diff options
Diffstat (limited to 'src/libcharon')
68 files changed, 2267 insertions, 2079 deletions
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index f381860b9..d1fb33702 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -16,7 +16,6 @@ config/backend_manager.c config/backend_manager.h config/backend.h \ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ -config/proposal.c config/proposal.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 964a19ec8..25ac7972c 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -14,7 +14,6 @@ config/backend_manager.c config/backend_manager.h config/backend.h \ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ -config/proposal.c config/proposal.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ @@ -209,6 +208,13 @@ if MONOLITHIC endif endif +if USE_SAVE_KEYS + SUBDIRS += plugins/save_keys +if MONOLITHIC + libcharon_la_LIBADD += plugins/save_keys/libstrongswan-save-keys.la +endif +endif + if USE_SOCKET_DEFAULT SUBDIRS += plugins/socket_default if MONOLITHIC diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index d3cbb0fb6..6c39317fa 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -155,150 +155,152 @@ host_triplet = @host@ @USE_LOAD_TESTER_TRUE@am__append_6 = plugins/load_tester @MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_7 = plugins/load_tester/libstrongswan-load-tester.la -@USE_SOCKET_DEFAULT_TRUE@am__append_8 = plugins/socket_default -@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_9 = plugins/socket_default/libstrongswan-socket-default.la -@USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic -@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_11 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la -@USE_SOCKET_WIN_TRUE@am__append_12 = plugins/socket_win -@MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_13 = plugins/socket_win/libstrongswan-socket-win.la -@USE_CONNMARK_TRUE@am__append_14 = plugins/connmark -@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_15 = plugins/connmark/libstrongswan-connmark.la -@USE_BYPASS_LAN_TRUE@am__append_16 = plugins/bypass_lan -@MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE@am__append_17 = plugins/bypass_lan/libstrongswan-bypass-lan.la -@USE_FORECAST_TRUE@am__append_18 = plugins/forecast -@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_19 = plugins/forecast/libstrongswan-forecast.la -@USE_FARP_TRUE@am__append_20 = plugins/farp -@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_21 = plugins/farp/libstrongswan-farp.la -@USE_COUNTERS_TRUE@am__append_22 = plugins/counters -@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_23 = plugins/counters/libstrongswan-counters.la -@USE_STROKE_TRUE@am__append_24 = plugins/stroke -@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_25 = plugins/stroke/libstrongswan-stroke.la -@USE_VICI_TRUE@am__append_26 = plugins/vici -@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_27 = plugins/vici/libstrongswan-vici.la -@USE_SMP_TRUE@am__append_28 = plugins/smp -@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_29 = plugins/smp/libstrongswan-smp.la -@USE_SQL_TRUE@am__append_30 = plugins/sql -@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_31 = plugins/sql/libstrongswan-sql.la -@USE_DNSCERT_TRUE@am__append_32 = plugins/dnscert -@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_33 = plugins/dnscert/libstrongswan-dnscert.la -@USE_IPSECKEY_TRUE@am__append_34 = plugins/ipseckey -@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_35 = plugins/ipseckey/libstrongswan-ipseckey.la -@USE_UPDOWN_TRUE@am__append_36 = plugins/updown -@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_37 = plugins/updown/libstrongswan-updown.la -@USE_EXT_AUTH_TRUE@am__append_38 = plugins/ext_auth -@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_39 = plugins/ext_auth/libstrongswan-ext-auth.la -@USE_EAP_IDENTITY_TRUE@am__append_40 = plugins/eap_identity -@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_41 = plugins/eap_identity/libstrongswan-eap-identity.la -@USE_EAP_SIM_TRUE@am__append_42 = plugins/eap_sim -@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_43 = plugins/eap_sim/libstrongswan-eap-sim.la -@USE_EAP_SIM_FILE_TRUE@am__append_44 = plugins/eap_sim_file -@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_45 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIM_PCSC_TRUE@am__append_46 = plugins/eap_sim_pcsc -@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_47 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la -@USE_EAP_SIMAKA_SQL_TRUE@am__append_48 = plugins/eap_simaka_sql -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_49 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_50 = plugins/eap_simaka_pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_52 = plugins/eap_simaka_reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_53 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_54 = plugins/eap_aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_55 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP_TRUE@am__append_56 = plugins/eap_aka_3gpp -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_57 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_58 = plugins/eap_aka_3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_59 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_60 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_61 = plugins/eap_md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_62 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_63 = plugins/eap_gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_64 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_65 = plugins/eap_mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_66 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_DYNAMIC_TRUE@am__append_67 = plugins/eap_dynamic -@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_68 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la -@USE_EAP_RADIUS_TRUE@am__append_69 = plugins/eap_radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_70 = plugins/eap_radius/libstrongswan-eap-radius.la -@USE_EAP_TLS_TRUE@am__append_71 = plugins/eap_tls -@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_72 = plugins/eap_tls/libstrongswan-eap-tls.la -@USE_EAP_TTLS_TRUE@am__append_73 = plugins/eap_ttls -@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_74 = plugins/eap_ttls/libstrongswan-eap-ttls.la -@USE_EAP_PEAP_TRUE@am__append_75 = plugins/eap_peap -@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_76 = plugins/eap_peap/libstrongswan-eap-peap.la -@USE_EAP_TNC_TRUE@am__append_77 = plugins/eap_tnc -@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_78 = plugins/eap_tnc/libstrongswan-eap-tnc.la -@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_79 = $(top_builddir)/src/libtls/libtls.la -@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_80 = $(top_builddir)/src/libradius/libradius.la -@USE_TNC_IFMAP_TRUE@am__append_81 = plugins/tnc_ifmap -@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_82 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la -@USE_TNC_PDP_TRUE@am__append_83 = plugins/tnc_pdp -@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_84 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la -@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_85 = $(top_builddir)/src/libtnccs/libtnccs.la -@USE_MEDSRV_TRUE@am__append_86 = plugins/medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_87 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_88 = plugins/medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_89 = plugins/medcli/libstrongswan-medcli.la -@USE_DHCP_TRUE@am__append_90 = plugins/dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_91 = plugins/dhcp/libstrongswan-dhcp.la -@USE_OSX_ATTR_TRUE@am__append_92 = plugins/osx_attr -@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_93 = plugins/osx_attr/libstrongswan-osx-attr.la -@USE_P_CSCF_TRUE@am__append_94 = plugins/p_cscf -@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_95 = plugins/p_cscf/libstrongswan-p-cscf.la -@USE_ANDROID_DNS_TRUE@am__append_96 = plugins/android_dns -@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_97 = plugins/android_dns/libstrongswan-android-dns.la -@USE_ANDROID_LOG_TRUE@am__append_98 = plugins/android_log -@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_99 = plugins/android_log/libstrongswan-android-log.la -@USE_HA_TRUE@am__append_100 = plugins/ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_101 = plugins/ha/libstrongswan-ha.la -@USE_KERNEL_PFKEY_TRUE@am__append_102 = plugins/kernel_pfkey -@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_103 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la -@USE_KERNEL_PFROUTE_TRUE@am__append_104 = plugins/kernel_pfroute -@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_105 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la -@USE_KERNEL_NETLINK_TRUE@am__append_106 = plugins/kernel_netlink -@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_107 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la -@USE_KERNEL_LIBIPSEC_TRUE@am__append_108 = plugins/kernel_libipsec -@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_109 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la -@USE_KERNEL_WFP_TRUE@am__append_110 = plugins/kernel_wfp -@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_111 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la -@USE_KERNEL_IPH_TRUE@am__append_112 = plugins/kernel_iph -@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_113 = plugins/kernel_iph/libstrongswan-kernel-iph.la -@USE_WHITELIST_TRUE@am__append_114 = plugins/whitelist -@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_115 = plugins/whitelist/libstrongswan-whitelist.la -@USE_LOOKIP_TRUE@am__append_116 = plugins/lookip -@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_117 = plugins/lookip/libstrongswan-lookip.la -@USE_ERROR_NOTIFY_TRUE@am__append_118 = plugins/error_notify -@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_119 = plugins/error_notify/libstrongswan-error-notify.la -@USE_CERTEXPIRE_TRUE@am__append_120 = plugins/certexpire -@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_121 = plugins/certexpire/libstrongswan-certexpire.la -@USE_SYSTIME_FIX_TRUE@am__append_122 = plugins/systime_fix -@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_123 = plugins/systime_fix/libstrongswan-systime-fix.la -@USE_LED_TRUE@am__append_124 = plugins/led -@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_125 = plugins/led/libstrongswan-led.la -@USE_DUPLICHECK_TRUE@am__append_126 = plugins/duplicheck -@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_127 = plugins/duplicheck/libstrongswan-duplicheck.la -@USE_COUPLING_TRUE@am__append_128 = plugins/coupling -@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_129 = plugins/coupling/libstrongswan-coupling.la -@USE_RADATTR_TRUE@am__append_130 = plugins/radattr -@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_131 = plugins/radattr/libstrongswan-radattr.la -@USE_UCI_TRUE@am__append_132 = plugins/uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_133 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_134 = plugins/addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_135 = plugins/addrblock/libstrongswan-addrblock.la -@USE_UNITY_TRUE@am__append_136 = plugins/unity -@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_137 = plugins/unity/libstrongswan-unity.la -@USE_XAUTH_GENERIC_TRUE@am__append_138 = plugins/xauth_generic -@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_139 = plugins/xauth_generic/libstrongswan-xauth-generic.la -@USE_XAUTH_EAP_TRUE@am__append_140 = plugins/xauth_eap -@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_141 = plugins/xauth_eap/libstrongswan-xauth-eap.la -@USE_XAUTH_PAM_TRUE@am__append_142 = plugins/xauth_pam -@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_143 = plugins/xauth_pam/libstrongswan-xauth-pam.la -@USE_XAUTH_NOAUTH_TRUE@am__append_144 = plugins/xauth_noauth -@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_145 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la -@USE_RESOLVE_TRUE@am__append_146 = plugins/resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_147 = plugins/resolve/libstrongswan-resolve.la -@USE_ATTR_TRUE@am__append_148 = plugins/attr -@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_149 = plugins/attr/libstrongswan-attr.la -@USE_ATTR_SQL_TRUE@am__append_150 = plugins/attr_sql -@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_151 = plugins/attr_sql/libstrongswan-attr-sql.la +@USE_SAVE_KEYS_TRUE@am__append_8 = plugins/save_keys +@MONOLITHIC_TRUE@@USE_SAVE_KEYS_TRUE@am__append_9 = plugins/save_keys/libstrongswan-save-keys.la +@USE_SOCKET_DEFAULT_TRUE@am__append_10 = plugins/socket_default +@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_11 = plugins/socket_default/libstrongswan-socket-default.la +@USE_SOCKET_DYNAMIC_TRUE@am__append_12 = plugins/socket_dynamic +@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_13 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la +@USE_SOCKET_WIN_TRUE@am__append_14 = plugins/socket_win +@MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_15 = plugins/socket_win/libstrongswan-socket-win.la +@USE_CONNMARK_TRUE@am__append_16 = plugins/connmark +@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_17 = plugins/connmark/libstrongswan-connmark.la +@USE_BYPASS_LAN_TRUE@am__append_18 = plugins/bypass_lan +@MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE@am__append_19 = plugins/bypass_lan/libstrongswan-bypass-lan.la +@USE_FORECAST_TRUE@am__append_20 = plugins/forecast +@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_21 = plugins/forecast/libstrongswan-forecast.la +@USE_FARP_TRUE@am__append_22 = plugins/farp +@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_23 = plugins/farp/libstrongswan-farp.la +@USE_COUNTERS_TRUE@am__append_24 = plugins/counters +@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_25 = plugins/counters/libstrongswan-counters.la +@USE_STROKE_TRUE@am__append_26 = plugins/stroke +@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_27 = plugins/stroke/libstrongswan-stroke.la +@USE_VICI_TRUE@am__append_28 = plugins/vici +@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_29 = plugins/vici/libstrongswan-vici.la +@USE_SMP_TRUE@am__append_30 = plugins/smp +@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_31 = plugins/smp/libstrongswan-smp.la +@USE_SQL_TRUE@am__append_32 = plugins/sql +@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_33 = plugins/sql/libstrongswan-sql.la +@USE_DNSCERT_TRUE@am__append_34 = plugins/dnscert +@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_35 = plugins/dnscert/libstrongswan-dnscert.la +@USE_IPSECKEY_TRUE@am__append_36 = plugins/ipseckey +@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_37 = plugins/ipseckey/libstrongswan-ipseckey.la +@USE_UPDOWN_TRUE@am__append_38 = plugins/updown +@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_39 = plugins/updown/libstrongswan-updown.la +@USE_EXT_AUTH_TRUE@am__append_40 = plugins/ext_auth +@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_41 = plugins/ext_auth/libstrongswan-ext-auth.la +@USE_EAP_IDENTITY_TRUE@am__append_42 = plugins/eap_identity +@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_43 = plugins/eap_identity/libstrongswan-eap-identity.la +@USE_EAP_SIM_TRUE@am__append_44 = plugins/eap_sim +@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_45 = plugins/eap_sim/libstrongswan-eap-sim.la +@USE_EAP_SIM_FILE_TRUE@am__append_46 = plugins/eap_sim_file +@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_47 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la +@USE_EAP_SIM_PCSC_TRUE@am__append_48 = plugins/eap_sim_pcsc +@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_49 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_50 = plugins/eap_simaka_sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_52 = plugins/eap_simaka_pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_53 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_54 = plugins/eap_simaka_reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_55 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_56 = plugins/eap_aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_57 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP_TRUE@am__append_58 = plugins/eap_aka_3gpp +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_59 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_60 = plugins/eap_aka_3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_61 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_62 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_63 = plugins/eap_md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_64 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_65 = plugins/eap_gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_66 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_67 = plugins/eap_mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_68 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_DYNAMIC_TRUE@am__append_69 = plugins/eap_dynamic +@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_70 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la +@USE_EAP_RADIUS_TRUE@am__append_71 = plugins/eap_radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_72 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_EAP_TLS_TRUE@am__append_73 = plugins/eap_tls +@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_74 = plugins/eap_tls/libstrongswan-eap-tls.la +@USE_EAP_TTLS_TRUE@am__append_75 = plugins/eap_ttls +@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_76 = plugins/eap_ttls/libstrongswan-eap-ttls.la +@USE_EAP_PEAP_TRUE@am__append_77 = plugins/eap_peap +@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_78 = plugins/eap_peap/libstrongswan-eap-peap.la +@USE_EAP_TNC_TRUE@am__append_79 = plugins/eap_tnc +@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_80 = plugins/eap_tnc/libstrongswan-eap-tnc.la +@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_81 = $(top_builddir)/src/libtls/libtls.la +@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_82 = $(top_builddir)/src/libradius/libradius.la +@USE_TNC_IFMAP_TRUE@am__append_83 = plugins/tnc_ifmap +@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_84 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la +@USE_TNC_PDP_TRUE@am__append_85 = plugins/tnc_pdp +@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_86 