_net_t *this) -{ - if (this->job) - { - this->job->cancel(this->job); - } - if (this->socket > 0) - { - close(this->socket); - } - if (this->socket_events) - { - close(this->socket_events); - } - this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy); - this->mutex->destroy(this->mutex); - this->mutex_pfroute->destroy(this->mutex_pfroute); - free(this); -} - -/* - * Described in header. - */ -kernel_pfroute_net_t *kernel_pfroute_net_create() -{ - private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t); - - /* public functions */ - this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name; - this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator; - this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr; - this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop; - this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip; - this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip; - this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route; - this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route; - - this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy; - - /* private members */ - this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); - this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT); - - this->seq = 0; - this->socket_events = 0; - this->job = NULL; - - /* create a PF_ROUTE socket to communicate with the kernel */ - this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); - if (this->socket < 0) - { - DBG1(DBG_KNL, "unable to create PF_ROUTE socket"); - destroy(this); - return NULL; - } - - /* create a PF_ROUTE socket to receive events */ - this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); - if (this->socket_events < 0) - { - DBG1(DBG_KNL, "unable to create PF_ROUTE event socket"); - destroy(this); - return NULL; - } - - this->job = callback_job_create((callback_job_cb_t)receive_events, - this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); - - if (init_address_list(this) != SUCCESS) - { - DBG1(DBG_KNL, "unable to get interface list"); - destroy(this); - return NULL; - } - - return &this->public; -} diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h deleted file mode 100644 index 10c3c9eb7..000000000 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) 2009 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup kernel_pfroute_net_i kernel_pfroute_net - * @{ @ingroup kernel_pfroute - */ - -#ifndef KERNEL_PFROUTE_NET_H_ -#define KERNEL_PFROUTE_NET_H_ - -#include <kernel/kernel_net.h> - -typedef struct kernel_pfroute_net_t kernel_pfroute_net_t; - -/** - * Implementation of the kernel net interface using PF_ROUTE. - */ -struct kernel_pfroute_net_t { - - /** - * Implements kernel_net_t interface - */ - kernel_net_t interface; -}; - -/** - * Create a PF_ROUTE kernel net interface instance. - * - * @return kernel_pfroute_net_t instance - */ -kernel_pfroute_net_t *kernel_pfroute_net_create(); - -#endif /** KERNEL_PFROUTE_NET_H_ @}*/ diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c deleted file mode 100644 index 97139fb56..000000000 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright (C) 2009 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include "kernel_pfroute_plugin.h" - -#include "kernel_pfroute_net.h" - -#include <daemon.h> - -typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t; - -/** - * private data of kernel PF_ROUTE plugin - */ -struct private_kernel_pfroute_plugin_t { - /** - * implements plugin interface - */ - kernel_pfroute_plugin_t public; -}; - -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_pfroute_plugin_t *this) -{ - charon->kernel_interface->remove_net_interface(charon->kernel_interface, - (kernel_net_constructor_t)kernel_pfroute_net_create); - free(this); -} - -/* - * see header file - */ -plugin_t *kernel_pfroute_plugin_create() -{ - private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - - charon->kernel_interface->add_net_interface(charon->kernel_interface, - (kernel_net_constructor_t)kernel_pfroute_net_create); - - return &this->public.plugin; -} diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am new file mode 100644 index 000000000..6428361fc --- /dev/null +++ b/src/libcharon/plugins/led/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-led.la +else +plugin_LTLIBRARIES = libstrongswan-led.la +endif + +libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \ + led_listener.h led_listener.c + +libstrongswan_led_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libcharon/plugins/led/Makefile.in index 9cac89ec3..a4e529d89 100644 --- a/src/libcharon/plugins/kernel_klips/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_klips +subdir = src/libcharon/plugins/led DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -73,18 +74,14 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_kernel_klips_la_LIBADD = -am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \ - kernel_klips_ipsec.lo -libstrongswan_kernel_klips_la_OBJECTS = \ - $(am_libstrongswan_kernel_klips_la_OBJECTS) -libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_kernel_klips_la_rpath = -rpath \ -@MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_kernel_klips_la_rpath = +libstrongswan_led_la_LIBADD = +am_libstrongswan_led_la_OBJECTS = led_plugin.lo led_listener.lo +libstrongswan_led_la_OBJECTS = $(am_libstrongswan_led_la_OBJECTS) +libstrongswan_led_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_led_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_led_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_led_la_rpath = DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -98,8 +95,8 @@ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -SOURCES = $(libstrongswan_kernel_klips_la_SOURCES) -DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES) +SOURCES = $(libstrongswan_led_la_SOURCES) +DIST_SOURCES = $(libstrongswan_led_la_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -168,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +198,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +223,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +255,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -262,13 +274,12 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la -libstrongswan_kernel_klips_la_SOURCES = \ - kernel_klips_plugin.h kernel_klips_plugin.c \ - kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-led.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-led.la +libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \ + led_listener.h led_listener.c -libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version +libstrongswan_led_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: @@ -282,9 +293,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile + $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -343,8 +354,8 @@ clean-pluginLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) - $(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS) +libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) + $(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -352,8 +363,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_ipsec.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_plugin.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/led/led_listener.c b/src/libcharon/plugins/led/led_listener.c new file mode 100644 index 000000000..18def8005 --- /dev/null +++ b/src/libcharon/plugins/led/led_listener.c @@ -0,0 +1,241 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "led_listener.h" + +#include <errno.h> + +#include <daemon.h> +#include <threading/mutex.h> +#include <processing/jobs/callback_job.h> + +typedef struct private_led_listener_t private_led_listener_t; + +/** + * Private data of an led_listener_t object. + */ +struct private_led_listener_t { + + /** + * Public led_listener_t interface. + */ + led_listener_t public; + + /** + * Mutex + */ + mutex_t *mutex; + + /** + * Number of established IKE_SAs + */ + int count; + + /** + * LED blink on/off time, in ms + */ + int blink_time; + + /** + * Activity LED fd, if any + */ + FILE *activity; + + /** + * Activity LED maximum brightness + */ + int activity_max; +}; + +/** + * Open a LED brightness control file, get max brightness + */ +static FILE *open_led(char *name, int *max_brightness) +{ + char path[PATH_MAX]; + FILE *f; + + if (!name) + { + return NULL; + } + + *max_brightness = 1; + snprintf(path, sizeof(path), "/sys/class/leds/%s/max_brightness", name); + f = fopen(path, "r"); + if (f) + { + if (fscanf(f, "%d\n", max_brightness) != 1) + { + DBG1(DBG_CFG, "reading max brightness for '%s' failed: %s, using 1", + name, strerror(errno)); + } + fclose(f); + } + else + { + DBG1(DBG_CFG, "reading max_brightness for '%s' failed: %s, using 1", + name, strerror(errno)); + } + + snprintf(path, sizeof(path), "/sys/class/leds/%s/brightness", name); + f = fopen(path, "w"); + if (!f) + { + DBG1(DBG_CFG, "opening LED file '%s' failed: %s", path, strerror(errno)); + } + return f; +} + +/** + * Set a LED to a given brightness + */ +static void set_led(FILE *led, int brightness) +{ + if (led) + { + if (fprintf(led, "%d\n", brightness) <= 0 || + fflush(led) != 0) + { + DBG1(DBG_CFG, "setting LED brightness failed: %s", strerror(errno)); + } + } +} + +/** + * Plugin unloaded? + */ +static bool plugin_gone = FALSE; + +/** + * Reset activity LED after timeout + */ +static job_requeue_t reset_activity_led(private_led_listener_t *this) +{ + if (!plugin_gone) + { /* TODO: fix race */ + this->mutex->lock(this->mutex); + if (this->count) + { + set_led(this->activity, this->activity_max); + } + else + { + set_led(this->activity, 0); + } + this->mutex->unlock(this->mutex); + } + return JOB_REQUEUE_NONE; +} + +/** + * Blink the activity LED + */ +static void blink_activity(private_led_listener_t *this) +{ + if (this->activity) + { + this->mutex->lock(this->mutex); + if (this->count) + { + set_led(this->activity, 0); + } + else + { + set_led(this->activity, this->activity_max); + } + lib->scheduler->schedule_job_ms(lib->scheduler, + (job_t*)callback_job_create((callback_job_cb_t)reset_activity_led, + this, NULL, NULL), this->blink_time); + this->mutex->unlock(this->mutex); + } +} + +METHOD(listener_t, ike_state_change, bool, + private_led_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) +{ + this->mutex->lock(this->mutex); + if (state == IKE_ESTABLISHED && ike_sa->get_state(ike_sa) != IKE_ESTABLISHED) + { + this->count++; + if (this->count == 1) + { + set_led(this->activity, this->activity_max); + } + } + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && state != IKE_ESTABLISHED) + { + this->count--; + if (this->count == 0) + { + set_led(this->activity, 0); + } + } + this->mutex->unlock(this->mutex); + return TRUE; +} + +METHOD(listener_t, message_hook, bool, + private_led_listener_t *this, ike_sa_t *ike_sa, + message_t *message, bool incoming) +{ + if (incoming || message->get_request(message)) + { + blink_activity(this); + } + return TRUE; +} + +METHOD(led_listener_t, destroy, void, + private_led_listener_t *this) +{ + this->mutex->lock(this->mutex); + set_led(this->activity, 0); + plugin_gone = TRUE; + this->mutex->unlock(this->mutex); + if (this->activity) + { + fclose(this->activity); + } + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +led_listener_t *led_listener_create() +{ + private_led_listener_t *this; + + INIT(this, + .public = { + .listener = { + .ike_state_change = _ike_state_change, + .message = _message_hook, + }, + .destroy = _destroy, + }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .blink_time = lib->settings->get_int(lib->settings, + "charon.plugins.led.blink_time", 50), + ); + + this->activity = open_led(lib->settings->get_str(lib->settings, + "charon.plugins.led.activity_led", NULL), &this->activity_max); + set_led(this->activity, 0); + + return &this->public; +} diff --git a/src/libcharon/plugins/led/led_listener.h b/src/libcharon/plugins/led/led_listener.h new file mode 100644 index 000000000..05ae28275 --- /dev/null +++ b/src/libcharon/plugins/led/led_listener.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup led_listener led_listener + * @{ @ingroup led + */ + +#ifndef LED_LISTENER_H_ +#define LED_LISTENER_H_ + +#include <bus/listeners/listener.h> + +typedef struct led_listener_t led_listener_t; + +/** + * Listener that controls LEDs based on IKEv2 activity/state. + */ +struct led_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Destroy a led_listener_t. + */ + void (*destroy)(led_listener_t *this); +}; + +/** + * Create a led_listener instance. + */ +led_listener_t *led_listener_create(); + +#endif /** LED_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/led/led_plugin.c b/src/libcharon/plugins/led/led_plugin.c new file mode 100644 index 000000000..322d198ff --- /dev/null +++ b/src/libcharon/plugins/led/led_plugin.c @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "led_plugin.h" + +#include "led_listener.h" + +#include <daemon.h> + +typedef struct private_led_plugin_t private_led_plugin_t; + +/** + * private data of led plugin + */ +struct private_led_plugin_t { + + /** + * implements plugin interface + */ + led_plugin_t public; + + /** + * Listener controlling LEDs + */ + led_listener_t *listener; +}; + +METHOD(plugin_t, destroy, void, + private_led_plugin_t *this) +{ + charon->bus->remove_listener(charon->bus, &this->listener->listener); + this->listener->destroy(this->listener); + free(this); +} + +/** + * Plugin constructor + */ +plugin_t *led_plugin_create() +{ + private_led_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .listener = led_listener_create(), + ); + + charon->bus->add_listener(charon->bus, &this->listener->listener); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libcharon/plugins/led/led_plugin.h index 50642a572..a7449addd 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h +++ b/src/libcharon/plugins/led/led_plugin.h @@ -1,6 +1,6 @@ /* - * Copyright (C) 2009 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -14,24 +14,24 @@ */ /** - * @defgroup kernel_pfroute kernel_pfroute + * @defgroup led led * @ingroup cplugins * - * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin - * @{ @ingroup kernel_pfroute + * @defgroup led_plugin led_plugin + * @{ @ingroup led */ -#ifndef KERNEL_PFROUTE_PLUGIN_H_ -#define KERNEL_PFROUTE_PLUGIN_H_ +#ifndef LED_PLUGIN_H_ +#define LED_PLUGIN_H_ #include <plugins/plugin.h> -typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t; +typedef struct led_plugin_t led_plugin_t; /** - * PF_ROUTE kernel interface plugin + * Linux LED control based on IKE activity/state. */ -struct kernel_pfroute_plugin_t { +struct led_plugin_t { /** * implements plugin interface @@ -39,4 +39,4 @@ struct kernel_pfroute_plugin_t { plugin_t plugin; }; -#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/ +#endif /** LED_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index d049bb41b..85db9a10b 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -201,14 +204,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -248,7 +261,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index 43c0ef009..aece95e12 