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la +@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_87 = $(top_builddir)/src/libtnccs/libtnccs.la +@USE_MEDSRV_TRUE@am__append_88 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_89 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_90 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_91 = plugins/medcli/libstrongswan-medcli.la +@USE_DHCP_TRUE@am__append_92 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_93 = plugins/dhcp/libstrongswan-dhcp.la +@USE_OSX_ATTR_TRUE@am__append_94 = plugins/osx_attr +@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_95 = plugins/osx_attr/libstrongswan-osx-attr.la +@USE_P_CSCF_TRUE@am__append_96 = plugins/p_cscf +@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_97 = plugins/p_cscf/libstrongswan-p-cscf.la +@USE_ANDROID_DNS_TRUE@am__append_98 = plugins/android_dns +@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_99 = plugins/android_dns/libstrongswan-android-dns.la +@USE_ANDROID_LOG_TRUE@am__append_100 = plugins/android_log +@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_101 = plugins/android_log/libstrongswan-android-log.la +@USE_HA_TRUE@am__append_102 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_103 = plugins/ha/libstrongswan-ha.la +@USE_KERNEL_PFKEY_TRUE@am__append_104 = plugins/kernel_pfkey +@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_105 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la +@USE_KERNEL_PFROUTE_TRUE@am__append_106 = plugins/kernel_pfroute +@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_107 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la +@USE_KERNEL_NETLINK_TRUE@am__append_108 = plugins/kernel_netlink +@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_109 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la +@USE_KERNEL_LIBIPSEC_TRUE@am__append_110 = plugins/kernel_libipsec +@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_111 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la +@USE_KERNEL_WFP_TRUE@am__append_112 = plugins/kernel_wfp +@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_113 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la +@USE_KERNEL_IPH_TRUE@am__append_114 = plugins/kernel_iph +@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_115 = plugins/kernel_iph/libstrongswan-kernel-iph.la +@USE_WHITELIST_TRUE@am__append_116 = plugins/whitelist +@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_117 = plugins/whitelist/libstrongswan-whitelist.la +@USE_LOOKIP_TRUE@am__append_118 = plugins/lookip +@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_119 = plugins/lookip/libstrongswan-lookip.la +@USE_ERROR_NOTIFY_TRUE@am__append_120 = plugins/error_notify +@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_121 = plugins/error_notify/libstrongswan-error-notify.la +@USE_CERTEXPIRE_TRUE@am__append_122 = plugins/certexpire +@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_123 = plugins/certexpire/libstrongswan-certexpire.la +@USE_SYSTIME_FIX_TRUE@am__append_124 = plugins/systime_fix +@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_125 = plugins/systime_fix/libstrongswan-systime-fix.la +@USE_LED_TRUE@am__append_126 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_127 = plugins/led/libstrongswan-led.la +@USE_DUPLICHECK_TRUE@am__append_128 = plugins/duplicheck +@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_129 = plugins/duplicheck/libstrongswan-duplicheck.la +@USE_COUPLING_TRUE@am__append_130 = plugins/coupling +@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_131 = plugins/coupling/libstrongswan-coupling.la +@USE_RADATTR_TRUE@am__append_132 = plugins/radattr +@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_133 = plugins/radattr/libstrongswan-radattr.la +@USE_UCI_TRUE@am__append_134 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_135 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_136 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_137 = plugins/addrblock/libstrongswan-addrblock.la +@USE_UNITY_TRUE@am__append_138 = plugins/unity +@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_139 = plugins/unity/libstrongswan-unity.la +@USE_XAUTH_GENERIC_TRUE@am__append_140 = plugins/xauth_generic +@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_141 = plugins/xauth_generic/libstrongswan-xauth-generic.la +@USE_XAUTH_EAP_TRUE@am__append_142 = plugins/xauth_eap +@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_143 = plugins/xauth_eap/libstrongswan-xauth-eap.la +@USE_XAUTH_PAM_TRUE@am__append_144 = plugins/xauth_pam +@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_145 = plugins/xauth_pam/libstrongswan-xauth-pam.la +@USE_XAUTH_NOAUTH_TRUE@am__append_146 = plugins/xauth_noauth +@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_147 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la +@USE_RESOLVE_TRUE@am__append_148 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_149 = plugins/resolve/libstrongswan-resolve.la +@USE_ATTR_TRUE@am__append_150 = plugins/attr +@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_151 = plugins/attr/libstrongswan-attr.la +@USE_ATTR_SQL_TRUE@am__append_152 = plugins/attr_sql +@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_153 = plugins/attr_sql/libstrongswan-attr-sql.la subdir = src/libcharon ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -361,12 +363,12 @@ libcharon_la_DEPENDENCIES = \ $(am__append_41) $(am__append_43) $(am__append_45) \ $(am__append_47) $(am__append_49) $(am__append_51) \ $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_59) $(am__append_60) $(am__append_62) \ + $(am__append_59) $(am__append_61) $(am__append_62) \ $(am__append_64) $(am__append_66) $(am__append_68) \ $(am__append_70) $(am__append_72) $(am__append_74) \ - $(am__append_76) $(am__append_78) $(am__append_79) \ - $(am__append_80) $(am__append_82) $(am__append_84) \ - $(am__append_85) $(am__append_87) $(am__append_89) \ + $(am__append_76) $(am__append_78) $(am__append_80) \ + $(am__append_81) $(am__append_82) $(am__append_84) \ + $(am__append_86) $(am__append_87) $(am__append_89) \ $(am__append_91) $(am__append_93) $(am__append_95) \ $(am__append_97) $(am__append_99) $(am__append_101) \ $(am__append_103) $(am__append_105) $(am__append_107) \ @@ -377,7 +379,7 @@ libcharon_la_DEPENDENCIES = \ $(am__append_133) $(am__append_135) $(am__append_137) \ $(am__append_139) $(am__append_141) $(am__append_143) \ $(am__append_145) $(am__append_147) $(am__append_149) \ - $(am__append_151) + $(am__append_151) $(am__append_153) am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ attributes/attributes.h attributes/attribute_provider.h \ attributes/attribute_handler.h attributes/attribute_manager.c \ @@ -388,11 +390,11 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ bus/listeners/file_logger.h config/backend_manager.c \ config/backend_manager.h config/backend.h config/child_cfg.c \ config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ - config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h control/controller.c control/controller.h \ - daemon.c daemon.h encoding/generator.c encoding/generator.h \ - encoding/message.c encoding/message.h encoding/parser.c \ - encoding/parser.h encoding/payloads/auth_payload.c \ + config/peer_cfg.c config/peer_cfg.h control/controller.c \ + control/controller.h daemon.c daemon.h encoding/generator.c \ + encoding/generator.h encoding/message.c encoding/message.h \ + encoding/parser.c encoding/parser.h \ + encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ encoding/payloads/cert_payload.h \ @@ -609,10 +611,9 @@ am_libcharon_la_OBJECTS = attributes/attributes.lo \ attributes/attribute_manager.lo attributes/mem_pool.lo \ bus/bus.lo bus/listeners/file_logger.lo \ config/backend_manager.lo config/child_cfg.lo \ - config/ike_cfg.lo config/peer_cfg.lo config/proposal.lo \ - control/controller.lo daemon.lo encoding/generator.lo \ - encoding/message.lo encoding/parser.lo \ - encoding/payloads/auth_payload.lo \ + config/ike_cfg.lo config/peer_cfg.lo control/controller.lo \ + daemon.lo encoding/generator.lo encoding/message.lo \ + encoding/parser.lo encoding/payloads/auth_payload.lo \ encoding/payloads/cert_payload.lo \ encoding/payloads/certreq_payload.lo \ encoding/payloads/configuration_attribute.lo \ @@ -744,22 +745,23 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ - plugins/socket_dynamic plugins/socket_win plugins/connmark \ - plugins/bypass_lan plugins/forecast plugins/farp \ - plugins/counters plugins/stroke plugins/vici plugins/smp \ - plugins/sql plugins/dnscert plugins/ipseckey plugins/updown \ - plugins/ext_auth plugins/eap_identity plugins/eap_sim \ - plugins/eap_sim_file plugins/eap_sim_pcsc \ - plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ - plugins/eap_simaka_reauth plugins/eap_aka plugins/eap_aka_3gpp \ - plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \ - plugins/eap_mschapv2 plugins/eap_dynamic plugins/eap_radius \ - plugins/eap_tls plugins/eap_ttls plugins/eap_peap \ - plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \ - plugins/medsrv plugins/medcli plugins/dhcp plugins/osx_attr \ - plugins/p_cscf plugins/android_dns plugins/android_log \ - plugins/ha plugins/kernel_pfkey plugins/kernel_pfroute \ +DIST_SUBDIRS = . plugins/load_tester plugins/save_keys \ + plugins/socket_default plugins/socket_dynamic \ + plugins/socket_win plugins/connmark plugins/bypass_lan \ + plugins/forecast plugins/farp plugins/counters plugins/stroke \ + plugins/vici plugins/smp plugins/sql plugins/dnscert \ + plugins/ipseckey plugins/updown plugins/ext_auth \ + plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \ + plugins/eap_sim_pcsc plugins/eap_simaka_sql \ + plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \ + plugins/eap_aka plugins/eap_aka_3gpp plugins/eap_aka_3gpp2 \ + plugins/eap_md5 plugins/eap_gtc plugins/eap_mschapv2 \ + plugins/eap_dynamic plugins/eap_radius plugins/eap_tls \ + plugins/eap_ttls plugins/eap_peap plugins/eap_tnc \ + plugins/tnc_ifmap plugins/tnc_pdp plugins/medsrv \ + plugins/medcli plugins/dhcp plugins/osx_attr plugins/p_cscf \ + plugins/android_dns plugins/android_log plugins/ha \ + plugins/kernel_pfkey plugins/kernel_pfroute \ plugins/kernel_netlink plugins/kernel_libipsec \ plugins/kernel_wfp plugins/kernel_iph plugins/whitelist \ plugins/lookip plugins/error_notify plugins/certexpire \ @@ -1043,11 +1045,11 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \ bus/listeners/file_logger.h config/backend_manager.c \ config/backend_manager.h config/backend.h config/child_cfg.c \ config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ - config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h control/controller.c control/controller.h \ - daemon.c daemon.h encoding/generator.c encoding/generator.h \ - encoding/message.c encoding/message.h encoding/parser.c \ - encoding/parser.h encoding/payloads/auth_payload.c \ + config/peer_cfg.c config/peer_cfg.h control/controller.c \ + control/controller.h daemon.c daemon.h encoding/generator.c \ + encoding/generator.h encoding/message.c encoding/message.h \ + encoding/parser.c encoding/parser.h \ + encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ encoding/payloads/cert_payload.h \ @@ -1163,11 +1165,11 @@ libcharon_la_LIBADD = \ $(am__append_43) $(am__append_45) $(am__append_47) \ $(am__append_49) $(am__append_51) $(am__append_53) \ $(am__append_55) $(am__append_57) $(am__append_59) \ - $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_61) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_78) $(am__append_79) $(am__append_80) \ - $(am__append_82) $(am__append_84) $(am__append_85) \ + $(am__append_78) $(am__append_80) $(am__append_81) \ + $(am__append_82) $(am__append_84) $(am__append_86) \ $(am__append_87) $(am__append_89) $(am__append_91) \ $(am__append_93) $(am__append_95) $(am__append_97) \ $(am__append_99) $(am__append_101) $(am__append_103) \ @@ -1178,7 +1180,8 @@ libcharon_la_LIBADD = \ $(am__append_129) $(am__append_131) $(am__append_133) \ $(am__append_135) $(am__append_137) $(am__append_139) \ $(am__append_141) $(am__append_143) $(am__append_145) \ - $(am__append_147) $(am__append_149) $(am__append_151) + $(am__append_147) $(am__append_149) $(am__append_151) \ + $(am__append_153) EXTRA_DIST = Android.mk @STATIC_PLUGIN_CONSTRUCTORS_TRUE@BUILT_SOURCES = $(srcdir)/plugin_constructors.c @STATIC_PLUGIN_CONSTRUCTORS_TRUE@CLEANFILES = $(srcdir)/plugin_constructors.c @@ -1195,13 +1198,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_FALSE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_61) \ +@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_60) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \ @MONOLITHIC_FALSE@ $(am__append_75) $(am__append_77) \ -@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \ -@MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \ +@MONOLITHIC_FALSE@ $(am__append_79) $(am__append_83) \ +@MONOLITHIC_FALSE@ $(am__append_85) $(am__append_88) \ @MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_FALSE@ $(am__append_94) $(am__append_96) \ @MONOLITHIC_FALSE@ $(am__append_98) $(am__append_100) \ @@ -1217,7 +1220,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_FALSE@ $(am__append_142) $(am__append_144) \ @MONOLITHIC_FALSE@ $(am__append_146) $(am__append_148) \ -@MONOLITHIC_FALSE@ $(am__append_150) tests +@MONOLITHIC_FALSE@ $(am__append_150) $(am__append_152) tests # build optional plugins ######################## @@ -1234,13 +1237,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_TRUE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_61) \ +@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_60) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \ @MONOLITHIC_TRUE@ $(am__append_75) $(am__append_77) \ -@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \ -@MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \ +@MONOLITHIC_TRUE@ $(am__append_79) $(am__append_83) \ +@MONOLITHIC_TRUE@ $(am__append_85) $(am__append_88) \ @MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_TRUE@ $(am__append_94) $(am__append_96) \ @MONOLITHIC_TRUE@ $(am__append_98) $(am__append_100) \ @@ -1256,7 +1259,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_TRUE@ $(am__append_142) $(am__append_144) \ @MONOLITHIC_TRUE@ $(am__append_146) $(am__append_148) \ -@MONOLITHIC_TRUE@ $(am__append_150) . tests +@MONOLITHIC_TRUE@ $(am__append_150) $(am__append_152) . tests all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1367,8 +1370,6 @@ config/ike_cfg.lo: config/$(am__dirstamp) \ config/$(DEPDIR)/$(am__dirstamp) config/peer_cfg.lo: config/$(am__dirstamp) \ config/$(DEPDIR)/$(am__dirstamp) -config/proposal.lo: config/$(am__dirstamp) \ - config/$(DEPDIR)/$(am__dirstamp) control/$(am__dirstamp): @$(MKDIR_P) control @: > control/$(am__dirstamp) @@ -1784,7 +1785,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/child_cfg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/ike_cfg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/peer_cfg.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/proposal.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@control/$(DEPDIR)/controller.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@encoding/$(DEPDIR)/generator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@encoding/$(DEPDIR)/message.Plo@am__quote@ diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index ec2a12431..3d110e9a2 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -224,6 +224,10 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, while (prefer_enum->enumerate(prefer_enum, &proposal)) { proposal = proposal->clone(proposal); + if (strip_dh) + { + proposal->strip_dh(proposal, MODP_NONE); + } if (prefer_self) { proposals->reset_enumerator(proposals, match_enum); @@ -234,11 +238,13 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, } while (match_enum->enumerate(match_enum, &match)) { + match = match->clone(match); if (strip_dh) { - proposal->strip_dh(proposal, MODP_NONE); + match->strip_dh(match, MODP_NONE); } selected = proposal->select(proposal, match, prefer_self, private); + match->destroy(match); if (selected) { DBG2(DBG_CFG, "received proposals: %#P", proposals); diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 93904ec71..e2834fa8f 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -31,7 +31,7 @@ typedef struct child_cfg_create_t child_cfg_create_t; #include <library.h> #include <selectors/traffic_selector.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <kernel/kernel_ipsec.h> /** diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index 034996f60..81f2b6906 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -31,7 +31,7 @@ typedef struct ike_cfg_t ike_cfg_t; #include <networking/host.h> #include <collections/linked_list.h> #include <utils/identification.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <crypto/diffie_hellman.h> /** @@ -61,7 +61,7 @@ enum fragmentation_t { }; /** - * enum strings fro ike_version_t + * enum strings for ike_version_t */ extern enum_name_t *ike_version_names; diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index b294ae72f..6074a7cd4 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -32,7 +32,7 @@ typedef struct peer_cfg_create_t peer_cfg_create_t; #include <utils/identification.h> #include <collections/enumerator.h> #include <selectors/traffic_selector.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <config/ike_cfg.h> #include <config/child_cfg.h> #include <credentials/auth_cfg.h> diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c deleted file mode 100644 index 46c3c9400..000000000 --- a/src/libcharon/config/proposal.c +++ /dev/null @@ -1,1103 +0,0 @@ -/* - * Copyright (C) 2008-2016 Tobias Brunner - * Copyright (C) 2006-2010 Martin Willi - * Copyright (C) 2013-2015 Andreas Steffen - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <string.h> - -#include "proposal.h" - -#include <daemon.h> -#include <collections/array.h> -#include <utils/identification.h> - -#include <crypto/transform.h> -#include <crypto/prfs/prf.