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t { METHOD(kernel_ipsec_t, get_spi, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { *spi = ++this->spi; return SUCCESS; @@ -51,7 +51,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, @@ -61,7 +61,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, + private_load_tester_ipsec_t *this, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, bool encap, bool new_encap, mark_t mark) { @@ -70,14 +70,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) { return NOT_SUPPORTED; } METHOD(kernel_ipsec_t, del_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { return SUCCESS; } @@ -85,9 +85,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool routed) + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, bool routed) { return SUCCESS; } diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c index 96b0cf1ec..cf6dd0562 100644 --- a/src/libcharon/plugins/load_tester/load_tester_listener.c +++ b/src/libcharon/plugins/load_tester/load_tester_listener.c @@ -59,7 +59,7 @@ static bool ike_state_change(private_load_tester_listener_t *this, if (this->delete_after_established) { - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)delete_ike_sa_job_create(id, TRUE)); } diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index 15dbccb00..cb9b80c7f 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -22,6 +22,7 @@ #include <unistd.h> +#include <hydra.h> #include <daemon.h> #include <processing/jobs/callback_job.h> #include <threading/condvar.h> @@ -155,7 +156,7 @@ static void destroy(private_load_tester_plugin_t *this) this->condvar->wait(this->condvar, this->mutex); } this->mutex->unlock(this->mutex); - charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, + hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)load_tester_ipsec_create); charon->backends->remove_backend(charon->backends, &this->config->backend); lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set); @@ -215,13 +216,13 @@ plugin_t *load_tester_plugin_create() if (lib->settings->get_bool(lib->settings, "charon.plugins.load-tester.fake_kernel", FALSE)) { - charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, + hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)load_tester_ipsec_create); } this->running = 0; for (i = 0; i < this->initiators; i++) { - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)callback_job_create((callback_job_cb_t)do_load_test, this, NULL, NULL)); } diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am new file mode 100644 index 000000000..ed6c76c0f --- /dev/null +++ b/src/libcharon/plugins/maemo/Makefile.am @@ -0,0 +1,23 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon ${maemo_CFLAGS} + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-maemo.la +else +plugin_LTLIBRARIES = libstrongswan-maemo.la +endif + +libstrongswan_maemo_la_SOURCES = \ + maemo_plugin.h maemo_plugin.c \ + maemo_service.h maemo_service.c + +libstrongswan_maemo_la_LDFLAGS = -module -avoid-version +libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} + +dbusservice_DATA = org.strongswan.charon.service + +EXTRA_DIST = $(dbusservice_DATA) + diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in new file mode 100644 index 000000000..978950d22 --- /dev/null +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -0,0 +1,631 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/maemo +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" \ + "$(DESTDIR)$(dbusservicedir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +libstrongswan_maemo_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_maemo_la_OBJECTS = maemo_plugin.lo maemo_service.lo +libstrongswan_maemo_la_OBJECTS = $(am_libstrongswan_maemo_la_OBJECTS) +libstrongswan_maemo_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_maemo_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_maemo_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_maemo_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_maemo_la_SOURCES) +DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES) +DATA = $(dbusservice_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon ${maemo_CFLAGS} + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-maemo.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-maemo.la +libstrongswan_maemo_la_SOURCES = \ + maemo_plugin.h maemo_plugin.c \ + maemo_service.h maemo_service.c + +libstrongswan_maemo_la_LDFLAGS = -module -avoid-version +libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} +dbusservice_DATA = org.strongswan.charon.service +EXTRA_DIST = $(dbusservice_DATA) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) + $(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_service.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dbusserviceDATA: $(dbusservice_DATA) + @$(NORMAL_INSTALL) + test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)" + @list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbusservicedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(dbusservicedir)" || exit $$?; \ + done + +uninstall-dbusserviceDATA: + @$(NORMAL_UNINSTALL) + @list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(dbusservicedir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(dbusservicedir)" && rm -f $$files + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(dbusservicedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-dbusserviceDATA install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dbusserviceDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-pluginLTLIBRARIES \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-dbusserviceDATA \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libcharon/plugins/maemo/maemo_plugin.c new file mode 100644 index 000000000..d4549f43a --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_plugin.c @@ -0,0 +1,70 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "maemo_plugin.h" +#include "maemo_service.h" + +#include <daemon.h> + +typedef struct private_maemo_plugin_t private_maemo_plugin_t; + +/** + * private data of maemo plugin + */ +struct private_maemo_plugin_t { + + /** + * implements plugin interface + */ + maemo_plugin_t public; + + /** + * service + */ + maemo_service_t *service; + +}; + +METHOD(plugin_t, destroy, void, + private_maemo_plugin_t *this) +{ + this->service->destroy(this->service); + free(this); +} + +/* + * See header + */ +plugin_t *maemo_plugin_create() +{ + private_maemo_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); + + this->service = maemo_service_create(); + if (!this->service) + { + return NULL; + } + + return &this->public.plugin; +} + diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h b/src/libcharon/plugins/maemo/maemo_plugin.h index 6086217ad..23d139b49 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h +++ b/src/libcharon/plugins/maemo/maemo_plugin.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2010 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -14,24 +14,24 @@ */ /** - * @defgroup kernel_klips kernel_klips + * @defgroup maemo maemo * @ingroup cplugins * - * @defgroup kernel_klips_plugin kernel_klips_plugin - * @{ @ingroup kernel_klips + * @defgroup maemo_plugin maemo_plugin + * @{ @ingroup maemo */ -#ifndef KERNEL_KLIPS_PLUGIN_H_ -#define KERNEL_KLIPS_PLUGIN_H_ +#ifndef MAEMO_PLUGIN_H_ +#define MAEMO_PLUGIN_H_ #include <plugins/plugin.h> -typedef struct kernel_klips_plugin_t kernel_klips_plugin_t; +typedef struct maemo_plugin_t maemo_plugin_t; /** - * PF_KEY kernel interface plugin + * Maemo integration plugin. */ -struct kernel_klips_plugin_t { +struct maemo_plugin_t { /** * implements plugin interface @@ -39,4 +39,4 @@ struct kernel_klips_plugin_t { plugin_t plugin; }; -#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/ +#endif /** MAEMO_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c new file mode 100644 index 000000000..efd914a00 --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_service.c @@ -0,0 +1,510 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <glib.h> +#include <libosso.h> +#include <sys/stat.h> + +#include "maemo_service.h" + +#include <daemon.h> +#include <credentials/sets/mem_cred.h> +#include <processing/jobs/callback_job.h> + +#define OSSO_STATUS_NAME "status" +#define OSSO_STATUS_SERVICE "org.strongswan."OSSO_STATUS_NAME +#define OSSO_STATUS_OBJECT "/org/strongswan/"OSSO_STATUS_NAME +#define OSSO_STATUS_IFACE "org.strongswan."OSSO_STATUS_NAME + +#define OSSO_CHARON_NAME "charon" +#define OSSO_CHARON_SERVICE "org.strongswan."OSSO_CHARON_NAME +#define OSSO_CHARON_OBJECT "/org/strongswan/"OSSO_CHARON_NAME +#define OSSO_CHARON_IFACE "org.strongswan."OSSO_CHARON_NAME + +#define MAEMO_COMMON_CA_DIR "/etc/certs/common-ca" +#define MAEMO_USER_CA_DIR "/home/user/.maemosec-certs/wifi-ca" +/* there is also an smime-ca and an ssl-ca sub-directory and the same for + * ...-user, which store end user/server certificates */ + +typedef enum { + VPN_STATUS_DISCONNECTED, + VPN_STATUS_CONNECTING, + VPN_STATUS_CONNECTED, + VPN_STATUS_AUTH_FAILED, + VPN_STATUS_CONNECTION_FAILED, +} vpn_status_t; + +typedef struct private_maemo_service_t private_maemo_service_t; + +/** + * private data of maemo service + */ +struct private_maemo_service_t { + + /** + * public interface + */ + maemo_service_t public; + + /** + * credentials + */ + mem_cred_t *creds; + + /** + * Glib main loop for a thread, handles DBUS calls + */ + GMainLoop *loop; + + /** + * Context for OSSO + */ + osso_context_t *context; + + /** + * Current IKE_SA + */ + ike_sa_t *ike_sa; + + /** + * Status of the current connection + */ + vpn_status_t status; + + /** + * Name of the current connection + */ + gchar *current; + +}; + +static gint change_status(private_maemo_service_t *this, int status) +{ + osso_rpc_t retval; + gint res; + this->status = status; + res = osso_rpc_run (this->context, OSSO_STATUS_SERVICE, OSSO_STATUS_OBJECT, + OSSO_STATUS_IFACE, "StatusChanged", &retval, + DBUS_TYPE_INT32, status, + DBUS_TYPE_INVALID); + return res; +} + +METHOD(listener_t, ike_updown, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, bool up) +{ + /* this callback is only registered during initiation, so if the IKE_SA + * goes down we assume an authentication error */ + if (this->ike_sa == ike_sa && !up) + { + change_status(this, VPN_STATUS_AUTH_FAILED); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_state_change, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + child_sa_state_t state) +{ + /* this call back is only registered during initiation */ + if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + change_status(this, VPN_STATUS_CONNECTION_FAILED); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_updown, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (this->ike_sa == ike_sa) + { + if (up) + { + /* disable hooks registered to catch initiation failures */ + this->public.listener.ike_updown = NULL; + this->public.listener.child_state_change = NULL; + change_status(this, VPN_STATUS_CONNECTED); + } + else + { + change_status(this, VPN_STATUS_CONNECTION_FAILED); + return FALSE; + } + } + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_maemo_service_t *this, ike_sa_t *old, ike_sa_t *new) +{ + if (this->ike_sa == old) + { + this->ike_sa = new; + } + return TRUE; +} + +/** + * load all CA certificates in the given directory + */ +static void load_ca_dir(private_maemo_service_t *this, char *dir) +{ + enumerator_t *enumerator; + char *rel, *abs; + struct stat st; + + enumerator = enumerator_create_directory(dir); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &rel, &abs, &st)) + { + if (rel[0] != '.') + { + if (S_ISREG(st.st_mode)) + { + certificate_t *cert; + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, abs, + BUILD_END); + if (!cert) + { + DBG1(DBG_CFG, "loading CA certificate '%s' failed", + abs); + continue; + } + DBG2(DBG_CFG, "loaded CA certificate '%Y'", + cert->get_subject(cert)); + this->creds->add_cert(this->creds, TRUE, cert); + } + } + } + enumerator->destroy(enumerator); + } +} + +static void disconnect(private_maemo_service_t *this) +{ + ike_sa_t *ike_sa; + u_int id; + + if (!this->current) + { + return; + } + + /* avoid status updates, as this is called from the Glib main loop */ + charon->bus->remove_listener(charon->bus, &this->public.listener); + + ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager, + this->current, FALSE); + if (ike_sa) + { + id = ike_sa->get_unique_id(ike_sa); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + charon->controller->terminate_ike(charon->controller, id, + NULL, NULL); + } + this->current = (g_free(this->current), NULL); + this->status = VPN_STATUS_DISCONNECTED; +} + +static gboolean initiate_connection(private_maemo_service_t *this, + GArray *arguments) +{ + gint i; + gchar *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL; + identification_t *gateway = NULL, *user = NULL; + ike_sa_t *ike_sa; + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + traffic_selector_t *ts; + auth_cfg_t *auth; + certificate_t *cert; + lifetime_cfg_t lifetime = { + .time = { + .life = 10800, /* 3h */ + .rekey = 10200, /* 2h50min */ + .jitter = 300 /* 5min */ + } + }; + + if (this->status == VPN_STATUS_CONNECTED || + this->status == VPN_STATUS_CONNECTING) + { + DBG1(DBG_CFG, "currently connected to '%s', disconnecting first", + this->current); + disconnect (this); + } + + if (arguments->len != 5) + { + DBG1(DBG_CFG, "wrong number of arguments: %d", arguments->len); + return FALSE; + } + + for (i = 0; i < arguments->len; i++) + { + osso_rpc_t *arg = &g_array_index(arguments, osso_rpc_t, i); + if (arg->type != DBUS_TYPE_STRING) + { + DBG1(DBG_CFG, "invalid argument [%d]: %d", i, arg->type); + return FALSE; + } + switch (i) + { + case 0: /* name */ + this->current = (g_free(this->current), NULL); + this->current = g_strdup(arg->value.s); + break; + case 1: /* hostname */ + hostname = arg->value.s; + break; + case 2: /* CA certificate path */ + cacert = arg->value.s; + break; + case 3: /* username */ + username = arg->value.s; + break; + case 4: /* password */ + password = arg->value.s; + break; + } + } + + DBG1(DBG_CFG, "received initiate for connection '%s'", this->current); + + this->creds->clear(this->creds); + + if (cacert && !streq(cacert, "")) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, cacert, BUILD_END); + if (cert) + { + this->creds->add_cert(this->creds, TRUE, cert); + } + else + { + DBG1(DBG_CFG, "failed to load CA certificate"); + } + /* if this is a server cert we could use the cert subject as id */ + } + else + { + load_ca_dir(this, MAEMO_COMMON_CA_DIR); + load_ca_dir(this, MAEMO_USER_CA_DIR); + } + + gateway = identification_create_from_string(hostname); + DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway); + + { + shared_key_t *shared_key; + chunk_t secret = chunk_create(password, strlen(password)); + user = identification_create_from_string(username); + shared_key = shared_key_create(SHARED_EAP, chunk_clone(secret)); + this->creds->add_shared(this->creds, shared_key, user->clone(user), + NULL); + } + + ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, + hostname, IKEV2_UDP_PORT); + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + + peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED, + UNIQUE_REPLACE, 1, /* keyingtries */ + 36000, 0, /* rekey 10h, reauth none */ + 600, 600, /* jitter, over 10min */ + TRUE, 0, /* mobike, DPD */ + host_create_from_string("0.0.0.0", 0) /* virt */, + NULL, FALSE, NULL, NULL); /* pool, mediation */ + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); + auth->add(auth, AUTH_RULE_IDENTITY, user); + peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + auth->add(auth, AUTH_RULE_IDENTITY, gateway); + peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); + + child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */, + TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, + FALSE, 0, 0, NULL, NULL); + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0", + 0, "255.255.255.255", 65535); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + /* get an additional reference because initiate consumes one */ + child_cfg->get_ref(child_cfg); + + /* get us an IKE_SA */ + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + peer_cfg); + if (!ike_sa->get_peer_cfg(ike_sa)) + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + } + peer_cfg->destroy(peer_cfg); + + /* store the IKE_SA, so we can track its progress */ + this->ike_sa = ike_sa; + this->status = VPN_STATUS_CONNECTING; + this->public.listener.ike_updown = _ike_updown; + this->public.listener.child_state_change = _child_state_change; + charon->bus->add_listener(charon->bus, &this->public.listener); + + if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) + { + DBG1(DBG_CFG, "failed to initiate tunnel"); + charon->bus->remove_listener(charon->bus, &this->public.listener); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + this->status = VPN_STATUS_CONNECTION_FAILED; + return FALSE; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return TRUE; +} + +/** + * Callback for libosso dbus wrapper + */ +static gint dbus_req_handler(const gchar *interface, const gchar *method, + GArray *arguments, private_maemo_service_t *this, + osso_rpc_t *retval) +{ + if (streq(method, "Start")) + { /* void start (void), dummy function to start charon as root */ + return OSSO_OK; + } + else if (streq(method, "Connect")) + { /* bool connect (name, host, cert, user, pass) */ + retval->value.b = initiate_connection(this, arguments); + retval->type = DBUS_TYPE_BOOLEAN; + } + else if (streq(method, "Disconnect")) + { /* void disconnect (void) */ + disconnect(this); + } + else + { + return OSSO_ERROR; + } + return OSSO_OK; +} + +/** + * Main loop to handle D-BUS messages. + */ +static job_requeue_t run(private_maemo_service_t *this) +{ + this->loop = g_main_loop_new(NULL, FALSE); + g_main_loop_run(this->loop); + return JOB_REQUEUE_NONE; +} + +METHOD(maemo_service_t, destroy, void, + private_maemo_service_t *this) +{ + if (this->loop) + { + if (g_main_loop_is_running(this->loop)) + { + g_main_loop_quit(this->loop); + } + g_main_loop_unref(this->loop); + } + if (this->context) + { + osso_rpc_unset_cb_f(this->context, + OSSO_CHARON_SERVICE, + OSSO_CHARON_OBJECT, + OSSO_CHARON_IFACE, + (osso_rpc_cb_f*)dbus_req_handler, + this); + osso_deinitialize(this->context); + } + charon->bus->remove_listener(charon->bus, &this->public.listener); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + this->creds->destroy(this->creds); + this->current = (g_free(this->current), NULL); + free(this); +} + +/* + * See header + */ +maemo_service_t *maemo_service_create() +{ + osso_return_t result; + private_maemo_service_t *this; + + INIT(this, + .public = { + .listener = { + .ike_updown = _ike_updown, + .child_state_change = _child_state_change, + .child_updown = _child_updown, + .ike_rekey = _ike_rekey, + }, + .destroy = _destroy, + }, + .creds = mem_cred_create(), + ); + + lib->credmgr->add_set(lib->credmgr, &this->creds->set); + + this->context = osso_initialize(OSSO_CHARON_SERVICE, "0.0.1", TRUE, NULL); + if (!this->context) + { + DBG1(DBG_CFG, "failed to initialize OSSO context"); + destroy(this); + return NULL; + } + + result = osso_rpc_set_cb_f(this->context, + OSSO_CHARON_SERVICE, + OSSO_CHARON_OBJECT, + OSSO_CHARON_IFACE, + (osso_rpc_cb_f*)dbus_req_handler, + this); + if (result != OSSO_OK) + { + DBG1(DBG_CFG, "failed to set D-BUS callback (%d)", result); + destroy(this); + return NULL; + } + + this->loop = NULL; + if (!g_thread_supported()) + { + g_thread_init(NULL); + } + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL)); + + return &this->public; +} + diff --git a/src/libcharon/plugins/maemo/maemo_service.h b/src/libcharon/plugins/maemo/maemo_service.h new file mode 100644 index 000000000..b0240cbaa --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_service.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup maemo_service maemo_service + * @{ @ingroup maemo + */ + +#ifndef MAEMO_SERVICE_H_ +#define MAEMO_SERVICE_H_ + +#include <bus/listeners/listener.h> + +typedef struct maemo_service_t maemo_service_t; + +/** + * Maemo connection management. + */ +struct maemo_service_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a maemo_service_t. + */ + void (*destroy)(maemo_service_t *this); +}; + +/** + * Create an instance of maemo_service_t. + */ +maemo_service_t *maemo_service_create(); + +#endif /** MAEMO_SERVICE_H_ @}*/ diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service new file mode 100644 index 000000000..7dd31ed60 --- /dev/null +++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service @@ -0,0 +1,4 @@ +[D-BUS Service] +Name=org.strongswan.charon +Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon +User=root diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index c26d325a9..6dcbc99dd 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 6cbaf36f2..870d87c7e 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -126,11 +126,11 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam med_cfg = peer_cfg_create( "mediation", 2, ike_cfg, CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, this->dpd, /* mobike, dpddelay */ - NULL, NULL, /* vip, pool */ - TRUE, NULL, NULL); /* mediation, med by, peer id */ + 1, this->rekey*60, 0, /* keytries, rekey, reauth */ + this->rekey*5, this->rekey*3, /* jitter, overtime */ + TRUE, this->dpd, /* mobike, dpddelay */ + NULL, NULL, /* vip, pool */ + TRUE, NULL, NULL); /* mediation, med by, peer id */ e->destroy(e); auth = auth_cfg_create(); @@ -163,10 +163,10 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam peer_cfg = peer_cfg_create( name, 2, this->ike->get_ref(this->ike), CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, this->dpd, /* mobike, dpddelay */ - NULL, NULL, /* vip, pool */ + 1, this->rekey*60, 0, /* keytries, rekey, reauth */ + this->rekey*5, this->rekey*3, /* jitter, overtime */ + TRUE, this->dpd, /* mobike, dpddelay */ + NULL, NULL, /* vip, pool */ FALSE, med_cfg, /* mediation, med by */ identification_create_from_encoding(ID_KEY_ID, other)); @@ -243,11 +243,11 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->current = peer_cfg_create( name, 2, this->ike->get_ref(this->ike), CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, this->dpd, /* mobike, dpddelay */ - NULL, NULL, /* vip, pool */ - FALSE, NULL, NULL); /* mediation, med by, peer id */ + 1, this->rekey*60, 0, /* keytries, rekey, reauth */ + this->rekey*5, this->rekey*3, /* jitter, overtime */ + TRUE, this->dpd, /* mobike, dpddelay */ + NULL, NULL, /* vip, pool */ + FALSE, NULL, NULL); /* mediation, med by, peer id */ auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); @@ -364,7 +364,7 @@ static void schedule_autoinit(private_medcli_config_t *this) if (peer_cfg) { /* schedule asynchronous initiation job */ - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)callback_job_create( (callback_job_cb_t)initiate_config, peer_cfg, (void*)peer_cfg->destroy, NULL)); diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index 4dc9c00d0..f6db7d834 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in index 1b3e4c5a6..2f5c20971 100644 --- a/src/libcharon/plugins/nm/Makefile.in +++ b/src/libcharon/plugins/nm/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -197,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -244,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c index 193838e6b..638787019 100644 --- a/src/libcharon/plugins/nm/nm_creds.c +++ b/src/libcharon/plugins/nm/nm_creds.c @@ -51,6 +51,16 @@ struct private_nm_creds_t { char *pass; /** + * Private key decryption password / smartcard pin + */ + char *keypass; + + /** + * private key ID of smartcard key + */ + chunk_t keyid; + + /** * users certificate */ certificate_t *usercert; @@ -239,8 +249,14 @@ static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key, return FALSE; } *key = this->key; - *me = ID_MATCH_PERFECT; - *other = ID_MATCH_ANY; + if (me) + { + *me = ID_MATCH_PERFECT; + } + if (other) + { + *other = ID_MATCH_ANY; + } this->done = TRUE; return TRUE; } @@ -262,18 +278,39 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, identification_t *other) { shared_enumerator_t *enumerator; + chunk_t key; - if (!this->pass || !this->user) + switch (type) { - return NULL; - } - if (type != SHARED_EAP && type != SHARED_IKE) - { - return NULL; - } - if (me && !me->equals(me, this->user)) - { - return NULL; + case SHARED_EAP: + case SHARED_IKE: + if (!this->pass || !this->user) + { + return NULL; + } + if (me && !me->equals(me, this->user)) + { + return NULL; + } + key = chunk_create(this->pass, strlen(this->pass)); + break; + case SHARED_PRIVATE_KEY_PASS: + if (!this->keypass) + { + return NULL; + } + key = chunk_create(this->keypass, strlen(this->keypass)); + break; + case SHARED_PIN: + if (!this->keypass || !me || + !chunk_equals(me->get_encoding(me), this->keyid)) + { + return NULL; + } + key = chunk_create(this->keypass, strlen(this->keypass)); + break; + default: + return NULL; } enumerator = malloc_thing(shared_enumerator_t); @@ -282,9 +319,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, enumerator->this = this; enumerator->done = FALSE; this->lock->read_lock(this->lock); - enumerator->key = shared_key_create(type, - chunk_clone(chunk_create(this->pass, - strlen(this->pass)))); + enumerator->key = shared_key_create(type, chunk_clone(key)); return &enumerator->public; } @@ -370,6 +405,30 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id } /** + * Implementation of nm_creds_t.set_key_password + */ +static void set_key_password(private_nm_creds_t *this, char *password) +{ + this->lock->write_lock(this->lock); + free(this->keypass); + this->keypass = password ? strdup(password) : NULL; + this->lock->unlock(this->lock); +} + +/** + * Implementation of nm_creds_t.set_pin + */ +static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin) +{ + this->lock->write_lock(this->lock); + free(this->keypass); + free(this->keyid.ptr); + this->keypass = pin ? strdup(pin) : NULL; + this->keyid = chunk_clone(keyid); + this->lock->unlock(this->lock); +} + +/** * Implementation of nm_creds_t.set_cert_and_key */ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert, @@ -396,12 +455,16 @@ static void clear(private_nm_creds_t *this) } DESTROY_IF(this->user); free(this->pass); + free(this->keypass); + free(this->keyid.ptr); DESTROY_IF(this->usercert); DESTROY_IF(this->key); this->key = NULL; this->usercert = NULL; this->pass = NULL; this->user = NULL; + this->keypass = NULL; + this->keyid = chunk_empty; } /** @@ -430,6 +493,8 @@ nm_creds_t *nm_creds_create() this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate; this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir; this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password; + this->public.set_key_password = (void(*)(nm_creds_t*, char *password))set_key_password; + this->public.set_pin = (void(*)(nm_creds_t*, chunk_t keyid, char *pin))set_pin; this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key; this->public.clear = (void(*)(nm_creds_t*))clear; this->public.destroy = (void(*)(nm_creds_t*))destroy; @@ -441,6 +506,8 @@ nm_creds_t *nm_creds_create() this->pass = NULL; this->usercert = NULL; this->key = NULL; + this->keypass = NULL; + this->keyid = chunk_empty; return &this->public; } diff --git a/src/libcharon/plugins/nm/nm_creds.h b/src/libcharon/plugins/nm/nm_creds.h index b55cff31e..91f645c7e 100644 --- a/src/libcharon/plugins/nm/nm_creds.h +++ b/src/libcharon/plugins/nm/nm_creds.h @@ -58,6 +58,22 @@ struct nm_creds_t { */ void (*set_username_password)(nm_creds_t *this, identification_t *id, char *password); + + /** + * Set the passphrase to use for private key decryption. + * + * @param password password to use + */ + void (*set_key_password)(nm_creds_t *this, char *password); + + /** + * Set the PIN to unlock a smartcard. + * + * @param keyid keyid of the smartcard key + * @param pin PIN + */ + void (*set_pin)(nm_creds_t *this, chunk_t keyid, char *pin); + /** * Set the certificate and private key to use for client authentication. * @@ -66,6 +82,7 @@ struct nm_creds_t { */ void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert, private_key_t *key); + /** * Clear the stored credentials. */ diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c index 250e6f7f9..fd0580bd6 100644 --- a/src/libcharon/plugins/nm/nm_plugin.c +++ b/src/libcharon/plugins/nm/nm_plugin.c @@ -122,7 +122,7 @@ plugin_t *nm_plugin_create() /* bypass file permissions to read from users ssh-agent */ charon->keep_cap(charon, CAP_DAC_OVERRIDE); - charon->processor->queue_job(charon->processor, + lib->processor->queue_job(lib->processor, (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL)); return &this->public.plugin; diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c index 07318bbbf..72c5bbbb5 100644 --- a/src/libcharon/plugins/nm/nm_service.c +++ b/src/libcharon/plugins/nm/nm_service.c @@ -204,6 +204,59 @@ static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new) } /** + * Find a certificate for which we have a private key on a smartcard + */ +static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv, + char *pin) +{ + enumerator_t *enumerator, *sans; + identification_t *id = NULL; + certificate_t *cert; + x509_t *x509; + private_key_t *key; + chunk_t keyid; + + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509, KEY_ANY, NULL, FALSE); + while (enumerator->enumerate(enumerator, &cert)) + { + x509 = (x509_t*)cert; + + /* there might be a lot of certificates, filter them by usage */ + if ((x509->get_flags(x509) & X509_CLIENT_AUTH) && + !