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> - -ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP, - "PROTO_NONE", - "IKE", - "AH", - "ESP", - "IPCOMP", -); - -typedef struct private_proposal_t private_proposal_t; - -/** - * Private data of an proposal_t object - */ -struct private_proposal_t { - - /** - * Public part - */ - proposal_t public; - - /** - * protocol (ESP or AH) - */ - protocol_id_t protocol; - - /** - * Priority ordered list of transforms, as entry_t - */ - array_t *transforms; - - /** - * senders SPI - */ - uint64_t spi; - - /** - * Proposal number - */ - u_int number; -}; - -/** - * Struct used to store different kinds of algorithms. - */ -typedef struct { - /** Type of the transform */ - transform_type_t type; - /** algorithm identifier */ - uint16_t alg; - /** key size in bits, or zero if not needed */ - uint16_t key_size; -} entry_t; - -METHOD(proposal_t, add_algorithm, void, - private_proposal_t *this, transform_type_t type, - uint16_t alg, uint16_t key_size) -{ - entry_t entry = { - .type = type, - .alg = alg, - .key_size = key_size, - }; - - array_insert(this->transforms, ARRAY_TAIL, &entry); -} - -CALLBACK(alg_filter, bool, - uintptr_t type, enumerator_t *orig, va_list args) -{ - entry_t *entry; - uint16_t *alg, *key_size; - - VA_ARGS_VGET(args, alg, key_size); - - while (orig->enumerate(orig, &entry)) - { - if (entry->type != type) - { - continue; - } - if (alg) - { - *alg = entry->alg; - } - if (key_size) - { - *key_size = entry->key_size; - } - return TRUE; - } - return FALSE; -} - -METHOD(proposal_t, create_enumerator, enumerator_t*, - private_proposal_t *this, transform_type_t type) -{ - return enumerator_create_filter( - array_create_enumerator(this->transforms), - alg_filter, (void*)(uintptr_t)type, NULL); -} - -METHOD(proposal_t, get_algorithm, bool, - private_proposal_t *this, transform_type_t type, - uint16_t *alg, uint16_t *key_size) -{ - enumerator_t *enumerator; - bool found = FALSE; - - enumerator = create_enumerator(this, type); - if (enumerator->enumerate(enumerator, alg, key_size)) - { - found = TRUE; - } - enumerator->destroy(enumerator); - - return found; -} - -METHOD(proposal_t, has_dh_group, bool, - private_proposal_t *this, diffie_hellman_group_t group) -{ - bool found = FALSE, any = FALSE; - enumerator_t *enumerator; - uint16_t current; - - enumerator = create_enumerator(this, DIFFIE_HELLMAN_GROUP); - while (enumerator->enumerate(enumerator, ¤t, NULL)) - { - any = TRUE; - if (current == group) - { - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - - if (!any && group == MODP_NONE) - { - found = TRUE; - } - return found; -} - -METHOD(proposal_t, strip_dh, void, - private_proposal_t *this, diffie_hellman_group_t keep) -{ - enumerator_t *enumerator; - entry_t *entry; - - enumerator = array_create_enumerator(this->transforms); - while (enumerator->enumerate(enumerator, &entry)) - { - if (entry->type == DIFFIE_HELLMAN_GROUP && - entry->alg != keep) - { - array_remove_at(this->transforms, enumerator); - } - } - enumerator->destroy(enumerator); -} - -/** - * Select a matching proposal from this and other, insert into selected. - */ -static bool select_algo(private_proposal_t *this, proposal_t *other, - proposal_t *selected, transform_type_t type, bool priv) -{ - enumerator_t *e1, *e2; - uint16_t alg1, alg2, ks1, ks2; - bool found = FALSE, optional = FALSE; - - if (type == INTEGRITY_ALGORITHM && - selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) && - encryption_algorithm_is_aead(alg1)) - { - /* no integrity algorithm required, we have an AEAD */ - return TRUE; - } - if (type == DIFFIE_HELLMAN_GROUP) - { - optional = this->protocol == PROTO_ESP || this->protocol == PROTO_AH; - } - - e1 = create_enumerator(this, type); - e2 = other->create_enumerator(other, type); - if (!e1->enumerate(e1, &alg1, NULL)) - { - if (!e2->enumerate(e2, &alg2, NULL)) - { - found = TRUE; - } - else if (optional) - { - do - { /* if NONE is proposed, we accept the proposal */ - found = !alg2; - } - while (!found && e2->enumerate(e2, &alg2, NULL)); - } - } - else if (!e2->enumerate(e2, NULL, NULL)) - { - if (optional) - { - do - { /* if NONE is proposed, we accept the proposal */ - found = !alg1; - } - while (!found && e1->enumerate(e1, &alg1, NULL)); - } - } - - e1->destroy(e1); - e1 = create_enumerator(this, type); - /* compare algs, order of algs in "first" is preferred */ - while (!found && e1->enumerate(e1, &alg1, &ks1)) - { - e2->destroy(e2); - e2 = other->create_enumerator(other, type); - while (e2->enumerate(e2, &alg2, &ks2)) - { - if (alg1 == alg2 && ks1 == ks2) - { - if (!priv && alg1 >= 1024) - { - /* accept private use algorithms only if requested */ - DBG1(DBG_CFG, "an algorithm from private space would match, " - "but peer implementation is unknown, skipped"); - continue; - } - selected->add_algorithm(selected, type, alg1, ks1); - found = TRUE; - break; - } - } - } - /* no match in all comparisons */ - e1->destroy(e1); - e2->destroy(e2); - - if (!found) - { - DBG2(DBG_CFG, " no acceptable %N found", transform_type_names, type); - } - return found; -} - -METHOD(proposal_t, select_proposal, proposal_t*, - private_proposal_t *this, proposal_t *other, bool other_remote, - bool private) -{ - proposal_t *selected; - - DBG2(DBG_CFG, "selecting proposal:"); - - if (this->protocol != other->get_protocol(other)) - { - DBG2(DBG_CFG, " protocol mismatch, skipping"); - return NULL; - } - - if (other_remote) - { - selected = proposal_create(this->protocol, other->get_number(other)); - selected->set_spi(selected, other->get_spi(other)); - } - else - { - selected = proposal_create(this->protocol, this->number); - selected->set_spi(selected, this->spi); - - } - - if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) || - !select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) || - !select_algo(this, other, selected, INTEGRITY_ALGORITHM, private) || - !select_algo(this, other, selected, DIFFIE_HELLMAN_GROUP, private) || - !select_algo(this, other, selected, EXTENDED_SEQUENCE_NUMBERS, private)) - { - selected->destroy(selected); - return NULL; - } - - DBG2(DBG_CFG, " proposal matches"); - return selected; -} - -METHOD(proposal_t, get_protocol, protocol_id_t, - private_proposal_t *this) -{ - return this->protocol; -} - -METHOD(proposal_t, set_spi, void, - private_proposal_t *this, uint64_t spi) -{ - this->spi = spi; -} - -METHOD(proposal_t, get_spi, uint64_t, - private_proposal_t *this) -{ - return this->spi; -} - -/** - * Check if two proposals have the same algorithms for a given transform type - */ -static bool algo_list_equals(private_proposal_t *this, proposal_t *other, - transform_type_t type) -{ - enumerator_t *e1, *e2; - uint16_t alg1, alg2, ks1, ks2; - bool equals = TRUE; - - e1 = create_enumerator(this, type); - e2 = other->create_enumerator(other, type); - while (e1->enumerate(e1, &alg1, &ks1)) - { - if (!e2->enumerate(e2, &alg2, &ks2)) - { - /* this has more algs */ - equals = FALSE; - break; - } - if (alg1 != alg2 || ks1 != ks2) - { - equals = FALSE; - break; - } - } - if (e2->enumerate(e2, &alg2, &ks2)) - { - /* other has more algs */ - equals = FALSE; - } - e1->destroy(e1); - e2->destroy(e2); - - return equals; -} - -METHOD(proposal_t, get_number, u_int, - private_proposal_t *this) -{ - return this->number; -} - -METHOD(proposal_t, equals, bool, - private_proposal_t *this, proposal_t *other) -{ - if (&this->public == other) - { - return TRUE; - } - return ( - algo_list_equals(this, other, ENCRYPTION_ALGORITHM) && - algo_list_equals(this, other, INTEGRITY_ALGORITHM) && - algo_list_equals(this, other, PSEUDO_RANDOM_FUNCTION) && - algo_list_equals(this, other, DIFFIE_HELLMAN_GROUP) && - algo_list_equals(this, other, EXTENDED_SEQUENCE_NUMBERS)); -} - -METHOD(proposal_t, clone_, proposal_t*, - private_proposal_t *this) -{ - private_proposal_t *clone; - enumerator_t *enumerator; - entry_t *entry; - - clone = (private_proposal_t*)proposal_create(this->protocol, 0); - - enumerator = array_create_enumerator(this->transforms); - while (enumerator->enumerate(enumerator, &entry)) - { - array_insert(clone->transforms, ARRAY_TAIL, entry); - } - enumerator->destroy(enumerator); - - clone->spi = this->spi; - clone->number = this->number; - - return &clone->public; -} - -/** - * Map integrity algorithms to the PRF functions using the same algorithm. - */ -static const struct { - integrity_algorithm_t integ; - pseudo_random_function_t prf; -} integ_prf_map[] = { - {AUTH_HMAC_SHA1_96, PRF_HMAC_SHA1 }, - {AUTH_HMAC_SHA1_160, PRF_HMAC_SHA1 }, - {AUTH_HMAC_SHA2_256_128, PRF_HMAC_SHA2_256 }, - {AUTH_HMAC_SHA2_384_192, PRF_HMAC_SHA2_384 }, - {AUTH_HMAC_SHA2_512_256, PRF_HMAC_SHA2_512 }, - {AUTH_HMAC_MD5_96, PRF_HMAC_MD5 }, - {AUTH_HMAC_MD5_128, PRF_HMAC_MD5 }, - {AUTH_AES_XCBC_96, PRF_AES128_XCBC }, - {AUTH_CAMELLIA_XCBC_96, PRF_CAMELLIA128_XCBC }, - {AUTH_AES_CMAC_96, PRF_AES128_CMAC }, -}; - -/** - * Remove all entries of the given transform type - */ -static void remove_transform(private_proposal_t *this, transform_type_t type) -{ - enumerator_t *e; - entry_t *entry; - - e = array_create_enumerator(this->transforms); - while (e->enumerate(e, &entry)) - { - if (entry->type == type) - { - array_remove_at(this->transforms, e); - } - } - e->destroy(e); -} - -/** - * Checks the proposal read from a string. - */ -static bool check_proposal(private_proposal_t *this) -{ - enumerator_t *e; - entry_t *entry; - uint16_t alg, ks; - bool all_aead = TRUE, any_aead = FALSE, any_enc = FALSE; - int i; - - if (this->protocol == PROTO_IKE) - { - if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL)) - { /* No explicit PRF found. We assume the same algorithm as used - * for integrity checking. */ - e = create_enumerator(this, INTEGRITY_ALGORITHM); - while (e->enumerate(e, &alg, &ks)) - { - for (i = 0; i < countof(integ_prf_map); i++) - { - if (alg == integ_prf_map[i].integ) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, - integ_prf_map[i].prf, 0); - break; - } - } - } - e->destroy(e); - } - if (!get_algorithm(this, PSEUDO_RANDOM_FUNCTION, NULL, NULL)) - { - DBG1(DBG_CFG, "a PRF algorithm is mandatory in IKE proposals"); - return FALSE; - } - /* remove MODP_NONE from IKE proposal */ - e = array_create_enumerator(this->transforms); - while (e->enumerate(e, &entry)) - { - if (entry->type == DIFFIE_HELLMAN_GROUP && !entry->alg) - { - array_remove_at(this->transforms, e); - } - } - e->destroy(e); - if (!get_algorithm(this, DIFFIE_HELLMAN_GROUP, NULL, NULL)) - { - DBG1(DBG_CFG, "a DH group is mandatory in IKE proposals"); - return FALSE; - } - } - else - { /* remove PRFs from ESP/AH proposals */ - remove_transform(this, PSEUDO_RANDOM_FUNCTION); - } - - if (this->protocol == PROTO_IKE || this->protocol == PROTO_ESP) - { - e = create_enumerator(this, ENCRYPTION_ALGORITHM); - while (e->enumerate(e, &alg, &ks)) - { - any_enc = TRUE; - if (encryption_algorithm_is_aead(alg)) - { - any_aead = TRUE; - continue; - } - all_aead = FALSE; - } - e->destroy(e); - - if (!any_enc) - { - DBG1(DBG_CFG, "an encryption algorithm is mandatory in %N proposals", - protocol_id_names, this->protocol); - return FALSE; - } - else if (any_aead && !all_aead) - { - DBG1(DBG_CFG, "classic and combined-mode (AEAD) encryption " - "algorithms can't be contained in the same %N proposal", - protocol_id_names, this->protocol); - return FALSE; - } - else if (all_aead) - { /* if all encryption algorithms in the proposal are AEADs, - * we MUST NOT propose any integrity algorithms */ - remove_transform(this, INTEGRITY_ALGORITHM); - } - } - else - { /* AES-GMAC is parsed as encryption algorithm, so we map that to the - * proper integrity algorithm */ - e = array_create_enumerator(this->transforms); - while (e->enumerate(e, &entry)) - { - if (entry->type == ENCRYPTION_ALGORITHM) - { - if (entry->alg == ENCR_NULL_AUTH_AES_GMAC) - { - entry->type = INTEGRITY_ALGORITHM; - ks = entry->key_size; - entry->key_size = 0; - switch (ks) - { - case 128: - entry->alg = AUTH_AES_128_GMAC; - continue; - case 192: - entry->alg = AUTH_AES_192_GMAC; - continue; - case 256: - entry->alg = AUTH_AES_256_GMAC; - continue; - default: - break; - } - } - /* remove all other encryption algorithms */ - array_remove_at(this->transforms, e); - } - } - e->destroy(e); - - if (!get_algorithm(this, INTEGRITY_ALGORITHM, NULL, NULL)) - { - DBG1(DBG_CFG, "an integrity algorithm is mandatory in AH " - "proposals"); - return FALSE; - } - } - - if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP) - { - if (!get_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NULL, NULL)) - { /* ESN not specified, assume not supported */ - add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); - } - } - - array_compress(this->transforms); - return TRUE; -} - -/** - * add a algorithm identified by a string to the proposal. - */ -static bool add_string_algo(private_proposal_t *this, const char *alg) -{ - const proposal_token_t *token; - - token = lib->proposal->get_token(lib->proposal, alg); - if (token == NULL) - { - DBG1(DBG_CFG, "algorithm '%s' not recognized", alg); - return FALSE; - } - - add_algorithm(this, token->type, token->algorithm, token->keysize); - - return TRUE; -} - -/** - * print all algorithms of a kind to buffer - */ -static int print_alg(private_proposal_t *this, printf_hook_data_t *data, - u_int kind, void *names, bool *first) -{ - enumerator_t *enumerator; - size_t written = 0; - uint16_t alg, size; - - enumerator = create_enumerator(this, kind); - while (enumerator->enumerate(enumerator, &alg, &size)) - { - if (*first) - { - written += print_in_hook(data, "%N", names, alg); - *first = FALSE; - } - else - { - written += print_in_hook(data, "/%N", names, alg); - } - if (size) - { - written += print_in_hook(data, "_%u", size); - } - } - enumerator->destroy(enumerator); - return written; -} - -/** - * Described in header. - */ -int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, - const void *const *args) -{ - private_proposal_t *this = *((private_proposal_t**)(args[0])); - linked_list_t *list = *((linked_list_t**)(args[0])); - enumerator_t *enumerator; - size_t written = 0; - bool first = TRUE; - - if (this == NULL) - { - return print_in_hook(data, "(null)"); - } - - if (spec->hash) - { - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &this)) - { /* call recursivly */ - if (first) - { - written += print_in_hook(data, "%P", this); - first = FALSE; - } - else - { - written += print_in_hook(data, ", %P", this); - } - } - enumerator->destroy(enumerator); - return written; - } - - written = print_in_hook(data, "%N:", protocol_id_names, this->protocol); - written += print_alg(this, data, ENCRYPTION_ALGORITHM, - encryption_algorithm_names, &first); - written += print_alg(this, data, INTEGRITY_ALGORITHM, - integrity_algorithm_names, &first); - written += print_alg(this, data, PSEUDO_RANDOM_FUNCTION, - pseudo_random_function_names, &first); - written += print_alg(this, data, DIFFIE_HELLMAN_GROUP, - diffie_hellman_group_names, &first); - written += print_alg(this, data, EXTENDED_SEQUENCE_NUMBERS, - extended_sequence_numbers_names, &first); - return written; -} - -METHOD(proposal_t, destroy, void, - private_proposal_t *this) -{ - array_destroy(this->transforms); - free(this); -} - -/* - * Described in header - */ -proposal_t *proposal_create(protocol_id_t protocol, u_int number) -{ - private_proposal_t *this; - - INIT(this, - .public = { - .add_algorithm = _add_algorithm, - .create_enumerator = _create_enumerator, - .get_algorithm = _get_algorithm, - .has_dh_group = _has_dh_group, - .strip_dh = _strip_dh, - .select = _select_proposal, - .get_protocol = _get_protocol, - .set_spi = _set_spi, - .get_spi = _get_spi, - .get_number = _get_number, - .equals = _equals, - .clone = _clone_, - .destroy = _destroy, - }, - .protocol = protocol, - .number = number, - .transforms = array_create(sizeof(entry_t), 0), - ); - - return &this->public; -} - -/** - * Add supported IKE algorithms to proposal - */ -static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) -{ - enumerator_t *enumerator; - encryption_algorithm_t encryption; - integrity_algorithm_t integrity; - pseudo_random_function_t prf; - diffie_hellman_group_t group; - const char *plugin_name; - - if (aead) - { - /* Round 1 adds algorithms with at least 128 bit security strength */ - enumerator = lib->crypto->create_aead_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { - switch (encryption) - { - case ENCR_AES_GCM_ICV16: - case ENCR_AES_CCM_ICV16: - case ENCR_CAMELLIA_CCM_ICV16: - /* we assume that we support all AES/Camellia sizes */ - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); - break; - case ENCR_CHACHA20_POLY1305: - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - /* Round 2 adds algorithms with less than 128 bit security strength */ - enumerator = lib->crypto->create_aead_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { - switch (encryption) - { - case ENCR_AES_GCM_ICV12: - case ENCR_AES_GCM_ICV8: - case ENCR_AES_CCM_ICV12: - case ENCR_AES_CCM_ICV8: - case ENCR_CAMELLIA_CCM_ICV12: - case ENCR_CAMELLIA_CCM_ICV8: - /* we assume that we support all AES/Camellia sizes */ - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - if (!array_count(this->transforms)) - { - return FALSE; - } - } - else - { - /* Round 1 adds algorithms with at least 128 bit security strength */ - enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { - switch (encryption) - { - case ENCR_AES_CBC: - case ENCR_AES_CTR: - case ENCR_CAMELLIA_CBC: - case ENCR_CAMELLIA_CTR: - /* we assume that we support all AES/Camellia sizes */ - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - /* Round 2 adds algorithms with less than 128 bit security strength */ - enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { - switch (encryption) - { - case ENCR_3DES: - add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0); - break; - case ENCR_DES: - /* no, thanks */ - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - if (!array_count(this->transforms)) - { - return FALSE; - } - - /* Round 1 adds algorithms with at least 128 bit security strength */ - enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) - { - switch (integrity) - { - case AUTH_HMAC_SHA2_256_128: - case AUTH_HMAC_SHA2_384_192: - case AUTH_HMAC_SHA2_512_256: - add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - /* Round 2 adds algorithms with less than 128 bit security strength */ - enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) - { - switch (integrity) - { - case AUTH_AES_XCBC_96: - case AUTH_AES_CMAC_96: - case AUTH_HMAC_SHA1_96: - add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); - break; - case AUTH_HMAC_MD5_96: - /* no, thanks */ - default: - break; - } - } - enumerator->destroy(enumerator); - } - - /* Round 1 adds algorithms with at least 128 bit security strength */ - enumerator = lib->crypto->create_prf_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &prf, &plugin_name)) - { - switch (prf) - { - case PRF_HMAC_SHA2_256: - case PRF_HMAC_SHA2_384: - case PRF_HMAC_SHA2_512: - case PRF_AES128_XCBC: - case PRF_AES128_CMAC: - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - /* Round 2 adds algorithms with less than 128 bit security strength */ - enumerator = lib->crypto->create_prf_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &prf, &plugin_name)) - { - switch (prf) - { - case PRF_HMAC_SHA1: - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); - break; - case PRF_HMAC_MD5: - /* no, thanks */ - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - /* Round 1 adds ECC and NTRU algorithms with at least 128 bit security strength */ - enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group, &plugin_name)) - { - switch (group) - { - case ECP_256_BIT: - case ECP_384_BIT: - case ECP_521_BIT: - case ECP_256_BP: - case ECP_384_BP: - case ECP_512_BP: - case CURVE_25519: - case CURVE_448: - case NTRU_128_BIT: - case NTRU_192_BIT: - case NTRU_256_BIT: - case NH_128_BIT: - add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - /* Round 2 adds other algorithms with at least 128 bit security strength */ - enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group, &plugin_name)) - { - switch (group) - { - case MODP_3072_BIT: - case MODP_4096_BIT: - case MODP_8192_BIT: - add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - /* Round 3 adds algorithms with less than 128 bit security strength */ - enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group, &plugin_name)) - { - switch (group) - { - case MODP_NULL: - /* only for testing purposes */ - break; - case MODP_768_BIT: - case MODP_1024_BIT: - case MODP_1536_BIT: - /* weak */ - break; - case MODP_1024_160: - case MODP_2048_224: - case MODP_2048_256: - /* RFC 5114 primes are of questionable source */ - break; - case ECP_224_BIT: - case ECP_224_BP: - case ECP_192_BIT: - case NTRU_112_BIT: - /* rarely used */ - break; - case MODP_2048_BIT: - add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); - break; - default: - break; - } - } - enumerator->destroy(enumerator); - - return TRUE; -} - -/* - * Described in header - */ -proposal_t *proposal_create_default(protocol_id_t protocol) -{ - private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); - - switch (protocol) - { - case PROTO_IKE: - if (!proposal_add_supported_ike(this, FALSE)) - { - destroy(this); - return NULL; - } - break; - case PROTO_ESP: - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); - break; - case PROTO_AH: - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); - break; - default: - break; - } - return &this->public; -} - -/* - * Described in header - */ -proposal_t *proposal_create_default_aead(protocol_id_t protocol) -{ - private_proposal_t *this; - - switch (protocol) - { - case PROTO_IKE: - this = (private_proposal_t*)proposal_create(protocol, 0); - if (!proposal_add_supported_ike(this, TRUE)) - { - destroy(this); - return NULL; - } - return &this->public; - case PROTO_ESP: - /* we currently don't include any AEAD proposal for ESP, as we - * don't know if our kernel backend actually supports it. */ - return NULL; - case PROTO_AH: - default: - return NULL; - } -} - -/* - * Described in header - */ -proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs) -{ - private_proposal_t *this; - enumerator_t *enumerator; - bool failed = TRUE; - char *alg; - - this = (private_proposal_t*)proposal_create(protocol, 0); - - /* get all tokens, separated by '-' */ - enumerator = enumerator_create_token(algs, "-", " "); - while (enumerator->enumerate(enumerator, &alg)) - { - if (!add_string_algo(this, alg)) - { - failed = TRUE; - break; - } - failed = FALSE; - } - enumerator->destroy(enumerator); - - if (failed || !check_proposal(this)) - { - destroy(this); - return NULL; - } - - return &this->public; -} diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h deleted file mode 100644 index 0dc70f4c5..000000000 --- a/src/libcharon/config/proposal.h +++ /dev/null @@ -1,237 +0,0 @@ -/* - * Copyright (C) 2009-2016 Tobias Brunner - * Copyright (C) 2006 Martin Willi - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup proposal proposal - * @{ @ingroup config - */ - -#ifndef PROPOSAL_H_ -#define PROPOSAL_H_ - -typedef enum protocol_id_t protocol_id_t; -typedef enum extended_sequence_numbers_t extended_sequence_numbers_t; -typedef struct proposal_t proposal_t; - -#include <library.h> -#include <utils/identification.h> -#include <collections/linked_list.h> -#include <networking/host.h> -#include <crypto/transform.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> -#include <crypto/diffie_hellman.h> -#include <selectors/traffic_selector.h> - -/** - * Protocol ID of a proposal. - */ -enum protocol_id_t { - PROTO_NONE = 0, - PROTO_IKE = 1, - PROTO_AH = 2, - PROTO_ESP = 3, - PROTO_IPCOMP = 4, /* IKEv1 only */ -}; - -/** - * enum names for protocol_id_t - */ -extern enum_name_t *protocol_id_names; - -/** - * Stores a set of algorithms used for an SA. - * - * A proposal stores algorithms for a specific - * protocol. It can store algorithms for one protocol. - * Proposals with multiple protocols are not supported, - * as it's not specified in RFC4301 anymore. - */ -struct proposal_t { - - /** - * Add an algorithm to the proposal. - * - * The algorithms are stored by priority, first added - * is the most preferred. - * Key size is only needed for encryption algorithms - * with variable key size (such as AES). Must be set - * to zero if key size is not specified. - * The alg parameter accepts encryption_algorithm_t, - * integrity_algorithm_t, dh_group_number_t and - * extended_sequence_numbers_t. - * - * @param type kind of algorithm - * @param alg identifier for algorithm - * @param key_size key size to use - */ - void (*add_algorithm) (proposal_t *this, transform_type_t type, - uint16_t alg, uint16_t key_size); - - /** - * Get an enumerator over algorithms for a specific algo type. - * - * @param type kind of algorithm - * @return enumerator over uint16_t alg, uint16_t key_size - */ - enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type); - - /** - * Get the algorithm for a type to use. - * - * If there are multiple algorithms, only the first is returned. - * - * @param type kind of algorithm - * @param alg pointer which receives algorithm - * @param key_size pointer which receives the key size - * @return TRUE if algorithm of this kind available - */ - bool (*get_algorithm) (proposal_t *this, transform_type_t type, - uint16_t *alg, uint16_t *key_size); - - /** - * Check if the proposal has a specific DH group. - * - * @param group group to check for - * @return TRUE if algorithm included - */ - bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group); - - /** - * Strip DH groups from proposal to use it without PFS. - * - * @param keep group to keep (MODP_NONE to remove all) - */ - void (*strip_dh)(proposal_t *this, diffie_hellman_group_t keep); - - /** - * Compare two proposal, and select a matching subset. - * - * If the proposals are for the same protocols (AH/ESP), they are - * compared. If they have at least one algorithm of each type - * in common, a resulting proposal of this kind is created. - * - * @param other proposal to compare against - * @param other_remote whether other is the remote proposal from which to - * copy SPI and proposal number to the result, - * otherwise copy from this proposal - * @param private accepts algorithms allocated in a private range - * @return selected proposal, NULL if proposals don't match - */ - proposal_t *(*select)(proposal_t *this, proposal_t *other, - bool other_remote, bool private); - - /** - * Get the protocol ID of the proposal. - * - * @return protocol of the proposal - */ - protocol_id_t (*get_protocol) (proposal_t *this); - - /** - * Get the SPI of the proposal. - * - * @return spi for proto - */ - uint64_t (*get_spi) (proposal_t *this); - - /** - * Set the SPI of the proposal. - * - * @param spi spi to set for proto - */ - void (*set_spi) (proposal_t *this, uint64_t spi); - - /** - * Get the proposal number, as encoded in SA payload - * - * @return proposal number - */ - u_int (*get_number)(proposal_t *this); - - /** - * Check for the eqality of two proposals. - * - * @param other other proposal to check for equality - * @return TRUE if other equal to this - */ - bool (*equals)(proposal_t *this, proposal_t *other); - - /** - * Clone a proposal. - * - * @return clone of proposal - */ - proposal_t *(*clone) (proposal_t *this); - - /** - * Destroys the proposal object. - */ - void (*destroy) (proposal_t *this); -}; - -/** - * Create a child proposal for AH, ESP or IKE. - * - * @param protocol protocol, such as PROTO_ESP - * @param number proposal number, as encoded in SA payload - * @return proposal_t object - */ -proposal_t *proposal_create(protocol_id_t protocol, u_int number); - -/** - * Create a default proposal if nothing further specified. - * - * @param protocol protocol, such as PROTO_ESP - * @return proposal_t object - */ -proposal_t *proposal_create_default(protocol_id_t protocol); - -/** - * Create a default proposal for supported AEAD algorithms - * - * @param protocol protocol, such as PROTO_ESP - * @return proposal_t object, NULL if none supported - */ -proposal_t *proposal_create_default_aead(protocol_id_t protocol); - -/** - * Create a proposal from a string identifying the algorithms. - * - * The string is in the same form as a in the ipsec.conf file. - * E.g.: aes128-sha2_256-modp2048 - * 3des-md5 - * An additional '!' at the end of the string forces this proposal, - * without it the peer may choose another algorithm we support. - * - * @param protocol protocol, such as PROTO_ESP - * @param algs algorithms as string - * @return proposal_t object - */ -proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs); - -/** - * printf hook function for proposal_t. - * - * Arguments are: - * proposal_t *proposal - * With the #-specifier, arguments are: - * linked_list_t *list containing proposal_t* - */ -int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, - const void *const *args); - -#endif /** PROPOSAL_H_ @}*/ diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 7c9f83d12..e4b819710 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -55,7 +55,6 @@ #include <bus/listeners/sys_logger.h> #include <bus/listeners/file_logger.h> #include <collections/array.h> -#include <config/proposal.h> #include <plugins/plugin_feature.h> #include <kernel/kernel_handler.h> #include <processing/jobs/start_action_job.h> @@ -989,11 +988,6 @@ bool libcharon_init() dbg_old = dbg; dbg = dbg_bus; - lib->printf_hook->add_handler(lib->printf_hook, 'P', - proposal_printf_hook, - PRINTF_HOOK_ARGTYPE_POINTER, - PRINTF_HOOK_ARGTYPE_END); - if (lib->integrity && !lib->integrity->check(lib->integrity, "libcharon", libcharon_init)) { diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h index 375530776..9c7fe8979 100644 --- a/src/libcharon/encoding/generator.h +++ b/src/libcharon/encoding/generator.h @@ -35,8 +35,8 @@ typedef struct generator_t generator_t; * method. The generated bytes are appended. After all payloads are added, * the write_to_chunk method writes out all generated data since * the creation of the generator. - * The generater uses a set of encoding rules, which it can get from - * the supplied payload. With this rules, the generater can generate + * The generator uses a set of encoding rules, which it can get from + * the supplied payload. With this rules, the generator can generate * the payload and all substructures automatically. */ struct generator_t { diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index 6d850aac0..735526e3c 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -657,6 +657,7 @@ static payload_rule_t quick_mode_i_rules[] = { {PLV1_ID, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA_DRAFT_00_03, 0, 2, TRUE, FALSE}, + {PLV1_FRAGMENT, 0, 1, FALSE, TRUE}, }; /** @@ -673,6 +674,7 @@ static payload_order_t quick_mode_i_order[] = { {PLV1_ID, 0}, {PLV1_NAT_OA, 0}, {PLV1_NAT_OA_DRAFT_00_03, 0}, + {PLV1_FRAGMENT, 0}, }; /** @@ -689,6 +691,7 @@ static payload_rule_t quick_mode_r_rules[] = { {PLV1_ID, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA_DRAFT_00_03, 0, 2, TRUE, FALSE}, + {PLV1_FRAGMENT, 0, 1, FALSE, TRUE}, }; /** @@ -705,6 +708,7 @@ static payload_order_t quick_mode_r_order[] = { {PLV1_ID, 0}, {PLV1_NAT_OA, 0}, {PLV1_NAT_OA_DRAFT_00_03, 0}, + {PLV1_FRAGMENT, 0}, }; /** diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h index 796c10890..cad597e58 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.h +++ b/src/libcharon/encoding/payloads/proposal_substructure.h @@ -29,7 +29,7 @@ typedef struct proposal_substructure_t proposal_substructure_t; #include <library.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/transform_substructure.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <collections/linked_list.h> #include <kernel/kernel_ipsec.h> #include <sa/authenticator.h> diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index cb75f1ea7..a9d4f9f7d 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h @@ -32,7 +32,7 @@ typedef struct transform_substructure_t transform_substructure_t; #include <crypto/signers/signer.h> #include <crypto/prfs/prf.h> #include <crypto/crypters/crypter.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** * IKEv1 Value for a transform payload. diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c index 3d736b25b..91ca259ef 100644 --- a/src/libcharon/kernel/kernel_interface.c +++ b/src/libcharon/kernel/kernel_interface.c @@ -351,7 +351,7 @@ METHOD(kernel_interface_t, alloc_reqid, status_t, if (entry) { /* we don't require a traffic selector match for explicit reqids, - * as we wan't to reuse a reqid for trap-triggered policies that + * as we want to reuse a reqid for trap-triggered policies that * got narrowed during negotiation. */ reqid_entry_destroy(tmpl); } diff --git a/src/libcharon/plugins/certexpire/certexpire_cron.h b/src/libcharon/plugins/certexpire/certexpire_cron.h index 0d6623d7f..3e1005b23 100644 --- a/src/libcharon/plugins/certexpire/certexpire_cron.h +++ b/src/libcharon/plugins/certexpire/certexpire_cron.h @@ -38,7 +38,7 @@ struct certexpire_cron_t { /** * Destroy a certexpire_cron_t. * - * It currently is not possible to savely cancel a cron job. Make sure + * It currently is not possible to safely cancel a cron job. Make sure * any scheduled jobs have been canceled before cleaning up. */ void (*destroy)(certexpire_cron_t *this); diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 58bbc2edd..8188bb764 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -92,7 +92,7 @@ static void destroy_attr(attr_t *this) * Hashtable entry with leases and attributes */ typedef struct { - /** IKE_SA uniqe id we assign the IP lease */ + /** IKE_SA unique id we assign the IP lease */ uintptr_t id; /** list of IP leases received from AAA, as host_t */ linked_list_t *addrs; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c index 0fea50919..705fb188d 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c @@ -72,7 +72,7 @@ struct private_eap_radius_xauth_t { xauth_round_t round; /** - * Concatentated password of all rounds + * Concatenated password of all rounds */ chunk_t pass; }; diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 0e83b1642..fb8d22915 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -335,7 +335,7 @@ METHOD(listener_t, message_hook, bool, chunk_t iv; /* we need the last block (or expected next IV) of Phase 1, which gets - * upated after successful en-/decryption depending on direction */ + * updated after successful en-/decryption depending on direction */ if (incoming == plain) { if (message->get_message_id(message) == 0) diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index e41e78bbf..d23e45e0b 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -52,6 +53,11 @@ struct private_ha_socket_t { * remote host to receive/send to */ host_t *remote; + + /** + * Receive buffer size + */ + u_int buflen; }; /** @@ -120,13 +126,26 @@ METHOD(ha_socket_t, pull, ha_message_t*, while (TRUE) { ha_message_t *message; - char buf[1024]; + char buf[this->buflen]; + struct iovec iov = { + .iov_base = buf, + .iov_len = this->buflen, + }; + struct msghdr msg = { + .msg_iov = &iov, + .msg_iovlen = 1, + }; bool oldstate; ssize_t len; oldstate = thread_cancelability(TRUE); - len = recv(this->fd, buf, sizeof(buf), 0); + len = recvmsg(this->fd, &msg, 0); thread_cancelability(oldstate); + if (msg.msg_flags & MSG_TRUNC) + { + DBG1(DBG_CFG, "HA message exceeds receive buffer"); + continue; + } if (len <= 0) { switch (errno) @@ -208,6 +227,8 @@ ha_socket_t *ha_socket_create(char *local, char *remote) }, .local = host_create_from_dns(local, 0, HA_PORT), .remote = host_create_from_dns(remote, 0, HA_PORT), + .buflen = lib->settings->get_int(lib->settings, + "%s.plugins.ha.buflen", 2048, lib->ns), .fd = -1, ); diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c index a21d0ae7f..c3f92f500 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -78,6 +78,9 @@ #define ROUTING_TABLE_PRIO 0 #endif +/** multicast groups (for groups > 31 setsockopt has to be used) */ +#define nl_group(group) (1 << (group - 1)) + ENUM(rt_msg_names, RTM_NEWLINK, RTM_GETRULE, "RTM_NEWLINK", "RTM_DELLINK", @@ -473,6 +476,11 @@ struct private_kernel_netlink_net_t { bool process_route; /** + * whether to react to RTM_NEWRULE or RTM_DELRULE events + */ + bool process_rules; + + /** * whether to trigger roam events */ bool roam_events; @@ -1452,6 +1460,45 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h } /** + * process RTM_NEW|DELRULE from kernel + */ +static void process_rule(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr) +{ +#ifdef HAVE_LINUX_FIB_RULES_H + struct rtmsg* msg = NLMSG_DATA(hdr); + struct rtattr *rta = RTM_RTA(msg); + size_t rtasize = RTM_PAYLOAD(hdr); + uint32_t table = 0; + + /* ignore rules added by us or in the local routing table (local addrs) */ + if (msg->rtm_table && (msg->rtm_table == this->routing_table || + msg->rtm_table == RT_TABLE_LOCAL)) + { + return; + } + + while (RTA_OK(rta, rtasize)) + { + switch (rta->rta_type) + { + case FRA_TABLE: + if (RTA_PAYLOAD(rta) == sizeof(table)) + { + table = *(uint32_t*)RTA_DATA(rta); + } + break; + } + rta = RTA_NEXT(rta, rtasize); + } + if (table && table == this->routing_table) + { /* also check against extended table ID */ + return; + } + fire_roam_event(this, FALSE); +#endif +} + +/** * Receives events from kernel */ static bool receive_events(private_kernel_netlink_net_t *this, int fd, @@ -1508,6 +1555,13 @@ static bool receive_events(private_kernel_netlink_net_t *this, int fd, process_route(this, hdr); } break; + case RTM_NEWRULE: + case RTM_DELRULE: + if (this->process_rules) + { + process_rule(this, hdr); + } + break; default: break; } @@ -2333,7 +2387,9 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type if (ip->get_family(ip) == AF_INET6) { +#ifdef IFA_F_NODAD msg->ifa_flags |= IFA_F_NODAD; +#endif if (this->rta_prefsrc_for_ipv6) { /* if source routes are possible we let the virtual IP get @@ -2983,6 +3039,8 @@ kernel_netlink_net_t *kernel_netlink_net_create() "%s.prefer_temporary_addrs", FALSE, lib->ns), .roam_events = lib->settings->get_bool(lib->settings, "%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns), + .process_rules = lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.process_rules", FALSE, lib->ns), .mtu = lib->settings->get_int(lib->settings, "%s.plugins.kernel-netlink.mtu", 0, lib->ns), .mss = lib->settings->get_int(lib->settings, @@ -3035,8 +3093,19 @@ kernel_netlink_net_t *kernel_netlink_net_create() destroy(this); return NULL; } - addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | - RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK; + addr.nl_groups = nl_group(RTNLGRP_IPV4_IFADDR) | + nl_group(RTNLGRP_IPV6_IFADDR) | + nl_group(RTNLGRP_LINK); + if (this->process_route) + { + addr.nl_groups |= nl_group(RTNLGRP_IPV4_ROUTE) | + nl_group(RTNLGRP_IPV6_ROUTE); + } + if (this->process_rules) + { + addr.nl_groups |= nl_group(RTNLGRP_IPV4_RULE) | + nl_group(RTNLGRP_IPV6_RULE); + } if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr))) { DBG1(DBG_KNL, "unable to bind RT event socket: %s (%d)", diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 710107889..79abe587a 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1752,13 +1752,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t, #ifdef SADB_X_EXT_SA_REPLAY if (data->inbound) { - struct sadb_x_sa_replay *replay; + struct sadb_x_sa_replay *repl; - replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg); - replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY; - replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay)); - replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32); - PFKEY_EXT_ADD(msg, replay); + repl = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg); + repl->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; + repl->sadb_x_sa_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay)); + repl->sadb_x_sa_replay_replay = min(data->replay_window, UINT32_MAX-32); + PFKEY_EXT_ADD(msg, repl); } #endif diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index 774fcf5c8..0f36e7be3 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -1982,7 +1982,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi) { - /* To avoid sequencial SPIs, we use a one-to-one permuation function on + /* To avoid sequential SPIs, we use a one-to-one permutation function on * an incrementing counter, that is a full period PRNG for the range we * allocate SPIs in. We add some randomness using a fixed XOR and start * the counter at random position. This is not cryptographically safe, diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c index a6c32d65d..8324dd14f 100644 --- a/src/libcharon/plugins/lookip/lookip_plugin.c +++ b/src/libcharon/plugins/lookip/lookip_plugin.c @@ -33,7 +33,7 @@ struct private_lookip_plugin_t { lookip_plugin_t public; /** - * Listener collecting virtual IP assignements + * Listener collecting virtual IP assignments */ lookip_listener_t *listener; diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c index e7a627b93..6f19a03d5 100644 --- a/src/libcharon/plugins/osx_attr/osx_attr_handler.c +++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c @@ -150,7 +150,7 @@ static bool manage_dns(private_osx_attr_handler_t *this, if (add) { if (!this->append && !this->original) - { /* backup orignal config, start with empty set */ + { /* backup original config, start with empty set */ this->original = arr; arr = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); } diff --git a/src/libcharon/plugins/save_keys/Makefile.am b/src/libcharon/plugins/save_keys/Makefile.am new file mode 100644 index 000000000..a41668bb5 --- /dev/null +++ b/src/libcharon/plugins/save_keys/Makefile.am @@ -0,0 +1,18 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-save-keys.la +else +plugin_LTLIBRARIES = libstrongswan-save-keys.la +endif + +libstrongswan_save_keys_la_SOURCES = \ + save_keys_plugin.h save_keys_plugin.c \ + save_keys_listener.c save_keys_listener.h + +libstrongswan_save_keys_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/save_keys/Makefile.in b/src/libcharon/plugins/save_keys/Makefile.in new file mode 100644 index 000000000..a56d8eacd --- /dev/null +++ b/src/libcharon/plugins/save_keys/Makefile.in @@ -0,0 +1,803 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/save_keys +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_save_keys_la_LIBADD = +am_libstrongswan_save_keys_la_OBJECTS = save_keys_plugin.lo \ + save_keys_listener.lo +libstrongswan_save_keys_la_OBJECTS = \ + $(am_libstrongswan_save_keys_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_save_keys_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_save_keys_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_save_keys_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_save_keys_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_save_keys_la_SOURCES) +DIST_SOURCES = $(libstrongswan_save_keys_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +ATOMICLIB = @ATOMICLIB@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ +runstatedir = @runstatedir@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-save-keys.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-save-keys.la +libstrongswan_save_keys_la_SOURCES = \ + save_keys_plugin.h save_keys_plugin.c \ + save_keys_listener.c save_keys_listener.h + +libstrongswan_save_keys_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/save_keys/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/save_keys/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-save-keys.la: $(libstrongswan_save_keys_la_OBJECTS) $(libstrongswan_save_keys_la_DEPENDENCIES) $(EXTRA_libstrongswan_save_keys_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_save_keys_la_LINK) $(am_libstrongswan_save_keys_la_rpath) $(libstrongswan_save_keys_la_OBJECTS) $(libstrongswan_save_keys_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/save_keys_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/save_keys_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.c b/src/libcharon/plugins/save_keys/save_keys_listener.c new file mode 100644 index 000000000..fc16f20e6 --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_listener.c @@ -0,0 +1,435 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#define _GNU_SOURCE + +#include "save_keys_listener.h" + +#include <stdio.h> +#include <inttypes.h> +#include <errno.h> + +#include <daemon.h> + +typedef struct private_save_keys_listener_t private_save_keys_listener_t; +typedef struct algo_map_t algo_map_t; + +/** + * Name for IKEv1 decryption table file + */ +static char *ikev1_name = "ikev1_decryption_table"; + +/** + * Name for IKEv2 decryption table file + */ +static char *ikev2_name = "ikev2_decryption_table"; + +/** + * Name for esp decryption table file + */ +static char *esp_name = "esp_sa"; + +/** + * Private data. + */ +struct private_save_keys_listener_t { + + /** + * Public interface. + */ + save_keys_listener_t public; + + /** + * Path to the directory where the decryption tables will be stored. + */ + char *path; + + /** + * Whether to save IKE keys + */ + bool ike; + + /** + * Whether to save ESP keys + */ + bool esp; +}; + +METHOD(save_keys_listener_t, destroy, void, + private_save_keys_listener_t *this) +{ + free(this); +} + +/** + * Mapping strongSwan identifiers to Wireshark names + */ +struct algo_map_t { + + /** + * IKE identifier + */ + const uint16_t ike; + + /** + * Optional key length + */ + const int key_len; + + /** + * Name of the algorithm in wireshark + */ + const char *name; +}; + +/** + * Map an algorithm identifier to a name + */ +static inline const char *algo_name(algo_map_t *map, int count, + uint16_t alg, int key_len) +{ + int i; + + for (i = 0; i < count; i++) + { + if (map[i].ike == alg) + { + if (map[i].key_len == -1 || map[i].key_len == key_len) + { + return map[i].name; + } + } + } + return NULL; +} + +/** + * Wireshark IKE algorithm identifiers for encryption + */ +static algo_map_t ike_encr[] = { + { ENCR_3DES, -1, "3DES [RFC2451]" }, + { ENCR_NULL, -1, "NULL [RFC2410]" }, + { ENCR_AES_CBC, 128, "AES-CBC-128 [RFC3602]" }, + { ENCR_AES_CBC, 192, "AES-CBC-192 [RFC3602]" }, + { ENCR_AES_CBC, 256, "AES-CBC-256 [RFC3602]" }, + { ENCR_AES_CTR, 128, "AES-CTR-128 [RFC5930]" }, + { ENCR_AES_CTR, 192, "AES-CTR-192 [RFC5930]" }, + { ENCR_AES_CTR, 256, "AES-CTR-256 [RFC5930]" }, + { ENCR_AES_GCM_ICV8, 128, "AES-GCM-128 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV8, 192, "AES-GCM-192 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV8, 256, "AES-GCM-256 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV12, 128, "AES-GCM-128 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV12, 192, "AES-GCM-192 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV12, 256, "AES-GCM-256 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV16, 128, "AES-GCM-128 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV16, 192, "AES-GCM-192 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV16, 256, "AES-GCM-256 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV8, 128, "AES-CCM-128 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV8, 192, "AES-CCM-192 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV8, 256, "AES-CCM-256 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV12, 128, "AES-CCM-128 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV12, 192, "AES-CCM-192 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV12, 256, "AES-CCM-256 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV16, 128, "AES-CCM-128 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV16, 192, "AES-CCM-192 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV16, 256, "AES-CCM-256 with 16 octet ICV [RFC5282]" }, +}; + +/** + * Wireshark IKE algorithms for integrity + */ +static algo_map_t ike_integ[] = { + { AUTH_HMAC_MD5_96, -1, "HMAC_MD5_96 [RFC2403]" }, + { AUTH_HMAC_SHA1_96, -1, "HMAC_SHA1_96 [RFC2404]" }, + { AUTH_HMAC_MD5_128, -1, "HMAC_MD5_128 [RFC4595]" }, + { AUTH_HMAC_SHA1_160, -1, "HMAC_SHA1_160 [RFC4595]" }, + { AUTH_HMAC_SHA2_256_128, -1, "HMAC_SHA2_256_128 [RFC4868]" }, + { AUTH_HMAC_SHA2_384_192, -1, "HMAC_SHA2_384_192 [RFC4868]" }, + { AUTH_HMAC_SHA2_512_256, -1, "HMAC_SHA2_512_256 [RFC4868]" }, + { AUTH_HMAC_SHA2_256_96, -1, "HMAC_SHA2_256_96 [draft-ietf-ipsec-ciph-sha-256-00]" }, + { AUTH_UNDEFINED, -1, "NONE [RFC4306]" }, +}; + +/** + * Map an IKE proposal + */ +static inline void ike_names(proposal_t *proposal, const char **enc, + const char **integ) +{ + uint16_t alg, len; + + if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len)) + { + *enc = algo_name(ike_encr, countof(ike_encr), alg, len); + } + if (encryption_algorithm_is_aead(alg)) + { + alg = AUTH_UNDEFINED; + } + else if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)) + { + return; + } + *integ = algo_name(ike_integ, countof(ike_integ), alg, -1); +} + +/** + * Wireshark ESP algorithm identifiers for encryption + */ +static algo_map_t esp_encr[] = { + { ENCR_NULL, -1, "NULL" }, + { ENCR_3DES, -1, "TripleDes-CBC [RFC2451]" }, + { ENCR_AES_CBC, -1, "AES-CBC [RFC3602]" }, + { ENCR_AES_CTR, -1, "AES-CTR [RFC3686]" }, + { ENCR_DES, -1, "DES-CBC [RFC2405]" }, + { ENCR_CAST, -1, "CAST5-CBC [RFC2144]" }, + { ENCR_BLOWFISH, -1, "BLOWFISH-CBC [RFC2451]" }, + { ENCR_TWOFISH_CBC, -1, "TWOFISH-CBC" }, + { ENCR_AES_GCM_ICV8, -1, "AES-GCM [RFC4106]" }, + { ENCR_AES_GCM_ICV12, -1, "AES-GCM [RFC4106]" }, + { ENCR_AES_GCM_ICV16, -1, "AES-GCM [RFC4106]" }, +}; + +/** + * Wireshark ESP algorithms for integrity + */ +static algo_map_t esp_integ[] = { + { AUTH_HMAC_SHA1_96, -1, "HMAC-SHA-1-96 [RFC2404]" }, + { AUTH_HMAC_MD5_96, -1, "HMAC-MD5-96 [RFC2403]" }, + { AUTH_HMAC_SHA2_256_128, -1, "HMAC-SHA-256-128 [RFC4868]" }, + { AUTH_HMAC_SHA2_384_192, -1, "HMAC-SHA-384-192 [RFC4868]" }, + { AUTH_HMAC_SHA2_512_256, -1, "HMAC-SHA-512-256 [RFC4868]" }, + { AUTH_HMAC_SHA2_256_96, -1, "HMAC-SHA-256-96 [draft-ietf-ipsec-ciph-sha-256-00]" }, + { AUTH_UNDEFINED, 64, "ANY 64 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 96, "ANY 96 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 128, "ANY 128 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 192, "ANY 192 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 256, "ANY 256 bit authentication [no checking]" }, + { AUTH_UNDEFINED, -1, "NULL" }, +}; + +/** + * Map an ESP proposal + */ +static inline void esp_names(proposal_t *proposal, const char **enc, + const char **integ) +{ + uint16_t alg, len; + + if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len)) + { + *enc = algo_name(esp_encr, countof(esp_encr), alg, len); + } + len = -1; + if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)) + { + switch (alg) + { + case ENCR_AES_GCM_ICV8: + len = 64; + break; + case ENCR_AES_GCM_ICV12: + len = 64; + break; + case ENCR_AES_GCM_ICV16: + len = 128; + break; + } + alg = AUTH_UNDEFINED; + } + *integ = algo_name(esp_integ, countof(esp_integ), alg, len); +} + +METHOD(listener_t, ike_derived_keys, bool, + private_save_keys_listener_t *this, ike_sa_t *ike_sa, chunk_t sk_ei, + chunk_t sk_er, chunk_t sk_ai, chunk_t sk_ar) +{ + ike_version_t version; + ike_sa_id_t *id; + const char *enc = NULL, *integ = NULL; + char *path, *name; + FILE *file; + + if (!this->path || !this->ike) + { + return TRUE; + } + + version = ike_sa->get_version(ike_sa); + name = version == IKEV2 ? ikev2_name : ikev1_name; + if (asprintf(&path, "%s/%s", this->path, name) < 0) + { + DBG1(DBG_IKE, "failed to build path to IKE key table"); + return TRUE; + } + + file = fopen(path, "a"); + if (file) + { + id = ike_sa->get_id(ike_sa); + if (version == IKEV2) + { + ike_names(ike_sa->get_proposal(ike_sa), &enc, &integ); + if (enc && integ) + { + fprintf(file, "%.16"PRIx64",%.16"PRIx64",%+B,%+B,\"%s\"," + "%+B,%+B,\"%s\"\n", be64toh(id->get_initiator_spi(id)), + be64toh(id->get_responder_spi(id)), &sk_ei, &sk_er, + enc, &sk_ai, &sk_ar, integ); + } + } + else + { + fprintf(file, "%.16"PRIx64",%+B\n", + be64toh(id->get_initiator_spi(id)), &sk_ei); + } + fclose(file); + } + else + { + DBG1(DBG_IKE, "failed to open IKE key table '%s': %s", path, + strerror(errno)); + } + free(path); + return TRUE; +} + +METHOD(listener_t, child_derived_keys, bool, + private_save_keys_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool initiator, chunk_t encr_i, chunk_t encr_r, chunk_t integ_i, + chunk_t integ_r) +{ + host_t *init, *resp; + uint32_t spi_i, spi_r; + const char *enc = NULL, *integ = NULL; + char *path, *family; + FILE *file; + + if (!this->path || !this->esp || + child_sa->get_protocol(child_sa) != PROTO_ESP) + { + return TRUE; + } + + if (asprintf(&path, "%s/%s", this->path, esp_name) < 0) + { + DBG1(DBG_CHD, "failed to build path to ESP key table"); + return TRUE; + } + + file = fopen(path, "a"); + if (file) + { + esp_names(child_sa->get_proposal(child_sa), &enc, &integ); + if (enc && integ) + { + /* Since the IPs are printed this is not compatible with MOBIKE */ + if (initiator) + { + init = ike_sa->get_my_host(ike_sa); + resp = ike_sa->get_other_host(ike_sa); + } + else + { + init = ike_sa->get_other_host(ike_sa); + resp = ike_sa->get_my_host(ike_sa); + } + spi_i = child_sa->get_spi(child_sa, initiator); + spi_r = child_sa->get_spi(child_sa, !initiator); + family = init->get_family(init) == AF_INET ? "IPv4" : "IPv6"; + fprintf(file, "\"%s\",\"%H\",\"%H\",\"0x%.8x\",\"%s\",\"0x%+B\"," + "\"%s\",\"0x%+B\"\n", family, init, resp, ntohl(spi_r), enc, + &encr_i, integ, &integ_i); + fprintf(file, "\"%s\",\"%H\",\"%H\",\"0x%.8x\",\"%s\",\"0x%+B\"," + "\"%s\",\"0x%+B\"\n", family, resp, init, ntohl(spi_i), enc, + &encr_r, integ, &integ_r); + } + fclose(file); + } + else + { + DBG1(DBG_CHD, "failed to open ESP key table '%s': %s", path, + strerror(errno)); + } + free(path); + return TRUE; +} + +/** + * See header. + */ +save_keys_listener_t *save_keys_listener_create() +{ + private_save_keys_listener_t *this; + + INIT(this, + .public = { + .listener = { + .ike_derived_keys = _ike_derived_keys, + .child_derived_keys = _child_derived_keys, + }, + .destroy = _destroy, + }, + .path = lib->settings->get_str(lib->settings, + "%s.plugins.save-keys.wireshark_keys", + NULL, lib->ns), + .esp = lib->settings->get_bool(lib->settings, + "%s.plugins.save-keys.esp", + FALSE, lib->ns), + .ike = lib->settings->get_bool(lib->settings, + "%s.plugins.save-keys.ike", + FALSE, lib->ns), + ); + + if (this->path && (this->ike || this->esp)) + { + char *keys = "IKE"; + + if (this->ike && this->esp) + { + keys = "IKE AND ESP"; + } + else if (this->esp) + { + keys = "ESP"; + } + DBG0(DBG_DMN, "!!", keys, this->path); + DBG0(DBG_DMN, "!! WARNING: SAVING %s KEYS TO '%s'", keys, this->path); + DBG0(DBG_DMN, "!!", keys, this->path); + } + return &this->public; +} diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.h b/src/libcharon/plugins/save_keys/save_keys_listener.h new file mode 100644 index 000000000..c4dc2cf45 --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_listener.