(x509->get_flags(x509) & X509_CA)) + { + keyid = x509->get_subjectKeyIdentifier(x509); + if (keyid.ptr) + { + /* try to find a private key by the certificate keyid */ + priv->creds->set_pin(priv->creds, keyid, pin); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + KEY_ANY, BUILD_PKCS11_KEYID, keyid, BUILD_END); + if (key) + { + /* prefer a more convenient subjectAltName */ + sans = x509->create_subjectAltName_enumerator(x509); + if (!sans->enumerate(sans, &id)) + { + id = cert->get_subject(cert); + } + id = id->clone(id); + sans->destroy(sans); + + DBG1(DBG_CFG, "using smartcard certificate '%Y'", id); + priv->creds->set_cert_and_key(priv->creds, + cert->get_ref(cert), key); + break; + } + } + } + } + enumerator->destroy(enumerator); + return id; +} + +/** * Connect function called from NM via DBUS */ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, @@ -224,7 +277,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, auth_class_t auth_class = AUTH_CLASS_EAP; certificate_t *cert = NULL; x509_t *x509; - bool agent = FALSE; + bool agent = FALSE, smartcard = FALSE; lifetime_cfg_t lifetime = { .time = { .life = 10800 /* 3h */, @@ -279,6 +332,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { auth_class = AUTH_CLASS_PUBKEY; } + else if (streq(str, "smartcard")) + { + auth_class = AUTH_CLASS_PUBKEY; + smartcard = TRUE; + } } /** @@ -338,9 +396,26 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, if (auth_class == AUTH_CLASS_PUBKEY) { + if (smartcard) + { + char *pin; + + pin = (char*)nm_setting_vpn_get_secret(vpn, "password"); + if (pin) + { + user = find_smartcard_key(priv, pin); + } + if (!user) + { + g_set_error(err, NM_VPN_PLUGIN_ERROR, + NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, + "no usable smartcard certificate found."); + gateway->destroy(gateway); + return FALSE; + } + } /* ... or certificate/private key authenitcation */ - str = nm_setting_vpn_get_data_item(vpn, "usercert"); - if (str) + else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert"))) { public_key_t *public; private_key_t *private = NULL; @@ -380,16 +455,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, str = nm_setting_vpn_get_data_item(vpn, "userkey"); if (!agent && str) { - chunk_t secret; + char *secret; - secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password"); - if (secret.ptr) + secret = (char*)nm_setting_vpn_get_secret(vpn, "password"); + if (secret) { - secret.len = strlen(secret.ptr); + priv->creds->set_key_password(priv->creds, secret); } private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - KEY_RSA, BUILD_FROM_FILE, str, - BUILD_PASSPHRASE, secret, BUILD_END); + KEY_RSA, BUILD_FROM_FILE, str, BUILD_END); if (!private) { g_set_error(err, NM_VPN_PLUGIN_ERROR, @@ -524,17 +598,10 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, if (path) { private_key_t *key; - chunk_t secret; - secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password"); - if (secret.ptr) - { - secret.len = strlen(secret.ptr); - } /* try to load/decrypt the private key */ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - KEY_RSA, BUILD_FROM_FILE, path, - BUILD_PASSPHRASE, secret, BUILD_END); + KEY_RSA, BUILD_FROM_FILE, path, BUILD_END); if (key) { key->destroy(key); @@ -542,6 +609,13 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, } } } + else if streq(method, "smartcard") + { + if (nm_setting_vpn_get_secret(settings, "password")) + { + return FALSE; + } + } } *setting_name = NM_SETTING_VPN_SETTING_NAME; return TRUE; diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 35fb8367f..f24e2d1e7 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c index 64820eb45..60937f23d 100644 --- a/src/libcharon/plugins/smp/smp.c +++ b/src/libcharon/plugins/smp/smp.c @@ -702,7 +702,7 @@ static job_requeue_t dispatch(private_smp_t *this) fdp = malloc_thing(int); *fdp = fd; job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job); - charon->processor->queue_job(charon->processor, (job_t*)job); + lib->processor->queue_job(lib->processor, (job_t*)job); return JOB_REQUEUE_DIRECT; } @@ -761,7 +761,7 @@ plugin_t *smp_plugin_create() } this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index df63d862e..bd85386b2 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c index 45390ddae..b5dea68b6 100644 --- a/src/libcharon/plugins/socket_default/socket_default_plugin.c +++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -31,17 +33,13 @@ struct private_socket_default_plugin_t { */ socket_default_plugin_t public; - /** - * Socket instance. - */ - socket_default_socket_t *socket; }; METHOD(plugin_t, destroy, void, private_socket_default_plugin_t *this) { - charon->socket->remove_socket(charon->socket, &this->socket->socket); - this->socket->destroy(this->socket); + charon->socket->remove_socket(charon->socket, + (socket_constructor_t)socket_default_socket_create); free(this); } @@ -53,16 +51,15 @@ plugin_t *socket_default_plugin_create() private_socket_default_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, - .socket = socket_default_socket_create(), + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); - if (!this->socket) - { - free(this); - return NULL; - } - charon->socket->add_socket(charon->socket, &this->socket->socket); + charon->socket->add_socket(charon->socket, + (socket_constructor_t)socket_default_socket_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index bc998182e..e95646643 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -42,11 +42,12 @@ #include <sys/sysctl.h> #endif +#include <hydra.h> #include <daemon.h> #include <threading/thread.h> /* Maximum size of a packet */ -#define MAX_PACKET 5000 +#define MAX_PACKET 10000 /* length of non-esp marker */ #define MARKER_LEN sizeof(u_int32_t) @@ -116,12 +117,17 @@ struct private_socket_default_socket_t { * IPv6 socket for NATT (4500) */ int ipv6_natt; + + /** + * Maximum packet size to receive + */ + int max_packet; }; METHOD(socket_t, receiver, status_t, private_socket_default_socket_t *this, packet_t **packet) { - char buffer[MAX_PACKET]; + char buffer[this->max_packet]; chunk_t data; packet_t *pkt; host_t *source = NULL, *dest = NULL; @@ -195,7 +201,7 @@ METHOD(socket_t, receiver, status_t, msg.msg_name = &src; msg.msg_namelen = sizeof(src); iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); + iov.iov_len = this->max_packet; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = ancillary; @@ -207,6 +213,11 @@ METHOD(socket_t, receiver, status_t, DBG1(DBG_NET, "error reading socket: %s", strerror(errno)); return FAILED; } + if (msg.msg_flags & MSG_TRUNC) + { + DBG1(DBG_NET, "receive buffer too small, packet discarded"); + return FAILED; + } DBG3(DBG_NET, "received packet %b", buffer, bytes_read); if (bytes_read < MARKER_LEN) @@ -351,12 +362,6 @@ METHOD(socket_t, sender, status_t, if (data.len != 1 || data.ptr[0] != 0xFF) { /* add non esp marker to packet */ - if (data.len > MAX_PACKET - MARKER_LEN) - { - DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)", - data.len); - return FAILED; - } marked = chunk_alloc(data.len + MARKER_LEN); memset(marked.ptr, 0, MARKER_LEN); memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len); @@ -521,8 +526,8 @@ static int open_socket(private_socket_default_socket_t *this, } } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - skt, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + skt, family)) { DBG1(DBG_NET, "installing IKE bypass policy failed"); } @@ -541,7 +546,7 @@ static int open_socket(private_socket_default_socket_t *this, return skt; } -METHOD(socket_default_socket_t, destroy, void, +METHOD(socket_t, destroy, void, private_socket_default_socket_t *this) { if (this->ipv4) @@ -575,9 +580,11 @@ socket_default_socket_t *socket_default_socket_create() .socket = { .send = _sender, .receive = _receiver, + .destroy = _destroy, }, - .destroy = _destroy, }, + .max_packet = lib->settings->get_int(lib->settings, + "charon.max_packet", MAX_PACKET), ); #ifdef __APPLE__ diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.h b/src/libcharon/plugins/socket_default/socket_default_socket.h index 755016662..89aa6f435 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.h +++ b/src/libcharon/plugins/socket_default/socket_default_socket.h @@ -35,10 +35,6 @@ struct socket_default_socket_t { */ socket_t socket; - /** - * Destroy a socket_default_socket_t. - */ - void (*destroy)(socket_default_socket_t *this); }; /** diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 8a3a15188..8e0790671 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c index 3410fc7a4..a6ff14efd 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -31,17 +33,13 @@ struct private_socket_dynamic_plugin_t { */ socket_dynamic_plugin_t public; - /** - * Socket instance. - */ - socket_dynamic_socket_t *socket; }; METHOD(plugin_t, destroy, void, private_socket_dynamic_plugin_t *this) { - charon->socket->remove_socket(charon->socket, &this->socket->socket); - this->socket->destroy(this->socket); + charon->socket->remove_socket(charon->socket, + (socket_constructor_t)socket_dynamic_socket_create); free(this); } @@ -53,16 +51,15 @@ plugin_t *socket_dynamic_plugin_create() private_socket_dynamic_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, - .socket = socket_dynamic_socket_create(), + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); - if (!this->socket) - { - free(this); - return NULL; - } - charon->socket->add_socket(charon->socket, &this->socket->socket); + charon->socket->add_socket(charon->socket, + (socket_constructor_t)socket_dynamic_socket_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c index a7db59ce5..74dba82cc 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -36,13 +36,14 @@ #include <netinet/udp.h> #include <net/if.h> +#include <hydra.h> #include <daemon.h> #include <threading/thread.h> #include <threading/rwlock.h> #include <utils/hashtable.h> /* Maximum size of a packet */ -#define MAX_PACKET 5000 +#define MAX_PACKET 10000 /* length of non-esp marker */ #define MARKER_LEN sizeof(u_int32_t) @@ -100,6 +101,11 @@ struct private_socket_dynamic_socket_t { * Notification pipe to signal receiver */ int notify[2]; + + /** + * Maximum packet size to receive + */ + int max_packet; }; /** @@ -197,7 +203,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this, { host_t *source = NULL, *dest = NULL; ssize_t len; - char buffer[MAX_PACKET]; + char buffer[this->max_packet]; chunk_t data; packet_t *packet; struct msghdr msg; @@ -212,7 +218,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this, msg.msg_name = &src; msg.msg_namelen = sizeof(src); iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); + iov.iov_len = this->max_packet; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = ancillary; @@ -224,6 +230,11 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this, DBG1(DBG_NET, "error reading socket: %s", strerror(errno)); return NULL; } + if (msg.msg_flags & MSG_TRUNC) + { + DBG1(DBG_NET, "receive buffer too small, packet discarded"); + return NULL; + } DBG3(DBG_NET, "received packet %b", buffer, len); if (len < MARKER_LEN) @@ -412,8 +423,8 @@ static int open_socket(private_socket_dynamic_socket_t *this, return 0; } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - fd, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + fd, family)) { DBG1(DBG_NET, "installing IKE bypass policy failed"); } @@ -495,12 +506,6 @@ METHOD(socket_t, sender, status_t, !(data.len == 1 && data.ptr[0] == 0xFF)) { /* add non esp marker to packet */ - if (data.len > MAX_PACKET - MARKER_LEN) - { - DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)", - data.len); - return FAILED; - } marked = chunk_alloc(data.len + MARKER_LEN); memset(marked.ptr, 0, MARKER_LEN); memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len); @@ -567,7 +572,7 @@ METHOD(socket_t, sender, status_t, return SUCCESS; } -METHOD(socket_dynamic_socket_t, destroy, void, +METHOD(socket_t, destroy, void, private_socket_dynamic_socket_t *this) { enumerator_t *enumerator; @@ -600,10 +605,12 @@ socket_dynamic_socket_t *socket_dynamic_socket_create() .socket = { .send = _sender, .receive = _receiver, + .destroy = _destroy, }, - .destroy = _destroy, }, .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .max_packet = lib->settings->get_int(lib->settings, + "charon.max_packet", MAX_PACKET), ); if (pipe(this->notify) != 0) diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h index 72551e545..8c93f53d6 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h @@ -35,10 +35,6 @@ struct socket_dynamic_socket_t { */ socket_t socket; - /** - * Destroy a socket_dynamic_socket_t. - */ - void (*destroy)(socket_dynamic_socket_t *this); }; /** diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in index 32bd9e0a1..5f4cba131 100644 --- a/src/libcharon/plugins/socket_raw/Makefile.in +++ b/src/libcharon/plugins/socket_raw/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c index 5b011abcf..17a3a8db7 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c +++ b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -31,17 +33,13 @@ struct private_socket_raw_plugin_t { */ socket_raw_plugin_t public; - /** - * Raw socket instance. - */ - socket_raw_socket_t *socket; }; METHOD(plugin_t, destroy, void, private_socket_raw_plugin_t *this) { - charon->socket->remove_socket(charon->socket, &this->socket->socket); - this->socket->destroy(this->socket); + charon->socket->remove_socket(charon->socket, + (socket_constructor_t)socket_raw_socket_create); free(this); } @@ -53,16 +51,15 @@ plugin_t *socket_raw_plugin_create() private_socket_raw_plugin_t *this; INIT(this, - .public.plugin.destroy = _destroy, - .socket = socket_raw_socket_create(), + .public = { + .plugin = { + .destroy = _destroy, + }, + }, ); - if (!this->socket) - { - free(this); - return NULL; - } - charon->socket->add_socket(charon->socket, &this->socket->socket); + charon->socket->add_socket(charon->socket, + (socket_constructor_t)socket_raw_socket_create); return &this->public.plugin; } diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c index 166870421..f6e87a86f 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c +++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c @@ -1,6 +1,7 @@ /* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger + * Copyright (C) 2006-2010 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -36,11 +37,12 @@ #include <linux/filter.h> #include <net/if.h> +#include <hydra.h> #include <daemon.h> #include <threading/thread.h> /* Maximum size of a packet */ -#define MAX_PACKET 5000 +#define MAX_PACKET 10000 /* constants for packet handling */ #define IP_LEN sizeof(struct iphdr) @@ -119,12 +121,17 @@ struct private_socket_raw_socket_t { * send socket on nat-t port for IPv6 */ int send6_natt; + + /** + * Maximum packet size to receive + */ + int max_packet; }; METHOD(socket_t, receiver, status_t, private_socket_raw_socket_t *this, packet_t **packet) { - char buffer[MAX_PACKET]; + char buffer[this->max_packet]; chunk_t data; packet_t *pkt; struct udphdr *udp; @@ -161,12 +168,17 @@ METHOD(socket_t, receiver, status_t, struct iphdr *ip; struct sockaddr_in src, dst; - bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0); + bytes_read = recv(this->recv4, buffer, this->max_packet, 0); if (bytes_read < 0) { DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno)); return FAILED; } + if (bytes_read == this->max_packet) + { + DBG1(DBG_NET, "receive buffer too small, packet discarded"); + return FAILED; + } DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read); /* read source/dest from raw IP/UDP header */ @@ -216,7 +228,7 @@ METHOD(socket_t, receiver, status_t, msg.msg_name = &src; msg.msg_namelen = sizeof(src); iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); + iov.iov_len = this->max_packet; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = ancillary; @@ -343,12 +355,6 @@ METHOD(socket_t, sender, status_t, if (data.len != 1 || data.ptr[0] != 0xFF) { /* add non esp marker to packet */ - if (data.len > MAX_PACKET - MARKER_LEN) - { - DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)", - data.len); - return FAILED; - } marked = chunk_alloc(data.len + MARKER_LEN); memset(marked.ptr, 0, MARKER_LEN); memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len); @@ -492,8 +498,8 @@ static int open_send_socket(private_socket_raw_socket_t *this, } } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - skt, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + skt, family)) { DBG1(DBG_NET, "installing bypass policy on send socket failed"); } @@ -598,8 +604,8 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) return 0; } - if (!charon->kernel_interface->bypass_socket(charon->kernel_interface, - skt, family)) + if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, + skt, family)) { DBG1(DBG_NET, "installing bypass policy on receive socket failed"); } @@ -607,7 +613,7 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) return skt; } -METHOD(socket_raw_socket_t, destroy, void, +METHOD(socket_t, destroy, void, private_socket_raw_socket_t *this) { if (this->recv4) @@ -649,9 +655,11 @@ socket_raw_socket_t *socket_raw_socket_create() .socket = { .send = _sender, .receive = _receiver, + .destroy = _destroy, }, - .destroy = _destroy, }, + .max_packet = lib->settings->get_int(lib->settings, + "charon.max_packet", MAX_PACKET), ); this->recv4 = open_recv_socket(this, AF_INET); diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.h b/src/libcharon/plugins/socket_raw/socket_raw_socket.h index 94cf666e8..23ff304a8 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_socket.h +++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.h @@ -41,10 +41,6 @@ struct socket_raw_socket_t { */ socket_t socket; - /** - * Destroy a socket_raw_socket_t. - */ - void (*destroy)(socket_raw_socket_t *this); }; /** diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am index 68b7e8cb2..37b87117c 100644 --- a/src/libcharon/plugins/sql/Makefile.am +++ b/src/libcharon/plugins/sql/Makefile.am @@ -2,9 +2,6 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon -AM_CFLAGS = -rdynamic \ - -DPLUGINS=\""${libstrongswan_plugins}\"" - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-sql.la else diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index e32dc7b57..7c4521785 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -258,9 +274,6 @@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon -AM_CFLAGS = -rdynamic \ - -DPLUGINS=\""${libstrongswan_plugins}\"" - @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sql.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sql.la libstrongswan_sql_la_SOURCES = \ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index e094200ca..e6e98838b 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 617069432..165212a5e 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -15,6 +15,7 @@ #include "stroke_config.h" +#include <hydra.h> #include <daemon.h> #include <threading/mutex.h> #include <utils/lexparser.h> @@ -199,8 +200,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg host = host_create_from_dns(msg->add_conn.other.address, 0, 0); if (host) { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, host); + interface = hydra->kernel_interface->get_interface( + hydra->kernel_interface, host); host->destroy(host); if (interface) { @@ -215,8 +216,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg host = host_create_from_dns(msg->add_conn.me.address, 0, 0); if (host) { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, host); + interface = hydra->kernel_interface->get_interface( + hydra->kernel_interface, host); host->destroy(host); if (!interface) { @@ -362,7 +363,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } } else - { /* no second authentication round, fine */ + { /* no second authentication round, fine. But load certificates + * for other purposes (EAP-TLS) */ + if (cert) + { + certificate = this->cred->load_peer(this->cred, cert); + if (certificate) + { + certificate->destroy(certificate); + } + } return NULL; } } @@ -502,6 +512,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity); } + if (msg->add_conn.aaa_identity) + { + cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, + identification_create_from_string(msg->add_conn.aaa_identity)); + } } else { diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index f64421551..e0398ba78 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -354,7 +354,7 @@ static void terminate_srcip(private_stroke_control_t *this, } /* schedule delete asynchronously */ - charon->processor->queue_job(charon->processor, (job_t*) + lib->processor->queue_job(lib->processor, (job_t*) delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE)); } enumerator->destroy(enumerator); diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 2816b9bb2..91e71f1f4 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -14,10 +14,15 @@ * for more details. */ +#include <sys/types.h> #include <sys/stat.h> #include <limits.h> #include <glob.h> #include <libgen.h> +#include <sys/mman.h> +#include <fcntl.h> +#include <errno.h> +#include <unistd.h> #include "stroke_cred.h" #include "stroke_shared_key.h" @@ -25,6 +30,8 @@ #include <credentials/certificates/x509.h> #include <credentials/certificates/crl.h> #include <credentials/certificates/ac.h> +#include <credentials/sets/mem_cred.h> +#include <credentials/sets/callback_cred.h> #include <utils/linked_list.h> #include <utils/lexparser.h> #include <threading/rwlock.h> @@ -88,7 +95,8 @@ struct private_stroke_cred_t { typedef struct { private_stroke_cred_t *this; identification_t *id; - certificate_type_t type; + certificate_type_t cert; + key_type_t key; } id_data_t; /** @@ -109,15 +117,18 @@ static bool private_filter(id_data_t *data, private_key_t *key; key = *in; - if (data->id == NULL) + if (data->key == KEY_ANY || data->key == key->get_type(key)) { - *out = key; - return TRUE; - } - if (key->has_fingerprint(key, data->id->get_encoding(data->id))) - { - *out = key; - return TRUE; + if (data->id == NULL) + { + *out = key; + return TRUE; + } + if (key->has_fingerprint(key, data->id->get_encoding(data->id))) + { + *out = key; + return TRUE; + } } return FALSE; } @@ -133,6 +144,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, data = malloc_thing(id_data_t); data->this = this; data->id = id; + data->key = type; this->lock->read_lock(this->lock); return enumerator_create_filter(this->private->create_enumerator(this->private), @@ -148,7 +160,7 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou public_key_t *public; certificate_t *cert = *in; - if (data->type != CERT_ANY && data->type != cert->get_type(cert)) + if (data->cert != CERT_ANY && data->cert != cert->get_type(cert)) { return FALSE; } @@ -161,11 +173,14 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou public = cert->get_public_key(cert); if (public) { - if (public->has_fingerprint(public, data->id->get_encoding(data->id))) + if (data->key == KEY_ANY || data->key != public->get_type(public)) { - public->destroy(public); - *out = *in; - return TRUE; + if (public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = *in; + return TRUE; + } } public->destroy(public); } @@ -188,7 +203,8 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, data = malloc_thing(id_data_t); data->this = this; data->id = id; - data->type = cert; + data->cert = cert; + data->key = key; this->lock->read_lock(this->lock); return enumerator_create_filter(this->certs->create_enumerator(this->certs), @@ -667,47 +683,443 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line) } /** - * Data to pass to passphrase_cb + * Data for passphrase callback */ typedef struct { /** socket we use for prompting */ FILE *prompt; /** private key file */ - char *file; - /** buffer for passphrase */ - char buf[256]; + char *path; + /** number of tries */ + int try; } passphrase_cb_data_t; /** - * Passphrase callback to read from whack fd + * Callback function to receive Passphrases */ -chunk_t passphrase_cb(passphrase_cb_data_t *data, int try) +static shared_key_t* passphrase_cb(passphrase_cb_data_t *data, + shared_key_type_t type, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other) { - chunk_t secret = chunk_empty;; + chunk_t secret; + char buf[256]; - if (try > 5) + if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS) { - fprintf(data->prompt, "invalid passphrase, too many trials\n"); - return chunk_empty; + return NULL; } - if (try == 1) + + if (data->try > 1) { - fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file); + if (data->try > 5) + { + fprintf(data->prompt, "PIN invalid, giving up.\n"); + return NULL; + } + fprintf(data->prompt, "PIN invalid!\n"); } - else + data->try++; + fprintf(data->prompt, "Private key '%s' is encrypted.\n", data->path); + fprintf(data->prompt, "Passphrase:\n"); + if (fgets(buf, sizeof(buf), data->prompt)) { - fprintf(data->prompt, "invalid passphrase\n"); + secret = chunk_create(buf, strlen(buf)); + if (secret.len > 1) + { /* trim appended \n */ + secret.len--; + if (match_me) + { + *match_me = ID_MATCH_PERFECT; + } + if (match_other) + { + *match_other = ID_MATCH_NONE; + } + return shared_key_create(SHARED_PRIVATE_KEY_PASS, chunk_clone(secret)); + } } - fprintf(data->prompt, "Passphrase:\n"); - if (fgets(data->buf, sizeof(data->buf), data->prompt)) + return NULL; +} + +/** + * Data for PIN callback + */ +typedef struct { + /** socket we use for prompting */ + FILE *prompt; + /** card label */ + char *card; + /** card keyid */ + chunk_t keyid; + /** number of tries */ + int try; +} pin_cb_data_t; + +/** + * Callback function to receive PINs + */ +static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other) +{ + chunk_t secret; + char buf[256]; + + if (type != SHARED_ANY && type != SHARED_PIN) + { + return NULL; + } + + if (!me || !chunk_equals(me->get_encoding(me), data->keyid)) + { + return NULL; + } + + if (data->try > 1) + { + fprintf(data->prompt, "PIN invalid, aborting.\n"); + return NULL; + } + data->try++; + fprintf(data->prompt, "Login to '%s' required\n", data->card); + fprintf(data->prompt, "PIN:\n"); + if (fgets(buf, sizeof(buf), data->prompt)) { - secret = chunk_create(data->buf, strlen(data->buf)); - if (secret.len) + secret = chunk_create(buf, strlen(buf)); + if (secret.len > 1) { /* trim appended \n */ secret.len--; + if (match_me) + { + *match_me = ID_MATCH_PERFECT; + } + if (match_other) + { + *match_other = ID_MATCH_NONE; + } + return shared_key_create(SHARED_PIN, chunk_clone(secret)); + } + } + return NULL; +} + +/** + * Load a smartcard with a PIN + */ +static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, + FILE *prompt) +{ + chunk_t sc = chunk_empty, secret = chunk_empty; + char smartcard[64], keyid[64], module[64], *pos; + private_key_t *key = NULL; + u_int slot; + chunk_t chunk; + shared_key_t *shared; + identification_t *id; + mem_cred_t *mem = NULL; + callback_cred_t *cb = NULL; + pin_cb_data_t pin_data; + enum { + SC_FORMAT_SLOT_MODULE_KEYID, + SC_FORMAT_SLOT_KEYID, + SC_FORMAT_KEYID, + } format; + + err_t ugh = extract_value(&sc, &line); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); + return FALSE; + } + if (sc.len == 0) + { + DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr); + return FALSE; + } + snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr); + smartcard[sizeof(smartcard) - 1] = '\0'; + + /* parse slot and key id. Three formats are supported: + * - %smartcard<slot>@<module>:<keyid> + * - %smartcard<slot>:<keyid> + * - %smartcard:<keyid> + */ + if (sscanf(smartcard, "%%smartcard%u@%s", &slot, module) == 2) + { + pos = strchr(module, ':'); + if (!pos) + { + DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is " + "invalid", line_nr); + return FALSE; + } + *pos = '\0'; + strcpy(keyid, pos + 1); + format = SC_FORMAT_SLOT_MODULE_KEYID; + } + else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2) + { + format = SC_FORMAT_SLOT_KEYID; + } + else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1) + { + format = SC_FORMAT_KEYID; + } + else + { + DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not" + " supported or invalid", line_nr); + return FALSE; + } + + if (!eat_whitespace(&line)) + { + DBG1(DBG_CFG, "line %d: expected PIN", line_nr); + return FALSE; + } + ugh = extract_secret(&secret, &line); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh); + return FALSE; + } + + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) + { + free(secret.ptr); + if (!prompt) + { /* no IO channel to prompt, skip */ + free(chunk.ptr); + return TRUE; + } + /* use callback credential set to prompt for the pin */ + pin_data.prompt = prompt; + pin_data.card = smartcard; + pin_data.keyid = chunk; + pin_data.try = 1; + cb = callback_cred_create_shared((void*)pin_cb, &pin_data); + lib->credmgr->add_local_set(lib->credmgr, &cb->set); + } + else + { + /* provide our pin in a temporary credential set */ + shared = shared_key_create(SHARED_PIN, secret); + id = identification_create_from_encoding(ID_KEY_ID, chunk); + mem = mem_cred_create(); + mem->add_shared(mem, shared, id, NULL); + lib->credmgr->add_local_set(lib->credmgr, &mem->set); + } + + /* unlock: smartcard needs the pin and potentially calls public set */ + this->lock->unlock(this->lock); + switch (format) + { + case SC_FORMAT_SLOT_MODULE_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_MODULE, module, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + case SC_FORMAT_SLOT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + case SC_FORMAT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + } + this->lock->write_lock(this->lock); + if (mem) + { + lib->credmgr->remove_local_set(lib->credmgr, &mem->set); + mem->destroy(mem); + } + if (cb) + { + lib->credmgr->remove_local_set(lib->credmgr, &cb->set); + cb->destroy(cb); + } + + if (key) + { + DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); + this->private->insert_last(this->private, key); + } + return TRUE; +} + +/** + * Load a private key + */ +static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, + FILE *prompt, key_type_t key_type) +{ + char path[PATH_MAX]; + chunk_t filename; + chunk_t secret = chunk_empty; + private_key_t *key; + + err_t ugh = extract_value(&filename, &line); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); + return FALSE; + } + if (filename.len == 0) + { + DBG1(DBG_CFG, "line %d: empty filename", line_nr); + return FALSE; + } + if (*filename.ptr == '/') + { + /* absolute path name */ + snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr); + } + else + { + /* relative path name */ + snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, + filename.len, filename.ptr); + } + + /* check for optional passphrase */ + if (eat_whitespace(&line)) + { + ugh = extract_secret(&secret, &line); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh); + return FALSE; + } + } + if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) + { + callback_cred_t *cb = NULL; + passphrase_cb_data_t