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * @defgroup save_keys_listener save_keys_listener + * @{ @ingroup save_keys + */ + +#ifndef SAVE_KEYS_LISTENER_H_ +#define SAVE_KEYS_LISTENER_H_ + +#include <bus/listeners/listener.h> + +typedef struct save_keys_listener_t save_keys_listener_t; + +/** + * Listener saving derived IKE and ESP keys. + */ +struct save_keys_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Destroy this instance. + */ + void (*destroy)(save_keys_listener_t *this); +}; + +/** + * Create a save_keys_listener_t instance. + */ +save_keys_listener_t *save_keys_listener_create(); + +#endif /** SAVE_KEYS_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/save_keys/save_keys_plugin.c b/src/libcharon/plugins/save_keys/save_keys_plugin.c new file mode 100644 index 000000000..93db5bcac --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_plugin.c @@ -0,0 +1,107 @@ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#include "save_keys_plugin.h" +#include "save_keys_listener.h" + +#include <daemon.h> + +typedef struct private_save_keys_plugin_t private_save_keys_plugin_t; + +/** + * Private data. + */ +struct private_save_keys_plugin_t { + + /** + * Implements plugin interface. + */ + save_keys_plugin_t public; + + /** + * Listener saving keys to file. + */ + save_keys_listener_t *listener; +}; + +METHOD(plugin_t, get_name, char*, + private_save_keys_plugin_t *this) +{ + return "save-keys"; +} + +/** + * Register listener. + */ +static bool plugin_cb(private_save_keys_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + charon->bus->add_listener(charon->bus, &this->listener->listener); + } + else + { + charon->bus->remove_listener(charon->bus, &this->listener->listener); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_save_keys_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "save-keys"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_save_keys_plugin_t *this) +{ + this->listener->destroy(this->listener); + free(this); +} + +/** + * Plugin constructor. + */ +plugin_t *save_keys_plugin_create() +{ + private_save_keys_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + .listener = save_keys_listener_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/save_keys/save_keys_plugin.h b/src/libcharon/plugins/save_keys/save_keys_plugin.h new file mode 100644 index 000000000..9501b5479 --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_plugin.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * @defgroup save_keys save_keys + * @ingroup cplugins + * + * @defgroup save_keys_plugin save_keys_plugin + * @{ @ingroup save_keys + */ + +#ifndef SAVE_KEYS_PLUGIN_H_ +#define SAVE_KEYS_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct save_keys_plugin_t save_keys_plugin_t; + +/** + * Plugin that saves derived IKE and ESP keys. + */ +struct save_keys_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** SAVE_KEYS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index ac0129210..ca22c7f82 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -519,7 +519,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator->destroy(enumerator); } - /* authentication metod (class, actually) */ + /* authentication method (class, actually) */ if (strpfx(auth, "ike:") || strpfx(auth, "pubkey") || strpfx(auth, "rsa") || diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 9b61afb5c..7fc95657e 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -1131,7 +1131,6 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr, shared_key_t *shared_key; linked_list_t *owners; chunk_t secret = chunk_empty; - bool any = TRUE; err_t ugh = extract_secret(&secret, &line); if (ugh != NULL) @@ -1148,7 +1147,6 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr, while (ids.len > 0) { chunk_t id; - identification_t *peer_id; ugh = extract_value(&id, &ids); if (ugh != NULL) @@ -1165,17 +1163,9 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr, /* NULL terminate the ID string */ *(id.ptr + id.len) = '\0'; - peer_id = identification_create_from_string(id.ptr); - if (peer_id->get_type(peer_id) == ID_ANY) - { - peer_id->destroy(peer_id); - continue; - } - - owners->insert_last(owners, peer_id); - any = FALSE; + owners->insert_last(owners, identification_create_from_string(id.ptr)); } - if (any) + if (!owners->get_count(owners)) { owners->insert_last(owners, identification_create_from_encoding(ID_ANY, chunk_empty)); diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 22992599d..2bed420be 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -693,7 +693,7 @@ METHOD(stroke_list_t, status, void, /** * create a unique certificate list without duplicates - * certicates having the same issuer are grouped together. + * certificates having the same issuer are grouped together. */ static linked_list_t* create_unique_cert_list(certificate_type_t type) { diff --git a/src/libcharon/plugins/uci/uci_parser.c b/src/libcharon/plugins/uci/uci_parser.c index e847dd393..283d93928 100644 --- a/src/libcharon/plugins/uci/uci_parser.c +++ b/src/libcharon/plugins/uci/uci_parser.c @@ -112,7 +112,7 @@ METHOD(uci_parser_t, create_section_enumerator, enumerator_t*, va_list args; int i; - /* allocate enumerator large enought to hold keyword pointers */ + /* allocate enumerator large enough to hold keyword pointers */ i = 1; va_start(args, this); while (va_arg(args, char*)) diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index 83521250d..49cce379d 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -530,11 +530,11 @@ on the key identifier derived from the public key). ### load-shared() ### -Load a shared IKE PSK, EAP or XAuth secret into the daemon. +Load a shared IKE PSK, EAP, XAuth or NTLM secret into the daemon. { id = <optional unique identifier of this shared key> - type = <shared key type, IKE|EAP|XAUTH> + type = <shared key type, IKE|EAP|XAUTH|NTLM> data = <raw shared key data> owners = [ <list of shared key owner identities> @@ -546,8 +546,8 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon. ### unload-shared() ### -Unload a previously loaded shared IKE PSK, EAP or XAuth secret by its unique -identifier. +Unload a previously loaded shared IKE PSK, EAP, XAuth or NTLM secret by its +unique identifier. { id = <unique identifier of the shared key to unload> diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h index 3ca9de424..d69597881 100644 --- a/src/libcharon/plugins/vici/libvici.h +++ b/src/libcharon/plugins/vici/libvici.h @@ -43,7 +43,7 @@ * thread pool. * * Connecting requires an uri, which is currently either a UNIX socket path - * prefixed with unix://, or a hostname:port touple prefixed with tcp://. + * prefixed with unix://, or a hostname:port tuple prefixed with tcp://. * Passing NULL takes the system default socket path. * * After the connection has been established, request messages can be sent. diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index ff4e07d2d..6d29988db 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in @@ -476,8 +476,8 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@RUBY_GEMS_INSTALL_FALSE@uninstall-local: @RUBY_GEMS_INSTALL_FALSE@install-data-local: +@RUBY_GEMS_INSTALL_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index 5d8bf2f05..ec6c80a5b 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -434,7 +434,7 @@ CALLBACK(load_shared, vici_message_t*, { type = SHARED_IKE; } - else if (strcaseeq(str, "eap") || streq(str, "xauth")) + else if (strcaseeq(str, "eap") || strcaseeq(str, "xauth")) { type = SHARED_EAP; } diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 134ea375d..82c3d7855 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -774,7 +774,7 @@ CALLBACK(list_conns, vici_message_t*, ike_cfg_t *ike_cfg; child_cfg_t *child_cfg; char *ike, *str, *interface; - uint32_t manual_prio; + uint32_t manual_prio, dpd_delay, dpd_timeout; linked_list_t *list; traffic_selector_t *ts; lifetime_cfg_t *lft; @@ -825,6 +825,18 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "unique", "%N", unique_policy_names, peer_cfg->get_unique_policy(peer_cfg)); + dpd_delay = peer_cfg->get_dpd(peer_cfg); + if (dpd_delay) + { + b->add_kv(b, "dpd_delay", "%u", dpd_delay); + } + + dpd_timeout = peer_cfg->get_dpd_timeout(peer_cfg); + if (dpd_timeout) + { + b->add_kv(b, "dpd_timeout", "%u", dpd_timeout); + } + build_auth_cfgs(peer_cfg, TRUE, b); build_auth_cfgs(peer_cfg, FALSE, b); @@ -843,6 +855,11 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey); free(lft); + b->add_kv(b, "dpd_action", "%N", action_names, + child_cfg->get_dpd_action(child_cfg)); + b->add_kv(b, "close_action", "%N", action_names, + child_cfg->get_close_action(child_cfg)); + b->begin_list(b, "local-ts"); list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); selectors = list->create_enumerator(list); diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h index b2d5a11f6..b33ea617b 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.h +++ b/src/libcharon/processing/jobs/delete_child_sa_job.h @@ -27,7 +27,7 @@ typedef struct delete_child_sa_job_t delete_child_sa_job_t; #include <library.h> #include <sa/ike_sa_id.h> #include <processing/jobs/job.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h index 1de06fd07..1c9d9b400 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.h +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h @@ -26,7 +26,7 @@ typedef struct rekey_child_sa_job_t rekey_child_sa_job_t; #include <library.h> #include <sa/ike_sa_id.h> #include <processing/jobs/job.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** * Class representing an REKEY_CHILD_SA Job. @@ -50,4 +50,5 @@ struct rekey_child_sa_job_t { */ rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol, uint32_t spi, host_t *dst); + #endif /** REKEY_CHILD_SA_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h index ed978dc8b..17beb68b6 100644 --- a/src/libcharon/processing/jobs/update_sa_job.h +++ b/src/libcharon/processing/jobs/update_sa_job.h @@ -26,7 +26,7 @@ typedef struct update_sa_job_t update_sa_job_t; #include <library.h> #include <networking/host.h> #include <processing/jobs/job.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** * Update the addresses of an IKE and its CHILD_SAs. diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 91da4d3e6..a01ee9e4d 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2017 Tobias Brunner + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger @@ -1249,17 +1249,6 @@ METHOD(child_sa_t, install_policies, status_t, enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - /* install outbound drop policy to avoid packets leaving unencrypted - * when updating policies */ - if (priority == POLICY_PRIORITY_DEFAULT && manual_prio == 0 && - require_policy_update() && install_outbound) - { - status |= install_policies_outbound(this, this->my_addr, - this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - } - status |= install_policies_inbound(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, @@ -1350,15 +1339,6 @@ METHOD(child_sa_t, install_outbound, status_t, enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - /* install outbound drop policy to avoid packets leaving unencrypted - * when updating policies */ - if (manual_prio == 0 && require_policy_update()) - { - status |= install_policies_outbound(this, this->my_addr, - this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - } status |= install_policies_outbound(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, @@ -1407,12 +1387,6 @@ METHOD(child_sa_t, remove_outbound, void, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio); - if (manual_prio == 0 && require_policy_update()) - { - del_policies_outbound(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, - POLICY_DROP, POLICY_PRIORITY_FALLBACK, 0); - } } enumerator->destroy(enumerator); } @@ -1458,8 +1432,65 @@ CALLBACK(reinstall_vip, void, } } +/** + * Update addresses and encap state of IPsec SAs in the kernel + */ +static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other, + bool encap) +{ + /* update our (initiator) SA */ + if (this->my_spi) + { + kernel_ipsec_sa_id_t id = { + .src = this->other_addr, + .dst = this->my_addr, + .spi = this->my_spi, + .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), + }; + kernel_ipsec_update_sa_t sa = { + .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, + .new_src = other, + .new_dst = me, + .encap = this->encap, + .new_encap = encap, + }; + if (charon->kernel->update_sa(charon->kernel, &id, + &sa) == NOT_SUPPORTED) + { + return NOT_SUPPORTED; + } + } + + /* update his (responder) SA */ + if (this->other_spi) + { + kernel_ipsec_sa_id_t id = { + .src = this->my_addr, + .dst = this->other_addr, + .spi = this->other_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_out, + }; + kernel_ipsec_update_sa_t sa = { + .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, + .new_src = me, + .new_dst = other, + .encap = this->encap, + .new_encap = encap, + }; + if (charon->kernel->update_sa(charon->kernel, &id, + &sa) == NOT_SUPPORTED) + { + return NOT_SUPPORTED; + } + } + /* we currently ignore the actual return values above */ + return SUCCESS; +} + METHOD(child_sa_t, update, status_t, - private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips, + private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips, bool encap) { child_sa_state_t old; @@ -1478,84 +1509,50 @@ METHOD(child_sa_t, update, status_t, this->config->has_option(this->config, OPT_PROXY_MODE); - if (!transport_proxy_mode) + if (!this->config->has_option(this->config, OPT_NO_POLICIES) && + require_policy_update()) { - /* update our (initiator) SA */ - if (this->my_spi) - { - kernel_ipsec_sa_id_t id = { - .src = this->other_addr, - .dst = this->my_addr, - .spi = this->my_spi, - .proto = proto_ike2ip(this->protocol), - .mark = mark_in_sa(this), - }; - kernel_ipsec_update_sa_t sa = { - .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, - .new_src = other, - .new_dst = me, - .encap = this->encap, - .new_encap = encap, - }; - if (charon->kernel->update_sa(charon->kernel, &id, - &sa) == NOT_SUPPORTED) - { - set_state(this, old); - return NOT_SUPPORTED; - } - } + ipsec_sa_cfg_t my_sa, other_sa; + enumerator_t *enumerator; + traffic_selector_t *my_ts, *other_ts; + uint32_t manual_prio; + status_t state; + + prepare_sa_cfg(this, &my_sa, &other_sa); + manual_prio = this->config->get_manual_prio(this->config); - /* update his (responder) SA */ - if (this->other_spi) + enumerator = create_policy_enumerator(this); + while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - kernel_ipsec_sa_id_t id = { - .src = this->my_addr, - .dst = this->other_addr, - .spi = this->other_spi, - .proto = proto_ike2ip(this->protocol), - .mark = this->mark_out, - }; - kernel_ipsec_update_sa_t sa = { - .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, - .new_src = me, - .new_dst = other, - .encap = this->encap, - .new_encap = encap, - }; - if (charon->kernel->update_sa(charon->kernel, &id, - &sa) == NOT_SUPPORTED) - { - set_state(this, old); - return NOT_SUPPORTED; - } + /* install drop policy to avoid traffic leaks, acquires etc. */ + install_policies_outbound(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_DEFAULT, manual_prio); + + /* remove old policies */ + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, + POLICY_PRIORITY_DEFAULT, manual_prio); } - } + enumerator->destroy(enumerator); - if (!this->config->has_option(this->config, OPT_NO_POLICIES) && - require_policy_update()) - { - if (!me->ip_equals(me, this->my_addr) || - !other->ip_equals(other, this->other_addr)) - { - ipsec_sa_cfg_t my_sa, other_sa; - enumerator_t *enumerator; - traffic_selector_t *my_ts, *other_ts; - uint32_t manual_prio; + /* update the IPsec SAs */ + state = update_sas(this, me, other, encap); - prepare_sa_cfg(this, &my_sa, &other_sa); - manual_prio = this->config->get_manual_prio(this->config); + enumerator = create_policy_enumerator(this); + while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) + { + traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL; - /* always use high priorities, as hosts getting updated are INSTALLED */ - enumerator = create_policy_enumerator(this); - while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) + /* reinstall the previous policies if we can't update the SAs */ + if (state == NOT_SUPPORTED) + { + install_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, + POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio); + } + else { - traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL; - - /* remove old policies first */ - del_policies_internal(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, - POLICY_PRIORITY_DEFAULT, manual_prio); - /* check if we have to update a "dynamic" traffic selector */ if (!me->ip_equals(me, this->my_addr) && my_ts->is_host(my_ts, this->my_addr)) @@ -1578,23 +1575,32 @@ METHOD(child_sa_t, update, status_t, install_policies_internal(this, me, other, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio); - - /* update fallback policies after the new policy is in place */ - if (manual_prio == 0) - { - del_policies_outbound(this, this->my_addr, this->other_addr, - old_my_ts ?: my_ts, - old_other_ts ?: other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - install_policies_outbound(this, me, other, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - } - DESTROY_IF(old_my_ts); - DESTROY_IF(old_other_ts); } - enumerator->destroy(enumerator); + /* remove the drop policy */ + del_policies_outbound(this, this->my_addr, this->other_addr, + old_my_ts ?: my_ts, + old_other_ts ?: other_ts, + &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_DEFAULT, 0); + + DESTROY_IF(old_my_ts); + DESTROY_IF(old_other_ts); + } + enumerator->destroy(enumerator); + + if (state == NOT_SUPPORTED) + { + set_state(this, old); + return NOT_SUPPORTED; + } + + } + else if (!transport_proxy_mode) + { + if (update_sas(this, me, other, encap) == NOT_SUPPORTED) + { + set_state(this, old); + return NOT_SUPPORTED; } } @@ -1655,13 +1661,6 @@ METHOD(child_sa_t, destroy, void, del_policies_inbound(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, priority, manual_prio); - if (!this->trap && manual_prio == 0 && require_policy_update() && - del_outbound) - { - del_policies_outbound(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, - POLICY_DROP, POLICY_PRIORITY_FALLBACK, 0); - } } enumerator->destroy(enumerator); } diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index 082404d93..49175ca01 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -30,7 +30,7 @@ typedef struct child_sa_t child_sa_t; #include <library.h> #include <crypto/prf_plus.h> #include <encoding/payloads/proposal_substructure.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <config/child_cfg.h> /** @@ -145,7 +145,7 @@ extern enum_name_t *child_sa_outbound_state_names; * - B allocates an SPI for the selected protocol * - B calls child_sa_t.install for both, the allocated and received SPI * - B sends the proposal with the allocated SPI to A - * - A calls child_sa_t.install for both, the allocated and recevied SPI + * - A calls child_sa_t.install for both, the allocated and received SPI * * Once SAs are set up, policies can be added using add_policies. */ @@ -254,7 +254,7 @@ struct child_sa_t { /** * Set the negotiated IPsec mode to use. * - * @param mode TUNNEL | TRANPORT | BEET + * @param mode TUNNEL | TRANSPORT | BEET */ void (*set_mode)(child_sa_t *this, ipsec_mode_t mode); diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h index 4ed1cae20..391c906e9 100644 --- a/src/libcharon/sa/eap/eap_manager.h +++ b/src/libcharon/sa/eap/eap_manager.h @@ -30,7 +30,7 @@ typedef struct eap_manager_t eap_manager_t; * The EAP manager manages all EAP implementations and creates instances. * * A plugin registers it's implemented EAP method at the manager by - * providing type and a contructor function. The manager then instanciates + * providing type and a constructor function. The manager then instantiates * eap_method_t instances through the provided constructor to handle * EAP authentication. */ diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h index 8e25f7df8..840779727 100644 --- a/src/libcharon/sa/eap/eap_method.h +++ b/src/libcharon/sa/eap/eap_method.h @@ -64,7 +64,7 @@ struct eap_method_t { /** * Initiate the EAP exchange. * - * initiate() is only useable for server implementations, as clients only + * initiate() is only usable for server implementations, as clients only * reply to server requests. * A eap_payload is created in "out" if result is NEED_MORE. * diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 823cf2579..e1f4ec95a 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -232,11 +232,6 @@ struct private_ike_sa_t { chunk_t nat_detection_dest; /** - * number pending UPDATE_SA_ADDRESS (MOBIKE) - */ - uint32_t pending_updates; - - /** * NAT keep alive interval */ uint32_t keepalive_interval; @@ -734,8 +729,11 @@ METHOD(ike_sa_t, set_condition, void, switch (condition) { case COND_NAT_HERE: - case COND_NAT_FAKE: case COND_NAT_THERE: + DBG1(DBG_IKE, "%s host is not behind NAT anymore", + condition == COND_NAT_HERE ? "local" : "remote"); + /* fall-through */ + case COND_NAT_FAKE: set_condition(this, COND_NAT_ANY, has_condition(this, COND_NAT_HERE) || has_condition(this, COND_NAT_THERE) || @@ -1052,18 +1050,6 @@ METHOD(ike_sa_t, has_mapping_changed, bool, return TRUE; } -METHOD(ike_sa_t, set_pending_updates, void, - private_ike_sa_t *this, uint32_t updates) -{ - this->pending_updates = updates; -} - -METHOD(ike_sa_t, get_pending_updates, uint32_t, - private_ike_sa_t *this) -{ - return this->pending_updates; -} - METHOD(ike_sa_t, float_ports, void, private_ike_sa_t *this) { @@ -2561,6 +2547,12 @@ METHOD(ike_sa_t, roam, status_t, break; } + if (!this->ike_cfg) + { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and + * without config assigned */ + return SUCCESS; + } + /* ignore roam events if MOBIKE is not supported/enabled and the local * address is statically configured */ if (this->version == IKEV2 && !supports_extension(this, EXT_MOBIKE) && @@ -2964,8 +2956,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, .supports_extension = _supports_extension, .set_condition = _set_condition, .has_condition = _has_condition, - .set_pending_updates = _set_pending_updates, - .get_pending_updates = _get_pending_updates, .create_peer_address_enumerator = _create_peer_address_enumerator, .add_peer_address = _add_peer_address, .clear_peer_addresses = _clear_peer_addresses, diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index fbc367292..b4fbc56d7 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -646,20 +646,6 @@ struct ike_sa_t { */ bool (*has_condition) (ike_sa_t *this, ike_condition_t condition); - /** - * Get the number of queued MOBIKE address updates. - * - * @return number of pending updates - */ - uint32_t (*get_pending_updates)(ike_sa_t *this); - - /** - * Set the number of queued MOBIKE address updates. - * - * @param updates number of pending updates - */ - void (*set_pending_updates)(ike_sa_t *this, uint32_t updates); - #ifdef ME /** * Activate mediation server functionality for this IKE_SA. @@ -869,7 +855,7 @@ struct ike_sa_t { * @param message_id ID of the request to retransmit * @return * - SUCCESS - * - NOT_FOUND if request doesn't have to be retransmited + * - NOT_FOUND if request doesn't have to be retransmitted */ status_t (*retransmit) (ike_sa_t *this, uint32_t message_id); @@ -1169,7 +1155,7 @@ struct ike_sa_t { void (*inherit_post) (ike_sa_t *this, ike_sa_t *other); /** - * Reset the IKE_SA, useable when initiating fails. + * Reset the IKE_SA, usable when initiating fails. * * @param new_spi TRUE to allocate a new initiator SPI */ diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index adce59f7e..5856f829e 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2012 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2012-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG @@ -102,6 +102,31 @@ static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local) } /** + * Find a shared key for the given identities + */ +static shared_key_t *find_shared_key(identification_t *my_id, host_t *me, + identification_t *other_id, host_t *other) +{ + identification_t *any_id = NULL; + shared_key_t *shared_key; + + if (!other_id) + { + any_id = identification_create_from_encoding(ID_ANY, chunk_empty); + other_id = any_id; + } + shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, + my_id, other_id); + if (!shared_key) + { + DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", + my_id, me, other_id, other); + } + DESTROY_IF(any_id); + return shared_key; +} + +/** * Lookup a shared secret for this IKE_SA */ static shared_key_t *lookup_shared_key(private_phase1_t *this, @@ -131,15 +156,9 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this, { other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); } - if (my_id && other_id) + if (my_id) { - shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, - my_id, other_id); - if (!shared_key) - { - DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", - my_id, me, other_id, other); - } + shared_key = find_shared_key(my_id, me, other_id, other); } } } @@ -158,14 +177,11 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this, other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); if (my_id) { - shared_key = lib->credmgr->get_shared(lib->credmgr, - SHARED_IKE, my_id, other_id); + shared_key = find_shared_key(my_id, me, other_id, other); if (shared_key) { break; } - DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", - my_id, me, other_id, other); } } } diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 7098d24a2..43897c304 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -547,7 +547,7 @@ static status_t build_reply(private_mode_config_t *this, message_t *message) type, value)); } enumerator->destroy(enumerator); - /* if a client did not re-request all adresses, release them */ + /* if a client did not re-request all addresses, release them */ enumerator = migrated->create_enumerator(migrated); while (enumerator->enumerate(enumerator, &found)) { diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 49b476ad8..77592e59a 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1330,7 +1330,7 @@ METHOD(task_t, process_i, status_t, &this->cpi_r); if (!list->get_count(list)) { - DBG1(DBG_IKE, "peer did not acccept our IPComp proposal, " + DBG1(DBG_IKE, "peer did not accept our IPComp proposal, " "IPComp disabled"); this->cpi_i = 0; } diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 361eb0fe1..5c0ec49f0 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2016 Tobias Brunner + * Copyright (C) 2007-2018 Tobias Brunner * Copyright (C) 2007-2010 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -737,7 +737,7 @@ static status_t process_response(private_task_manager_t *this, charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet); } - /* catch if we get resetted while processing */ + /* catch if we get reset while processing */ this->reset = FALSE; enumerator = array_create_enumerator(this->active_tasks); while (enumerator->enumerate(enumerator, &task)) @@ -1642,24 +1642,9 @@ METHOD(task_manager_t, process_message, status_t, METHOD(task_manager_t, queue_task_delayed, void, private_task_manager_t *this, task_t *task, uint32_t delay) { - enumerator_t *enumerator; queued_task_t *queued; timeval_t time; - if (task->get_type(task) == TASK_IKE_MOBIKE) - { /* there is no need to queue more than one mobike task */ - enumerator = array_create_enumerator(this->queued_tasks); - while (enumerator->enumerate(enumerator, &queued)) - { - if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE) - { - enumerator->destroy(enumerator); - task->destroy(task); - return; - } - } - enumerator->destroy(enumerator); - } time_monotonic(&time); if (delay) { @@ -1877,12 +1862,41 @@ METHOD(task_manager_t, queue_ike_delete, void, queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE)); } +/** + * There is no need to queue more than one mobike task, so this either returns + * an already queued task or queues one if there is none yet. + */ +static ike_mobike_t *queue_mobike_task(private_task_manager_t *this) +{ + enumerator_t *enumerator; + queued_task_t *queued; + ike_mobike_t *mobike = NULL; + + enumerator = array_create_enumerator(this->queued_tasks); + while (enumerator->enumerate(enumerator, &queued)) + { + if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE) + { + mobike = (ike_mobike_t*)queued->task; + break; + } + } + enumerator->destroy(enumerator); + + if (!mobike) + { + mobike = ike_mobike_create(this->ike_sa, TRUE); + queue_task(this, &mobike->task); + } + return mobike; +} + METHOD(task_manager_t, queue_mobike, void, private_task_manager_t *this, bool roam, bool address) { ike_mobike_t *mobike; - mobike = ike_mobike_create(this->ike_sa, TRUE); + mobike = queue_mobike_task(this); if (roam) { enumerator_t *enumerator; @@ -1909,7 +1923,31 @@ METHOD(task_manager_t, queue_mobike, void, { mobike->addresses(mobike); } - queue_task(this, &mobike->task); +} + +METHOD(task_manager_t, queue_dpd, void, + private_task_manager_t *this) +{ + ike_mobike_t *mobike; + + if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) && + this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE)) + { +#ifdef ME + peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + if (cfg->get_peer_id(cfg) || + this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) +#else + if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) +#endif + { + /* use mobike enabled DPD to detect NAT mapping changes */ + mobike = queue_mobike_task(this); + mobike->dpd(mobike); + return; + } + } + queue_task(this, (task_t*)ike_dpd_create(TRUE)); } METHOD(task_manager_t, queue_child, void, @@ -1940,32 +1978,6 @@ METHOD(task_manager_t, queue_child_delete, void, protocol, spi, expired)); } -METHOD(task_manager_t, queue_dpd, void, - private_task_manager_t *this) -{ - ike_mobike_t *mobike; - - if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) && - this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE)) - { -#ifdef ME - peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (cfg->get_peer_id(cfg) || - this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) -#else - if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) -#endif - { - /* use mobike enabled DPD to detect NAT mapping changes */ - mobike = ike_mobike_create(this->ike_sa, TRUE); - mobike->dpd(mobike); - queue_task(this, &mobike->task); - return; - } - } - queue_task(this, (task_t*)ike_dpd_create(TRUE)); -} - METHOD(task_manager_t, adopt_tasks, void, private_task_manager_t *this, task_manager_t *other_public) { diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 4d4d72e0b..85dac6d59 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -277,12 +277,13 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host) } /** - * Allocate SPIs and update proposals + * Allocate SPIs and update proposals, we also promote the selected DH group */ static bool allocate_spi(private_child_create_t *this) { enumerator_t *enumerator; proposal_t *proposal; + linked_list_t *other_dh_groups; if (this->initiator) { @@ -304,12 +305,29 @@ static bool allocate_spi(private_child_create_t *this) { if (this->initiator) { + other_dh_groups = linked_list_create(); enumerator = this->proposals->create_enumerator(this->proposals); while (enumerator->enumerate(enumerator, &proposal)) { proposal->set_spi(proposal, this->my_spi); + + /* move the selected DH group to the front, if any */ + if (this->dh_group != MODP_NONE && + !proposal->promote_dh_group(proposal, this->dh_group)) + { /* proposals that don't contain the selected group are + * moved to the back */ + this->proposals->remove_at(this->proposals, enumerator); + other_dh_groups->insert_last(other_dh_groups, proposal); + } + } + enumerator->destroy(enumerator); + enumerator = other_dh_groups->create_enumerator(other_dh_groups); + while (enumerator->enumerate(enumerator, (void**)&proposal)) + { /* no need to remove from the list as we destroy it anyway*/ + this->proposals->insert_last(this->proposals, proposal); } enumerator->destroy(enumerator); + other_dh_groups->destroy(other_dh_groups); } else { @@ -396,7 +414,7 @@ static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local) } /** - * Substitude any host address with NATed address in traffic selector + * Substitute any host address with NATed address in traffic selector */ static linked_list_t* get_transport_nat_ts(private_child_create_t *this, bool local, linked_list_t *in) @@ -1006,8 +1024,8 @@ METHOD(task_t, build_i, status_t, chunk_empty); return SUCCESS; } - if (!this->retry) - { + if (!this->retry && this->dh_group == MODP_NONE) + { /* during a rekeying the group might already be set */ this->dh_group = this->config->get_dh_group(this->config); } break; @@ -1615,6 +1633,12 @@ METHOD(child_create_t, use_marks, void, this->mark_out = out; } +METHOD(child_create_t, use_dh_group, void, + private_child_create_t *this, diffie_hellman_group_t dh_group) +{ + this->dh_group = dh_group; +} + METHOD(child_create_t, get_child, child_sa_t*, private_child_create_t *this) { @@ -1736,6 +1760,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, .get_lower_nonce = _get_lower_nonce, .use_reqid = _use_reqid, .use_marks = _use_marks, + .use_dh_group = _use_dh_group, .task = { .get_type = _get_type, .migrate = _migrate, diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h index f48d7b0a9..59fc6d2d9 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.h +++ b/src/libcharon/sa/ikev2/tasks/child_create.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -60,6 +61,15 @@ struct child_create_t { void (*use_marks)(child_create_t *this, u_int in, u_int out); /** + * Initially propose a specific DH group to override configuration. + * + * This is used during rekeying to prefer the previously negotiated group. + * + * @param dh_group DH group to use + */ + void (*use_dh_group)(child_create_t *this, diffie_hellman_group_t dh_group); + + /** * Get the lower of the two nonces, used for rekey collisions. * * @return lower nonce diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c index b67e9b80f..f90056658 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2017 Tobias Brunner + * Copyright (C) 2009-2018 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -190,8 +190,18 @@ METHOD(task_t, build_i, status_t, /* our CHILD_CREATE task does the hard work for us */ if (!this->child_create) { + proposal_t *proposal; + uint16_t dh_group; + this->child_create = child_create_create(this->ike_sa, config->get_ref(config), TRUE, NULL, NULL); + + proposal = this->child_sa->get_proposal(this->child_sa); + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, + &dh_group, NULL)) + { /* reuse the DH group negotiated previously */ + this->child_create->use_dh_group(this->child_create, dh_group); + } } reqid = this->child_sa->get_reqid(this->child_sa); this->child_create->use_reqid(this->child_create, reqid); diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index d75d21715..3d73d728b 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -282,7 +282,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) sa_payload_t *sa_payload; ke_payload_t *ke_payload; nonce_payload_t *nonce_payload; - linked_list_t *proposal_list; + linked_list_t *proposal_list, *other_dh_groups; ike_sa_id_t *id; proposal_t *proposal; enumerator_t *enumerator; @@ -294,16 +294,31 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) if (this->initiator) { proposal_list = this->config->get_proposals(this->config); - if (this->old_sa) + other_dh_groups = linked_list_create(); + enumerator = proposal_list->create_enumerator(proposal_list); + while (enumerator->enumerate(enumerator, (void**)&proposal)) { /* include SPI of new IKE_SA when we are rekeying */ - enumerator = proposal_list->create_enumerator(proposal_list); - while (enumerator->enumerate(enumerator, (void**)&proposal)) + if (this->old_sa) { proposal->set_spi(proposal, id->get_initiator_spi(id)); } - enumerator->destroy(enumerator); + /* move the selected DH group to the front of the proposal */ + if (!proposal->promote_dh_group(proposal, this->dh_group)) + { /* the proposal does not include the group, move to the back */ + proposal_list->remove_at(proposal_list, enumerator); + other_dh_groups->insert_last(other_dh_groups, proposal); + } } + enumerator->destroy(enumerator); + /* add proposals that don't contain the selected group */ + enumerator = other_dh_groups->create_enumerator(other_dh_groups); + while (enumerator->enumerate(enumerator, (void**)&proposal)) + { /* no need to remove from the list as we destroy it anyway*/ + proposal_list->insert_last(proposal_list, proposal); + } + enumerator->destroy(enumerator); + other_dh_groups->destroy(other_dh_groups); sa_payload = sa_payload_create_from_proposals_v2(proposal_list); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); @@ -531,10 +546,30 @@ METHOD(task_t, build_i, status_t, return FAILED; } - /* if the DH group is set via use_dh_group(), we already have a DH object */ + /* if we are retrying after an INVALID_KE_PAYLOAD we already have one */ if (!this->dh) { - this->dh_group = this->config->get_dh_group(this->config); + if (this->old_sa && lib->settings->get_bool(lib->settings, + "%s.prefer_previous_dh_group", TRUE, lib->ns)) + { /* reuse the DH group we used for the old IKE_SA when rekeying */ + proposal_t *proposal; + uint16_t dh_group; + + proposal = this->old_sa->get_proposal(this->old_sa); + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, + &dh_group, NULL)) + { + this->dh_group = dh_group; + } + else + { /* this shouldn't happen, but let's be safe */ + this->dh_group = this->config->get_dh_group(this->config); + } + } + else + { + this->dh_group = this->config->get_dh_group(this->config); + } this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, this->dh_group); if (!this->dh) @@ -544,6 +579,18 @@ METHOD(task_t, build_i, status_t, return FAILED; } } + else if (this->dh->get_dh_group(this->dh) != this->dh_group) + { /* reset DH instance if group changed (INVALID_KE_PAYLOAD) */ + this->dh->destroy(this->dh); + this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, + this->dh_group); + if (!this->dh) + { + DBG1(DBG_IKE, "requested DH group %N not supported", + diffie_hellman_group_names, this->dh_group); + return FAILED; + } + } /* generate nonce only when we are trying the first time */ if (this->my_nonce.ptr == NULL) @@ -929,12 +976,6 @@ METHOD(task_t, migrate, void, this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa); this->proposal = NULL; this->dh_failed = FALSE; - if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group) - { /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */ - this->dh->destroy(this->dh); - this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, - this->dh_group); - } } METHOD(task_t, destroy, void, diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index dc0f24fb8..fe41a1cac 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2010-2014 Tobias Brunner + * Copyright (C) 2010-2018 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -76,14 +76,36 @@ struct private_ike_mobike_t { * additional addresses got updated */ bool addresses_updated; - - /** - * whether the pending updates counter was increased - */ - bool pending_update; }; /** + * Check if a newer MOBIKE update task is queued + */ +static bool is_newer_update_queued(private_ike_mobike_t *this) +{ + enumerator_t *enumerator; + private_ike_mobike_t *mobike; + task_t *task; + bool found = FALSE; + + enumerator = this->ike_sa->create_task_enumerator(this->ike_sa, + TASK_QUEUE_QUEUED); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == TASK_IKE_MOBIKE) + { + mobike = (private_ike_mobike_t*)task; + /* a queued check or update might invalidate the results of the + * current task */ + found = mobike->check || mobike->update; + break; + } + } + enumerator->destroy(enumerator); + return found; +} + +/** * read notifys from message and evaluate them */ static void process_payloads(private_ike_mobike_t *this, message_t *message) @@ -526,9 +548,8 @@ METHOD(task_t, process_i, status_t, } else if (message->get_exchange_type(message) == INFORMATIONAL) { - if (this->ike_sa->get_pending_updates(this->ike_sa) > 1) + if (is_newer_update_queued(this)) { - /* newer update queued, ignore this one */ return SUCCESS; } if (this->cookie2.ptr) @@ -553,7 +574,7 @@ METHOD(task_t, process_i, status_t, if (this->natd) { this->natd->task.process(&this->natd->task, message); - if (this->natd->has_mapping_changed(this->natd)) + if (!this->update && this->natd->has_mapping_changed(this->natd)) { /* force an update if mappings have changed */ this->update = this->check = TRUE; @@ -615,25 +636,13 @@ METHOD(ike_mobike_t, addresses, void, private_ike_mobike_t *this) { this->address = TRUE; - if (!this->pending_update) - { - this->pending_update = TRUE; - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } } METHOD(ike_mobike_t, roam, void, private_ike_mobike_t *this, bool address) { this->check = TRUE; - this->address = address; - if (!this->pending_update) - { - this->pending_update = TRUE; - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } + this->address |= address; } METHOD(ike_mobike_t, dpd, void, @@ -643,12 +652,6 @@ METHOD(ike_mobike_t, dpd, void, { this->natd = ike_natd_create(this->ike_sa, this->initiator); } - if (!this->pending_update) - { - this->pending_update = TRUE; - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } } METHOD(ike_mobike_t, is_probing, bool, @@ -678,21 +681,11 @@ METHOD(task_t, migrate, void, { this->natd->task.migrate(&this->natd->task, ike_sa); } - if (this->pending_update) - { - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } } METHOD(task_t, destroy, void, private_ike_mobike_t *this) { - if (this->pending_update) - { - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) - 1); - } chunk_free(&this->cookie2); if (this->natd) { diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index bc40b3d92..17d2efe37 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h @@ -27,7 +27,7 @@ typedef struct keymat_t keymat_t; #include <utils/identification.h> #include <crypto/prfs/prf.h> #include <crypto/aead.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <config/peer_cfg.h> #include <sa/ike_sa_id.h> diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index e3fddf39b..9545da4f3 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h @@ -86,7 +86,7 @@ enum task_queue_t { * completed. * For the initial IKE_SA setup, several tasks are queued: One for the * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup - * and maybe one for virtual IP assignement. + * and maybe one for virtual IP assignment. * The task manager is also responsible for retransmission. It uses a backoff * algorithm. The timeout is calculated using * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try). diff --git a/src/libcharon/sa/xauth/xauth_manager.h b/src/libcharon/sa/xauth/xauth_manager.h index 65b3c58a3..513bf32f5 100644 --- a/src/libcharon/sa/xauth/xauth_manager.h +++ b/src/libcharon/sa/xauth/xauth_manager.h @@ -29,7 +29,7 @@ typedef struct xauth_manager_t xauth_manager_t; * The XAuth manager manages all XAuth implementations and creates instances. * * A plugin registers it's implemented XAuth method at the manager by - * providing type and a contructor function. The manager then instanciates + * providing type and a constructor function. The manager then instantiates * xauth_method_t instances through the provided constructor to handle * XAuth authentication. */ diff --git a/src/libcharon/sa/xauth/xauth_method.h b/src/libcharon/sa/xauth/xauth_method.h index 701b4dc77..c0c2024e0 100644 --- a/src/libcharon/sa/xauth/xauth_method.h +++ b/src/libcharon/sa/xauth/xauth_method.h @@ -54,7 +54,7 @@ struct xauth_method_t { /** * Initiate the XAuth exchange. * - * initiate() is only useable for server implementations, as clients only + * initiate() is only usable for server implementations, as clients only * reply to server requests. * A cp_payload is created in "out" if result is NEED_MORE. * diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am index 8f762a2e6..5ebd0456c 100644 --- a/src/libcharon/tests/Makefile.am +++ b/src/libcharon/tests/Makefile.am @@ -3,7 +3,6 @@ TESTS = libcharon_tests exchange_tests check_PROGRAMS = $(TESTS) libcharon_tests_SOURCES = \ - suites/test_proposal.c \ suites/test_ike_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in index 66d2431c9..24552d201 100644 --- a/src/libcharon/tests/Makefile.in +++ b/src/libcharon/tests/Makefile.in @@ -138,7 +138,6 @@ exchange_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(exchange_tests_CFLAGS) $(CFLAGS) $(exchange_tests_LDFLAGS) \ $(LDFLAGS) -o $@ am_libcharon_tests_OBJECTS = \ - suites/libcharon_tests-test_proposal.$(OBJEXT) \ suites/libcharon_tests-test_ike_cfg.$(OBJEXT) \ suites/libcharon_tests-test_mem_pool.$(OBJEXT) \ suites/libcharon_tests-test_message_chapoly.$(OBJEXT) \ @@ -475,7 +474,6 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ libcharon_tests_SOURCES = \ - suites/test_proposal.c \ suites/test_ike_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ @@ -608,8 +606,6 @@ utils/exchange_tests-mock_sender.$(OBJEXT): utils/$(am__dirstamp) \ exchange_tests$(EXEEXT): $(exchange_tests_OBJECTS) $(exchange_tests_DEPENDENCIES) $(EXTRA_exchange_tests_DEPENDENCIES) @rm -f exchange_tests$(EXEEXT) $(AM_V_CCLD)$(exchange_tests_LINK) $(exchange_tests_OBJECTS) $(exchange_tests_LDADD) $(LIBS) -suites/libcharon_tests-test_proposal.$(OBJEXT): \ - suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_ike_cfg.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_mem_pool.$(OBJEXT): \ @@ -640,7 +636,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_proposal.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_dh.Po@am__quote@ @@ -854,20 +849,6 @@ exchange_tests-exchange_tests.obj: exchange_tests.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o exchange_tests-exchange_tests.obj `if test -f 'exchange_tests.c'; then $(CYGPATH_W) 'exchange_tests.c'; else $(CYGPATH_W) '$(srcdir)/exchange_tests.c'; fi` -suites/libcharon_tests-test_proposal.o: suites/test_proposal.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c - -suites/libcharon_tests-test_proposal.obj: suites/test_proposal.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` - suites/libcharon_tests-test_ike_cfg.o: suites/test_ike_cfg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_ike_cfg.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo -c -o suites/libcharon_tests-test_ike_cfg.o `test -f 'suites/test_ike_cfg.c' || echo '$(srcdir)/'`suites/test_ike_cfg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h index f770f464d..d17ea041d 100644 --- a/src/libcharon/tests/libcharon_tests.h +++ b/src/libcharon/tests/libcharon_tests.h @@ -24,7 +24,6 @@ * @ingroup libcharon-tests */ -TEST_SUITE(proposal_suite_create) TEST_SUITE(ike_cfg_suite_create) TEST_SUITE(mem_pool_suite_create) TEST_SUITE_DEPEND(message_chapoly_suite_create, AEAD, ENCR_CHACHA20_POLY1305, 32) diff --git a/src/libcharon/tests/suites/test_child_rekey.c b/src/libcharon/tests/suites/test_child_rekey.c index ac169723f..44d004ab7 100644 --- a/src/libcharon/tests/suites/test_child_rekey.c +++ b/src/libcharon/tests/suites/test_child_rekey.c @@ -231,6 +231,61 @@ START_TEST(test_regular_ke_invalid) /* child_updown */ assert_hook(); + /* because the DH group should get reused another rekeying should complete + * without additional exchange */ + initiate_rekey(a, 5); + /* this should never get called as this results in a successful rekeying */ + assert_hook_not_called(child_updown); + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_hook_called(child_rekey); + assert_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 6, CHILD_REKEYED, CHILD_OUTBOUND_INSTALLED); + assert_child_sa_state(b, 8, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED); + assert_ipsec_sas_installed(b, 5, 6, 8); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */ + assert_hook_called(child_rekey); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 5, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED); + assert_child_sa_state(a, 7, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); + assert_ipsec_sas_installed(a, 5, 6, 7, 8); + assert_hook(); + + /* INFORMATIONAL { D } --> */ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 6, CHILD_DELETING, CHILD_OUTBOUND_NONE); + assert_child_sa_state(b, 8, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); + assert_child_sa_count(b, 2); + assert_ipsec_sas_installed(b, 6, 7, 8); + assert_hook(); + + /* <-- INFORMATIONAL { D } */ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 5, CHILD_DELETING, CHILD_OUTBOUND_NONE); + assert_child_sa_state(a, 7, CHILD_INSTALLED); + assert_child_sa_count(a, 2); + assert_ipsec_sas_installed(a, 5, 7, 8); + assert_hook(); + + /* simulate the execution of the scheduled jobs */ + destroy_rekeyed(a, 5); + assert_child_sa_count(a, 1); + assert_ipsec_sas_installed(a, 7, 8); + destroy_rekeyed(b, 6); + assert_child_sa_count(b, 1); + assert_ipsec_sas_installed(b, 7, 8); + + /* child_updown */ + assert_hook(); + call_ikesa(a, destroy); call_ikesa(b, destroy); } diff --git a/src/libcharon/tests/suites/test_ike_rekey.c b/src/libcharon/tests/suites/test_ike_rekey.c index ba39657a4..e22a0c288 100644 --- a/src/libcharon/tests/suites/test_ike_rekey.c +++ b/src/libcharon/tests/suites/test_ike_rekey.c @@ -138,6 +138,8 @@ START_TEST(test_regular_ke_invalid) lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns); + lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group", + FALSE, lib->ns); initiate_rekey(a); @@ -382,6 +384,8 @@ START_TEST(test_collision_ke_invalid) lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns); + lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group", + FALSE, lib->ns); /* Six nonces and SPIs are needed (SPI 1 and 2 are used for the initial * IKE_SA): @@ -591,6 +595,8 @@ START_TEST(test_collision_ke_invalid_delayed_retry) lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns); + lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group", + FALSE, lib->ns); /* Five nonces and SPIs are needed (SPI 1 and 2 are used for the initial * IKE_SA): diff --git a/src/libcharon/tests/suites/test_proposal.c b/src/libcharon/tests/suites/test_proposal.c deleted file mode 100644 index f1591794a..000000000 --- a/src/libcharon/tests/suites/test_proposal.c +++ /dev/null @@ -1,171 +0,0 @@ -/* - * Copyright (C) 2016 Tobias Brunner - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "test_suite.h" - -#include <config/proposal.h> - -static struct { - protocol_id_t proto; - char *proposal; - char *expected; -} create_data[] = { - { PROTO_IKE, "", NULL }, - { PROTO_IKE, "sha256", NULL }, - { PROTO_IKE, "sha256-modp3072", NULL }, - { PROTO_IKE, "null-sha256-modp3072", "IKE:NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" }, - { PROTO_IKE, "aes128", NULL }, - { PROTO_IKE, "aes128-sha256", NULL }, - { PROTO_IKE, "aes128-sha256-modpnone", NULL }, - { PROTO_IKE, "aes128-sha256-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" }, - { PROTO_IKE, "aes128-sha256-prfsha384-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_384/MODP_3072" }, - { PROTO_IKE, "aes128gcm16-modp3072", NULL }, - { PROTO_IKE, "aes128gcm16-prfsha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" }, - { PROTO_IKE, "aes128gcm16-sha256-modp3072", "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072" }, - { PROTO_IKE, "aes128gcm16-aes128-modp3072", NULL }, - { PROTO_IKE, "aes128gcm16-aes128-sha256-modp3072", NULL }, - { PROTO_ESP, "", NULL }, - { PROTO_ESP, "sha256", NULL }, - { PROTO_ESP, "aes128-sha256", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" }, - { PROTO_ESP, "aes128-sha256-esn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ" }, - { PROTO_ESP, "aes128-sha256-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ" }, - { PROTO_ESP, "aes128-sha256-esn-noesn", "ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" }, - { PROTO_ESP, "aes128-sha256-prfsha256-modp3072", "ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ" }, - { PROTO_ESP, "aes128gcm16-aes128-sha256-modp3072", NULL }, - { PROTO_ESP, "aes128gmac", "ESP:NULL_AES_GMAC_128/NO_EXT_SEQ" }, - { PROTO_AH, "", NULL }, - { PROTO_AH, "aes128", NULL }, - { PROTO_AH, "aes128-sha256", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" }, - { PROTO_AH, "sha256-sha1", "AH:HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ" }, - { PROTO_AH, "aes128gmac-sha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" }, - { PROTO_AH, "aes128gmac-sha256-prfsha256", "AH:AES_128_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" }, - { PROTO_AH, "aes128gmac-aes256gmac-aes128-sha256", "AH:AES_128_GMAC/AES_256_GMAC/HMAC_SHA2_256_128/NO_EXT_SEQ" }, - { PROTO_AH, "sha256-esn", "AH:HMAC_SHA2_256_128/EXT_SEQ" }, - { PROTO_AH, "sha256-noesn", "AH:HMAC_SHA2_256_128/NO_EXT_SEQ" }, - { PROTO_AH, "sha256-esn-noesn", "AH:HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" }, -}; - -START_TEST(test_create_from_string) -{ - proposal_t *proposal; - char str[BUF_LEN]; - - proposal = proposal_create_from_string(create_data[_i].proto, - create_data[_i].proposal); - if (!create_data[_i].expected) - { - ck_assert(!proposal); - return; - } - snprintf(str, sizeof(str), "%P", proposal); - ck_assert_str_eq(create_data[_i].expected, str); - proposal->destroy(proposal); -} -END_TEST - -static struct { - protocol_id_t proto; - char *self; - char *other; - char *expected; -} select_data[] = { - { PROTO_ESP, "aes128", "aes128", "aes128" }, - { PROTO_ESP, "aes128", "aes256", NULL }, - { PROTO_ESP, "aes128-aes256", "aes256-aes128", "aes128" }, - { PROTO_ESP, "aes256-aes128", "aes128-aes256", "aes256" }, - { PROTO_ESP, "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" }, - { PROTO_ESP, "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" }, - { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256", NULL }, - { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072", NULL }, - { PROTO_ESP, "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL }, - { PROTO_ESP, "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL }, - { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" }, - { PROTO_ESP, "aes128-sha256", "aes128-sha256-modp3072-modpnone", "aes128-sha256" }, - { PROTO_ESP, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072" }, - { PROTO_ESP, "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone" }, - { PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072", "aes128-sha256-modp3072" }, - { PROTO_IKE, "aes128-sha256-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072" }, - { PROTO_IKE, "aes128-sha256-modp3072-modpnone", "aes128-sha256-modp3072", "aes128-sha256-modp3072" }, -}; - -START_TEST(test_select) -{ - proposal_t *self, *other, *selected, *expected; - - self = proposal_create_from_string(select_data[_i].proto, - select_data[_i].self); - other = proposal_create_from_string(select_data[_i].proto, - select_data[_i].other); - selected = self->select(self, other, TRUE, FALSE); - if (select_data[_i].expected) - { - expected = proposal_create_from_string(select_data[_i].proto, - select_data[_i].expected); - ck_assert(selected); - ck_assert_msg(expected->equals(expected, selected), "proposal %P does " - "not match expected %P", selected, expected); - expected->destroy(expected); - } - else - { - ck_assert(!selected); - } - DESTROY_IF(selected); - other->destroy(other); - self->destroy(self); -} -END_TEST - -START_TEST(test_select_spi) -{ - proposal_t *self, *other, *selected; - - self = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072"); - other = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072"); - other->set_spi(other, 0x12345678); - - selected = self->select(self, other, TRUE, FALSE); - ck_assert(selected); - ck_assert_int_eq(selected->get_spi(selected), other->get_spi(other)); - selected->destroy(selected); - - selected = self->select(self, other, FALSE, FALSE); - ck_assert(selected); - ck_assert_int_eq(selected->get_spi(selected), self->get_spi(self)); - selected->destroy(selected); - - other->destroy(other); - self->destroy(self); -} -END_TEST - -Suite *proposal_suite_create() -{ - Suite *s; - TCase *tc; - - s = suite_create("proposal"); - - tc = tcase_create("create_from_string"); - tcase_add_loop_test(tc, test_create_from_string, 0, countof(create_data)); - suite_add_tcase(s, tc); - - tc = tcase_create("select"); - tcase_add_loop_test(tc, test_select, 0, countof(select_data)); - tcase_add_test(tc, test_select_spi); - suite_add_tcase(s, tc); - - return s; -} |