pp_data = { + .prompt = prompt, + .path = path, + .try = 1, + }; + + free(secret.ptr); + if (!prompt) + { + return TRUE; + } + /* use callback credential set to prompt for the passphrase */ + pp_data.prompt = prompt; + pp_data.path = path; + pp_data.try = 1; + cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data); + lib->credmgr->add_local_set(lib->credmgr, &cb->set); + + /* unlock, as the builder might ask for a secret */ + this->lock->unlock(this->lock); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, path, BUILD_END); + this->lock->write_lock(this->lock); + + lib->credmgr->remove_local_set(lib->credmgr, &cb->set); + cb->destroy(cb); + } + else + { + mem_cred_t *mem = NULL; + shared_key_t *shared; + + /* provide our pin in a temporary credential set */ + shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret); + mem = mem_cred_create(); + mem->add_shared(mem, shared, NULL); + lib->credmgr->add_local_set(lib->credmgr, &mem->set); + + /* unlock, as the builder might ask for a secret */ + this->lock->unlock(this->lock); + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, path, BUILD_END); + this->lock->write_lock(this->lock); + + lib->credmgr->remove_local_set(lib->credmgr, &mem->set); + mem->destroy(mem); + } + if (key) + { + DBG1(DBG_CFG, " loaded %N private key from '%s'", + key_type_names, key->get_type(key), path); + this->private->insert_last(this->private, key); + } + else + { + DBG1(DBG_CFG, " loading private key from '%s' failed", path); + } + return TRUE; +} + +/** + * Load a shared key + */ +static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, + shared_key_type_t type, chunk_t ids) +{ + stroke_shared_key_t *shared_key; + chunk_t secret = chunk_empty; + bool any = TRUE; + + err_t ugh = extract_secret(&secret, &line); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); + return FALSE; + } + shared_key = stroke_shared_key_create(type, secret); + DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, + ids.len > 0 ? (char*)ids.ptr : "%any"); + DBG4(DBG_CFG, " secret: %#B", &secret); + + this->shared->insert_last(this->shared, shared_key); + while (ids.len > 0) + { + chunk_t id; + identification_t *peer_id; + + ugh = extract_value(&id, &ids); + if (ugh != NULL) + { + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); + return FALSE; + } + if (id.len == 0) + { + continue; + } + + /* NULL terminate the ID string */ + *(id.ptr + id.len) = '\0'; + peer_id = identification_create_from_string(id.ptr); + if (peer_id->get_type(peer_id) == ID_ANY) + { + peer_id->destroy(peer_id); + continue; } + + shared_key->add_owner(shared_key, peer_id); + any = FALSE; + } + if (any) + { + shared_key->add_owner(shared_key, + identification_create_from_encoding(ID_ANY, chunk_empty)); } - return secret; + return TRUE; } /** @@ -716,30 +1128,36 @@ chunk_t passphrase_cb(passphrase_cb_data_t *data, int try) static void load_secrets(private_stroke_cred_t *this, char *file, int level, FILE *prompt) { - size_t bytes; - int line_nr = 0; - chunk_t chunk, src, line; - FILE *fd; + int line_nr = 0, fd; + chunk_t src, line; private_key_t *private; shared_key_t *shared; + struct stat sb; + void *addr; DBG1(DBG_CFG, "loading secrets from '%s'", file); - - fd = fopen(file, "r"); - if (fd == NULL) + fd = open(file, O_RDONLY); + if (fd == -1) { - DBG1(DBG_CFG, "opening secrets file '%s' failed", file); + DBG1(DBG_CFG, "opening secrets file '%s' failed: %s", file, + strerror(errno)); return; } - - /* TODO: do error checks */ - fseek(fd, 0, SEEK_END); - chunk.len = ftell(fd); - rewind(fd); - chunk.ptr = malloc(chunk.len); - bytes = fread(chunk.ptr, 1, chunk.len, fd); - fclose(fd); - src = chunk; + if (fstat(fd, &sb) == -1) + { + DBG1(DBG_LIB, "getting file size of '%s' failed: %s", file, + strerror(errno)); + close(fd); + return; + } + addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(DBG_LIB, "mapping '%s' failed: %s", file, strerror(errno)); + close(fd); + return; + } + src = chunk_create(addr, sb.st_size); if (level == 0) { @@ -844,223 +1262,52 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, else { DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr); - goto error; + break; } if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line)) { DBG1(DBG_CFG, "line %d: missing token", line_nr); - goto error; + break; } if (match("RSA", &token) || match("ECDSA", &token)) { - char path[PATH_MAX]; - chunk_t filename; - chunk_t secret = chunk_empty; - private_key_t *key = NULL; - key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA; - - err_t ugh = extract_value(&filename, &line); - - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); - goto error; - } - if (filename.len == 0) - { - DBG1(DBG_CFG, "line %d: empty filename", line_nr); - goto error; - } - if (*filename.ptr == '/') - { - /* absolute path name */ - snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr); - } - else - { - /* relative path name */ - snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, - filename.len, filename.ptr); - } - - /* check for optional passphrase */ - if (eat_whitespace(&line)) - { - ugh = extract_secret(&secret, &line); - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh); - goto error; - } - } - if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) - { - if (prompt) - { - passphrase_cb_data_t data; - - data.prompt = prompt; - data.file = path; - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, - key_type, BUILD_FROM_FILE, path, - BUILD_PASSPHRASE_CALLBACK, - passphrase_cb, &data, BUILD_END); - } - } - else - { - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, - BUILD_FROM_FILE, path, - BUILD_PASSPHRASE, secret, BUILD_END); - } - if (key) + if (!load_private(this, line, line_nr, prompt, + match("RSA", &token) ? KEY_RSA : KEY_ECDSA)) { - DBG1(DBG_CFG, " loaded %N private key from '%s'", - key_type_names, key->get_type(key), path); - this->private->insert_last(this->private, key); - } - else - { - DBG1(DBG_CFG, " loading private key from '%s' failed", path); + break; } - chunk_clear(&secret); } else if (match("PIN", &token)) { - chunk_t sc = chunk_empty, secret = chunk_empty; - char smartcard[32], keyid[22], pin[32]; - private_key_t *key; - u_int slot; - - err_t ugh = extract_value(&sc, &line); - - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); - goto error; - } - if (sc.len == 0) - { - DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr); - goto error; - } - snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr); - smartcard[sizeof(smartcard) - 1] = '\0'; - - /* parse slot and key id. only two formats are supported. - * first try %smartcard<slot>:<keyid> */ - if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2) - { - snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid); - } - /* then try %smartcard:<keyid> */ - else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1) - { - snprintf(smartcard, sizeof(smartcard), "%s", keyid); - } - else - { - DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not" - " supported or invalid", line_nr); - goto error; - } - - if (!eat_whitespace(&line)) - { - DBG1(DBG_CFG, "line %d: expected PIN", line_nr); - goto error; - } - ugh = extract_secret(&secret, &line); - if (ugh != NULL) + if (!load_pin(this, line, line_nr, prompt)) { - DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh); - goto error; - } - snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr); - pin[sizeof(pin) - 1] = '\0'; - - /* we assume an RSA key */ - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_SMARTCARD_KEYID, smartcard, - BUILD_SMARTCARD_PIN, pin, BUILD_END); - - if (key) - { - DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); - this->private->insert_last(this->private, key); + break; } - memset(pin, 0, sizeof(pin)); - chunk_clear(&secret); } else if ((match("PSK", &token) && (type = SHARED_IKE)) || (match("EAP", &token) && (type = SHARED_EAP)) || (match("NTLM", &token) && (type = SHARED_NT_HASH)) || (match("XAUTH", &token) && (type = SHARED_EAP))) { - stroke_shared_key_t *shared_key; - chunk_t secret = chunk_empty; - bool any = TRUE; - - err_t ugh = extract_secret(&secret, &line); - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); - goto error; - } - shared_key = stroke_shared_key_create(type, secret); - DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, - ids.len > 0 ? (char*)ids.ptr : "%any"); - DBG4(DBG_CFG, " secret: %#B", &secret); - - this->shared->insert_last(this->shared, shared_key); - while (ids.len > 0) + if (!load_shared(this, line, line_nr, type, ids)) { - chunk_t id; - identification_t *peer_id; - - ugh = extract_value(&id, &ids); - if (ugh != NULL) - { - DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); - goto error; - } - if (id.len == 0) - { - continue; - } - - /* NULL terminate the ID string */ - *(id.ptr + id.len) = '\0'; - peer_id = identification_create_from_string(id.ptr); - if (peer_id->get_type(peer_id) == ID_ANY) - { - peer_id->destroy(peer_id); - continue; - } - - shared_key->add_owner(shared_key, peer_id); - any = FALSE; - } - if (any) - { - shared_key->add_owner(shared_key, - identification_create_from_encoding(ID_ANY, chunk_empty)); + break; } } else { DBG1(DBG_CFG, "line %d: token must be either " "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr); - goto error; + break; } } -error: if (level == 0) { this->lock->unlock(this->lock); } - chunk_clear(&chunk); + munmap(addr, sb.st_size); + close(fd); } /** diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index a6de35466..86deea490 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -21,6 +21,7 @@ #include <malloc.h> #endif /* HAVE_MALLINFO */ +#include <hydra.h> #include <daemon.h> #include <utils/linked_list.h> #include <credentials/certificates/x509.h> @@ -422,12 +423,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo } #endif /* HAVE_MALLINFO */ fprintf(out, " worker threads: %d idle of %d,", - charon->processor->get_idle_threads(charon->processor), - charon->processor->get_total_threads(charon->processor)); + lib->processor->get_idle_threads(lib->processor), + lib->processor->get_total_threads(lib->processor)); fprintf(out, " job queue load: %d,", - charon->processor->get_job_load(charon->processor)); + lib->processor->get_job_load(lib->processor)); fprintf(out, " scheduled events: %d\n", - charon->scheduler->get_job_load(charon->scheduler)); + lib->scheduler->get_job_load(lib->scheduler)); fprintf(out, " loaded plugins: "); enumerator = lib->plugins->create_plugin_enumerator(lib->plugins); while (enumerator->enumerate(enumerator, &plugin)) @@ -454,8 +455,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo } enumerator->destroy(enumerator); - enumerator = charon->kernel_interface->create_address_enumerator( - charon->kernel_interface, FALSE, FALSE); + enumerator = hydra->kernel_interface->create_address_enumerator( + hydra->kernel_interface, FALSE, FALSE); fprintf(out, "Listening IP addresses:\n"); while (enumerator->enumerate(enumerator, (void**)&host)) { @@ -638,7 +639,7 @@ static void list_public_key(public_key_t *public, FILE *out) fprintf(out, " pubkey: %N %d bits%s\n", key_type_names, public->get_type(public), - public->get_keysize(public) * 8, + public->get_keysize(public), private ? ", has private key" : ""); if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { @@ -1026,9 +1027,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) */ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) { - bool first = TRUE; + bool first = TRUE, ok; enumerator_t *enumerator = list->create_enumerator(list); certificate_t *cert; + time_t produced, usable, now = time(NULL); while (enumerator->enumerate(enumerator, (void**)&cert)) { @@ -1039,8 +1041,20 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) fprintf(out, "\n"); first = FALSE; } - fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); + + /* check validity */ + ok = cert->get_validity(cert, &now, &produced, &usable); + fprintf(out, " validity: produced at %T\n", &produced, utc); + fprintf(out, " usable till %T, ", &usable, utc); + if (ok) + { + fprintf(out, "ok\n"); + } + else + { + fprintf(out, "expired (%V ago)\n", &now, &usable); + } } enumerator->destroy(enumerator); } @@ -1073,6 +1087,13 @@ static void list_algs(FILE *out) fprintf(out, "%N ", integrity_algorithm_names, integrity); } enumerator->destroy(enumerator); + fprintf(out, "\n aead: "); + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption)) + { + fprintf(out, "%N ", encryption_algorithm_names, encryption); + } + enumerator->destroy(enumerator); fprintf(out, "\n hasher: "); enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &hash)) @@ -1184,7 +1205,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, bool on; int found = 0; - fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n", + fprintf(out, "Leases in pool '%s', usage: %u/%u, %u online\n", pool, online + offline, size, online); enumerator = this->attribute->create_lease_enumerator(this->attribute, pool); while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on)) diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 18afa5af4..0a5110fd3 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -24,10 +24,10 @@ #include <unistd.h> #include <errno.h> -#include <processing/jobs/callback_job.h> #include <hydra.h> #include <daemon.h> #include <threading/thread.h> +#include <processing/jobs/callback_job.h> #include "stroke_config.h" #include "stroke_control.h" @@ -180,11 +180,13 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg) pop_end(msg, "left", &msg->add_conn.me); pop_end(msg, "right", &msg->add_conn.other); pop_string(msg, &msg->add_conn.eap_identity); + pop_string(msg, &msg->add_conn.aaa_identity); pop_string(msg, &msg->add_conn.algorithms.ike); pop_string(msg, &msg->add_conn.algorithms.esp); pop_string(msg, &msg->add_conn.ikeme.mediated_by); pop_string(msg, &msg->add_conn.ikeme.peerid); DBG2(DBG_CFG, " eap_identity=%s", msg->add_conn.eap_identity); + DBG2(DBG_CFG, " aaa_identity=%s", msg->add_conn.aaa_identity); DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); DBG2(DBG_CFG, " mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no"); @@ -353,6 +355,37 @@ static void stroke_purge(private_stroke_socket_t *this, } /** + * Export in-memory credentials + */ +static void stroke_export(private_stroke_socket_t *this, + stroke_msg_t *msg, FILE *out) +{ + pop_string(msg, &msg->export.selector); + + if (msg->purge.flags & EXPORT_X509) + { + enumerator_t *enumerator; + identification_t *id; + certificate_t *cert; + chunk_t encoded; + + id = identification_create_from_string(msg->export.selector); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509, KEY_ANY, id, FALSE); + while (enumerator->enumerate(enumerator, &cert)) + { + if (cert->get_encoding(cert, CERT_PEM, &encoded)) + { + fprintf(out, "%.*s", encoded.len, encoded.ptr); + free(encoded.ptr); + } + } + enumerator->destroy(enumerator); + id->destroy(id); + } +} + +/** * list pool leases */ static void stroke_leases(private_stroke_socket_t *this, @@ -364,21 +397,6 @@ static void stroke_leases(private_stroke_socket_t *this, this->list->leases(this->list, msg, out); } -debug_t get_group_from_name(char *type) -{ - if (strcaseeq(type, "any")) return DBG_ANY; - else if (strcaseeq(type, "mgr")) return DBG_MGR; - else if (strcaseeq(type, "ike")) return DBG_IKE; - else if (strcaseeq(type, "chd")) return DBG_CHD; - else if (strcaseeq(type, "job")) return DBG_JOB; - else if (strcaseeq(type, "cfg")) return DBG_CFG; - else if (strcaseeq(type, "knl")) return DBG_KNL; - else if (strcaseeq(type, "net")) return DBG_NET; - else if (strcaseeq(type, "enc")) return DBG_ENC; - else if (strcaseeq(type, "lib")) return DBG_LIB; - else return -1; -} - /** * set the verbosity debug output */ @@ -394,7 +412,7 @@ static void stroke_loglevel(private_stroke_socket_t *this, DBG1(DBG_CFG, "received stroke: loglevel %d for %s", msg->loglevel.level, msg->loglevel.type); - group = get_group_from_name(msg->loglevel.type); + group = enum_from_name(debug_names, msg->loglevel.type); if (group < 0) { fprintf(out, "invalid type (%s)!\n", msg->loglevel.type); @@ -525,6 +543,9 @@ static job_requeue_t process(stroke_job_context_t *ctx) case STR_PURGE: stroke_purge(this, msg, out); break; + case STR_EXPORT: + stroke_export(this, msg, out); + break; case STR_LEASES: stroke_leases(this, msg, out); break; @@ -565,7 +586,7 @@ static job_requeue_t receive(private_stroke_socket_t *this) ctx->this = this; job = callback_job_create((callback_job_cb_t)process, ctx, (void*)stroke_job_context_destroy, this->job); - charon->processor->queue_job(charon->processor, (job_t*)job); + lib->processor->queue_job(lib->processor, (job_t*)job); return JOB_REQUEUE_FAIR; } @@ -663,7 +684,7 @@ stroke_socket_t *stroke_socket_create() this->job = callback_job_create((callback_job_cb_t)receive, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); return &this->public; } diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am new file mode 100644 index 000000000..ca8869460 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/Makefile.am @@ -0,0 +1,19 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnc_imc_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnc-imc.la +else +plugin_LTLIBRARIES = libstrongswan-tnc-imc.la +endif + +libstrongswan_tnc_imc_la_SOURCES = \ + tnc_imc_plugin.h tnc_imc_plugin.c + +libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in index f78a97013..9a8794e93 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.in +++ b/src/libcharon/plugins/tnc_imc/Makefile.in @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_pfroute +subdir = src/libcharon/plugins/tnc_imc DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -73,18 +74,16 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_kernel_pfroute_la_LIBADD = -am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \ - kernel_pfroute_net.lo -libstrongswan_kernel_pfroute_la_OBJECTS = \ - $(am_libstrongswan_kernel_pfroute_la_OBJECTS) -libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfroute_la_rpath = -rpath \ +libstrongswan_tnc_imc_la_DEPENDENCIES = +am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo +libstrongswan_tnc_imc_la_OBJECTS = \ + $(am_libstrongswan_tnc_imc_la_OBJECTS) +libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tnc_imc_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnc_imc_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfroute_la_rpath = +@MONOLITHIC_TRUE@am_libstrongswan_tnc_imc_la_rpath = DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -98,8 +97,8 @@ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES) -DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES) +SOURCES = $(libstrongswan_tnc_imc_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnc_imc_la_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -168,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -258,17 +272,17 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` AM_CFLAGS = -rdynamic -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la -libstrongswan_kernel_pfroute_la_SOURCES = \ - kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ - kernel_pfroute_net.h kernel_pfroute_net.c +libstrongswan_tnc_imc_la_LIBADD = -ltnc +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la +libstrongswan_tnc_imc_la_SOURCES = \ + tnc_imc_plugin.h tnc_imc_plugin.c -libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version +libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: @@ -282,9 +296,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile + $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -343,8 +357,8 @@ clean-pluginLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) - $(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS) +libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) + $(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -352,8 +366,7 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_net.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c new file mode 100644 index 000000000..0ce930ba3 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc_plugin.h" + +#include <libtnctncc.h> + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnc_imc_plugin_t *this) +{ + libtnc_tncc_Terminate(); + free(this); +} + +/* + * see header file + */ +plugin_t *tnc_imc_plugin_create() +{ + char *tnc_config, *pref_lang; + tnc_imc_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + pref_lang = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.preferred_language", "en"); + tnc_config = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config"); + + if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + { + free(this); + DBG1(DBG_TNC, "TNC IMC initialization failed"); + return NULL; + } + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h new file mode 100644 index 000000000..8c5521cb2 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnc_imc tnc_imc + * @ingroup cplugins + * + * @defgroup tnc_imc_plugin tnc_imc_plugin + * @{ @ingroup tnc_imc + */ + +#ifndef TNC_IMC_PLUGIN_H_ +#define TNC_IMC_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnc_imc_plugin_t tnc_imc_plugin_t; + +/** + * TNC IMC plugin + */ +struct tnc_imc_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNC_IMC_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am new file mode 100644 index 000000000..9c3b47364 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/Makefile.am @@ -0,0 +1,19 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnc_imv_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnc-imv.la +else +plugin_LTLIBRARIES = libstrongswan-tnc-imv.la +endif + +libstrongswan_tnc_imv_la_SOURCES = \ + tnc_imv_plugin.h tnc_imv_plugin.c + +libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in index 1dda6827b..f89b5e03b 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libcharon/plugins/tnc_imv/Makefile.in @@ -34,7 +34,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_pfkey +subdir = src/libcharon/plugins/tnc_imv DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -73,18 +74,16 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_kernel_pfkey_la_LIBADD = -am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \ - kernel_pfkey_ipsec.lo -libstrongswan_kernel_pfkey_la_OBJECTS = \ - $(am_libstrongswan_kernel_pfkey_la_OBJECTS) -libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_kernel_pfkey_la_rpath = -rpath \ +libstrongswan_tnc_imv_la_DEPENDENCIES = +am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo +libstrongswan_tnc_imv_la_OBJECTS = \ + $(am_libstrongswan_tnc_imv_la_OBJECTS) +libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tnc_imv_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnc_imv_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_kernel_pfkey_la_rpath = +@MONOLITHIC_TRUE@am_libstrongswan_tnc_imv_la_rpath = DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -98,8 +97,8 @@ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES) -DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES) +SOURCES = $(libstrongswan_tnc_imv_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnc_imv_la_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -168,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -199,14 +200,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -221,24 +225,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -246,7 +257,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -258,17 +272,17 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon `xml2-config --cflags` AM_CFLAGS = -rdynamic -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la -libstrongswan_kernel_pfkey_la_SOURCES = \ - kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ - kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c +libstrongswan_tnc_imv_la_LIBADD = -ltnc +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la +libstrongswan_tnc_imv_la_SOURCES = \ + tnc_imv_plugin.h tnc_imv_plugin.c -libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version +libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: @@ -282,9 +296,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile + $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -343,8 +357,8 @@ clean-pluginLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) - $(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS) +libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) + $(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -352,8 +366,7 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_ipsec.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c new file mode 100644 index 000000000..5b3d3892d --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv_plugin.h" + +#include <libtnctncs.h> + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnc_imv_plugin_t *this) +{ + libtnc_tncs_Terminate(); + free(this); +} + +/* + * see header file + */ +plugin_t *tnc_imv_plugin_create() +{ + char *tnc_config; + tnc_imv_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + tnc_config = lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config"); + if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + { + free(this); + DBG1(DBG_TNC, "TNC IMV initialization failed"); + return NULL; + } + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h new file mode 100644 index 000000000..afeee2ea2 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnc_imv tnc_imv + * @ingroup cplugins + * + * @defgroup tnc_imv_plugin tnc_imv_plugin + * @{ @ingroup tnc_imv + */ + +#ifndef TNC_IMV_PLUGIN_H_ +#define TNC_IMV_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnc_imv_plugin_t tnc_imv_plugin_t; + +/** + * TNC IMV plugin + */ +struct tnc_imv_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNC_IMV_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am new file mode 100644 index 000000000..7ccd0dfee --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/Makefile.am @@ -0,0 +1,21 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnccs_11_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnccs-11.la +else +plugin_LTLIBRARIES = libstrongswan-tnccs-11.la +libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_tnccs_11_la_SOURCES = \ + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + +libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in index 49cc895bc..200ff7a0a 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libcharon/plugins/tnccs_11/Makefile.in @@ -34,7 +34,8 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -subdir = src/libcharon/plugins/kernel_netlink +@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la +subdir = src/libcharon/plugins/tnccs_11 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -44,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -73,19 +75,17 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_kernel_netlink_la_LIBADD = -am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \ - kernel_netlink_ipsec.lo kernel_netlink_net.lo \ - kernel_netlink_shared.lo -libstrongswan_kernel_netlink_la_OBJECTS = \ - $(am_libstrongswan_kernel_netlink_la_OBJECTS) -libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \ +libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1) +am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo +libstrongswan_tnccs_11_la_OBJECTS = \ + $(am_libstrongswan_tnccs_11_la_OBJECTS) +libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_11_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnccs_11_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath = +@MONOLITHIC_TRUE@am_libstrongswan_tnccs_11_la_rpath = DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -99,8 +99,8 @@ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) -DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) +SOURCES = $(libstrongswan_tnccs_11_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnccs_11_la_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -169,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -200,14 +202,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -222,24 +227,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -247,7 +259,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -259,21 +274,18 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic \ --DROUTING_TABLE=${routing_table} \ --DROUTING_TABLE_PRIO=${routing_table_prio} - -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la -libstrongswan_kernel_netlink_la_SOURCES = \ - kernel_netlink_plugin.h kernel_netlink_plugin.c \ - kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ - kernel_netlink_shared.h kernel_netlink_shared.c - -libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1) +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la +libstrongswan_tnccs_11_la_SOURCES = \ + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + +libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: @@ -287,9 +299,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile + $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -348,8 +360,8 @@ clean-pluginLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) - $(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS) +libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) + $(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -357,10 +369,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_ipsec.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c new file mode 100644 index 000000000..704bf64ed --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_11.h" + +#include <libtnctncc.h> +#include <libtnctncs.h> + +#include <daemon.h> +#include <debug.h> + +#define TNC_SEND_BUFFER_SIZE 32 + +static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE]; + +/** + * Buffers TNCCS batch to be sent (TODO make the buffer scalable) + */ +static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len) +{ + if (id >= TNC_SEND_BUFFER_SIZE) + { + DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in " + "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); + return TNC_RESULT_FATAL; + } + if (tnc_send_buffer[id].ptr) + { + DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already " + "occupied", id); + return TNC_RESULT_FATAL; + } + tnc_send_buffer[id] = chunk_alloc(len); + memcpy(tnc_send_buffer[id].ptr, data, len); + + return TNC_RESULT_SUCCESS; +} + +/** + * Retrieves TNCCS batch to be sent + */ +static bool retrieve_batch(u_int32_t id, chunk_t *batch) +{ + if (id >= TNC_SEND_BUFFER_SIZE) + { + DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from " + "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); + return FALSE; + } + + *batch = tnc_send_buffer[id]; + return TRUE; +} + +/** + * Frees TNCCS batch that was sent + */ +static void free_batch(u_int32_t id) +{ + if (id < TNC_SEND_BUFFER_SIZE) + { + chunk_free(&tnc_send_buffer[id]); + } +} + +/** + * Define callback functions called by the libtnc library + */ +TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, + const char* messageBuffer, size_t messageLength) +{ + return buffer_batch(conn->connectionID, messageBuffer, messageLength); +} + +TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, + const char* messageBuffer, size_t messageLength) +{ + return buffer_batch(conn->connectionID, messageBuffer, messageLength); +} + +typedef struct private_tnccs_11_t private_tnccs_11_t; + +/** + * Private data of a tnccs_11_t object. + */ +struct private_tnccs_11_t { + + /** + * Public tls_t interface. + */ + tls_t public; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; + + /** + * TNCC Connection to IMCs + */ + libtnc_tncc_connection* tncc_connection; + + /** + * TNCS Connection to IMVs + */ + libtnc_tncs_connection* tncs_connection; +}; + +METHOD(tls_t, process, status_t, + private_tnccs_11_t *this, void *buf, size_t buflen) +{ + u_int32_t conn_id; + + if (this->is_server && !this->tncs_connection) + { + this->tncs_connection = libtnc_tncs_CreateConnection(NULL); + if (!this->tncs_connection) + { + DBG1(DBG_TNC, "TNCS CreateConnection failed"); + return FAILED; + } + DBG1(DBG_TNC, "assigned TNCS Connection ID %u", + this->tncs_connection->connectionID); + if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCS BeginSession failed"); + return FAILED; + } + } + conn_id = this->is_server ? this->tncs_connection->connectionID + : this->tncc_connection->connectionID; + + DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u", + buflen, conn_id); + DBG3(DBG_TNC, "%.*s", buflen, buf); + + if (this->is_server) + { + if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) != + TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCS ReceiveBatch failed"); + return FAILED; + } + } + else + { + if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) != + TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCC ReceiveBatch failed"); + return FAILED; + } + } + return NEED_MORE; +} + +METHOD(tls_t, build, status_t, + private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + chunk_t batch; + u_int32_t conn_id; + size_t len; + + if (!this->is_server && !this->tncc_connection) + { + this->tncc_connection = libtnc_tncc_CreateConnection(NULL); + if (!this->tncc_connection) + { + DBG1(DBG_TNC, "TNCC CreateConnection failed"); + return FAILED; + } + DBG1(DBG_TNC, "assigned TNCC Connection ID %u", + this->tncc_connection->connectionID); + if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "TNCC BeginSession failed"); + return FAILED; + } + } + conn_id = this->is_server ? this->tncs_connection->connectionID + : this->tncc_connection->connectionID; + + if (!retrieve_batch(conn_id, &batch)) + { + return FAILED; + } + len = *buflen; + len = min(len, batch.len); + *buflen = len; + if (msglen) + { + *msglen = batch.len; + } + + if (batch.len) + { + DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u", + batch.len, conn_id); + DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr); + memcpy(buf, batch.ptr, len); + free_batch(conn_id); + return ALREADY_DONE; + } + else + { + return INVALID_STATE; + } +} + +METHOD(tls_t, is_server, bool, + private_tnccs_11_t *this) +{ + return this->is_server; +} + +METHOD(tls_t, get_purpose, tls_purpose_t, + private_tnccs_11_t *this) +{ + return TLS_PURPOSE_EAP_TNC; +} + +METHOD(tls_t, is_complete, bool, + private_tnccs_11_t *this) +{ + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + char *group; + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) == + TNC_RESULT_SUCCESS) + { + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + DBG1(DBG_TNC, "TNC recommendation is allow"); + group = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + DBG1(DBG_TNC, "TNC recommendation is isolate"); + group = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + DBG1(DBG_TNC, "TNC recommendation is none"); + return FALSE; + } + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_string(group); + auth->add(auth, AUTH_RULE_GROUP, id); + DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group); + } + return TRUE; + } + else + { + return FALSE; + } +} + +METHOD(tls_t, get_eap_msk, chunk_t, + private_tnccs_11_t *this) +{ + return chunk_empty; +} + +METHOD(tls_t, destroy, void, + private_tnccs_11_t *this) +{ + if (this->is_server) + { + if (this->tncs_connection) + { + libtnc_tncs_DeleteConnection(this->tncs_connection); + } + } + else + { + if (this->tncc_connection) + { + libtnc_tncc_DeleteConnection(this->tncc_connection); + } + libtnc_tncc_Terminate(); + } + free(this); +} + +/** + * See header + */ +tls_t *tnccs_11_create(bool is_server) +{ + private_tnccs_11_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .is_server = is_server, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.h b/src/libcharon/plugins/tnccs_11/tnccs_11.h new file mode 100644 index 000000000..7331fc8cd --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_11_h tnccs_11 + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_11_H_ +#define TNCCS_11_H_ + +#include <library.h> + +#include <tls.h> + +/** + * Create an instance of the TNC IF-TNCCS 1.1 protocol handler. + * + * @param is_server TRUE to act as TNC Server, FALSE for TNC Client + * @return TNC_IF_TNCCS 1.1 protocol stack + */ +tls_t *tnccs_11_create(bool is_server); + +#endif /** TNCCS_11_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c new file mode 100644 index 000000000..03905ca37 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_11_plugin.h" +#include "tnccs_11.h" + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnccs_11_plugin_t *this) +{ + charon->tnccs->remove_method(charon->tnccs, + (tnccs_constructor_t)tnccs_11_create); + free(this); +} + +/* + * see header file + */ +plugin_t *tnccs_11_plugin_create() +{ + tnccs_11_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->tnccs->add_method(charon->tnccs, TNCCS_1_1, + (tnccs_constructor_t)tnccs_11_create); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h new file mode 100644 index 000000000..619a073ad --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_11 tnccs_11 + * @ingroup cplugins + * + * @defgroup tnccs_11_plugin tnccs_11_plugin + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_11_PLUGIN_H_ +#define TNCCS_11_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnccs_11_plugin_t tnccs_11_plugin_t; + +/** + * EAP-TNC plugin + */ +struct tnccs_11_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNCCS_11_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am new file mode 100644 index 000000000..3018121e3 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/Makefile.am @@ -0,0 +1,21 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic + +libstrongswan_tnccs_20_la_LIBADD = -ltnc + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-tnccs-20.la +else +plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +endif + +libstrongswan_tnccs_20_la_SOURCES = \ + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + +libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version + diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in new file mode 100644 index 000000000..6101f91df --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/Makefile.in @@ -0,0 +1,607 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la +subdir = src/libcharon/plugins/tnccs_20 +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1) +am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo +libstrongswan_tnccs_20_la_OBJECTS = \ + $(am_libstrongswan_tnccs_20_la_OBJECTS) +libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_20_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnccs_20_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_tnccs_20_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_tnccs_20_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnccs_20_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ + `xml2-config --cflags` + +AM_CFLAGS = -rdynamic +libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1) +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +libstrongswan_tnccs_20_la_SOURCES = \ + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + +libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) + $(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c new file mode 100644 index 000000000..2bd1bc476 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -0,0 +1,103 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_20.h" + +#include <debug.h> + +static chunk_t tncc_output; + +typedef struct private_tnccs_20_t private_tnccs_20_t; + +/** + * Private data of a tnccs_20_t object. + */ +struct private_tnccs_20_t { + + /** + * Public tls_t interface. + */ + tls_t public; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; +}; + +METHOD(tls_t, process, status_t, + private_tnccs_20_t *this, void *buf, size_t buflen) +{ + return NEED_MORE; +} + +METHOD(tls_t, build, status_t, + private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + return ALREADY_DONE; +} + +METHOD(tls_t, is_server, bool, + private_tnccs_20_t *this) +{ + return this->is_server; +} + +METHOD(tls_t, get_purpose, tls_purpose_t, + private_tnccs_20_t *this) +{ + return TLS_PURPOSE_EAP_TNC; +} + +METHOD(tls_t, is_complete, bool, + private_tnccs_20_t *this) +{ + return FALSE; +} + +METHOD(tls_t, get_eap_msk, chunk_t, + private_tnccs_20_t *this) +{ + return chunk_empty; +} + +METHOD(tls_t, destroy, void, + private_tnccs_20_t *this) +{ + free(this); +} + +/** + * See header + */ +tls_t *tnccs_20_create(bool is_server) +{ + private_tnccs_20_t *this; + + INIT(this, + .public = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .is_server = is_server, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.h b/src/libcharon/plugins/tnccs_20/tnccs_20.h new file mode 100644 index 000000000..400d1dc12 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_20_h tnccs_20 + * @{ @ingroup tnccs_20 + */ + +#ifndef TNCCS_20_H_ +#define TNCCS_20_H_ + +#include <library.h> + +#include <tls.h> + +/** + * Create an instance of the TNC IF-TNCCS 2.0 protocol handler. + * + * @param is_server TRUE to act as TNC Server, FALSE for TNC Client + * @return TNC_IF_TNCCS 2.0 protocol stack + */ +tls_t *tnccs_20_create(bool is_server); + +#endif /** TNCCS_20_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c new file mode 100644 index 000000000..82c78f74c --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_20_plugin.h" +#include "tnccs_20.h" + +#include <daemon.h> + +METHOD(plugin_t, destroy, void, + tnccs_20_plugin_t *this) +{ + charon->tnccs->remove_method(charon->tnccs, + (tnccs_constructor_t)tnccs_20_create); + free(this); +} + +/* + * see header file + */ +plugin_t *tnccs_20_plugin_create() +{ + tnccs_20_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->tnccs->add_method(charon->tnccs, TNCCS_2_0, + (tnccs_constructor_t)tnccs_20_create); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h new file mode 100644 index 000000000..1c4ecf4c9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_20 tnccs_20 + * @ingroup cplugins + * + * @defgroup tnccs_20_plugin tnccs_20_plugin + * @{ @ingroup tnccs_20 + */ + +#ifndef TNCCS_20_PLUGIN_H_ +#define TNCCS_20_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct tnccs_20_plugin_t tnccs_20_plugin_t; + +/** + * EAP-TNC plugin + */ +struct tnccs_20_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNCCS_20_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index 934ab6080..9cb5f794a 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -196,14 +199,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -243,7 +256,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c index 3c4928be4..aee2505e3 100644 --- a/src/libcharon/plugins/uci/uci_control.c +++ b/src/libcharon/plugins/uci/uci_control.c @@ -294,7 +294,7 @@ uci_control_t *uci_control_create() { this->job = callback_job_create((callback_job_cb_t)receive, this, NULL, NULL); - charon->processor->queue_job(charon->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, (job_t*)this->job); } return &this->public; } diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 47850c1c5..47fff7e1d 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -202,14 +205,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -249,7 +262,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c index 3b00421f8..342194a4c 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_cert.c +++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c @@ -51,7 +51,7 @@ bool test_cert_x509() return FALSE; } - encoding = ca_cert->get_encoding(ca_cert); + ca_cert->get_encoding(ca_cert, CERT_ASN1_DER, &encoding); parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB_ASN1_DER, encoding, BUILD_END); @@ -81,7 +81,7 @@ bool test_cert_x509() return FALSE; } - encoding = peer_cert->get_encoding(peer_cert); + peer_cert->get_encoding(peer_cert, CERT_ASN1_DER, &encoding); parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB_ASN1_DER, encoding, BUILD_END); diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c index 59da15644..6ba5769b5 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c +++ b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c @@ -59,12 +59,12 @@ bool test_rsa_gen() return FALSE; } free(sig.ptr); - if (!public->encrypt(public, data, &crypt)) + if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt)) { DBG1(DBG_CFG, "encrypting data with RSA failed"); return FALSE; } - if (!private->decrypt(private, crypt, &plain)) + if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain)) { DBG1(DBG_CFG, "decrypting data with RSA failed"); return FALSE; @@ -110,7 +110,7 @@ bool test_rsa_load_any() public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, BUILD_BLOB_ASN1_DER, chunk, BUILD_END); - if (!public || public->get_keysize(public) != 256) + if (!public || public->get_keysize(public) != 2048) { return FALSE; } diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index ce233ad04..e93955d71 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) @@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -198,14 +201,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -245,7 +258,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index ea4a792c2..8e58b1a9b 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c @@ -18,6 +18,7 @@ #include "updown_listener.h" +#include <hydra.h> #include <daemon.h> #include <config/child_cfg.h> @@ -218,8 +219,8 @@ METHOD(listener_t, child_updown, bool, if (up) { - iface = charon->kernel_interface->get_interface( - charon->kernel_interface, me); + iface = hydra->kernel_interface->get_interface( + hydra->kernel_interface, me); if (iface) { cache_iface(this, child_sa->get_reqid(child_sa), iface); |