Diffstat (limited to 'src/libcharon')
158 files changed, 2722 insertions, 842 deletions
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 6cd1130f1..8df9c6fcf 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -897,7 +897,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -923,6 +922,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -943,8 +944,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -999,8 +998,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -1029,8 +1026,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/attributes/mem_pool.h b/src/libcharon/attributes/mem_pool.h index 06acbf8f8..519b1d303 100644 --- a/src/libcharon/attributes/mem_pool.h +++ b/src/libcharon/attributes/mem_pool.h 
@@ -31,7 +31,7 @@ typedef enum mem_pool_op_t mem_pool_op_t; * In-memory IP pool acquire operation. */ enum mem_pool_op_t { - /** Check for an exsiting lease */ + /** Check for an existing lease */ MEM_POOL_EXISTING, /** Get a new lease */ MEM_POOL_NEW, diff --git a/src/libcharon/bus/listeners/custom_logger.h b/src/libcharon/bus/listeners/custom_logger.h index a256ad1ec..4856163f4 100644 --- a/src/libcharon/bus/listeners/custom_logger.h +++ b/src/libcharon/bus/listeners/custom_logger.h @@ -49,12 +49,17 @@ struct custom_logger_t { * @param group debug group to set * @param level max level to log (0..4) */ - void (*set_level) (custom_logger_t *this, debug_t group, level_t level); + void (*set_level)(custom_logger_t *this, debug_t group, level_t level); + + /** + * Reload custom logger configuration. + */ + void (*reload)(custom_logger_t *this); /** * Destroy the custom_logger_t object. */ - void (*destroy) (custom_logger_t *this); + void (*destroy)(custom_logger_t *this); }; /** diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c index 02a41a5b3..47f62d59a 100644 --- a/src/libcharon/config/backend_manager.c +++ b/src/libcharon/config/backend_manager.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * 
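Review bot: The comment on the new `reload` member of custom_logger_t does not say whether implementations must provide it, yet daemon.c's load_custom_logger only invokes it behind `if (custom_logger->reload)`, so loggers that leave the slot NULL are clearly expected. Suggest making that explicit in the header: `Reload custom logger configuration. Optional, may be NULL if the logger has nothing to reload.` The set_level and destroy lines in the same hunk change whitespace only.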
@@ -129,15 +130,77 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other, return match; } -METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, - private_backend_manager_t *this, host_t *me, host_t *other, - ike_version_t version) +/** + * list element to help sorting + */ +typedef struct { + ike_cfg_match_t match; + ike_cfg_t *cfg; +} ike_match_entry_t; + +CALLBACK(ike_enum_filter, bool, + linked_list_t *configs, enumerator_t *orig, va_list args) +{ + ike_match_entry_t *entry; + ike_cfg_t **out; + + VA_ARGS_VGET(args, out); + + if (orig->enumerate(orig, &entry)) + { + *out = entry->cfg; + return TRUE; + } + return FALSE; +} + +CALLBACK(ike_match_entry_list_destroy, void, + linked_list_t *configs) +{ + ike_match_entry_t *entry; + + while (configs->remove_last(configs, (void**)&entry) == SUCCESS) + { + entry->cfg->destroy(entry->cfg); + free(entry); + } + configs->destroy(configs); +} + +/** + * Insert entry into match-sorted list + */ +static void insert_sorted_ike(ike_match_entry_t *entry, linked_list_t *list) +{ + enumerator_t *enumerator; + ike_match_entry_t *current; + + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (entry->match > current->match) + { + break; + } + } + list->insert_before(list, enumerator, entry); + enumerator->destroy(enumerator); +} + +/** + * Create a sorted list of all matching IKE configs + */ +static linked_list_t *get_matching_ike_cfgs(private_backend_manager_t *this, + host_t *me, host_t *other, + ike_version_t version) { - ike_cfg_t *current, *found = NULL; + ike_cfg_t *current; char *my_addr, *other_addr; enumerator_t *enumerator; - ike_cfg_match_t match, best = MATCH_ANY; ike_data_t *data; + linked_list_t *configs; + ike_cfg_match_t match; + ike_match_entry_t *entry; INIT(data, .this = this, 
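Review bot: `ike_enum_filter` and `ike_match_entry_list_destroy` are the only new helpers in this hunk without a `/** */` header, while `insert_sorted_ike` and `get_matching_ike_cfgs` carry one. Suggest `/** Filter yielding the ike_cfg of each ike_match_entry_t in the list */` and `/** Release all entries (and their ike_cfg references) and the list itself */`. The comment on insert_sorted_ike could also state the tie rule its strict `>` comparison implies: the entry goes before the first entry with a strictly lower match, so entries with equal match keep backend order. `get_matching_ike_cfgs` starts here but its body continues in the next hunk.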
@@ -145,44 +208,82 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, .other = other, ); - DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other); + configs = linked_list_create(); this->lock->read_lock(this->lock); enumerator = enumerator_create_nested( this->backends->create_enumerator(this->backends), (void*)ike_enum_create, data, (void*)free); - while (enumerator->enumerate(enumerator, (void**)¤t)) + + while (enumerator->enumerate(enumerator, ¤t)) { + my_addr = current->get_my_addr(current); + other_addr = current->get_other_addr(current); match = get_ike_match(current, me, other, version); - DBG3(DBG_CFG, "ike config match: %d (%H %H %N)", - match, me, other, ike_version_names, version); + DBG3(DBG_CFG, "ike config match: %d (%s...%s %N)", match, my_addr, + other_addr, ike_version_names, current->get_version(current)); + if (match) { - my_addr = current->get_my_addr(current); - other_addr = current->get_other_addr(current); DBG2(DBG_CFG, " candidate: %s...%s, prio %d", my_addr, other_addr, match); - if (match > best) - { - DESTROY_IF(found); - found = current; - found->get_ref(found); - best = match; - } + + INIT(entry, + .match = match, + .cfg = current->get_ref(current), + ); + insert_sorted_ike(entry, configs); } } enumerator->destroy(enumerator); this->lock->unlock(this->lock); - if (found) + + return configs; +} + +METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, + private_backend_manager_t *this, host_t *me, host_t *other, + ike_version_t version) +{ + linked_list_t *configs; + ike_match_entry_t *entry; + ike_cfg_t *found = NULL; + char *my_addr, *other_addr; + + DBG2(DBG_CFG, "looking for an %N config for %H...%H", ike_version_names, + version, me, other); + + configs = get_matching_ike_cfgs(this, me, other, version); + if (configs->get_first(configs, (void**)&entry) == SUCCESS) { + found = entry->cfg->get_ref(entry->cfg); + my_addr = found->get_my_addr(found); other_addr = found->get_other_addr(found); DBG2(DBG_CFG, "found matching ike 
config: %s...%s with prio %d", - my_addr, other_addr, best); + my_addr, other_addr, entry->match); } + ike_match_entry_list_destroy(configs); + return found; } +METHOD(backend_manager_t, create_ike_cfg_enumerator, enumerator_t*, + private_backend_manager_t *this, host_t *me, host_t *other, + ike_version_t version) +{ + linked_list_t *configs; + + DBG2(DBG_CFG, "looking for %N configs for %H...%H", ike_version_names, + version, me, other); + + configs = get_matching_ike_cfgs(this, me, other, version); + + return enumerator_create_filter(configs->create_enumerator(configs), + ike_enum_filter, configs, + ike_match_entry_list_destroy); +} + /** * Get the best ID match in one of the configs auth_cfg */ @@ -198,7 +299,7 @@ static id_match_t get_peer_match(identification_t *id, if (!id) { - DBG3(DBG_CFG, "peer config match %s: %d (%N)", + DBG3(DBG_CFG, " %s id match: %d (%N)", where, ID_MATCH_ANY, id_type_names, ID_ANY); return ID_MATCH_ANY; } @@ -225,7 +326,7 @@ static id_match_t get_peer_match(identification_t *id, enumerator->destroy(enumerator); data = id->get_encoding(id); - DBG3(DBG_CFG, "peer config match %s: %d (%N -> %#B)", + DBG3(DBG_CFG, " %s id match: %d (%N: %#B)", where, match, id_type_names, id->get_type(id), &data); return match; } 
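Review bot: `get_ike_cfg` now builds and sorts the complete list of matching configs through get_matching_ike_cfgs only to take its first element, whereas the old code tracked a single best candidate; since insert_sorted_ike scans the list per insert, a lookup is quadratic in the number of matching configs. That is probably acceptable for typical config counts, but a one-line comment at the `configs = get_matching_ike_cfgs(this, me, other, version);` call such as `/* full sorted candidate list, shared with create_ike_cfg_enumerator; only the head is used */` would record the trade-off. The signature of get_matching_ike_cfgs is in the previous hunk; only its body is here.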
@@ -295,34 +396,26 @@ CALLBACK(peer_enum_filter_destroy, void, } /** - * Insert entry into match-sorted list, using helper + * Insert entry into match-sorted list */ -static void insert_sorted(match_entry_t *entry, linked_list_t *list, - linked_list_t *helper) +static void insert_sorted(match_entry_t *entry, linked_list_t *list) { + enumerator_t *enumerator; match_entry_t *current; - while (list->remove_first(list, (void**)¤t) == SUCCESS) - { - helper->insert_last(helper, current); - } - while (helper->remove_first(helper, (void**)¤t) == SUCCESS) + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, ¤t)) { - if (entry && ( - (entry->match_ike > current->match_ike && - entry->match_peer >= current->match_peer) || - (entry->match_ike >= current->match_ike && - entry->match_peer > current->match_peer))) + if ((entry->match_ike > current->match_ike && + entry->match_peer >= current->match_peer) || + (entry->match_ike >= current->match_ike && + entry->match_peer > current->match_peer)) { - list->insert_last(list, entry); - entry = NULL; + break; } - list->insert_last(list, current); - } - if (entry) - { - list->insert_last(list, entry); } + list->insert_before(list, enumerator, entry); + enumerator->destroy(enumerator); } METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*, @@ -332,7 +425,7 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*, enumerator_t *enumerator; peer_data_t *data; peer_cfg_t *cfg; - linked_list_t *configs, *helper; + linked_list_t *configs; INIT(data, .lock = this->lock, 
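Review bot: The rewritten `insert_sorted` keeps the list in a dominance order rather than a total order: the new entry is placed before the first entry it beats on one of match_ike/match_peer without losing on the other, so an entry that is better on one criterion and worse on the other stays behind. The header comment `Insert entry into match-sorted list` should say so, e.g. `Insert entry before the first list entry it dominates (better on one of match_ike/match_peer, not worse on the other); incomparable entries keep insertion order`. Dropping the old `entry &&` guard is safe as the only caller in create_peer_cfg_enumerator passes a freshly INIT'ed entry.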
@@ -352,35 +445,46 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*, } configs = linked_list_create(); - /* only once allocated helper list for sorting */ - helper = linked_list_create(); while (enumerator->enumerate(enumerator, &cfg)) { - id_match_t match_peer_me, match_peer_other; + ike_cfg_t *ike_cfg = cfg->get_ike_cfg(cfg); ike_cfg_match_t match_ike; + id_match_t match_peer_me, match_peer_other; match_entry_t *entry; + char *my_addr, *other_addr; + + match_ike = get_ike_match(ike_cfg, me, other, version); + my_addr = ike_cfg->get_my_addr(ike_cfg); + other_addr = ike_cfg->get_other_addr(ike_cfg); + DBG3(DBG_CFG, "peer config \"%s\", ike match: %d (%s...%s %N)", + cfg->get_name(cfg), match_ike, my_addr, other_addr, + ike_version_names, ike_cfg->get_version(ike_cfg)); + + if (!match_ike) + { + continue; + } match_peer_me = get_peer_match(my_id, cfg, TRUE); + if (!match_peer_me) + { + continue; + } match_peer_other = get_peer_match(other_id, cfg, FALSE); - match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other, version); - DBG3(DBG_CFG, "ike config match: %d (%H %H %N)", - match_ike, me, other, ike_version_names, version); - if (match_peer_me && match_peer_other && match_ike) + if (match_peer_other) { DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)", cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike); - INIT(entry, .match_peer = match_peer_me + match_peer_other, .match_ike = match_ike, .cfg = cfg->get_ref(cfg), ); - insert_sorted(entry, configs, helper); + insert_sorted(entry, configs); } } enumerator->destroy(enumerator); - helper->destroy(helper); return enumerator_create_filter(configs->create_enumerator(configs), peer_enum_filter, configs, @@ -430,8 +534,7 @@ METHOD(backend_manager_t, destroy, void, } /* - * Described in header-file - + * Described in header */ backend_manager_t *backend_manager_create() { 
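Review bot: `ike_cfg_t *ike_cfg = cfg->get_ike_cfg(cfg);` mixes a declaration with an initializer at the top of the loop body while the neighbouring declarations (`match_ike`, `match_peer_me`, `entry`, `my_addr`) are declared first and assigned later, which is the style of the rest of this function. Suggest `ike_cfg_t *ike_cfg;` in the declaration group and `ike_cfg = cfg->get_ike_cfg(cfg);` as the first statement of the body. create_peer_cfg_enumerator begins before this hunk and its return continues after it.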
@@ -440,6 +543,7 @@ backend_manager_t *backend_manager_create() INIT(this, .public = { .get_ike_cfg = _get_ike_cfg, + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, .get_peer_cfg_by_name = _get_peer_cfg_by_name, .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, .add_backend = _add_backend, diff --git a/src/libcharon/config/backend_manager.h b/src/libcharon/config/backend_manager.h index 8ec79ce28..ada295f0d 100644 --- a/src/libcharon/config/backend_manager.h +++ b/src/libcharon/config/backend_manager.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2007 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -64,6 +65,20 @@ struct backend_manager_t { ike_version_t version); /** + * Create an enumerator over all matching IKE configs. + * + * Pass NULL as parameters to match any. The enumerator enumerates over + * ike_cfgs, ordered by priority (best match first). + * + * @param me local address + * @param other remote address + * @param version IKE version to get a config for + * @return enumerator over ike_cfg + */ + enumerator_t* (*create_ike_cfg_enumerator)(backend_manager_t *this, + host_t *me, host_t *other, ike_version_t version); + + /** * Get a peer_config identified by it's name. * * @param name name of the peer_config diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index bc417f936..14148ed03 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter 
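Review bot: The doc comment for the new `create_ike_cfg_enumerator` in backend_manager.h does not say who owns the enumerated ike_cfg_t objects; in backend_manager.c `ike_enum_filter` hands out `entry->cfg` without taking a reference and `ike_match_entry_list_destroy` releases all of them when the enumerator is destroyed. Suggest extending the `@return` line to `enumerator over ike_cfg (references are held by the enumerator; call get_ref() on a config to keep it after the enumerator is destroyed)`.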
@@ -124,6 +124,16 @@ struct private_child_cfg_t { mark_t mark_out; /** + * Optional mark to set to packets after inbound processing + */ + mark_t set_mark_in; + + /** + * Optional mark to set to packets after outbound processing + */ + mark_t set_mark_out; + + /** * Traffic Flow Confidentiality padding, if enabled */ uint32_t tfc; @@ -147,6 +157,11 @@ struct private_child_cfg_t { * HW offload mode */ hw_offload_t hw_offload; + + /** + * DS header field copy mode + */ + dscp_copy_t copy_dscp; }; METHOD(child_cfg_t, get_name, char*, @@ -254,7 +269,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, { DBG2(DBG_CFG, "received proposals: %#P", proposals); DBG2(DBG_CFG, "configured proposals: %#P", this->proposals); - DBG2(DBG_CFG, "selected proposal: %P", selected); + DBG1(DBG_CFG, "selected proposal: %P", selected); break; } } @@ -289,7 +304,7 @@ METHOD(child_cfg_t, add_traffic_selector, void, METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, private_child_cfg_t *this, bool local, linked_list_t *supplied, - linked_list_t *hosts) + linked_list_t *hosts, bool log) { enumerator_t *e1, *e2; traffic_selector_t *ts1, *ts2, *selected; @@ -334,13 +349,19 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, } e1->destroy(e1); - DBG2(DBG_CFG, "%s traffic selectors for %s:", - supplied ? "selecting" : "proposing", local ? "us" : "other"); - if (supplied == NULL) + if (log) + { + DBG2(DBG_CFG, "%s traffic selectors for %s:", + supplied ? "selecting" : "proposing", local ? "us" : "other"); + } + if (!supplied) { while (derived->remove_first(derived, (void**)&ts1) == SUCCESS) { - DBG2(DBG_CFG, " %R", ts1); + if (log) + { + DBG2(DBG_CFG, " %R", ts1); + } result->insert_last(result, ts1); } derived->destroy(derived); 
@@ -358,11 +379,14 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, selected = ts1->get_subset(ts1, ts2); if (selected) { - DBG2(DBG_CFG, " config: %R, received: %R => match: %R", - ts1, ts2, selected); + if (log) + { + DBG2(DBG_CFG, " config: %R, received: %R => match: %R", + ts1, ts2, selected); + } result->insert_last(result, selected); } - else + else if (log) { DBG2(DBG_CFG, " config: %R, received: %R => no match", ts1, ts2); @@ -478,6 +502,12 @@ METHOD(child_cfg_t, get_hw_offload, hw_offload_t, return this->hw_offload; } +METHOD(child_cfg_t, get_copy_dscp, dscp_copy_t, + private_child_cfg_t *this) +{ + return this->copy_dscp; +} + METHOD(child_cfg_t, get_dpd_action, action_t, private_child_cfg_t *this) { @@ -527,6 +557,12 @@ METHOD(child_cfg_t, get_mark, mark_t, return inbound ? this->mark_in : this->mark_out; } +METHOD(child_cfg_t, get_set_mark, mark_t, + private_child_cfg_t *this, bool inbound) +{ + return inbound ? this->set_mark_in : this->set_mark_out; +} + METHOD(child_cfg_t, get_tfc, uint32_t, private_child_cfg_t *this) { @@ -600,9 +636,15 @@ METHOD(child_cfg_t, equals, bool, this->mark_in.mask == other->mark_in.mask && this->mark_out.value == other->mark_out.value && this->mark_out.mask == other->mark_out.mask && + this->set_mark_in.value == other->set_mark_in.value && + this->set_mark_in.mask == other->set_mark_in.mask && + this->set_mark_out.value == other->set_mark_out.value && + this->set_mark_out.mask == other->set_mark_out.mask && this->tfc == other->tfc && this->manual_prio == other->manual_prio && this->replay_window == other->replay_window && + this->hw_offload == other->hw_offload && + this->copy_dscp == other->copy_dscp && streq(this->updown, other->updown) && streq(this->interface, other->interface); } 
@@ -654,6 +696,7 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data) .get_inactivity = _get_inactivity, .get_reqid = _get_reqid, .get_mark = _get_mark, + .get_set_mark = _get_set_mark, .get_tfc = _get_tfc, .get_manual_prio = _get_manual_prio, .get_interface = _get_interface, @@ -664,6 +707,7 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data) .get_ref = _get_ref, .destroy = _destroy, .get_hw_offload = _get_hw_offload, + .get_copy_dscp = _get_copy_dscp, }, .name = strdup(name), .options = data->options, @@ -675,6 +719,8 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data) .close_action = data->close_action, .mark_in = data->mark_in, .mark_out = data->mark_out, + .set_mark_in = data->set_mark_in, + .set_mark_out = data->set_mark_out, .lifetime = data->lifetime, .inactivity = data->inactivity, .tfc = data->tfc, @@ -687,6 +733,7 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data) .replay_window = lib->settings->get_int(lib->settings, "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns), .hw_offload = data->hw_offload, + .copy_dscp = data->copy_dscp, ); return &this->public; diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index d566da3ec..e3b59e656 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter 
@@ -135,11 +135,13 @@ struct child_cfg_t { * @param local TRUE for TS on local side, FALSE for remote * @param supplied list with TS to select from, or NULL * @param hosts addresses to use for narrowing "dynamic" TS', host_t + * @param log FALSE to avoid logging details about the selection * @return list containing the traffic selectors */ linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local, linked_list_t *supplied, - linked_list_t *hosts); + linked_list_t *hosts, bool log); + /** * Get the updown script to run for the CHILD_SA. * @@ -190,6 +192,13 @@ struct child_cfg_t { hw_offload_t (*get_hw_offload) (child_cfg_t *this); /** + * Get the copy mode for the DS header field to use for the CHILD_SA. + * + * @return IP header copy mode + */ + dscp_copy_t (*get_copy_dscp) (child_cfg_t *this); + + /** * Action to take if CHILD_SA gets closed. * * @return close action @@ -218,7 +227,7 @@ struct child_cfg_t { uint32_t (*get_reqid)(child_cfg_t *this); /** - * Optional mark for CHILD_SA. + * Optional mark to set on policies/SAs. * * @param inbound TRUE for inbound, FALSE for outbound * @return mark @@ -226,6 +235,14 @@ struct child_cfg_t { mark_t (*get_mark)(child_cfg_t *this, bool inbound); /** + * Optional mark the SAs should apply after processing packets. + * + * @param inbound TRUE for inbound, FALSE for outbound + * @return mark + */ + mark_t (*get_set_mark)(child_cfg_t *this, bool inbound); + + /** * Get the TFC padding value to use for CHILD_SA. * * @return TFC padding, 0 to disable, -1 for MTU @@ -317,6 +334,12 @@ enum child_cfg_option_t { /** Set mark on inbound SAs */ OPT_MARK_IN_SA = (1<<6), + + /** Disable copying the DF bit to the outer IPv4 header in tunnel mode */ + OPT_NO_COPY_DF = (1<<7), + + /** Disable copying the ECN header field in tunnel mode */ + OPT_NO_COPY_ECN = (1<<8), }; /** 
@@ -331,6 +354,10 @@ struct child_cfg_create_t { mark_t mark_in; /** Optional outbound mark */ mark_t mark_out; + /** Optional inbound mark the SA should apply to traffic */ + mark_t set_mark_in; + /** Optional outbound mark the SA should apply to traffic */ + mark_t set_mark_out; /** Mode to propose for CHILD_SA */ ipsec_mode_t mode; /** TFC padding size, 0 to disable, -1 to pad to PMTU */ @@ -353,6 +380,8 @@ struct child_cfg_create_t { char *updown; /** HW offload mode */ hw_offload_t hw_offload; + /** How to handle the DS header field in tunnel mode */ + dscp_copy_t copy_dscp; }; /** diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index a73a5b5e2..357c4a73b 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -309,6 +309,25 @@ METHOD(ike_cfg_t, get_proposals, linked_list_t*, return proposals; } +METHOD(ike_cfg_t, has_proposal, bool, + private_ike_cfg_t *this, proposal_t *match, bool private) +{ + enumerator_t *enumerator; + proposal_t *proposal; + + enumerator = this->proposals->create_enumerator(this->proposals); + while (enumerator->enumerate(enumerator, &proposal)) + { + if (proposal->matches(proposal, match, private)) + { + enumerator->destroy(enumerator); + return TRUE; + } + } + enumerator->destroy(enumerator); + return FALSE; +} + METHOD(ike_cfg_t, select_proposal, proposal_t*, private_ike_cfg_t *this, linked_list_t *proposals, bool private, bool prefer_self) @@ -344,7 +363,7 @@ METHOD(ike_cfg_t, select_proposal, proposal_t*, { DBG2(DBG_CFG, "received proposals: %#P", proposals); DBG2(DBG_CFG, "configured proposals: %#P", this->proposals); - DBG2(DBG_CFG, "selected proposal: %P", selected); + DBG1(DBG_CFG, "selected proposal: %P", selected); break; } } 
@@ -618,6 +637,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, .add_proposal = _add_proposal, .get_proposals = _get_proposals, .select_proposal = _select_proposal, + .has_proposal = _has_proposal, .get_dh_group = _get_dh_group, .equals = _equals, .get_ref = _get_ref, diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index ac2deef70..49690c892 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -180,6 +180,15 @@ struct ike_cfg_t { bool private, bool prefer_self); /** + * Check if the config has a matching proposal. + * + * @param match proposal to check + * @param private accept algorithms from a private range + * @return TRUE if a matching proposal is contained + */ + bool(*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private); + + /** * Should we send a certificate request in IKE_SA_INIT? * * @return certificate request sending policy diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index 29f067858..e7dfb5f62 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2017 Tobias Brunner + * Copyright (C) 2007-2018 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -126,12 +126,12 @@ struct private_peer_cfg_t { uint32_t over_time; /** - * DPD check intervall + * DPD check interval */ uint32_t dpd; /** - * DPD timeout intervall (used for IKEv1 only) + * DPD timeout interval (used for IKEv1 only) */ uint32_t dpd_timeout; 
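Review bot: `bool(*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private);` in ike_cfg.h lacks the space between the return type and the function-pointer declarator that every other member in these headers uses (compare `bool (*ppk_required)(peer_cfg_t *this);` in peer_cfg.h), so it should read `bool (*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private);`. The doc could also note that the check delegates to `proposal_t.matches()` with the same `private` semantics as select_proposal, which is what the implementation in ike_cfg.c does.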
@@ -155,6 +155,16 @@ struct private_peer_cfg_t { */ linked_list_t *remote_auth; + /** + * PPK ID + */ + identification_t *ppk_id; + + /** + * Whether a PPK is required + */ + bool ppk_required; + #ifdef ME /** * Is this a mediation connection? 
@@ -258,48 +268,44 @@ METHOD(peer_cfg_t, replace_child_cfgs, enumerator_t*, private_peer_cfg_t *this, peer_cfg_t *other_pub) { private_peer_cfg_t *other = (private_peer_cfg_t*)other_pub; - linked_list_t *removed, *added; + linked_list_t *new_cfgs, *removed, *added; enumerator_t *mine, *others; child_cfg_t *my_cfg, *other_cfg; child_cfgs_replace_enumerator_t *enumerator; bool found; - removed = linked_list_create(); + added = linked_list_create(); other->lock->read_lock(other->lock); - added = linked_list_create_from_enumerator( + new_cfgs = linked_list_create_from_enumerator( other->child_cfgs->create_enumerator(other->child_cfgs)); - added->invoke_offset(added, offsetof(child_cfg_t, get_ref)); + new_cfgs->invoke_offset(new_cfgs, offsetof(child_cfg_t, get_ref)); other->lock->unlock(other->lock); this->lock->write_lock(this->lock); - others = added->create_enumerator(added); - mine = this->child_cfgs->create_enumerator(this->child_cfgs); - while (mine->enumerate(mine, &my_cfg)) + removed = this->child_cfgs; + this->child_cfgs = new_cfgs; + others = new_cfgs->create_enumerator(new_cfgs); + mine = removed->create_enumerator(removed); + while (others->enumerate(others, &other_cfg)) { found = FALSE; - while (others->enumerate(others, &other_cfg)) + while (mine->enumerate(mine, &my_cfg)) { if (my_cfg->equals(my_cfg, other_cfg)) { - added->remove_at(added, others); - other_cfg->destroy(other_cfg); + removed->remove_at(removed, mine); + my_cfg->destroy(my_cfg); found = TRUE; break; } } - added->reset_enumerator(added, others); + removed->reset_enumerator(removed, mine); if (!found) { - this->child_cfgs->remove_at(this->child_cfgs, mine); - removed->insert_last(removed, my_cfg); + added->insert_last(added, other_cfg->get_ref(other_cfg)); } } - while (others->enumerate(others, &other_cfg)) - { - this->child_cfgs->insert_last(this->child_cfgs, - other_cfg->get_ref(other_cfg)); - } others->destroy(others); mine->destroy(mine); this->lock->unlock(this->lock); 
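Review bot: The list swap `removed = this->child_cfgs; this->child_cfgs = new_cfgs;` inverts which instance survives for configs that compare equal: the old code kept `my_cfg` and destroyed the duplicate from `other`, the new code keeps `other`'s instance and releases ours via `my_cfg->destroy(my_cfg)`. With reference-counted child_cfg_t that is harmless for holders of a reference, but code comparing configs by pointer would see a different object after replacement, and nothing in the hunk documents the inversion. Suggest a comment before the swap: `/* adopt the other list wholesale; equal configs are dropped from our old list (the other's instance survives), only differing ones are reported */`. replace_child_cfgs continues beyond this hunk.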
@@ -379,7 +385,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local, int match = 0, round; /* fetch configured TS list, narrowing dynamic TS */ - cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, hosts); + cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, hosts, TRUE); /* use a round counter to rate leading TS with higher priority */ round = sup_list->get_count(sup_list); @@ -581,6 +587,18 @@ METHOD(peer_cfg_t, create_auth_cfg_enumerator, enumerator_t*, return this->remote_auth->create_enumerator(this->remote_auth); } +METHOD(peer_cfg_t, get_ppk_id, identification_t*, + private_peer_cfg_t *this) +{ + return this->ppk_id; +} + +METHOD(peer_cfg_t, ppk_required, bool, + private_peer_cfg_t *this) +{ + return this->ppk_required; +} + #ifdef ME METHOD(peer_cfg_t, is_mediation, bool, private_peer_cfg_t *this) @@ -655,6 +673,14 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other) return equal; } +/** + * Check if two identities are equal, or both are not set + */ +static bool id_equal(identification_t *this, identification_t *other) +{ + return this == other || (this && other && this->equals(this, other)); +} + METHOD(peer_cfg_t, equals, bool, private_peer_cfg_t *this, private_peer_cfg_t *other) { @@ -688,13 +714,13 @@ METHOD(peer_cfg_t, equals, bool, this->dpd == other->dpd && this->aggressive == other->aggressive && this->pull_mode == other->pull_mode && - auth_cfg_equal(this, other) + auth_cfg_equal(this, other) && + this->ppk_required == other->ppk_required && + id_equal(this->ppk_id, other->ppk_id) #ifdef ME && this->mediation == other->mediation && streq(this->mediated_by, other->mediated_by) && - (this->peer_id == other->peer_id || - (this->peer_id && other->peer_id && - this->peer_id->equals(this->peer_id, other->peer_id))) + id_equal(this->peer_id, other->peer_id) #endif /* ME */ ); } 
@@ -724,6 +750,7 @@ METHOD(peer_cfg_t, destroy, void, DESTROY_IF(this->peer_id); free(this->mediated_by); #endif /* ME */ + DESTROY_IF(this->ppk_id); this->lock->destroy(this->lock); free(this->name); free(this); @@ -778,6 +805,8 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, .create_pool_enumerator = _create_pool_enumerator, .add_auth_cfg = _add_auth_cfg, .create_auth_cfg_enumerator = _create_auth_cfg_enumerator, + .get_ppk_id = _get_ppk_id, + .ppk_required = _ppk_required, .equals = (void*)_equals, .get_ref = _get_ref, .destroy = _destroy, @@ -803,6 +832,8 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, .pull_mode = !data->push_mode, .dpd = data->dpd, .dpd_timeout = data->dpd_timeout, + .ppk_id = data->ppk_id, + .ppk_required = data->ppk_required, .vips = linked_list_create(), .pools = linked_list_create(), .local_auth = linked_list_create(), diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index 6074a7cd4..49c4d1492 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2017 Tobias Brunner + * Copyright (C) 2007-2018 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -157,11 +157,9 @@ struct peer_cfg_t { /** * Replace the CHILD configs with those in the given PEER config. * - * Configs that are equal are not replaced. - * * The enumerator enumerates the removed and added CHILD configs * (child_cfg_t*, bool), where the flag is FALSE for removed configs and - * TRUE for added configs. + * TRUE for added configs. Configs that are equal are not enumerated. * * @param other other config to get CHILD configs from * @return an enumerator over removed/added CHILD configs 
@@ -313,6 +311,20 @@ struct peer_cfg_t { */ enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this); + /** + * Get the PPK ID to use with this peer. + * + * @return PPK id + */ + identification_t *(*get_ppk_id)(peer_cfg_t *this); + + /** + * Whether a PPK is required with this peer. + * + * @return TRUE, if a PPK is required + */ + bool (*ppk_required)(peer_cfg_t *this); + #ifdef ME /** * Is this a mediation connection? @@ -395,6 +407,10 @@ struct peer_cfg_create_t { uint32_t dpd; /** DPD timeout interval (IKEv1 only), if 0 default applies */ uint32_t dpd_timeout; + /** Postquantum Preshared Key ID (adopted) */ + identification_t *ppk_id; + /** TRUE if a PPK is required, FALSE if it's optional */ + bool ppk_required; #ifdef ME /** TRUE if this is a mediation connection */ bool mediation; diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index e4b819710..d2f3afdd3 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c 
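Review bot: The `@return PPK id` line on the new `get_ppk_id` does not say that the returned identification_t is not referenced: peer_cfg.c returns `this->ppk_id` directly and destroys it in `destroy` via `DESTROY_IF(this->ppk_id)`, and it may be NULL, which the new `id_equal` helper in peer_cfg.c explicitly handles. Suggest `@return PPK ID, NULL if none; owned by the config, clone() it to keep it beyond the config's lifetime`.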
@@ -480,25 +480,27 @@ static void load_sys_logger(private_daemon_t *this, char *facility, /** * Load the given file logger configured in strongswan.conf */ -static void load_file_logger(private_daemon_t *this, char *filename, +static void load_file_logger(private_daemon_t *this, char *section, linked_list_t *current_loggers) { file_logger_t *file_logger; debug_t group; level_t def; bool add_ms, ike_name, flush_line, append; - char *time_format; + char *time_format, *filename; time_format = lib->settings->get_str(lib->settings, - "%s.filelog.%s.time_format", NULL, lib->ns, filename); + "%s.filelog.%s.time_format", NULL, lib->ns, section); add_ms = lib->settings->get_bool(lib->settings, - "%s.filelog.%s.time_add_ms", FALSE, lib->ns, filename); + "%s.filelog.%s.time_add_ms", FALSE, lib->ns, section); ike_name = lib->settings->get_bool(lib->settings, - "%s.filelog.%s.ike_name", FALSE, lib->ns, filename); + "%s.filelog.%s.ike_name", FALSE, lib->ns, section); flush_line = lib->settings->get_bool(lib->settings, - "%s.filelog.%s.flush_line", FALSE, lib->ns, filename); + "%s.filelog.%s.flush_line", FALSE, lib->ns, section); append = lib->settings->get_bool(lib->settings, - "%s.filelog.%s.append", TRUE, lib->ns, filename); + "%s.filelog.%s.append", TRUE, lib->ns, section); + filename = lib->settings->get_str(lib->settings, + "%s.filelog.%s.path", section, lib->ns, section); file_logger = add_file_logger(this, filename, current_loggers); if (!file_logger) 
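Review bot: The header comment `Load the given file logger configured in strongswan.conf` on load_file_logger still reads as if the parameter were a file name, but the hunk turns it into a section name and resolves the actual path from `%s.filelog.%s.path`, defaulting to the section name. Suggest `Load the file logger configured in the given filelog section of strongswan.conf; the log file path is read from its path setting and defaults to the section name`. Two sections may now resolve to the same path; whether add_file_logger deduplicates by path rather than by section is outside this hunk and worth confirming.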
@@ -510,12 +512,12 @@ static void load_file_logger(private_daemon_t *this, char *filename, file_logger->open(file_logger, flush_line, append); def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1, - lib->ns, filename); + lib->ns, section); for (group = 0; group < DBG_MAX; group++) { file_logger->set_level(file_logger, group, lib->settings->get_int(lib->settings, "%s.filelog.%s.%N", def, - lib->ns, filename, debug_lower_names, group)); + lib->ns, section, debug_lower_names, group)); } charon->bus->add_logger(charon->bus, &file_logger->logger); } @@ -545,6 +547,10 @@ static void load_custom_logger(private_daemon_t *this, lib->settings->get_int(lib->settings, "%s.customlog.%s.%N", def, lib->ns, entry->name, debug_lower_names, group)); } + if (custom_logger->reload) + { + custom_logger->reload(custom_logger); + } charon->bus->add_logger(charon->bus, &custom_logger->logger); } diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index 1b8cd76f4..b72a2bf2d 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2014 Tobias Brunner + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG * Copyright (C) 2006 Daniel Roethlisberger @@ -2095,8 +2095,8 @@ METHOD(message_t, fragment, status_t, count = data.len / frag_len + (data.len % frag_len ? 1 : 0); this->fragments = array_create(0, count); - DBG1(DBG_ENC, "splitting IKE message with length of %zu bytes into " - "%hu fragments", len, count); + DBG1(DBG_ENC, "splitting IKE message (%zu bytes) into %hu fragments", len, + count); for (num = 1; num <= count; num++) { len = min(data.len, frag_len); 
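Review bot: Calling `reload()` directly after the initial `set_level()` loop means a plugin's reload hook also runs once at startup, which is probably the intent (one hook to apply settings) but is not obvious from the code and the interface doc only says "Reload custom logger configuration". Suggest `/* also call reload() on the initial load, so plugins apply their settings with a single hook (the method is optional) */` above the check. The NULL test is the right call for older custom loggers that never set the new slot, assuming their struct is zero-initialised; if some plugin allocates it uninitialised this would be a wild call, so it is worth confirming. `load_custom_logger()` starts before the hunk.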
@@ -2821,11 +2821,11 @@ METHOD(message_t, add_fragment_v1, status_t, return NEED_MORE; } - DBG1(DBG_ENC, "received fragment #%hhu, reassembling fragmented IKE " - "message", num); - data = merge_fragments(this, message); this->packet->set_data(this->packet, data); + DBG1(DBG_ENC, "received fragment #%hhu, reassembled fragmented IKE " + "message (%zu bytes)", num, data.len); + this->parser = parser_create(data); if (parse_header(this) != SUCCESS) @@ -2842,9 +2842,11 @@ METHOD(message_t, add_fragment_v2, status_t, encrypted_fragment_payload_t *encrypted_fragment; encrypted_payload_t *encrypted; payload_t *payload; + aead_t *aead; enumerator_t *enumerator; chunk_t data; uint16_t total, num; + size_t len; status_t status; if (!this->frag) @@ -2904,15 +2906,30 @@ METHOD(message_t, add_fragment_v2, status_t, return NEED_MORE; } - DBG1(DBG_ENC, "received fragment #%hu of %hu, reassembling fragmented IKE " - "message", num, total); + encrypted = (encrypted_payload_t*)encrypted_fragment; + aead = encrypted->get_transform(encrypted); data = merge_fragments(this, message); + encrypted = encrypted_payload_create_from_plain(this->first_payload, data); + encrypted->set_transform(encrypted, aead); this->payloads->insert_last(this->payloads, encrypted); /* update next payload type (could be an unencrypted payload) */ this->payloads->get_first(this->payloads, (void**)&payload); this->first_payload = payload->get_type(payload); + + /* we report the length of the complete IKE message when splitting, do the + * same here, so add the IKEv2 header len to the reassembled payload data */ + len = 28; + enumerator = create_payload_enumerator(this); + while (enumerator->enumerate(enumerator, &payload)) + { + len += payload->get_length(payload); + } + enumerator->destroy(enumerator); + + DBG1(DBG_ENC, "received fragment #%hu of %hu, reassembled fragmented IKE " + "message (%zu bytes)", num, total, len); return SUCCESS; } 
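Review bot: The length logged after reassembly in `add_fragment_v2` is not the number of bytes actually received: it is 28 plus the payload lengths, and for the re-created encrypted payload that is the plaintext length plus one AEAD overhead (via `get_length_plain`), i.e. the size the message would have had unfragmented, which differs from the sum of the fragments on the wire. The comment should say so, e.g. `/* we report the size the complete IKE message would have had unfragmented (as we do when splitting); this is not the number of bytes received */`, and the bare `28` deserves a name or at least `/* IKEv2 header */`. Reusing `encrypted` first as the cast of the last fragment and then as the new payload reads awkwardly; a separate local for the fragment cast would make the transform hand-over clearer. The AEAD is taken from the last fragment and, presumably, was set when that fragment was decrypted earlier in the function, so it should not be NULL here — worth confirming.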
diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c index 4f4b1d1d6..ba56ace55 100644 --- a/src/libcharon/encoding/payloads/encrypted_payload.c +++ b/src/libcharon/encoding/payloads/encrypted_payload.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Tobias Brunner + * Copyright (C) 2011-2018 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter @@ -326,6 +326,21 @@ METHOD2(payload_t, encrypted_payload_t, get_length, size_t, return this->payload_length; } +METHOD2(payload_t, encrypted_payload_t, get_length_plain, size_t, + private_encrypted_payload_t *this) +{ + /* contains only the decrypted payload data, no IV, padding or ICV */ + this->payload_length = this->encrypted.len; + + if (this->aead) + { + this->payload_length += compute_overhead(this->aead, + this->payload_length); + } + this->payload_length += get_header_length(this); + return this->payload_length; +} + METHOD(encrypted_payload_t, add_payload, void, private_encrypted_payload_t *this, payload_t *payload) { @@ -727,6 +742,12 @@ METHOD(encrypted_payload_t, set_transform, void, this->aead = aead; } +METHOD(encrypted_payload_t, get_transform, aead_t*, + private_encrypted_payload_t *this) +{ + return this->aead; +} + METHOD2(payload_t, encrypted_payload_t, destroy, void, private_encrypted_payload_t *this) { @@ -759,6 +780,7 @@ encrypted_payload_t *encrypted_payload_create(payload_type_t type) .remove_payload = _remove_payload, .generate_payloads = _generate_payloads, .set_transform = _set_transform, + .get_transform = _get_transform, .encrypt = _encrypt, .decrypt = _decrypt, .destroy = _destroy, 
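Review bot: `get_length_plain` is a getter with a side effect: each call recomputes and overwrites `this->payload_length`, so that field only reflects the current plaintext after the getter has run, and any rule or generator reading the field directly sees the last cached value. A comment should state this, e.g. `/* recomputed on each call, as the plaintext may grow when payloads are added; payload_length is only a cache of the last result */`, and it should note that the AEAD overhead is computed from the plaintext length before the header is added, matching how padding and ICV are applied to the data rather than the header (`compute_overhead` is outside the hunk, so confirm). `get_transform` hands out the stored pointer with no reference handling, which is consistent with `set_transform` just storing it, so callers must treat the result as borrowed; say so in its doc block.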
@@ -787,10 +809,11 @@ encrypted_payload_t *encrypted_payload_create_from_plain(payload_type_t next, private_encrypted_payload_t *this; this = (private_encrypted_payload_t*)encrypted_payload_create(PLV2_ENCRYPTED); + this->public.payload_interface.get_length = _get_length_plain; + this->public.get_length = _get_length_plain; this->public.decrypt = _decrypt_plain; this->next_payload = next; this->encrypted = plain; - compute_length(this); return &this->public; } @@ -899,6 +922,12 @@ METHOD(encrypted_payload_t, frag_set_transform, void, this->aead = aead; } +METHOD(encrypted_payload_t, frag_get_transform, aead_t*, + private_encrypted_fragment_payload_t *this) +{ + return this->aead; +} + /** * Append the encrypted fragment payload header to the associated data */ @@ -996,6 +1025,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create() .remove_payload = (void*)return_null, .generate_payloads = nop, .set_transform = _frag_set_transform, + .get_transform = _frag_get_transform, .encrypt = _frag_encrypt, .decrypt = _frag_decrypt, .destroy = _frag_destroy, diff --git a/src/libcharon/encoding/payloads/encrypted_payload.h b/src/libcharon/encoding/payloads/encrypted_payload.h index 72a256553..be7a24f43 100644 --- a/src/libcharon/encoding/payloads/encrypted_payload.h +++ b/src/libcharon/encoding/payloads/encrypted_payload.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Tobias Brunner + * Copyright (C) 2014-2018 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter 
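Review bot: Both `payload_interface.get_length` and the public `get_length` are redirected to `_get_length_plain` and the `compute_length(this)` call is dropped, so `payload_length` of a payload created from plaintext is whatever `encrypted_payload_create(PLV2_ENCRYPTED)` left in it until someone calls `get_length()`; if any code reads the field directly (for instance encoding rules that reference it by offset) between creation and the first `get_length()`, it now sees a stale value. I can't tell from the hunk whether such a reader exists; if not, the removal is fine, but a one-line comment would spare the next maintainer the trace: `/* length is derived lazily from the plaintext (see get_length_plain); both interface slots must point to the same function */`. `frag_get_transform` returns the stored pointer without a reference, same as the non-fragment variant, so it is borrowed too.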
@@ -74,9 +74,16 @@ struct encrypted_payload_t { /** * Set the AEAD transform to use. * - * @param aead aead transform to use + * @param aead aead transform to use */ - void (*set_transform) (encrypted_payload_t *this, aead_t *aead); + void (*set_transform)(encrypted_payload_t *this, aead_t *aead); + + /** + * Get the AEAD transform that to use (or was used). + * + * @param aead aead transform to use (or was used) + */ + aead_t *(*get_transform)(encrypted_payload_t *this); /** * Generate, encrypt and sign contained payloads. diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index 0c6f010b5..a69db9357 100644 --- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c @@ -1,7 +1,7 @@ /* + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG - * Copyright (C) 2006-2008 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -114,7 +114,11 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, MS_NOTI "SENDER_REQUEST_ID", "FRAGMENTATION_SUPPORTED", "SIGNATURE_HASH_ALGORITHMS"); -ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS, +ENUM_NEXT(notify_type_names, USE_PPK, NO_PPK_AUTH, SIGNATURE_HASH_ALGORITHMS, + "USE_PPK", + "PPK_IDENTITY", + "NO_PPK_AUTH"); +ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, NO_PPK_AUTH, "INITIAL_CONTACT"); ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1, "DPD_R_U_THERE", 
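Review bot: The new `get_transform` doc block documents a `@param aead` the method does not take, says nothing about the return value, and the sentence "Get the AEAD transform that to use" is garbled. Replace it with `* Get the AEAD transform set with set_transform(), if any.` and `* @return aead transform (borrowed, no new reference), NULL if none`. The borrowing claim follows from the .c change, which just returns the stored pointer, but should be confirmed against `set_transform`'s ownership semantics, which are outside this hunk.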
@@ -224,7 +228,11 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, M "SENDER_REQ_ID", "FRAG_SUP", "HASH_ALG"); -ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS, +ENUM_NEXT(notify_type_short_names, USE_PPK, NO_PPK_AUTH, SIGNATURE_HASH_ALGORITHMS, + "USE_PPK", + "PPK_ID", + "NO_PPK"); +ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, NO_PPK_AUTH, "INITIAL_CONTACT"); ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1, "DPD", diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h index 39e4c915b..b0cf69d02 100644 --- a/src/libcharon/encoding/payloads/notify_payload.h +++ b/src/libcharon/encoding/payloads/notify_payload.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Tobias Brunner + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -153,6 +153,12 @@ enum notify_type_t { FRAGMENTATION_SUPPORTED = 16430, /* Signature Hash Algorithms, RFC 7427 */ SIGNATURE_HASH_ALGORITHMS = 16431, + /* Use Postquantum Preshared Key (draft-ietf-ipsecme-qr-ikev2) */ + USE_PPK = 16435, + /* Postquantum Preshared Key Identity (draft-ietf-ipsecme-qr-ikev2) */ + PPK_IDENTITY = 16436, + /* No Postquantum Preshared Key Auth (draft-ietf-ipsecme-qr-ikev2) */ + NO_PPK_AUTH = 16437, /* IKEv1 initial contact */ INITIAL_CONTACT_IKEV1 = 24578, /* IKEv1 DPD */ diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index 94b9c284b..4158eb45e 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h 
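Review bot: The three new notify types in notify_payload.h cite draft-ietf-ipsecme-qr-ikev2 without saying where the numbers 16435–16437 come from; since the ENUM_NEXT chains in notify_payload.c depend on them being exactly these contiguous values, a comment naming the source (presumably the IANA early allocation for the draft, if that is where they were taken from) and the draft revision would make any later renumbering visible. Suggest `/* Postquantum Preshared Key notifies, draft-ietf-ipsecme-qr-ikev2 (values as assigned by IANA) */` above `USE_PPK`. The enum itself continues outside the hunk.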
@@ -1,6 +1,6 @@ /* * Copyright (C) 2016 Andreas Steffen - * Copyright (C) 2006-2016 Tobias Brunner + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -93,8 +93,16 @@ struct kernel_ipsec_add_sa_t { bool encap; /** no (disabled), yes (enabled), auto (enabled if supported) */ hw_offload_t hw_offload; + /** Mark the SA should apply to packets after processing */ + mark_t mark; /** TRUE to use Extended Sequence Numbers */ bool esn; + /** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */ + bool copy_df; + /** TRUE to copy the ECN header field to/from the outer header */ + bool copy_ecn; + /** Whether to copy the DSCP header field to/from the outer header */ + dscp_copy_t copy_dscp; /** TRUE if initiator of the exchange creating the SA */ bool initiator; /** TRUE if this is an inbound SA */ diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index 4c72b5609..acdba345c 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c @@ -646,13 +646,13 @@ receiver_t *receiver_create() this->receive_delay = lib->settings->get_int(lib->settings, "%s.receive_delay", 0, lib->ns); this->receive_delay_type = lib->settings->get_int(lib->settings, - "%s.receive_delay_type", 0, lib->ns), + "%s.receive_delay_type", 0, lib->ns); this->receive_delay_request = lib->settings->get_bool(lib->settings, - "%s.receive_delay_request", TRUE, lib->ns), + "%s.receive_delay_request", TRUE, lib->ns); this->receive_delay_response = lib->settings->get_bool(lib->settings, - "%s.receive_delay_response", TRUE, lib->ns), + "%s.receive_delay_response", TRUE, lib->ns); this->initiator_only = lib->settings->get_bool(lib->settings, - "%s.initiator_only", FALSE, lib->ns), + "%s.initiator_only", FALSE, lib->ns); this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (!this->hasher) 
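Review bot: The new field comments in `kernel_ipsec_add_sa_t` are uneven: `mark` reads "Mark the SA should apply to packets after processing", which does not say whether this is a mark set on packets (as opposed to one matched to select the SA — presumably the latter lives in the SA identifier, but that is outside the hunk), and `copy_df` is documented as tunnel-mode only while `copy_ecn` and `copy_dscp` are not, though presumably all three only make sense when an outer header exists. Suggest `/** Mark to set on packets after IPsec processing by this SA (not the mark used to select it) */` and `/** TRUE to copy the ECN field between inner and outer header (tunnel mode) */`, with the same qualifier on `copy_dscp`; the values of `dscp_copy_t` are not in the diff, so they should be referenced there. The struct continues outside the hunk.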
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 62ce323d0..c16899048 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in index bba9591ec..4cecc1431 100644 --- a/src/libcharon/plugins/android_dns/Makefile.in +++ b/src/libcharon/plugins/android_dns/Makefile.in 
@@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in index 0a5c7ec8d..5d0c826f5 100644 --- a/src/libcharon/plugins/android_log/Makefile.in +++ b/src/libcharon/plugins/android_log/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ 
@@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in index 2e7170472..af810b959 100644 --- a/src/libcharon/plugins/attr/Makefile.in +++ b/src/libcharon/plugins/attr/Makefile.in @@ -310,7 +310,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -336,6 +335,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ 
@@ -356,8 +357,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -412,8 +411,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -442,8 +439,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in index b8b9885f2..cc2c22ddc 100644 --- a/src/libcharon/plugins/attr_sql/Makefile.in +++ b/src/libcharon/plugins/attr_sql/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/bypass_lan/Makefile.in b/src/libcharon/plugins/bypass_lan/Makefile.in index f882f6bc0..84b3bb3b2 100644 --- a/src/libcharon/plugins/bypass_lan/Makefile.in +++ b/src/libcharon/plugins/bypass_lan/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in index cbfb07597..f057d25c2 100644 --- a/src/libcharon/plugins/certexpire/Makefile.in +++ b/src/libcharon/plugins/certexpire/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in index 6f0a2bddf..b88af5a24 100644 --- a/src/libcharon/plugins/connmark/Makefile.in +++ b/src/libcharon/plugins/connmark/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/counters/Makefile.in b/src/libcharon/plugins/counters/Makefile.in index 491ba80b3..e58c467bf 100644 --- a/src/libcharon/plugins/counters/Makefile.in +++ b/src/libcharon/plugins/counters/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in index 5859a21ee..1d9a7cbc7 100644 --- a/src/libcharon/plugins/coupling/Makefile.in +++ b/src/libcharon/plugins/coupling/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index f8e2d7398..5975ea98b 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -311,7 +311,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -337,6 +336,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -357,8 +358,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -413,8 +412,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -443,8 +440,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index c26fcc920..1e208d094 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -800,7 +800,10 @@ dhcp_socket_t *dhcp_socket_create() destroy(this); return NULL; } - if (!is_broadcast(this->dst)) + if (!is_broadcast(this->dst) && + lib->settings->get_bool(lib->settings, + "%s.plugins.dhcp.use_server_port", FALSE, + lib->ns)) { /* when setting giaddr (which we do when we don't broadcast), the server * should respond to the server port on that IP, according to RFC 2131, @@ -808,7 +811,9 @@ dhcp_socket_t *dhcp_socket_create() * kernel will respond with an ICMP port unreachable if there is no * socket bound to that port, which might be problematic with certain * DHCP servers. instead of opening an additional socket, that we don't - * actually use, we can also just send our requests from port 67 */ + * actually use, we can also just send our requests from port 67. + * we don't do this by default, as it might cause conflicts with DHCP + * servers running on the same host */ src.sin_port = htons(DHCP_SERVER_PORT); } if (bind(this->send, (struct sockaddr*)&src, sizeof(src)) == -1) diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in index d0a4d7fc3..d9f80a7ba 100644 --- a/src/libcharon/plugins/dnscert/Makefile.in +++ b/src/libcharon/plugins/dnscert/Makefile.in 
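Review bot: With the new default of `use_server_port = FALSE`, a unicast DHCP server address (giaddr set, per the comment) now sends from an unprivileged port, while the comment itself explains that an RFC 2131 server answers to port 67 in that case; nothing in the hunk logs this, so a deployment that relied on the old behaviour fails silently with ICMP port unreachable after the upgrade. Suggest a `DBG1(DBG_CFG, ...)` when `!is_broadcast(this->dst)` and the option is off, and the strongswan.conf documentation should say that `use_server_port` must be enabled for a unicast server that follows RFC 2131. Whether the plugin's receive side still picks up replies to port 67 in that configuration depends on code outside the hunk and is worth confirming. The enclosing `dhcp_socket_create()` starts before and ends after the hunk.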
@@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in index 9be0c495b..93ed6609a 100644 --- a/src/libcharon/plugins/duplicheck/Makefile.in +++ b/src/libcharon/plugins/duplicheck/Makefile.in @@ -320,7 +320,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ 
@@ -346,6 +345,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -366,8 +367,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -422,8 +421,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -452,8 +449,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index dd66b65b7..202051fdd 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ 
@@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_aka_3gpp/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp/Makefile.in index d8515c05b..8aef51cef 100644 --- a/src/libcharon/plugins/eap_aka_3gpp/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp/Makefile.in @@ -321,7 +321,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -347,6 +346,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -367,8 +368,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -423,8 +422,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -453,8 +450,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in index 65b86199c..5c45477ad 100644 --- a/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in @@ -308,7 +308,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -334,6 +333,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -354,8 +355,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -410,8 +409,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -440,8 +437,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index f5fc3fb48..b60fbd03b 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -315,7 +315,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -341,6 +340,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -361,8 +362,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -417,8 +416,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -447,8 +444,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in index 494f0a8c5..0ebde2034 100644 --- a/src/libcharon/plugins/eap_dynamic/Makefile.in +++ b/src/libcharon/plugins/eap_dynamic/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 4dc68f94f..f8b9580e8 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -312,7 +312,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -338,6 +337,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -358,8 +359,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -414,8 +413,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -444,8 +441,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 44f097ef4..405660c8c 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 3c634db82..5e6da5e1b 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -312,7 +312,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -338,6 +337,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -358,8 +359,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -414,8 +413,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -444,8 +441,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index 505d6ea52..9ac83b0eb 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in index 20f2ecab1..e3d498c5b 100644 --- a/src/libcharon/plugins/eap_peap/Makefile.in +++ b/src/libcharon/plugins/eap_peap/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index f5100fc53..832c7d0dd 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -315,7 +315,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -341,6 +340,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -361,8 +362,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -417,8 +416,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -447,8 +444,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index ae25d21c2..2996eaa8a 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index a02cbbd23..3792f24aa 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -315,7 +315,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -341,6 +340,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -361,8 +362,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -417,8 +416,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -447,8 +444,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in index d9cfda351..3992a0f19 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in +++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in @@ -316,7 +316,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -342,6 +341,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -362,8 +363,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -418,8 +417,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -448,8 +445,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c index dbf660889..141b123ae 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c +++ b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c @@ -124,6 +124,7 @@ METHOD(simaka_card_t, get_triplet, bool, if (rv != SCARD_S_SUCCESS) { DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv)); + free(mszReaders); return FALSE; } diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 9f56b01da..8bc917d2a 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -316,7 +316,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -342,6 +341,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -362,8 +363,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
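Review bot: The added `free(mszReaders)` closes the buffer leak on this SCardListReaders failure path, but the same early return still drops the PC/SC context handle that SCardListReaders was called with, unless it is released somewhere outside the hunk; the context setup and the end-of-method cleanup of get_triplet are not visible here. If the context is established in this method, the failure branch should release it too, e.g. `SCardReleaseContext(<context>); free(mszReaders); return FALSE;`, or — since the method has several such returns — a single goto-based cleanup label would keep every path consistent. Please also confirm that `mszReaders` is always the buffer allocated after the sizing call on this path rather than an uninitialised pointer. get_triplet begins before and continues past the hunk.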
@@ -418,8 +417,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -448,8 +445,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 9e41bf270..9a3aeb813 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -315,7 +315,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -341,6 +340,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -361,8 +362,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -417,8 +416,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -447,8 +444,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 0f6b7e95a..3f4b66735 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index 83726b645..a5c69c5fb 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index 1047ea0e0..f979c523a 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index 1a779c60b..135d5e1b1 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -315,7 +315,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -341,6 +340,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -361,8 +362,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -417,8 +416,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -447,8 +444,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in index 7439befbc..66b7cad89 100644 --- a/src/libcharon/plugins/error_notify/Makefile.in +++ b/src/libcharon/plugins/error_notify/Makefile.in @@ -321,7 +321,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -347,6 +346,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -367,8 +368,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -423,8 +422,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -453,8 +450,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in index d669b5707..f7904fdde 100644 --- a/src/libcharon/plugins/ext_auth/Makefile.in +++ b/src/libcharon/plugins/ext_auth/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index dc07f34c1..752fba7e6 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -311,7 +311,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -337,6 +336,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -357,8 +358,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -413,8 +412,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -443,8 +440,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in index f89ed736d..7e2f2a3c3 100644 --- a/src/libcharon/plugins/forecast/Makefile.in +++ b/src/libcharon/plugins/forecast/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 455108834..05093df22 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c index 7fdcfef28..20cf04844 100644 --- a/src/libcharon/plugins/ha/ha_kernel.c +++ b/src/libcharon/plugins/ha/ha_kernel.c @@ -240,7 +240,7 @@ static void enable_disable(private_ha_kernel_t *this, u_int segment, } /** - * Get the currenlty active segments in the kernel for a clusterip file + * Get the currently active segments in the kernel for a clusterip file */ static segment_mask_t get_active(private_ha_kernel_t *this, char *file) { diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in index b212e2e33..74b3729c7 100644 --- a/src/libcharon/plugins/ipseckey/Makefile.in +++ b/src/libcharon/plugins/ipseckey/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in index cc4450a95..fa8b093ca 100644 --- a/src/libcharon/plugins/kernel_iph/Makefile.in +++ b/src/libcharon/plugins/kernel_iph/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in index 09c03ed33..478d53dba 100644 --- a/src/libcharon/plugins/kernel_libipsec/Makefile.in +++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in @@ -315,7 +315,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -341,6 +340,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -361,8 +362,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -417,8 +416,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -447,8 +444,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in index 7ec64084b..b6b3af6d5 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libcharon/plugins/kernel_netlink/Makefile.in @@ -355,7 +355,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -381,6 +380,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -401,8 +402,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -457,8 +456,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -487,8 +484,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 4926c3de8..1292e0895 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1131,7 +1131,7 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
 watcher_event_t event)
 {
- char response[1024];
+ char response[netlink_get_buflen()];
 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 struct sockaddr_nl addr;
 socklen_t addr_len = sizeof(addr);
@@ -1336,6 +1336,23 @@ static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
 }
 
 /**
+ * Add a uint32 attribute to message
+ */
+static bool add_uint32(struct nlmsghdr *hdr, int buflen,
+ enum xfrm_attr_type_t type, uint32_t value)
+{
+ uint32_t *xvalue;
+
+ xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue));
+ if (!xvalue)
+ {
+ return FALSE;
+ }
+ *xvalue = value;
+ return TRUE;
+}
+
+/**
 * Check if kernel supports HW offload
 */
 static void netlink_find_offload_feature(const char *ifname, int query_socket)
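Review bot: `char response[netlink_get_buflen()];` in receive_events replaces a fixed 1024-byte stack buffer with a VLA whose size is whatever the `%s.plugins.kernel-netlink.buflen` setting yields, and nothing in this hunk bounds it, so an oversized (or negative, converted to u_int) configured value grows the stack frame of every event callback by that amount; the receive_events in kernel_netlink_net.c further down has the same construct. Because the size is constant for the process lifetime, a buffer allocated once per listener on the heap (sized by netlink_get_buflen()) or a cap applied where the value is read would remove the stack exposure. receive_events continues outside the hunk. For the new add_uint32, a `@return FALSE if the attribute does not fit into buflen` line in its header comment would document the one failure path callers must check.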
@@ -1586,6 +1603,49 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 sa->id.proto = id->proto;
 sa->family = id->src->get_family(id->src);
 sa->mode = mode2kernel(mode);
+
+ if (!data->copy_df)
+ {
+ sa->flags |= XFRM_STATE_NOPMTUDISC;
+ }
+
+ if (!data->copy_ecn)
+ {
+ sa->flags |= XFRM_STATE_NOECN;
+ }
+
+ if (data->inbound)
+ {
+ switch (data->copy_dscp)
+ {
+ case DSCP_COPY_YES:
+ case DSCP_COPY_IN_ONLY:
+ sa->flags |= XFRM_STATE_DECAP_DSCP;
+ break;
+ default:
+ break;
+ }
+ }
+ else
+ {
+ switch (data->copy_dscp)
+ {
+ case DSCP_COPY_IN_ONLY:
+ case DSCP_COPY_NO:
+ {
+ /* currently the only extra flag */
+ if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS,
+ XFRM_SA_XFLAG_DONT_ENCAP_DSCP))
+ {
+ goto failed;
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ }
+
 switch (mode)
 {
 case MODE_TUNNEL:
@@ -1829,17 +1889,23 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 goto failed;
 }
+ if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
+ {
+ if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
+ data->mark.value) ||
+ !add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK,
+ data->mark.mask))
+ {
+ goto failed;
+ }
+ }
+
 if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
 { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
- uint32_t *tfcpad;
-
- tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
- sizeof(*tfcpad));
- if (!tfcpad)
+ if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc))
 {
 goto failed;
 }
- *tfcpad = data->tfc;
 }
 if (id->proto != IPPROTO_COMP)
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
index b6eb54370..760a875ca 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
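Review bot: The two `switch (data->copy_dscp)` blocks added to add_sa encode an asymmetric mapping — inbound SAs get `XFRM_STATE_DECAP_DSCP` for DSCP_COPY_YES and DSCP_COPY_IN_ONLY, outbound SAs get `XFRM_SA_XFLAG_DONT_ENCAP_DSCP` for DSCP_COPY_IN_ONLY and DSCP_COPY_NO — and the only comment, `/* currently the only extra flag */`, explains neither, so a reader has to reconstruct why IN_ONLY appears in both lists. A comment before `if (data->inbound)` stating the rule, e.g. `/* DECAP_DSCP enables the inner-header copy on inbound SAs, DONT_ENCAP_DSCP disables the outer-header copy on outbound SAs; IN_ONLY therefore needs both */`, would make the cases reviewable; the flag names suggest that reading, but it should be confirmed against the kernel's xfrm semantics before being written down. Each switch has exactly two live cases and an empty default, so an `if` with `||` would read more directly, which is a style point only. In the second hunk, `if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))` deserves a one-line comment on why IPComp SAs are excluded from XFRMA_SET_MARK. add_sa starts and ends outside both hunks.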
@@ -1504,7 +1504,7 @@ static void process_rule(private_kernel_netlink_net_t *this, struct nlmsghdr *hd
 static bool receive_events(private_kernel_netlink_net_t *this, int fd,
 watcher_event_t event)
 {
- char response[1536];
+ char response[netlink_get_buflen()];
 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 struct sockaddr_nl addr;
 socklen_t addr_len = sizeof(addr);
@@ -2586,11 +2586,11 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this,
 memset(half_net.ptr, 0, half_net.len);
 half_prefixlen = 1;
- status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
- gateway, src_ip, if_name);
+ status = manage_srcroute(this, nlmsg_type, flags, half_net,
+ half_prefixlen, gateway, src_ip, if_name);
 half_net.ptr[0] |= 0x80;
- status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
- gateway, src_ip, if_name);
+ status |= manage_srcroute(this, nlmsg_type, flags, half_net,
+ half_prefixlen, gateway, src_ip, if_name);
 return status;
 }
@@ -2925,7 +2925,7 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 msg->rtm_flags |= FIB_RULE_INVERT;
 fwmark++;
 }
- if (mark_from_string(fwmark, &mark))
+ if (mark_from_string(fwmark, MARK_OP_NONE, &mark))
 {
 chunk = chunk_from_thing(mark.value);
 netlink_add_attribute(hdr, FRA_FWMARK, chunk, sizeof(request));
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
index 441c0c482..84d78eca2 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -381,7 +381,7 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 for (i = 0, *out_len = 0; i < array_count(entry->hdrs); i++)
 {
 array_get(entry->hdrs, i, &hdr);
- *out_len += hdr->nlmsg_len;
+ *out_len += NLMSG_ALIGN(hdr->nlmsg_len);
 }
 ptr = malloc(*out_len);
 *out = (struct nlmsghdr*)ptr;
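Review bot: `status |= manage_srcroute(...)` in the half-net split of manage_srcroute fixes the old code's loss of the first call's result, but OR-ing two status_t values only yields a meaningful code if SUCCESS and FAILED are the only possible returns; should manage_srcroute propagate any other status_t enumerator, the OR of two different codes can denote a third, unrelated one. A form independent of the enum numbering keeps both calls and folds each result explicitly, e.g. `if (manage_srcroute(...) != SUCCESS) { status = FAILED; }` after each call with `status = SUCCESS;` set beforehand. manage_srcroute's body starts and ends outside the hunk. The `char response[netlink_get_buflen()]` VLA in this file's receive_events has the same unbounded-size concern noted for kernel_netlink_ipsec.c above.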
@@ -394,7 +394,7 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 hdr->nlmsg_seq, hdr, hdr->nlmsg_len);
 }
 memcpy(ptr, hdr, hdr->nlmsg_len);
- ptr += hdr->nlmsg_len;
+ ptr += NLMSG_ALIGN(hdr->nlmsg_len);
 free(hdr);
 }
 destroy_entry(entry);
@@ -587,8 +587,31 @@ METHOD(netlink_socket_t, destroy, void,
 free(this);
 }
 
-/**
- * Described in header.
+/*
+ * Described in header
+ */
+u_int netlink_get_buflen()
+{
+ u_int buflen;
+
+ buflen = lib->settings->get_int(lib->settings,
+ "%s.plugins.kernel-netlink.buflen", 0, lib->ns);
+ if (!buflen)
+ {
+ long pagesize = sysconf(_SC_PAGESIZE);
+
+ if (pagesize == -1)
+ {
+ pagesize = 4096;
+ }
+ /* base this on NLMSG_GOODSIZE */
+ buflen = min(pagesize, 8192);
+ }
+ return buflen;
+}
+
+/*
+ * Described in header
 */
 netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 bool parallel)
@@ -612,8 +635,7 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 .entries = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 4),
 .protocol = protocol,
 .names = names,
- .buflen = lib->settings->get_int(lib->settings,
- "%s.plugins.kernel-netlink.buflen", 0, lib->ns),
+ .buflen = netlink_get_buflen(),
 .timeout = lib->settings->get_int(lib->settings,
 "%s.plugins.kernel-netlink.timeout", 0, lib->ns),
 .retries = lib->settings->get_int(lib->settings,
@@ -624,16 +646,6 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 .parallel = parallel,
 );
 
- if (!this->buflen)
- {
- long pagesize = sysconf(_SC_PAGESIZE);
- if (pagesize == -1)
- {
- pagesize = 4096;
- }
- /* base this on NLMSG_GOODSIZE */
- this->buflen = min(pagesize, 8192);
- }
 if (this->socket == -1)
 {
 DBG1(DBG_KNL, "unable to create netlink socket: %s (%d)",
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
index 7056e6ccc..82dce4c5c 100644
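Review bot: `u_int netlink_get_buflen()` is declared without a prototype here and in the kernel_netlink_shared.h hunk that follows; `u_int netlink_get_buflen(void)` lets the compiler reject calls that pass arguments. The value returned by `get_int` is stored into a `u_int` without a range check: only zero selects the page-size fallback, so a negative setting becomes a multi-gigabyte size and an arbitrarily large positive one is accepted as is, and this function now also sizes the stack VLAs in the two receive_events functions. Reading the setting into an `int` first, and treating values that are not positive or that exceed a named maximum (a limit of the project's choosing) as 0 so the fallback applies, would protect every caller in this one place. `min(pagesize, 8192)` mixes long and int; the result fits, but an explicit cast to u_int would match buflen's type.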
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -101,4 +101,11 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
 */
 void* netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len);
 
+/**
+ * Determine buffer size for received messages (e.g. events).
+ *
+ * @return buffer size
+ */
+u_int netlink_get_buflen();
+
 #endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in index 0d3d3775b..539d1dc46 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 80c484b47..dbe409a62 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -890,10 +890,15 @@ static kernel_algorithm_t encryption_algs[] = {
 {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 },
 {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 },
 {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 },
+#elif defined(SADB_X_EALG_AES_GCM) /* macOS */
+ {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM },
 #endif
 #ifdef SADB_X_EALG_CAMELLIACBC
 {ENCR_CAMELLIA_CBC, SADB_X_EALG_CAMELLIACBC },
 #endif
+#ifdef SADB_X_EALG_CHACHA20POLY1305
+ {ENCR_CHACHA20_POLY1305, SADB_X_EALG_CHACHA20POLY1305},
+#endif
 {END_OF_LIST, 0 },
 };
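Review bot: The macOS branch `#elif defined(SADB_X_EALG_AES_GCM)` maps only ENCR_AES_GCM_ICV16, so on that platform AES-GCM with an 8- or 12-byte ICV has no entry in encryption_algs; if that is because the single macOS constant implies a 16-byte ICV, the comment should say so, e.g. `/* macOS: single GCM constant, 16-byte ICV only */`, otherwise the two mappings are missing. The new `SADB_X_EALG_CHACHA20POLY1305` entry carries no platform comment like the macOS one; noting which kernels define it would help whoever next extends this table.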
@@ -2456,6 +2461,45 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 }
 
 /**
+ * Check if any significant data has changed to warrant sending an update to
+ * the kernel.
+ */
+static bool policy_update_required(policy_sa_t *current, policy_sa_t *updated)
+{
+ if (current->type != updated->type
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
+ || current->priority != updated->priority
+#endif
+ )
+ {
+ return TRUE;
+ }
+ if (current->type == POLICY_IPSEC)
+ {
+ ipsec_sa_cfg_t *cur = ¤t->sa->cfg, *upd = &updated->sa->cfg;
+
+ /* we don't use ipsec_sa_cfg_equals() here as e.g. SPIs are not
+ * relevant for this kernel interface, so we don't have to update the
+ * policy during a rekeying */
+ if (cur->mode != upd->mode ||
+ cur->reqid != upd->reqid ||
+ cur->esp.use != upd->esp.use ||
+ cur->ah.use != upd->ah.use ||
+ cur->ipcomp.transform != upd->ipcomp.transform)
+ {
+ return TRUE;
+ }
+ if (cur->mode == MODE_TUNNEL &&
+ (!current->sa->src->ip_equals(current->sa->src, updated->sa->src) ||
+ !current->sa->dst->ip_equals(current->sa->dst, updated->sa->dst)))
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/**
 * Add or update a policy in the kernel.
 *
 * Note: The mutex has to be locked when entering this function.
@@ -2629,7 +2673,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 kernel_ipsec_manage_policy_t *data)
 {
 policy_entry_t *policy, *found = NULL;
- policy_sa_t *assigned_sa, *current_sa;
+ policy_sa_t *assigned_sa, *current_sa = NULL;
 enumerator_t *enumerator;
 bool update = TRUE;
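Review bot: policy_update_required dereferences `current->sa` and `updated->sa` whenever `current->type == POLICY_IPSEC`, which is safe only if every policy_sa_t of that type carries a non-NULL `sa`; the hunk does not show that invariant, so the header comment should state it along with the parameters, e.g. `@param current installed mapping (sa must be set when type is POLICY_IPSEC)`, `@param updated mapping to compare against`, `@return TRUE if the kernel policy has to be updated`. The inline comment explains why SPIs are ignored, which is good; a short mention that priority is only compared when the kernel exposes it (the `#ifdef`) would complete the picture. The line `ipsec_sa_cfg_t *cur = ¤t->sa->cfg` appears to be a rendering artifact of `&current->sa->cfg` on this page rather than a code defect.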
@@ -2692,6 +2736,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
 enumerator->destroy(enumerator);
 
+ if (update && current_sa)
+ { /* check if there are actually any relevant changes, if not, we don't
+ * send an update to the kernel as e.g. FreeBSD doesn't do that
+ * atomically, causing unnecessary traffic loss during rekeyings */
+ update = policy_update_required(current_sa, assigned_sa);
+ }
+
 if (!update)
 { /* we don't update the policy if the priority is lower than that of the
 * currently installed one */
@@ -2889,22 +2940,28 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 return SUCCESS;
 }
 policy->used_by->remove(policy->used_by, to_remove, NULL);
- mapping = to_remove;
 if (policy->used_by->get_count(policy->used_by) > 0)
 { /* policy is used by more SAs, keep in kernel */
 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
- policy_sa_destroy(mapping, id->dir, this);
+
+ if (is_installed)
+ { /* check if there are actually any relevant changes, if not, we do
+ * not send an update to the kernel as e.g. FreeBSD doesn't do that
+ * atomically, causing unnecessary traffic loss during rekeyings */
+ policy->used_by->get_first(policy->used_by, (void**)&mapping);
+ is_installed = policy_update_required(mapping, to_remove);
+ }
+ policy_sa_destroy(to_remove, id->dir, this);
 if (!is_installed)
- { /* no need to update as the policy was not installed for this SA */
+ { /* no need to update as the policy */
 this->mutex->unlock(this->mutex);
 return SUCCESS;
 }
 DBG2(DBG_KNL, "updating policy %R === %R %N", id->src_ts, id->dst_ts,
 policy_dir_names, id->dir);
- policy->used_by->get_first(policy->used_by, (void**)&mapping);
 if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
 {
 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
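Review bot: The rewritten comment `{ /* no need to update as the policy */` in del_policy is truncated — the original explained the reason (the policy was not installed for this SA) and the new code adds a second one, since `is_installed` is now also cleared when policy_update_required finds nothing relevant. Suggest `{ /* no need to update: the policy was not installed for this SA or nothing relevant changed */`. The explanatory comments added in add_policy and del_policy are near-duplicates (`we don't` vs `we do not`); putting the FreeBSD rationale once on policy_update_required and referring to it from both call sites would avoid keeping two copies in sync. del_policy's body continues outside the hunk.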
@@ -2926,7 +2983,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
 pol->sadb_x_policy_dir = dir2kernel(id->dir);
- pol->sadb_x_policy_type = type2kernel(mapping->type);
+ pol->sadb_x_policy_type = type2kernel(to_remove->type);
 PFKEY_EXT_ADD(msg, pol);
 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
@@ -2949,7 +3006,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 }
 this->policies->remove(this->policies, found, NULL);
- policy_sa_destroy(mapping, id->dir, this);
+ policy_sa_destroy(to_remove, id->dir, this);
 policy_entry_destroy(policy, this);
 this->mutex->unlock(this->mutex);
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in index dc4d1c852..b75e0bcde 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.in +++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in index 98e147717..36c3b828c 100644 --- a/src/libcharon/plugins/kernel_wfp/Makefile.in +++ b/src/libcharon/plugins/kernel_wfp/Makefile.in @@ -321,7 +321,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -347,6 +346,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -367,8 +368,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -423,8 +422,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -453,8 +450,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index 7abb83daa..d500bc704 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -310,7 +310,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -336,6 +335,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -356,8 +357,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -412,8 +411,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -442,8 +439,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index 42ad9abf3..deb3620c7 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -323,7 +323,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -349,6 +348,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -369,8 +370,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -425,8 +424,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -455,8 +452,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c index 24076d443..8e89ab435 100644 --- a/src/libcharon/plugins/load_tester/load_tester_control.c +++ b/src/libcharon/plugins/load_tester/load_tester_control.c @@ -69,7 +69,7 @@ struct init_listener_t { hashtable_t *initiated; /** - * IKE_SAs we have completed to initate (success or failure) + * IKE_SAs we have completed to initiate (success or failure) */ hashtable_t *completed; diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in index b8c5d2249..905ff8d35 100644 --- a/src/libcharon/plugins/lookip/Makefile.in +++ b/src/libcharon/plugins/lookip/Makefile.in @@ -319,7 +319,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -345,6 +344,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -365,8 +366,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -421,8 +420,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -451,8 +448,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 47175b4b9..84d0b86ce 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index 176e2a5cb..7300a774b 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in index ec1916aba..7795ac7a6 100644 --- a/src/libcharon/plugins/osx_attr/Makefile.in +++ b/src/libcharon/plugins/osx_attr/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/p_cscf/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in index 9afed4111..5500bdcba 100644 --- a/src/libcharon/plugins/p_cscf/Makefile.in +++ b/src/libcharon/plugins/p_cscf/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in index ee16cceb8..f12e54e72 100644 --- a/src/libcharon/plugins/radattr/Makefile.in +++ b/src/libcharon/plugins/radattr/Makefile.in @@ -314,7 +314,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -340,6 +339,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -360,8 +361,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -416,8 +415,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -446,8 +443,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in index 45e2723cc..ec5c0d420 100644 --- a/src/libcharon/plugins/resolve/Makefile.in +++ b/src/libcharon/plugins/resolve/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/save_keys/Makefile.in b/src/libcharon/plugins/save_keys/Makefile.in index a56d8eacd..7b1ad145d 100644 --- a/src/libcharon/plugins/save_keys/Makefile.in +++ b/src/libcharon/plugins/save_keys/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 33484587b..9b476f807 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -311,7 +311,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -337,6 +336,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -357,8 +358,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -413,8 +412,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -443,8 +440,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c index 86296443d..29d3d2dad 100644 --- a/src/libcharon/plugins/smp/smp.c +++ b/src/libcharon/plugins/smp/smp.c @@ -76,7 +76,8 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i switch (id->get_type(id)) { { - char *type = ""; + char *type; + while (TRUE) { case ID_ANY: @@ -324,10 +325,12 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write xmlTextWriterStartElement(writer, "childconfig"); xmlTextWriterWriteElement(writer, "name", child_cfg->get_name(child_cfg)); - list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); + list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, + NULL, FALSE); write_networks(writer, "local", list); list->destroy_offset(list, offsetof(traffic_selector_t, destroy)); - list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); + list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, + NULL, FALSE); write_networks(writer, "remote", list); list->destroy_offset(list, offsetof(traffic_selector_t, destroy)); xmlTextWriterEndElement(writer); diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 05684706e..50529c480 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in 
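Review bot: `char *type;` in write_id now has no initializer and the reason is not recorded: the `case` labels after `while (TRUE)` jump into this block past the declaration, so the old `= ""` was never executed on those paths anyway, which is presumably why it was dropped. A comment at the declaration would stop the next reader from re-adding it, e.g. `char *type; /* the case labels below jump past this declaration, an initializer would be skipped */`. It also means every path that reads `type` has to assign it in its own case, including any `default:`, which lies outside the hunk and should be checked.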
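Review bot: The new fifth argument to `get_traffic_selectors()` is passed as a bare `FALSE` at both call sites in request_query_config, and nothing in the hunk says what it controls. A short comment naming the parameter at each call, e.g. `NULL, FALSE /* log */);` if it is the logging switch it appears to be (confirm against child_cfg.h), would save readers a trip to the header. The same applies to the four call sites in the two stroke_list.c status() hunks. request_query_config's body lies outside the hunk.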
@@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index 57e092968..68e5a7a0e 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c 
@@ -745,7 +745,7 @@ static int open_socket(private_socket_default_socket_t *this, fwmark = lib->settings->get_str(lib->settings, "%s.plugins.socket-default.fwmark", NULL, lib->ns); - if (fwmark && mark_from_string(fwmark, &mark)) + if (fwmark && mark_from_string(fwmark, MARK_OP_NONE, &mark)) { if (setsockopt(skt, SOL_SOCKET, SO_MARK, &mark.value, sizeof(mark.value)) < 0) diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 39558dc24..6ffcafa98 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
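Review bot: When `mark_from_string()` rejects the configured fwmark string, open_socket silently creates the IKE socket without a mark, because the `if` has no else branch; the only observable effect is that policy routing or firewall rules keyed on that mark stop matching IKE traffic, which is hard to diagnose from the outside. A log line on the failure path would make the misconfiguration visible, e.g. `else if (fwmark) { DBG1(DBG_NET, "ignoring invalid fwmark '%s'", fwmark); }`. This is not introduced by the commit, but the condition is rewritten here; open_socket's body lies outside the hunk.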
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in index bb349c0a3..5c67e15fd 100644 --- a/src/libcharon/plugins/socket_win/Makefile.in +++ b/src/libcharon/plugins/socket_win/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 96733406e..a0fcd8857 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -311,7 +311,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -337,6 +336,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -357,8 +358,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -413,8 +412,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -443,8 +440,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 3cf95f9a9..4124da4a6 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -315,7 +315,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -341,6 +340,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -361,8 +362,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -417,8 +416,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -447,8 +444,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index d1bf139c2..d7671481d 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -580,8 +580,10 @@ METHOD(stroke_list_t, status, void, children = peer_cfg->create_child_cfg_enumerator(peer_cfg); while (children->enumerate(children, &child_cfg)) { - my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); - other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); + my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, + NULL, NULL, FALSE); + other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, + NULL, NULL, FALSE); fprintf(out, "%12s: child: %#R === %#R %N", child_cfg->get_name(child_cfg), my_ts, other_ts, ipsec_mode_names, child_cfg->get_mode(child_cfg)); @@ -614,8 +616,10 @@ METHOD(stroke_list_t, status, void, fprintf(out, "Shunted Connections:\n"); first = FALSE; } - my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); - other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); + my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, + NULL, FALSE); + other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, + NULL, FALSE); fprintf(out, "%12s: %#R === %#R %N\n", child_cfg->get_name(child_cfg), my_ts, other_ts, ipsec_mode_names, child_cfg->get_mode(child_cfg)); 
@@ -1055,7 +1059,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, fprintf(out, "Leases in pool '%s', usage: %u/%u, %u online\n", pool, online + offline, size, online); enumerator = this->attribute->create_lease_enumerator(this->attribute, pool); - while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on)) + while (enumerator->enumerate(enumerator, &id, &lease, &on)) { if (!address || address->ip_equals(address, lease)) { diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in index 0667d359c..aef21673b 100644 --- a/src/libcharon/plugins/systime_fix/Makefile.in +++ b/src/libcharon/plugins/systime_fix/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
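Review bot: Dropping the `enumerator &&` guard makes pool_leases dereference whatever create_lease_enumerator returns, so it now depends on the attribute manager never returning NULL from create_lease_enumerator; that contract is not visible in this diff, and the same guard is removed from get_pools in vici_attribute.c further down. If the manager was changed in this commit to always return an enumerator, its declaration should say so, e.g. `@return enumerator over leases, never NULL`, so a later provider does not reintroduce a NULL path into a status command. pool_leases continues outside the hunk.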
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in index dcf2c5858..6f1a4a356 100644 --- a/src/libcharon/plugins/tnc_ifmap/Makefile.in +++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in @@ -316,7 +316,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -342,6 +341,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -362,8 +363,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -418,8 +417,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -448,8 +445,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in index 02587d1f0..13cb136ab 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.in +++ b/src/libcharon/plugins/tnc_pdp/Makefile.in @@ -317,7 +317,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -343,6 +342,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -363,8 +364,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -419,8 +418,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -449,8 +446,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c index 17f0cd464..bdad67ba5 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c @@ -665,7 +665,7 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even server_ip = host_create_any(client_ip->get_family(client_ip)); /* At this moment the client identity is not known yet */ - client_id = identification_create_from_encoding(ID_ANY, chunk_empty), + client_id = identification_create_from_encoding(ID_ANY, chunk_empty); tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE, this->server, client_id, server_ip, diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index a01a5f74e..da8e2a7c2 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -311,7 +311,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -337,6 +336,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ 
@@ -357,8 +358,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -413,8 +412,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -443,8 +440,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in index fd29de336..08924353c 100644 --- a/src/libcharon/plugins/unity/Makefile.in +++ b/src/libcharon/plugins/unity/Makefile.in @@ -312,7 +312,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -338,6 +337,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -358,8 +359,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -414,8 +413,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -444,8 +441,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c index 05ae8d504..afbd6cc7e 100644 --- a/src/libcharon/plugins/unity/unity_narrow.c +++ b/src/libcharon/plugins/unity/unity_narrow.c @@ -56,7 +56,7 @@ static void narrow_ts(child_cfg_t *cfg, traffic_selector_t *ts, received = linked_list_create(); received->insert_last(received, ts); - selected = cfg->get_traffic_selectors(cfg, FALSE, received, NULL); + selected = cfg->get_traffic_selectors(cfg, FALSE, received, NULL, FALSE); while (selected->remove_first(selected, (void**)&ts) == SUCCESS) { list->insert_last(list, ts); @@ -140,7 +140,8 @@ static void narrow_responder_post(child_cfg_t *child_cfg, linked_list_t *local) { ts->destroy(ts); } - configured = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); + configured = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL, + FALSE); while (configured->remove_first(configured, (void**)&ts) == SUCCESS) { diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c index b52ffeeb1..76aad47e6 100644 --- a/src/libcharon/plugins/unity/unity_provider.c +++ b/src/libcharon/plugins/unity/unity_provider.c 
@@ -160,7 +160,8 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); while (enumerator->enumerate(enumerator, &child_cfg)) { - current = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); + current = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL, + FALSE); while (current->remove_first(current, (void**)&ts) == SUCCESS) { if (use_ts(ts)) diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index 0f2a055d2..4927e945a 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in index d28223dca..31054634a 100644 --- a/src/libcharon/plugins/vici/Makefile.in +++ b/src/libcharon/plugins/vici/Makefile.in @@ -409,7 +409,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -435,6 +434,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -455,8 +456,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -511,8 +510,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -541,8 +538,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index 0038f0844..5bd8c1727 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -75,7 +75,7 @@ for example. The defined packet types optionally wrap a message with additional data. Messages are currently used in CMD_REQUEST/CMD_RESPONSE, and in EVENT packets. -A message uses a hierarchial tree of sections. Each section (or the implicit +A message uses a hierarchical tree of sections. Each section (or the implicit root section) contains an arbitrary set of key/value pairs, lists and sub-sections. The length of a message is not part of the message itself, but the wrapping layer, usually calculated from the transport byte sequence length. @@ -140,7 +140,7 @@ Consider the following structure using pseudo-markup for this example: list1 = [ item1, item2 ] } -The example above reprensents a valid tree structure, that gets encoded as +The example above represents a valid tree structure, that gets encoded as the following C array: char msg[] = { @@ -302,6 +302,7 @@ Initiate the rekeying of an SA. ike = <rekey an IKE_SA by configuration name> child-id = <rekey a CHILD_SA by its reqid> ike-id = <rekey an IKE_SA by its unique id> + reauth = <reauthenticate instead of rekey an IKEv2 SA> } => { success = <yes or no> matches = <number of matched SAs> diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in index 59b0774b8..42e35745e 100644 
--- a/src/libcharon/plugins/vici/perl/Makefile.in +++ b/src/libcharon/plugins/vici/perl/Makefile.in @@ -227,7 +227,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -253,6 +252,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -273,8 +274,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -329,8 +328,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -359,8 +356,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm index b0a942c04..d0700fa97 100644 --- a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm +++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm 
@@ -29,7 +29,9 @@ sub from_data { my $data = shift; my %hash = (); - parse($data, \%hash); + open my $data_fd, '<', \$data; + parse($data_fd, \%hash); + close $data_fd; my $self = { Hash => \%hash @@ -62,29 +64,30 @@ sub result { # private functions sub parse { - my $data = shift; + my $fd = shift; my $hash = shift; + my $data; - while (length($data) > 0) + until ( eof $fd ) { - (my $type, $data) = unpack('Ca*', $data); + my $type = unpack('C', read_data($fd, 1)); - if ($type == SECTION_END) - { - return $data; - } + if ( $type == SECTION_END ) + { + return; + } - (my $key, $data) = unpack('C/a*a*', $data); + my $key = read_len_data($fd, 1); if ( $type == KEY_VALUE ) { - (my $value, $data) = unpack('n/a*a*', $data); + my $value = read_len_data($fd, 2); $hash->{$key} = $value; } elsif ( $type == SECTION_START ) { my %section = (); - $data = parse($data, \%section); + parse($fd, \%section); $hash->{$key} = \%section; } elsif ( $type == LIST_START ) @@ -92,19 +95,20 @@ sub parse { my @list = (); my $more = 1; - while (length($data) > 0 and $more) + while ( !eof($fd) and $more ) { - (my $type, $data) = unpack('Ca*', $data); + my $type = unpack('C', read_data($fd, 1)); + if ( $type == LIST_ITEM ) { - (my $value, $data) = unpack('n/a*a*', $data); + my $value = read_len_data($fd, 2); push(@list, $value); } elsif ( $type == LIST_END ) { $more = 0; $hash->{$key} = \@list; - } + } else { die "message parsing error: ", $type, "\n" @@ -116,9 +120,28 @@ sub parse { die "message parsing error: ", $type, "\n" } } +} + +sub read_data { + my $fd = shift; + my $len = shift; + my $data; + + my $res = read $fd, $data, $len; + unless (defined $res and $res == $len) + { + die "message parsing error: unable to read ", $len, " bytes\n"; + } return $data; } +sub read_len_data { + my $fd = shift; + my $len = shift; + + $len = unpack($len == 1 ? 'C' : 'n', read_data($fd, $len)); + return read_data($fd, $len); +} sub encode_hash { my $hash = shift; 
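Review bot: The in-memory `open` in from_data is not checked; opening a scalar reference rarely fails, but the rest of this file dies with a parsing error on malformed input, so `open(my $data_fd, '<', \$data) or die "message parsing error: $!\n";` keeps a failure from surfacing later as a read on an undefined filehandle in parse.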
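Review bot: A message that ends before its closing SECTION_END is still accepted silently: the nested `parse($fd, \%section)` call simply returns when `until ( eof $fd )` runs out of data, and the list loop in the later hunk likewise leaves on `eof` without a LIST_END, so a truncated message yields a partial hash while a truncated value now dies in read_data. A nesting flag closes the gap: `my $nested = shift;` after `$hash`, `parse($fd, \%section, 1);` at the recursive call, and after the loop `die "message parsing error: unexpected end of message\n" if $nested;`; the list loop would need a matching die after its while when `$more` is still set. The previous unpack-based code had the same behaviour, so this is a pre-existing gap rather than a regression. parse spans several hunks here.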
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in index 057ea88f4..6592a1ae0 100644 --- a/src/libcharon/plugins/vici/python/Makefile.in +++ b/src/libcharon/plugins/vici/python/Makefile.in @@ -249,7 +249,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -275,6 +274,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -295,8 +296,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -351,8 +350,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -381,8 +378,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index ff4e07d2d..fb9d348d1 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in 
@@ -227,7 +227,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -253,6 +252,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -273,8 +274,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -329,8 +328,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -359,8 +356,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb index f846a14af..61de99a1f 100644 --- a/src/libcharon/plugins/vici/ruby/lib/vici.rb +++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb @@ -450,7 +450,7 @@ module Vici ## # Flush credential cache. - def flush_certs((match = nil) + def flush_certs(match = nil) check_success(@transp.request("flush-certs", Message.new(match))) end diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c index 4d174253d..f7c7ce13a 100644 
--- a/src/libcharon/plugins/vici/vici_attribute.c +++ b/src/libcharon/plugins/vici/vici_attribute.c @@ -705,7 +705,7 @@ CALLBACK(get_pools, vici_message_t*, i = 0; builder->begin_section(builder, "leases"); leases = vips->create_lease_enumerator(vips); - while (leases && leases->enumerate(leases, &uid, &lease, &on)) + while (leases->enumerate(leases, &uid, &lease, &on)) { snprintf(buf, sizeof(buf), "%d", i++); builder->begin_section(builder, buf); diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index f4e9e33ee..10c62dc89 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -2,8 +2,8 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * - * Copyright (C) 2015-2017 Tobias Brunner - * Copyright (C) 2015-2016 Andreas Steffen + * Copyright (C) 2015-2018 Tobias Brunner + * Copyright (C) 2015-2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -304,6 +304,8 @@ typedef struct { bool mobike; bool send_certreq; bool pull; + identification_t *ppk_id; + bool ppk_required; cert_policy_t send_cert; uint64_t dpd_delay; uint64_t dpd_timeout; @@ -403,6 +405,8 @@ static void log_peer_data(peer_data_t *data) DBG2(DBG_CFG, " remote_port = %u", data->remote_port); DBG2(DBG_CFG, " send_certreq = %u", data->send_certreq); DBG2(DBG_CFG, " send_cert = %N", cert_policy_names, data->send_cert); + DBG2(DBG_CFG, " ppk_id = %Y", data->ppk_id); + DBG2(DBG_CFG, " ppk_required = %u", data->ppk_required); DBG2(DBG_CFG, " mobike = %u", data->mobike); DBG2(DBG_CFG, " aggressive = %u", data->aggressive); DBG2(DBG_CFG, " dscp = 0x%.2x", data->dscp); @@ -469,6 +473,7 @@ static void free_peer_data(peer_data_t *data) free(data->pools); free(data->local_addrs); free(data->remote_addrs); + DESTROY_IF(data->ppk_id); #ifdef ME free(data->mediated_by); DESTROY_IF(data->peer_id); 
@@ -484,7 +489,6 @@ typedef struct { linked_list_t *local_ts; linked_list_t *remote_ts; uint32_t replay_window; - bool policies; child_cfg_create_t cfg; } child_data_t; @@ -511,7 +515,7 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP)); DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode, has_opt(OPT_PROXY_MODE) ? "_PROXY" : ""); - DBG2(DBG_CFG, " policies = %u", data->policies); + DBG2(DBG_CFG, " policies = %u", !has_opt(OPT_NO_POLICIES)); DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES)); if (data->replay_window != REPLAY_UNDEFINED) { @@ -529,12 +533,19 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA)); DBG2(DBG_CFG, " mark_out = %u/%u", cfg->mark_out.value, cfg->mark_out.mask); + DBG2(DBG_CFG, " set_mark_in = %u/%u", + cfg->set_mark_in.value, cfg->set_mark_in.mask); + DBG2(DBG_CFG, " set_mark_out = %u/%u", + cfg->set_mark_out.value, cfg->set_mark_out.mask); DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity); DBG2(DBG_CFG, " proposals = %#P", data->proposals); DBG2(DBG_CFG, " local_ts = %#R", data->local_ts); DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts); DBG2(DBG_CFG, " hw_offload = %N", hw_offload_names, cfg->hw_offload); DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96)); + DBG2(DBG_CFG, " copy_df = %u", !has_opt(OPT_NO_COPY_DF)); + DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(OPT_NO_COPY_ECN)); + DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp); } /** @@ -847,16 +858,17 @@ CALLBACK(parse_mode, bool, } /** - * Enable a child_cfg_option_t + * Enable a child_cfg_option_t, the flag controls whether the option is enabled + * if the parsed value is TRUE or FALSE. */ static bool parse_option(child_cfg_option_t *out, child_cfg_option_t opt, - chunk_t v) + chunk_t v, bool add_if_true) { bool val; if (parse_bool(&val, v)) { - if (val) + if (val == add_if_true) { *out |= opt; } 
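Review bot: The updated header comment on parse_option is hard to read as written ("the flag controls whether the option is enabled if the parsed value is TRUE or FALSE"), and it is the only place the inverted OPT_NO_* handling is explained. Suggest: `Enable a child_cfg_option_t. With add_if_true TRUE, opt is set when the parsed value is TRUE; with add_if_true FALSE, opt is set when the parsed value is FALSE (for negated options such as OPT_NO_POLICIES).` The rest of parse_option's body lies outside this hunk.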
@@ -871,7 +883,16 @@ static bool parse_option(child_cfg_option_t *out, child_cfg_option_t opt, CALLBACK(parse_opt_haccess, bool, child_cfg_option_t *out, chunk_t v) { - return parse_option(out, OPT_HOSTACCESS, v); + return parse_option(out, OPT_HOSTACCESS, v, TRUE); +} + +/** + * Parse OPT_NO_POLICIES option + */ +CALLBACK(parse_opt_policies, bool, + child_cfg_option_t *out, chunk_t v) +{ + return parse_option(out, OPT_NO_POLICIES, v, FALSE); } /** @@ -880,7 +901,7 @@ CALLBACK(parse_opt_haccess, bool, CALLBACK(parse_opt_fwd_out, bool, child_cfg_option_t *out, chunk_t v) { - return parse_option(out, OPT_FWD_OUT_POLICIES, v); + return parse_option(out, OPT_FWD_OUT_POLICIES, v, TRUE); } /** @@ -889,17 +910,16 @@ CALLBACK(parse_opt_fwd_out, bool, CALLBACK(parse_opt_ipcomp, bool, child_cfg_option_t *out, chunk_t v) { - return parse_option(out, OPT_IPCOMP, v); + return parse_option(out, OPT_IPCOMP, v, TRUE); } - /** * Parse OPT_SHA256_96 option */ CALLBACK(parse_opt_sha256_96, bool, child_cfg_option_t *out, chunk_t v) { - return parse_option(out, OPT_SHA256_96, v); + return parse_option(out, OPT_SHA256_96, v, TRUE); } /** 
@@ -908,7 +928,47 @@ CALLBACK(parse_opt_sha256_96, bool, CALLBACK(parse_opt_mark_in, bool, child_cfg_option_t *out, chunk_t v) { - return parse_option(out, OPT_MARK_IN_SA, v); + return parse_option(out, OPT_MARK_IN_SA, v, TRUE); +} + +/** + * Parse OPT_NO_COPY_DF option + */ +CALLBACK(parse_opt_copy_df, bool, + child_cfg_option_t *out, chunk_t v) +{ + return parse_option(out, OPT_NO_COPY_DF, v, FALSE); +} + +/** + * Parse OPT_NO_COPY_ECN option + */ +CALLBACK(parse_opt_copy_ecn, bool, + child_cfg_option_t *out, chunk_t v) +{ + return parse_option(out, OPT_NO_COPY_ECN, v, FALSE); +} + +/** + * Parse a dscp_copy_t + */ +CALLBACK(parse_copy_dscp, bool, + dscp_copy_t *out, chunk_t v) +{ + enum_map_t map[] = { + { "no", DSCP_COPY_NO }, + { "in", DSCP_COPY_IN_ONLY }, + { "out", DSCP_COPY_OUT_ONLY }, + { "yes", DSCP_COPY_YES }, + }; + int d; + + if (parse_map(map, countof(map), &d, v)) + { + *out = d; + return TRUE; + } + return FALSE; } /** @@ -1126,7 +1186,22 @@ CALLBACK(parse_mark, bool, { return FALSE; } - return mark_from_string(buf, out); + return mark_from_string(buf, MARK_OP_UNIQUE, out); +} + +/** + * Parse a mark_t when using it as set_mark. + */ +CALLBACK(parse_set_mark, bool, + mark_t *out, chunk_t v) +{ + char buf[32]; + + if (!vici_stringify(v, buf, sizeof(buf))) + { + return FALSE; + } + return mark_from_string(buf, MARK_OP_SAME, out); } /** @@ -1514,9 +1589,8 @@ CALLBACK(parse_hosts, bool, return TRUE; } -#ifdef ME /** - * Parse peer ID + * Parse peer/ppk ID */ CALLBACK(parse_peer_id, bool, identification_t **out, chunk_t v) @@ -1530,7 +1604,7 @@ CALLBACK(parse_peer_id, bool, *out = identification_create_from_string(buf); return TRUE; } -#endif /* ME */ + CALLBACK(cert_kv, bool, cert_data_t *cert, vici_message_t *message, char *name, chunk_t value) 
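Review bot: parse_set_mark duplicates parse_mark verbatim except for the op passed to mark_from_string (`MARK_OP_SAME` vs `MARK_OP_UNIQUE`), including the 32-byte stringify buffer. A small static helper taking the op and called from both callbacks keeps the buffer size and the vici_stringify check in one place, so a later change to one (for instance a longer mark syntax) cannot silently diverge from the other. The same helper would serve any further mark variants added to the child_kv rules.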
@@ -1567,7 +1641,7 @@ CALLBACK(child_kv, bool, { "updown", parse_string, &child->cfg.updown }, { "hostaccess", parse_opt_haccess, &child->cfg.options }, { "mode", parse_mode, &child->cfg }, - { "policies", parse_bool, &child->policies }, + { "policies", parse_opt_policies, &child->cfg.options }, { "policies_fwd_out", parse_opt_fwd_out, &child->cfg.options }, { "replay_window", parse_uint32, &child->replay_window }, { "rekey_time", parse_time, &child->cfg.lifetime.time.rekey }, @@ -1588,11 +1662,16 @@ CALLBACK(child_kv, bool, { "mark_in", parse_mark, &child->cfg.mark_in }, { "mark_in_sa", parse_opt_mark_in, &child->cfg.options }, { "mark_out", parse_mark, &child->cfg.mark_out }, + { "set_mark_in", parse_set_mark, &child->cfg.set_mark_in }, + { "set_mark_out", parse_set_mark, &child->cfg.set_mark_out }, { "tfc_padding", parse_tfc, &child->cfg.tfc }, { "priority", parse_uint32, &child->cfg.priority }, { "interface", parse_string, &child->cfg.interface }, { "hw_offload", parse_hw_offload, &child->cfg.hw_offload }, { "sha256_96", parse_opt_sha256_96,&child->cfg.options }, + { "copy_df", parse_opt_copy_df, &child->cfg.options }, + { "copy_ecn", parse_opt_copy_ecn, &child->cfg.options }, + { "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp }, }; return parse_rules(rules, countof(rules), name, value, @@ -1604,7 +1683,7 @@ CALLBACK(auth_li, bool, { parse_rule_t rules[] = { { "groups", parse_group, auth->cfg }, - { "cert_policy", parse_cert_policy, auth }, + { "cert_policy", parse_cert_policy, auth->cfg }, { "certs", parse_certs, auth }, { "cacerts", parse_cacerts, auth }, { "pubkeys", parse_pubkeys, auth }, 
@@ -1669,6 +1748,8 @@ CALLBACK(peer_kv, bool, { "rekey_time", parse_time, &peer->rekey_time }, { "over_time", parse_time, &peer->over_time }, { "rand_time", parse_time, &peer->rand_time }, + { "ppk_id", parse_peer_id, &peer->ppk_id }, + { "ppk_required", parse_bool, &peer->ppk_required }, #ifdef ME { "mediation", parse_bool, &peer->mediation }, { "mediated_by", parse_string, &peer->mediated_by }, @@ -1802,7 +1883,6 @@ CALLBACK(children_sn, bool, .proposals = linked_list_create(), .local_ts = linked_list_create(), .remote_ts = linked_list_create(), - .policies = TRUE, .replay_window = REPLAY_UNDEFINED, .cfg = { .mode = MODE_TUNNEL, @@ -1858,7 +1938,6 @@ CALLBACK(children_sn, bool, child.proposals->insert_last(child.proposals, proposal); } } - child.cfg.options |= child.policies ? 0 : OPT_NO_POLICIES; check_lifetimes(&child.cfg.lifetime); @@ -2212,8 +2291,8 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg) { DBG1(DBG_CFG, "replaced vici connection: %s", peer_cfg->get_name(peer_cfg)); + this->conns->insert_before(this->conns, enumerator, peer_cfg); this->conns->remove_at(this->conns, enumerator); - this->conns->insert_last(this->conns, peer_cfg); handle_start_actions(this, current, TRUE); handle_start_actions(this, peer_cfg, FALSE); current->destroy(current); @@ -2407,6 +2486,8 @@ CALLBACK(config_sn, bool, .push_mode = !peer.pull, .dpd = peer.dpd_delay, .dpd_timeout = peer.dpd_timeout, + .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL, + .ppk_required = peer.ppk_required, }; #ifdef ME cfg.mediation = peer.mediation; diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c index ce19608dc..16e49fdbc 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c 
@@ -373,11 +373,13 @@ CALLBACK(rekey, vici_message_t*, ike_sa_t *ike_sa; child_sa_t *child_sa; vici_builder_t *builder; + bool reauth; child = request->get_str(request, NULL, "child"); ike = request->get_str(request, NULL, "ike"); child_id = request->get_int(request, 0, "child-id"); ike_id = request->get_int(request, 0, "ike-id"); + reauth = request->get_bool(request, FALSE, "reauth"); if (!child && !ike && !ike_id && !child_id) { @@ -438,7 +440,7 @@ CALLBACK(rekey, vici_message_t*, (ike_id && ike_id == ike_sa->get_unique_id(ike_sa))) { lib->processor->queue_job(lib->processor, - (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE)); + (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), reauth)); found++; } } diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index ec6c80a5b..038338805 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -442,6 +442,10 @@ CALLBACK(load_shared, vici_message_t*, { type = SHARED_NT_HASH; } + else if (strcaseeq(str, "ppk")) + { + type = SHARED_PPK; + } else { return create_reply("invalid shared key type: %s", str); diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c index 13761f59d..df5b85c64 100644 --- a/src/libcharon/plugins/vici/vici_message.c +++ b/src/libcharon/plugins/vici/vici_message.c @@ -102,18 +102,10 @@ bool vici_verify_type(vici_type_t type, u_int section, bool list) DBG1(DBG_ENC, "'%N' outside of section", vici_type_names, type); return FALSE; } - if (type == VICI_END) + if (type == VICI_END && section) { - if (section) - { - DBG1(DBG_ENC, "'%N' within section", vici_type_names, type); - return FALSE; - } - if (list) - { - DBG1(DBG_ENC, "'%N' within list", vici_type_names, type); - return FALSE; - } + DBG1(DBG_ENC, "'%N' within section", vici_type_names, type); + return FALSE; } return TRUE; } 
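Review bot: `reauth` is consumed only in the IKE_SA branch shown in the second rekey hunk; the CHILD_SA path between the two hunks is not visible here, so a request naming a `child` together with `reauth` appears to ignore the flag silently. If that is intended, a one-line comment where the flag is read, `/* reauth only applies to IKE_SA rekeying */`, would make the contract explicit; otherwise the combination could be answered with an error reply. The rekey callback begins before and ends after the visible hunks.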
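Review bot: The rewritten condition in vici_verify_type accepts a VICI_END while `list` is TRUE as long as `section` is 0, whereas the removed branch rejected it with "within list". If a list can only be opened inside a section that case is unreachable and the simplification is safe, but the invariant is not stated; a comment on the condition, `/* a list is always nested in a section, so section == 0 implies no open list */`, would document why the list check was dropped. If a root-level list is possible, keeping `|| list` in the check matters, since this function gates the structure of messages received from vici clients.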
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 82c3d7855..d7b61ca72 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2015-2017 Tobias Brunner - * Copyright (C) 2015 Andreas Steffen + * Copyright (C) 2015-2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2014 Martin Willi @@ -417,6 +417,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, b->add_kv(b, "dh-group", "%N", diffie_hellman_group_names, alg); } } + add_condition(b, ike_sa, "ppk", COND_PPK); if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED) { @@ -570,7 +571,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike, list_mode(b, NULL, cfg); b->begin_list(b, "local-ts"); - list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL); + list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL, FALSE); enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &ts)) { @@ -581,7 +582,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike, b->end_list(b /* local-ts */); b->begin_list(b, "remote-ts"); - list = cfg->get_traffic_selectors(cfg, FALSE, NULL, NULL); + list = cfg->get_traffic_selectors(cfg, FALSE, NULL, NULL, FALSE); enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &ts)) { @@ -737,6 +738,18 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b) rules->destroy(rules); b->end_list(b); + b->begin_list(b, "cert_policy"); + rules = auth->create_enumerator(auth); + while (rules->enumerate(rules, &rule, &v)) + { + if (rule == AUTH_RULE_CERT_POLICY) + { + b->add_li(b, "%s", v.str); + } + } + rules->destroy(rules); + b->end_list(b); + b->begin_list(b, "certs"); rules = auth->create_enumerator(auth); while (rules->enumerate(rules, &rule, &v)) 
@@ -775,6 +788,7 @@ CALLBACK(list_conns, vici_message_t*, child_cfg_t *child_cfg; char *ike, *str, *interface; uint32_t manual_prio, dpd_delay, dpd_timeout; + identification_t *ppk_id; linked_list_t *list; traffic_selector_t *ts; lifetime_cfg_t *lft; @@ -837,6 +851,16 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "dpd_timeout", "%u", dpd_timeout); } + ppk_id = peer_cfg->get_ppk_id(peer_cfg); + if (ppk_id) + { + b->add_kv(b, "ppk_id", "%Y", ppk_id); + } + if (peer_cfg->ppk_required(peer_cfg)) + { + b->add_kv(b, "ppk_required", "yes"); + } + build_auth_cfgs(peer_cfg, TRUE, b); build_auth_cfgs(peer_cfg, FALSE, b); @@ -861,7 +885,8 @@ CALLBACK(list_conns, vici_message_t*, child_cfg->get_close_action(child_cfg)); b->begin_list(b, "local-ts"); - list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); + list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, + NULL, FALSE); selectors = list->create_enumerator(list); while (selectors->enumerate(selectors, &ts)) { @@ -872,7 +897,8 @@ CALLBACK(list_conns, vici_message_t*, b->end_list(b /* local-ts */); b->begin_list(b, "remote-ts"); - list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); + list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, + NULL, FALSE); selectors = list->create_enumerator(list); while (selectors->enumerate(selectors, &ts)) { diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in index ad9a092cc..9a661077e 100644 --- a/src/libcharon/plugins/whitelist/Makefile.in +++ b/src/libcharon/plugins/whitelist/Makefile.in @@ -320,7 +320,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ 
@@ -346,6 +345,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -366,8 +367,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -422,8 +421,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -452,8 +449,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in index d702a01a6..f9b387d45 100644 --- a/src/libcharon/plugins/xauth_eap/Makefile.in +++ b/src/libcharon/plugins/xauth_eap/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ 
@@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in index eeeb4190a..b26065c8c 100644 --- a/src/libcharon/plugins/xauth_generic/Makefile.in +++ b/src/libcharon/plugins/xauth_generic/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in index 87a6c872a..cd5848cf3 100644 --- a/src/libcharon/plugins/xauth_noauth/Makefile.in +++ b/src/libcharon/plugins/xauth_noauth/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in index a224ffba4..26ab290c3 100644 --- a/src/libcharon/plugins/xauth_pam/Makefile.in +++ b/src/libcharon/plugins/xauth_pam/Makefile.in @@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -339,6 +338,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -359,8 +360,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -415,8 +414,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c index 497ad3dd9..f979d1103 100644 --- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c +++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c @@ -89,7 +89,7 @@ METHOD(plugin_t, get_features, int, METHOD(plugin_t, destroy, void, private_xauth_pam_plugin_t *this) { - this->listener->destroy(this->listener), + this->listener->destroy(this->listener); free(this); } diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h index 42d9ce32e..58a8ca04f 100644 --- a/src/libcharon/sa/authenticator.h +++ b/src/libcharon/sa/authenticator.h @@ -1,6 +1,6 @@ /* + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil * @@ -157,6 +157,17 @@ struct authenticator_t { status_t (*build)(authenticator_t *this, message_t *message); /** + * Optional method to set a Postquantum Preshared Key (PPK) to be used + * during authentication. + * + * Has to be called before the final call to process()/build(). + * + * @param ppk PPK to use + * @param no_ppk_auth whether to add a NO_PPK_AUTH notify in build() + */ + void (*use_ppk)(authenticator_t *this, chunk_t ppk, bool no_ppk_auth); + + /** * Check if the authenticator is capable of mutual authentication. * * Some authenticator authenticate both peers, e.g. EAP. To support 
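Review bot: The use_ppk documentation in authenticator.h should say who owns `ppk` and how long it must stay valid: the eap_authenticator implementation in this same diff stores the chunk by value (`this->ppk = ppk;`) without cloning, so the caller has to keep the buffer alive until the final process()/build() and release it afterwards. Suggest extending the parameter line to `@param ppk PPK to use (not cloned, must stay valid until the final process()/build() call)`. "Optional method" is also ambiguous — state explicitly whether implementations may leave the function pointer NULL, so callers know whether they must check it before calling.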
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 7eeb578f3..c33398bee 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -890,12 +890,21 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr, .cpi = cpi, .encap = this->encap, .hw_offload = this->config->get_hw_offload(this->config), + .mark = this->config->get_set_mark(this->config, inbound), .esn = esn, + .copy_df = !this->config->has_option(this->config, OPT_NO_COPY_DF), + .copy_ecn = !this->config->has_option(this->config, OPT_NO_COPY_ECN), + .copy_dscp = this->config->get_copy_dscp(this->config), .initiator = initiator, .inbound = inbound, .update = update, }; + if (sa.mark.value == MARK_SAME) + { + sa.mark.value = inbound ? this->mark_in.value : this->mark_out.value; + } + status = charon->kernel->add_sa(charon->kernel, &id, &sa); my_ts->destroy(my_ts); @@ -1723,7 +1732,7 @@ static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local) traffic_selector_t *ts; list = linked_list_create_with_items(ike, NULL); - ts_list = config->get_traffic_selectors(config, local, NULL, list); + ts_list = config->get_traffic_selectors(config, local, NULL, list, FALSE); list->destroy(list); enumerator = ts_list->create_enumerator(ts_list); diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index f39fed6f0..a4ad866d3 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -674,6 +674,7 @@ METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*, METHOD(ike_sa_t, set_ike_cfg, void, private_ike_sa_t *this, ike_cfg_t *ike_cfg) { + DESTROY_IF(this->ike_cfg); ike_cfg->get_ref(ike_cfg); this->ike_cfg = ike_cfg; } diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index 316b713ee..c1d3e1d7a 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h 
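Review bot: In set_ike_cfg the added `DESTROY_IF(this->ike_cfg);` runs before `ike_cfg->get_ref(ike_cfg);`, so if a caller passes the config the IKE_SA already holds and that was the last reference, the object is freed and then dereferenced. Take the new reference first: `ike_cfg->get_ref(ike_cfg); DESTROY_IF(this->ike_cfg); this->ike_cfg = ike_cfg;`. Whether any caller re-sets the same config is not visible here, but the reordering costs nothing and removes the use-after-free hazard.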
@@ -156,6 +156,11 @@ enum ike_extension_t { * IKEv2 Message ID sync, RFC 6311 */ EXT_IKE_MESSAGE_ID_SYNC = (1<<14), + + /** + * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2 + */ + EXT_PPK = (1<<15), }; /** @@ -227,6 +232,11 @@ enum ike_condition_t { * Online certificate revocation checking is suspended for this IKE_SA */ COND_ONLINE_VALIDATION_SUSPENDED = (1<<12), + + /** + * A Postquantum Preshared Key was used when this IKE_SA was created + */ + COND_PPK = (1<<13), }; /** diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 2a499db40..c50c70860 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -2,7 +2,7 @@ * Copyright (C) 2005-2011 Martin Willi * Copyright (C) 2011 revosec AG * - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil * @@ -1620,17 +1620,6 @@ METHOD(ike_sa_manager_t, new_initiator_spi, bool, unlock_single_segment(this, segment); return FALSE; } - /* threads waiting for this entry do so using the (soon) wrong IKE_SA - * ID and, therefore, likely on the wrong segment, so drive them out */ - entry->driveout_waiting_threads = TRUE; - entry->driveout_new_threads = TRUE; - while (entry->waiting_threads) - { - entry->condvar->broadcast(entry->condvar); - entry->condvar->wait(entry->condvar, this->segments[segment].mutex); - } - remove_entry(this, entry); - unlock_single_segment(this, segment); } else { 
@@ -1638,7 +1627,19 @@ METHOD(ike_sa_manager_t, new_initiator_spi, bool, return FALSE; } + /* the hashtable row and segment are determined by the local SPI as + * initiator, so if we change it the row and segment derived from it might + * change as well. This could be a problem for threads waiting for the + * entry (in particular those enumerating entries to check them out by + * unique ID or name). In order to avoid having to drive them out and thus + * preventing them from checking out the entry (even though the ID or name + * will not change and enumerating it is also fine), we mask the new SPI and + * merge it with the old SPI so the entry ends up in the same row/segment. + * Since SPIs are 64-bit and the number of rows/segments is usually + * relatively low this should not be a problem. */ spi = ike_sa_id->get_initiator_spi(ike_sa_id); + new_spi = (spi & (uint64_t)this->table_mask) | + (new_spi & ~(uint64_t)this->table_mask); DBG2(DBG_MGR, "change initiator SPI of IKE_SA %s[%u] from %.16"PRIx64" to " "%.16"PRIx64, ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), @@ -1647,10 +1648,7 @@ METHOD(ike_sa_manager_t, new_initiator_spi, bool, ike_sa_id->set_initiator_spi(ike_sa_id, new_spi); entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa_id); - entry->driveout_waiting_threads = FALSE; - entry->driveout_new_threads = FALSE; - - segment = put_entry(this, entry); + entry->condvar->signal(entry->condvar); unlock_single_segment(this, segment); return TRUE; } @@ -2017,6 +2015,8 @@ static status_t enforce_replace(private_ike_sa_manager_t *this, * CHILD_SAs to keep connectivity up. */ lib->scheduler->schedule_job(lib->scheduler, (job_t*) delete_ike_sa_job_create(duplicate->get_id(duplicate), TRUE), 10); + DBG1(DBG_IKE, "schedule delete of duplicate IKE_SA for peer '%Y' due " + "to uniqueness policy and suspected reauthentication", other); return SUCCESS; } DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer '%Y' due to " 
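Review bot: `entry->condvar->signal(entry->condvar);` wakes a single waiter, while the removed drive-out loop used broadcast; if more than one thread can be waiting on this entry (the new comment mentions enumerators checking out by unique ID or name), the others stay blocked until the next signal. If a single waiter is the intended invariant, a short comment saying so would help; otherwise `entry->condvar->broadcast(entry->condvar);` matches the previous wake-up semantics. new_initiator_spi begins in the preceding hunk.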
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index 1de05b4ec..bcea1f388 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -219,7 +219,6 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e, encryption_algorithm_names, alg, key_size); return NULL; } - key_size = crypter->get_key_size(crypter); if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, ka)) { return NULL; diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index 5856f829e..b99d75142 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -311,7 +311,7 @@ static void save_auth_cfg(private_phase1_t *this, return; } auth = auth_cfg_create(); - /* for local config, we _copy_ entires from the config, as it contains + /* for local config, we _copy_ entries from the config, as it contains * certificates we must send later. */ auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local); this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 3472d2c35..5f6c3bbe8 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -721,6 +721,7 @@ METHOD(task_manager_t, initiate, status_t, { case IKE_CONNECTING: /* close after sending an INFORMATIONAL when unestablished */ + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return FAILED; case IKE_DELETING: /* close after sending a DELETE */ 
@@ -920,15 +921,16 @@ static bool process_dpd(private_task_manager_t *this, message_t *message) } else /* DPD_R_U_THERE_ACK */ { - if (seq == this->dpd_send - 1) + if (seq == this->dpd_send) { + this->dpd_send++; this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL)); } else { DBG1(DBG_IKE, "received invalid DPD sequence number %u " - "(expected %u), ignored", seq, this->dpd_send - 1); + "(expected %u), ignored", seq, this->dpd_send); } } return TRUE; @@ -1843,7 +1845,7 @@ METHOD(task_manager_t, queue_dpd, void, uint32_t t, retransmit; queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE, - this->dpd_send++)); + this->dpd_send)); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); /* compute timeout in milliseconds */ diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 82d647a6c..023119dd4 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -270,11 +270,6 @@ METHOD(task_t, build_i, status_t, return FAILED; } id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return FAILED; - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); this->id_data = id_payload->get_encoded(id_payload); @@ -302,6 +297,7 @@ METHOD(task_t, build_i, status_t, this->id_data)) { this->id_data = chunk_empty; + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } this->id_data = chunk_empty; @@ -330,6 +326,7 @@ METHOD(task_t, build_i, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } break; 
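Review bot: With `this->dpd_send++` moved into the ACK path, a DPD request whose acknowledgement never arrives leaves dpd_send unchanged, so the next queue_dpd sends the same sequence number again; a peer that enforces monotonically increasing DPD sequence numbers (as RFC 3706 suggests) would drop the repeat if the original request had in fact been delivered. This is fine only if the task's retransmission logic guarantees the request is resent until acknowledged or the SA is torn down, which is not visible here. A comment at the queue_dpd call, `/* the sequence number advances only once the ACK is received, see process_dpd */`, would document that coupling. Both functions extend beyond the visible hunk lines.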
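Review bot: The removed `if (!id)` guard in aggressive_mode build_i (and likewise in build_r on the following line and in main_mode.c's build_i/build_r) leaves `id->clone(id)` unguarded, so the change relies on phase1_t.get_id never returning NULL; that contract is not established anywhere in this diff. Please make sure the get_id documentation in phase1.h states it, e.g. `@return own identity, never NULL`, or keep the guard where the guarantee cannot be shown. build_i continues past the hunk.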
@@ -428,6 +425,7 @@ METHOD(task_t, process_r, status_t, { DBG1(DBG_IKE, "Aggressive Mode PSK disabled for " "security reasons"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } break; @@ -455,6 +453,7 @@ METHOD(task_t, process_r, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDii payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, INVALID_PAYLOAD_TYPE); } @@ -465,6 +464,7 @@ METHOD(task_t, process_r, status_t, this->method, TRUE, id); if (!this->peer_cfg) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); @@ -493,6 +493,7 @@ METHOD(task_t, process_r, status_t, this->method, TRUE, NULL); if (!this->peer_cfg) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); @@ -502,6 +503,7 @@ METHOD(task_t, process_r, status_t, { DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids " "IKE_SA, cancelling"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } @@ -528,6 +530,7 @@ METHOD(task_t, process_r, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } job = adopt_children_job_create( @@ -602,11 +605,6 @@ METHOD(task_t, build_r, status_t, } id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return send_notify(this, INVALID_ID_INFORMATION); - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); 
@@ -615,6 +613,7 @@ METHOD(task_t, build_r, status_t, if (!this->ph1->build_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } return NEED_MORE; @@ -679,6 +678,7 @@ METHOD(task_t, process_i, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDir payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } id = id_payload->get_identification(id_payload); @@ -687,6 +687,7 @@ METHOD(task_t, process_i, status_t, { DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid); id->destroy(id); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, INVALID_ID_INFORMATION); } this->ike_sa->set_other_id(this->ike_sa, id); @@ -698,6 +699,7 @@ METHOD(task_t, process_i, status_t, if (!this->ph1->verify_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } if (!charon->bus->authorize(charon->bus, FALSE)) diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c index 6a296f221..b26a11bb4 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c @@ -59,7 +59,7 @@ struct private_isakmp_vendor_t { ike_sa_t *ike_sa; /** - * Are we the inititator of this task + * Are we the initiator of this task */ bool initiator; diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 1f764e547..b60c84992 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c 
@@ -332,11 +332,6 @@ METHOD(task_t, build_i, status_t, identification_t *id; id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return send_notify(this, INVALID_ID_INFORMATION); - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); message->add_payload(message, &id_payload->payload_interface); @@ -344,6 +339,7 @@ METHOD(task_t, build_i, status_t, if (!this->ph1->build_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } @@ -445,6 +441,7 @@ METHOD(task_t, process_r, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDii payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, INVALID_PAYLOAD_TYPE); } id = id_payload->get_identification(id_payload); @@ -457,6 +454,7 @@ METHOD(task_t, process_r, status_t, this->method, FALSE, id); if (!this->peer_cfg) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); @@ -472,6 +470,7 @@ METHOD(task_t, process_r, status_t, { DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, " "cancelling"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } @@ -523,11 +522,6 @@ METHOD(task_t, build_r, status_t, xauth_t *xauth = NULL; id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return send_notify(this, INVALID_ID_INFORMATION); - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); 
@@ -536,6 +530,7 @@ METHOD(task_t, build_r, status_t, if (!this->ph1->build_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } @@ -562,6 +557,7 @@ METHOD(task_t, build_r, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } job = adopt_children_job_create( @@ -688,6 +684,7 @@ METHOD(task_t, process_i, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDir payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } id = id_payload->get_identification(id_payload); @@ -696,6 +693,7 @@ METHOD(task_t, process_i, status_t, { DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid); id->destroy(id); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } this->ike_sa->set_other_id(this->ike_sa, id); @@ -703,12 +701,14 @@ METHOD(task_t, process_i, status_t, if (!this->ph1->verify_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, " "cancelling"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } @@ -736,6 +736,7 @@ METHOD(task_t, process_i, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } break; diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 43897c304..9b692588d 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c 
@@ -583,7 +583,6 @@ static status_t build_ack(private_mode_config_t *this, message_t *message) enumerator = this->vips->create_enumerator(this->vips); while (enumerator->enumerate(enumerator, &host)) { - type = INTERNAL_IP6_ADDRESS; if (host->get_family(host) == AF_INET6) { type = INTERNAL_IP6_ADDRESS; diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 5e5b61e7f..007e94d96 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -544,7 +544,7 @@ static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local, hosts = get_dynamic_hosts(this->ike_sa, local); list = this->config->get_traffic_selectors(this->config, - local, supplied, hosts); + local, supplied, hosts, TRUE); hosts->destroy(hosts); if (list->get_first(list, (void**)&ts) == SUCCESS) { diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c index 968b4386c..bec2cfe7d 100644 --- a/src/libcharon/sa/ikev1/tasks/xauth.c +++ b/src/libcharon/sa/ikev1/tasks/xauth.c @@ -226,7 +226,7 @@ static bool select_compliant_config(private_xauth_t *this) { /* current config is fine */ return TRUE; } - DBG1(DBG_CFG, "selected peer config '%s' inacceptable", + DBG1(DBG_CFG, "selected peer config '%s' unacceptable", old->get_name(old)); aggressive = old->use_aggressive(old); diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index bcf262725..e1e6cd7ee 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * 
@@ -65,6 +65,16 @@ struct private_eap_authenticator_t { char reserved[3]; /** + * PPK to use + */ + chunk_t ppk; + + /** + * Add a NO_PPK_AUTH notify + */ + bool no_ppk_auth; + + /** * Current EAP method processing */ eap_method_t *method; @@ -444,6 +454,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, chunk_t nonce, chunk_t init) { auth_payload_t *auth_payload; + notify_payload_t *notify; chunk_t auth_data, recv_auth_data; identification_t *other_id; auth_cfg_t *auth; @@ -458,14 +469,26 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, DBG1(DBG_IKE, "AUTH payload missing"); return FALSE; } + recv_auth_data = auth_payload->get_data(auth_payload); + + if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK) && + !this->ppk.ptr) + { /* look for a NO_PPK_AUTH notify if we have no PPK */ + notify = message->get_notify(message, NO_PPK_AUTH); + if (notify) + { + DBG1(DBG_IKE, "no PPK available, using NO_PPK_AUTH notify"); + recv_auth_data = notify->get_notification_data(notify); + } + } + other_id = this->ike_sa->get_other_id(this->ike_sa); keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); - if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, - this->msk, other_id, this->reserved, &auth_data)) + if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, this->msk, this->ppk, + other_id, this->reserved, &auth_data)) { return FALSE; } - recv_auth_data = auth_payload->get_data(auth_payload); if (!auth_data.len || !chunk_equals_const(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed", 
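Review bot: The NO_PPK_AUTH fallback in verify_auth downgrades verification to the non-PPK AUTH whenever `this->ppk.ptr` is NULL, so it silently relies on the caller having already refused the exchange when a PPK is required; as far as the ike_auth hunk later in this diff shows, that is `get_ppk()` returning FALSE when `ppk_required()` is set, but nothing in the authenticator records the dependency. A comment next to the check would make it explicit, e.g. `/* only safe because ike_auth rejects the exchange when a PPK is required but missing */`. The same block is repeated in psk_authenticator's process and pubkey_authenticator's process in later hunks and would benefit from the same note. verify_auth continues outside the hunk.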
@@ -507,8 +530,8 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message, DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); - if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, - this->msk, my_id, this->reserved, &auth_data)) + if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, this->ppk, + my_id, this->reserved, &auth_data)) { return FALSE; } @@ -517,6 +540,18 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message, auth_payload->set_data(auth_payload, auth_data); message->add_payload(message, (payload_t*)auth_payload); chunk_free(&auth_data); + + if (this->no_ppk_auth) + { + if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, + chunk_empty, my_id, this->reserved, &auth_data)) + { + DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify"); + return FALSE; + } + message->add_notify(message, FALSE, NO_PPK_AUTH, auth_data); + chunk_free(&auth_data); + } return TRUE; } @@ -698,6 +733,13 @@ METHOD(authenticator_t, is_mutual, bool, return TRUE; } +METHOD(authenticator_t, use_ppk, void, + private_eap_authenticator_t *this, chunk_t ppk, bool no_ppk_auth) +{ + this->ppk = ppk; + this->no_ppk_auth = no_ppk_auth; +} + METHOD(authenticator_t, destroy, void, private_eap_authenticator_t *this) { @@ -723,6 +765,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, .authenticator = { .build = _build_client, .process = _process_client, + .use_ppk = _use_ppk, .is_mutual = _is_mutual, .destroy = _destroy, }, @@ -753,6 +796,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, .authenticator = { .build = _build_server, .process = _process_server, + .use_ppk = _use_ppk, .is_mutual = _is_mutual, .destroy = _destroy, }, diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c index c1decb130..76571e702 100644 
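Review bot: `use_ppk` copies only the chunk descriptor (`this->ppk = ppk;`) without cloning, so the key bytes stay owned by the caller and must outlive the authenticator; the ike_auth hunk later in this diff holds them via `chunk_clone` in the task, which fits, but the borrow is not documented anywhere in this diff (the `use_ppk` declaration in authenticator.h is outside this chunk). The same applies to the `use_ppk` methods added in psk_authenticator.c and pubkey_authenticator.c below. Suggest a comment on the method such as `/* ppk is not cloned, the caller keeps ownership for the lifetime of the authenticator */`.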
--- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -51,6 +52,16 @@ struct private_psk_authenticator_t { * Reserved bytes of ID payload */ char reserved[3]; + + /** + * PPK to use + */ + chunk_t ppk; + + /** + * Add a NO_PPK_AUTH notify + */ + bool no_ppk_auth; }; METHOD(authenticator_t, build, status_t, @@ -68,18 +79,19 @@ METHOD(authenticator_t, build, status_t, DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_method_names, AUTH_PSK); key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id); - if (key == NULL) + if (!key) { DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); return NOT_FOUND; } if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce, - key->get_key(key), my_id, this->reserved, &auth_data)) + key->get_key(key), this->ppk, my_id, + this->reserved, &auth_data)) { key->destroy(key); return FAILED; } - key->destroy(key); + DBG2(DBG_IKE, "successfully created shared key MAC"); auth_payload = auth_payload_create(); auth_payload->set_auth_method(auth_payload, AUTH_PSK); @@ -87,6 +99,21 @@ METHOD(authenticator_t, build, status_t, chunk_free(&auth_data); message->add_payload(message, (payload_t*)auth_payload); + if (this->no_ppk_auth) + { + if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce, + key->get_key(key), chunk_empty, my_id, + this->reserved, &auth_data)) + { + DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify"); + key->destroy(key); + return SUCCESS; + } + DBG2(DBG_IKE, "successfully created shared key MAC without PPK"); + message->add_notify(message, FALSE, NO_PPK_AUTH, auth_data); + chunk_free(&auth_data); + } + key->destroy(key); return SUCCESS; } 
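Review bot: When the second `get_psk_sig` for the NO_PPK_AUTH notify fails in `build`, the function logs and then `return SUCCESS`, whereas eap_authenticator's build_auth in the previous hunk returns FALSE and pubkey_authenticator's sign routines set FAILED in the same situation; the message then goes out with an AUTH payload but no NO_PPK_AUTH notify, so a responder without the PPK sees an AUTH mismatch instead of a clear local error. Unless the lenient behaviour is intentional, the branch should read `key->destroy(key); return FAILED;` to match the other authenticators, and the intent should be stated in a comment either way.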
@@ -96,6 +123,7 @@ METHOD(authenticator_t, process, status_t, chunk_t auth_data, recv_auth_data; identification_t *my_id, *other_id; auth_payload_t *auth_payload; + notify_payload_t *notify; auth_cfg_t *auth; shared_key_t *key; enumerator_t *enumerator; @@ -108,8 +136,20 @@ METHOD(authenticator_t, process, status_t, { return FAILED; } - keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); recv_auth_data = auth_payload->get_data(auth_payload); + + if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK) && + !this->ppk.ptr) + { /* look for a NO_PPK_AUTH notify if we have no PPK */ + notify = message->get_notify(message, NO_PPK_AUTH); + if (notify) + { + DBG1(DBG_IKE, "no PPK available, using NO_PPK_AUTH notify"); + recv_auth_data = notify->get_notification_data(notify); + } + } + + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, @@ -119,7 +159,8 @@ METHOD(authenticator_t, process, status_t, keys_found++; if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce, - key->get_key(key), other_id, this->reserved, &auth_data)) + key->get_key(key), this->ppk, other_id, + this->reserved, &auth_data)) { continue; } @@ -150,6 +191,13 @@ METHOD(authenticator_t, process, status_t, return SUCCESS; } +METHOD(authenticator_t, use_ppk, void, + private_psk_authenticator_t *this, chunk_t ppk, bool no_ppk_auth) +{ + this->ppk = ppk; + this->no_ppk_auth = no_ppk_auth; +} + METHOD(authenticator_t, destroy, void, private_psk_authenticator_t *this) { @@ -170,6 +218,7 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, .authenticator = { .build = _build, .process = (void*)return_failed, + .use_ppk = _use_ppk, .is_mutual = (void*)return_false, .destroy = _destroy, }, 
@@ -197,6 +246,7 @@ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, .authenticator = { .build = (void*)return_failed, .process = _process, + .use_ppk = _use_ppk, .is_mutual = (void*)return_false, .destroy = _destroy, }, diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 652b837fe..1fcef03cc 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -56,6 +56,16 @@ struct private_pubkey_authenticator_t { * Reserved bytes of ID payload */ char reserved[3]; + + /** + * PPK to use + */ + chunk_t ppk; + + /** + * Add a NO_PPK_AUTH notify + */ + bool no_ppk_auth; }; /** 
@@ -204,17 +214,42 @@ CALLBACK(destroy_scheme, void, } /** + * Adds the given auth data to the message, either in an AUTH payload or + * a NO_PPK_AUTH notify. + * + * The data is freed. + */ +static void add_auth_to_message(message_t *message, auth_method_t method, + chunk_t data, bool notify) +{ + auth_payload_t *auth_payload; + + if (notify) + { + message->add_notify(message, FALSE, NO_PPK_AUTH, data); + } + else + { + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, method); + auth_payload->set_data(auth_payload, data); + message->add_payload(message, (payload_t*)auth_payload); + } + chunk_free(&data); +} + +/** * Create a signature using RFC 7427 signature authentication */ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, - auth_cfg_t *auth, private_key_t *private, - identification_t *id, chunk_t *auth_data) + auth_cfg_t *auth, private_key_t *private, + identification_t *id, message_t *message) { enumerator_t *enumerator; keymat_v2_t *keymat; signature_params_t *params = NULL; array_t *schemes; - chunk_t octets = chunk_empty; + chunk_t octets = chunk_empty, auth_data; status_t status = FAILED; keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); 
@@ -227,26 +262,46 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, return FAILED; } - if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, - this->nonce, id, this->reserved, &octets, - schemes)) + if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, this->nonce, + this->ppk, id, this->reserved, &octets, schemes)) { enumerator = array_create_enumerator(schemes); while (enumerator->enumerate(enumerator, ¶ms)) { - if (private->sign(private, params->scheme, params->params, octets, - auth_data) && - build_signature_auth_data(auth_data, params)) - { - status = SUCCESS; - break; - } - else + if (!private->sign(private, params->scheme, params->params, octets, + &auth_data) || + !build_signature_auth_data(&auth_data, params)) { DBG2(DBG_IKE, "unable to create %N signature for %N key", signature_scheme_names, params->scheme, key_type_names, private->get_type(private)); + continue; } + add_auth_to_message(message, AUTH_DS, auth_data, FALSE); + status = SUCCESS; + + if (this->no_ppk_auth) + { + chunk_free(&octets); + + if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, + this->nonce, chunk_empty, id, + this->reserved, &octets, schemes) && + private->sign(private, params->scheme, params->params, + octets, &auth_data) && + build_signature_auth_data(&auth_data, params)) + { + add_auth_to_message(message, AUTH_DS, auth_data, TRUE); + } + else + { + DBG2(DBG_IKE, "unable to create %N signature for %N key " + "without PPK", signature_scheme_names, params->scheme, + key_type_names, private->get_type(private)); + status = FAILED; + } + } + break; } enumerator->destroy(enumerator); } 
@@ -281,8 +336,8 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, * keymat). */ static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this, - bool verify, identification_t *id, - chunk_t *octets, signature_params_t **scheme) + bool verify, identification_t *id, chunk_t ppk, + chunk_t *octets, signature_params_t **scheme) { keymat_v2_t *keymat; array_t *schemes; @@ -293,7 +348,8 @@ static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this, keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce, - id, this->reserved, octets, schemes) && + ppk, id, this->reserved, octets, + schemes) && array_remove(schemes, 0, scheme)) { success = TRUE; @@ -311,19 +367,19 @@ static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this, */ static status_t sign_classic(private_pubkey_authenticator_t *this, auth_cfg_t *auth, private_key_t *private, - identification_t *id, auth_method_t *auth_method, - chunk_t *auth_data) + identification_t *id, message_t *message) { signature_scheme_t scheme; signature_params_t *params; - chunk_t octets = chunk_empty; + auth_method_t auth_method = AUTH_NONE; + chunk_t octets = chunk_empty, auth_data; status_t status = FAILED; switch (private->get_type(private)) { case KEY_RSA: scheme = SIGN_RSA_EMSA_PKCS1_SHA1; - *auth_method = AUTH_RSA; + auth_method = AUTH_RSA; break; case KEY_ECDSA: /* deduct the signature scheme from the keysize */ @@ -331,15 +387,15 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, { case 256: scheme = SIGN_ECDSA_256; - *auth_method = AUTH_ECDSA_256; + auth_method = AUTH_ECDSA_256; break; case 384: scheme = SIGN_ECDSA_384; - *auth_method = AUTH_ECDSA_384; + auth_method = AUTH_ECDSA_384; break; case 521: scheme = SIGN_ECDSA_521; - *auth_method = AUTH_ECDSA_521; + auth_method = AUTH_ECDSA_521; break; default: DBG1(DBG_IKE, "%d bit ECDSA private key size not supported", 
@@ -356,17 +412,34 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, INIT(params, .scheme = scheme, ); - if (get_auth_octets_scheme(this, FALSE, id, &octets, ¶ms) && - private->sign(private, params->scheme, NULL, octets, auth_data)) + if (get_auth_octets_scheme(this, FALSE, id, this->ppk, &octets, ¶ms) && + private->sign(private, params->scheme, NULL, octets, &auth_data)) { + add_auth_to_message(message, auth_method, auth_data, FALSE); status = SUCCESS; + + if (this->no_ppk_auth) + { + chunk_free(&octets); + if (get_auth_octets_scheme(this, FALSE, id, chunk_empty, &octets, + ¶ms) && + private->sign(private, params->scheme, NULL, octets, + &auth_data)) + { + add_auth_to_message(message, auth_method, auth_data, TRUE); + } + else + { + status = FAILED; + } + } } if (params) { signature_params_destroy(params); } DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, - auth_method_names, *auth_method, + auth_method_names, auth_method, status == SUCCESS ? "successful" : "failed"); chunk_free(&octets); return status; @@ -378,10 +451,7 @@ METHOD(authenticator_t, build, status_t, private_key_t *private; identification_t *id; auth_cfg_t *auth; - chunk_t auth_data; status_t status; - auth_payload_t *auth_payload; - auth_method_t auth_method = AUTH_NONE; id = this->ike_sa->get_my_id(this->ike_sa); auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); 
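Review bot: The NO_PPK_AUTH failure branch in sign_classic sets `status = FAILED` without any diagnostic, while sign_signature_auth in the previous hunk logs which signature could not be created without PPK and the psk/eap authenticators log "failed adding NO_PPK_AUTH notify"; the trailing DBG1 only reports "failed" and the reason is lost. Adding `DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify");` in that `else` keeps the three code paths consistent. The switch at the top of sign_classic is outside this hunk.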
@@ -394,24 +464,13 @@ METHOD(authenticator_t, build, status_t, if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH)) { - auth_method = AUTH_DS; - status = sign_signature_auth(this, auth, private, id, &auth_data); + status = sign_signature_auth(this, auth, private, id, message); } else { - status = sign_classic(this, auth, private, id, &auth_method, - &auth_data); + status = sign_classic(this, auth, private, id, message); } private->destroy(private); - - if (status == SUCCESS) - { - auth_payload = auth_payload_create(); - auth_payload->set_auth_method(auth_payload, auth_method); - auth_payload->set_data(auth_payload, auth_data); - chunk_free(&auth_data); - message->add_payload(message, (payload_t*)auth_payload); - } return status; } @@ -444,6 +503,7 @@ METHOD(authenticator_t, process, status_t, public_key_t *public; auth_method_t auth_method; auth_payload_t *auth_payload; + notify_payload_t *notify; chunk_t auth_data, octets; identification_t *id; auth_cfg_t *auth, *current_auth; @@ -459,9 +519,21 @@ METHOD(authenticator_t, process, status_t, { return FAILED; } - INIT(params); auth_method = auth_payload->get_auth_method(auth_payload); auth_data = auth_payload->get_data(auth_payload); + + if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK) && + !this->ppk.ptr) + { /* look for a NO_PPK_AUTH notify if we have no PPK */ + notify = message->get_notify(message, NO_PPK_AUTH); + if (notify) + { + DBG1(DBG_IKE, "no PPK available, using NO_PPK_AUTH notify"); + auth_data = notify->get_notification_data(notify); + } + } + + INIT(params); switch (auth_method) { case AUTH_RSA: @@ -491,7 +563,7 @@ METHOD(authenticator_t, process, status_t, return INVALID_ARG; } id = this->ike_sa->get_other_id(this->ike_sa); - if (!get_auth_octets_scheme(this, TRUE, id, &octets, ¶ms)) + if (!get_auth_octets_scheme(this, TRUE, id, this->ppk, &octets, ¶ms)) { return FAILED; } 
@@ -551,6 +623,13 @@ METHOD(authenticator_t, process, status_t, return status; } +METHOD(authenticator_t, use_ppk, void, + private_pubkey_authenticator_t *this, chunk_t ppk, bool no_ppk_auth) +{ + this->ppk = ppk; + this->no_ppk_auth = no_ppk_auth; +} + METHOD(authenticator_t, destroy, void, private_pubkey_authenticator_t *this) { @@ -571,6 +650,7 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, .authenticator = { .build = _build, .process = (void*)return_failed, + .use_ppk = _use_ppk, .is_mutual = (void*)return_false, .destroy = _destroy, }, @@ -598,6 +678,7 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, .authenticator = { .build = (void*)return_failed, .process = _process, + .use_ppk = _use_ppk, .is_mutual = (void*)return_false, .destroy = _destroy, }, diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index f8b23b66e..db46b816b 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c 
@@ -491,6 +491,93 @@ failure: return this->skp_build.len && this->skp_verify.len; } +/** + * Derives a key from the given key and a PRF that was initialized with a PPK + */ +static bool derive_ppk_key(prf_t *prf, char *name, chunk_t key, + chunk_t *new_key) +{ + prf_plus_t *prf_plus; + + prf_plus = prf_plus_create(prf, TRUE, key); + if (!prf_plus || + !prf_plus->allocate_bytes(prf_plus, key.len, new_key)) + { + DBG1(DBG_IKE, "unable to derive %s with PPK", name); + DESTROY_IF(prf_plus); + return FALSE; + } + prf_plus->destroy(prf_plus); + return TRUE; +} + +/** + * Use the given PPK to derive a new SK_pi/r + */ +static bool derive_skp_ppk(private_keymat_v2_t *this, chunk_t ppk, chunk_t skp, + chunk_t *new_skp) +{ + if (!this->prf->set_key(this->prf, ppk)) + { + DBG1(DBG_IKE, "unable to set PPK in PRF"); + return FALSE; + } + return derive_ppk_key(this->prf, "SK_p", skp, new_skp); +} + +METHOD(keymat_v2_t, derive_ike_keys_ppk, bool, + private_keymat_v2_t *this, chunk_t ppk) +{ + chunk_t skd = chunk_empty, new_skpi = chunk_empty, new_skpr = chunk_empty; + chunk_t *skpi, *skpr; + + if (!this->skd.ptr) + { + return FALSE; + } + + if (this->initiator) + { + skpi = &this->skp_build; + skpr = &this->skp_verify; + } + else + { + skpi = &this->skp_verify; + skpr = &this->skp_build; + } + + DBG4(DBG_IKE, "derive keys using PPK %B", &ppk); + + if (!this->prf->set_key(this->prf, ppk)) + { + DBG1(DBG_IKE, "unable to set PPK in PRF"); + return FALSE; + } + if (!derive_ppk_key(this->prf, "Sk_d", this->skd, &skd) || + !derive_ppk_key(this->prf, "Sk_pi", *skpi, &new_skpi) || + !derive_ppk_key(this->prf, "Sk_pr", *skpr, &new_skpr)) + { + chunk_clear(&skd); + chunk_clear(&new_skpi); + chunk_clear(&new_skpr); + return FALSE; + } + + DBG4(DBG_IKE, "Sk_d secret %B", &skd); + chunk_clear(&this->skd); + this->skd = skd; + + DBG4(DBG_IKE, "Sk_pi secret %B", &new_skpi); + chunk_clear(skpi); + *skpi = new_skpi; + + DBG4(DBG_IKE, "Sk_pr secret %B", &new_skpr); + chunk_clear(skpr); + *skpr = 
new_skpr; + return TRUE; +} + METHOD(keymat_v2_t, derive_child_keys, bool, private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, @@ -632,13 +719,23 @@ METHOD(keymat_t, get_aead, aead_t*, METHOD(keymat_v2_t, get_auth_octets, bool, private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets, - array_t *schemes) + chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3], + chunk_t *octets, array_t *schemes) { chunk_t chunk, idx; + chunk_t skp_ppk = chunk_empty; chunk_t skp; skp = verify ? this->skp_verify : this->skp_build; + if (ppk.ptr) + { + DBG4(DBG_IKE, "PPK %B", &ppk); + if (!derive_skp_ppk(this, ppk, skp, &skp_ppk)) + { + return FALSE; + } + skp = skp_ppk; + } chunk = chunk_alloca(4); chunk.ptr[0] = id->get_type(id); @@ -650,8 +747,10 @@ METHOD(keymat_v2_t, get_auth_octets, bool, if (!this->prf->set_key(this->prf, skp) || !this->prf->allocate_bytes(this->prf, idx, &chunk)) { + chunk_clear(&skp_ppk); return FALSE; } + chunk_clear(&skp_ppk); *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk); DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets); return TRUE; 
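Review bot: `derive_ppk_key` declares `char *name` although it is only ever passed string literals and only reads them; it should be `const char *name`. The labels are also inconsistent — `"SK_p"` from derive_skp_ppk versus `"Sk_d"`, `"Sk_pi"`, `"Sk_pr"` from derive_ike_keys_ppk — which makes the "unable to derive %s with PPK" messages harder to grep. derive_ike_keys_ppk further returns FALSE silently when `this->skd.ptr` is NULL; a DBG1 there would distinguish "IKE keys not derived yet" from a PRF failure. This hunk begins on the previous physical line.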
@@ -665,41 +764,53 @@ METHOD(keymat_v2_t, get_auth_octets, bool, METHOD(keymat_v2_t, get_psk_sig, bool, private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, - chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig) + chunk_t secret, chunk_t ppk, identification_t *id, char reserved[3], + chunk_t *sig) { - chunk_t key_pad, key, octets; + chunk_t skp_ppk = chunk_empty, key = chunk_empty, octets = chunk_empty; + chunk_t key_pad; + bool success = FALSE; if (!secret.len) { /* EAP uses SK_p if no MSK has been established */ secret = verify ? this->skp_verify : this->skp_build; + if (ppk.ptr) + { + if (!derive_skp_ppk(this, ppk, secret, &skp_ppk)) + { + return FALSE; + } + secret = skp_ppk; + } } - if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, + if (!get_auth_octets(this, verify, ike_sa_init, nonce, ppk, id, reserved, &octets, NULL)) { - return FALSE; + goto failure; } /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */ key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH); if (!this->prf->set_key(this->prf, secret) || !this->prf->allocate_bytes(this->prf, key_pad, &key)) { - chunk_free(&octets); - return FALSE; + goto failure; } if (!this->prf->set_key(this->prf, key) || !this->prf->allocate_bytes(this->prf, octets, sig)) { - chunk_free(&key); - chunk_free(&octets); - return FALSE; + goto failure; } DBG4(DBG_IKE, "secret %B", &secret); DBG4(DBG_IKE, "prf(secret, keypad) %B", &key); DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig); + success = TRUE; + +failure: + chunk_clear(&skp_ppk); chunk_free(&octets); chunk_free(&key); + return success; - return TRUE; } METHOD(keymat_v2_t, hash_algorithm_supported, bool, 
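Review bot: In the new `failure:` cleanup of get_psk_sig, `key` — the output of `prf(secret, "Key Pad for IKEv2")`, i.e. the key that MACs the octets — is still released with `chunk_free(&key)`, while the same hunk uses `chunk_clear` for `skp_ppk` a line above. Since `key` is derived from the PSK (or PPK-derived SK_p) it deserves the same zeroising release: `chunk_clear(&key);`. The behaviour is inherited from the old code, but the restructuring into a single cleanup path is the natural moment to fix it.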
@@ -752,6 +863,7 @@ keymat_v2_t *keymat_v2_create(bool initiator) .destroy = _destroy, }, .derive_ike_keys = _derive_ike_keys, + .derive_ike_keys_ppk = _derive_ike_keys_ppk, .derive_child_keys = _derive_child_keys, .get_skd = _get_skd, .get_auth_octets = _get_auth_octets, diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h index 5dc9cda38..3cc071aeb 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.h +++ b/src/libcharon/sa/ikev2/keymat_v2.h @@ -58,6 +58,16 @@ struct keymat_v2_t { chunk_t rekey_skd); /** + * Derive SK_d, SK_pi and SK_pr after authentication using the given + * Postquantum Preshared Key and the previous values of these keys that + * were derived by derive_ike_keys(). + * + * @param ppk the postquantum preshared key + * @return TRUE on success + */ + bool (*derive_ike_keys_ppk)(keymat_v2_t *this, chunk_t ppk); + + /** * Derive keys for a CHILD_SA. * * The keys for the CHILD_SA are allocated in the integ and encr chunks. @@ -95,9 +105,10 @@ struct keymat_v2_t { * key. PSK and EAP authentication include a secret into the data, use * the get_psk_sig() method instead. * - * @param verify TRUE to create for verfification, FALSE to sign + * @param verify TRUE to create for verification, FALSE to sign * @param ike_sa_init encoded ike_sa_init message * @param nonce nonce value + * @param ppk optional postquantum preshared key * @param id identity * @param reserved reserved bytes of id_payload * @param octests chunk receiving allocated auth octets @@ -107,7 +118,7 @@ struct keymat_v2_t { * @return TRUE if octets created successfully */ bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id, + chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3], chunk_t *octets, array_t *schemes); /** 
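Review bot: The new `@param ppk optional postquantum preshared key` on get_auth_octets does not say how "optional" is signalled, and the implementation in keymat_v2.c tests `ppk.ptr`, so a zero-length chunk with a non-NULL pointer would count as a PPK; suggest `@param ppk optional postquantum preshared key, chunk_empty if none`, and the same wording for get_psk_sig in the next hunk. While "verfification" is being fixed, the adjacent `@param octests` in the same comment block could become `octets`. The derive_ike_keys_ppk comment could also state that the previous SK_d/SK_pi/SK_pr are cleared and replaced in place, which is what the implementation does.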
@@ -117,17 +128,18 @@ struct keymat_v2_t { * includes the secret into the signature. If no secret is given, SK_p is * used as secret (used for EAP methods without MSK). * - * @param verify TRUE to create for verfification, FALSE to sign + * @param verify TRUE to create for verification, FALSE to sign * @param ike_sa_init encoded ike_sa_init message * @param nonce nonce value * @param secret optional secret to include into signature + * @param ppk optional postquantum preshared key * @param id identity * @param reserved reserved bytes of id_payload * @param sign chunk receiving allocated signature octets * @return TRUE if signature created successfully */ bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, + chunk_t nonce, chunk_t secret, chunk_t ppk, identification_t *id, char reserved[3], chunk_t *sig); /** diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index fff567233..910c77a2d 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -109,7 +109,7 @@ struct private_task_manager_t { array_t *packets; /** - * type of the initated exchange + * type of the initiated exchange */ exchange_type_t type; @@ -1946,8 +1946,7 @@ METHOD(task_manager_t, queue_dpd, void, { ike_mobike_t *mobike; - if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) && - this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE)) + if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { #ifdef ME peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index c90af23b9..c7eb0c854 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c 
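Review bot: The condition in queue_dpd now takes the MOBIKE path whenever the peer supports MOBIKE and no longer requires `COND_NAT_HERE`, and nothing in the code records why the NAT restriction was dropped; a one-line comment above the `if` stating the intent would save the next reader from reconstructing it from history. queue_dpd's body continues outside the hunk.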
@@ -481,12 +481,14 @@ static linked_list_t* narrow_ts(private_child_create_t *this, bool local, this->ike_sa->has_condition(this->ike_sa, cond)) { nat = get_transport_nat_ts(this, local, in); - ts = this->config->get_traffic_selectors(this->config, local, nat, hosts); + ts = this->config->get_traffic_selectors(this->config, local, nat, + hosts, TRUE); nat->destroy_offset(nat, offsetof(traffic_selector_t, destroy)); } else { - ts = this->config->get_traffic_selectors(this->config, local, in, hosts); + ts = this->config->get_traffic_selectors(this->config, local, in, + hosts, TRUE); } hosts->destroy(hosts); @@ -497,8 +499,8 @@ static linked_list_t* narrow_ts(private_child_create_t *this, bool local, /** * Install a CHILD_SA for usage, return value: * - FAILED: no acceptable proposal - * - INVALID_ARG: diffie hellman group inacceptable - * - NOT_FOUND: TS inacceptable + * - INVALID_ARG: diffie hellman group unacceptable + * - NOT_FOUND: TS unacceptable */ static status_t select_and_install(private_child_create_t *this, bool no_dh, bool ike_auth) @@ -559,7 +561,7 @@ static status_t select_and_install(private_child_create_t *this, if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &group, NULL)) { - DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N", + DBG1(DBG_IKE, "DH group %N unacceptable, requesting %N", diffie_hellman_group_names, this->dh_group, diffie_hellman_group_names, group); this->dh_group = group; @@ -1075,7 +1077,7 @@ METHOD(task_t, build_i, status_t, if (list->get_count(list)) { this->tsi = this->config->get_traffic_selectors(this->config, - TRUE, NULL, list); + TRUE, NULL, list, TRUE); list->destroy_offset(list, offsetof(host_t, destroy)); } else 
@@ -1083,12 +1085,12 @@ METHOD(task_t, build_i, status_t, list->destroy(list); list = get_dynamic_hosts(this->ike_sa, TRUE); this->tsi = this->config->get_traffic_selectors(this->config, - TRUE, NULL, list); + TRUE, NULL, list, TRUE); list->destroy(list); } list = get_dynamic_hosts(this->ike_sa, FALSE); this->tsr = this->config->get_traffic_selectors(this->config, - FALSE, NULL, list); + FALSE, NULL, list, TRUE); list->destroy(list); if (this->packet_tsi) @@ -1356,7 +1358,7 @@ METHOD(task_t, build_r, status_t, } if (this->config == NULL) { - DBG1(DBG_IKE, "traffic selectors %#R === %#R inacceptable", + DBG1(DBG_IKE, "traffic selectors %#R === %#R unacceptable", this->tsr, this->tsi); charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr); message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index 6b63197d5..b055ff064 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -24,6 +24,7 @@ #include <encoding/payloads/auth_payload.h> #include <encoding/payloads/eap_payload.h> #include <encoding/payloads/nonce_payload.h> +#include <sa/ikev2/keymat_v2.h> #include <sa/ikev2/authenticators/eap_authenticator.h> #include <processing/jobs/delete_ike_sa_job.h> @@ -60,6 +61,16 @@ struct private_ike_auth_t { chunk_t other_nonce; /** + * PPK_ID sent or received + */ + identification_t *ppk_id; + + /** + * Optional PPK to use + */ + chunk_t ppk; + + /** * IKE_SA_INIT message sent by us */ packet_t *my_packet; 
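Review bot: The new `chunk_t ppk` member of private_ike_auth_t holds key material (the get_ppk hunk later in this diff fills it with `chunk_clone` of the shared key), so the task's destroy, which is outside this chunk, must release it with `chunk_clear` rather than `chunk_free`, matching how keymat_v2.c wipes PPK-derived keys in this same diff; the cloned `ppk_id` needs a `DESTROY_IF` there too. The field comments could say who owns the bytes, e.g. `/** Optional PPK to use, owned by this task and cleared on destroy */`, which also documents the borrow the authenticators' `use_ppk` relies on.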
@@ -144,7 +155,7 @@ static status_t collect_my_init_data(private_ike_auth_t *this, /* get the nonce that was generated in ike_init */ nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE); - if (nonce == NULL) + if (!nonce) { return FAILED; } @@ -170,7 +181,7 @@ static status_t collect_other_init_data(private_ike_auth_t *this, /* get the nonce that was generated in ike_init */ nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE); - if (nonce == NULL) + if (!nonce) { return FAILED; } @@ -279,19 +290,47 @@ static bool do_another_auth(private_ike_auth_t *this) } /** + * Check if this is the first authentication round + */ +static bool is_first_round(private_ike_auth_t *this, bool local) +{ + enumerator_t *done; + auth_cfg_t *cfg; + + if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH)) + { + return TRUE; + } + + done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local); + if (done->enumerate(done, &cfg)) + { + done->destroy(done); + return FALSE; + } + done->destroy(done); + return TRUE; +} + +/** * Get peer configuration candidates from backends */ static bool load_cfg_candidates(private_ike_auth_t *this) { enumerator_t *enumerator; peer_cfg_t *peer_cfg; + ike_cfg_t *ike_cfg; host_t *me, *other; identification_t *my_id, *other_id; + proposal_t *ike_proposal; + bool private; me = this->ike_sa->get_my_host(this->ike_sa); other = this->ike_sa->get_other_host(this->ike_sa); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); + ike_proposal = this->ike_sa->get_proposal(this->ike_sa); + private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]", me, my_id, other, other_id); 
@@ -299,11 +338,18 @@ static bool load_cfg_candidates(private_ike_auth_t *this) me, other, my_id, other_id, IKEV2); while (enumerator->enumerate(enumerator, &peer_cfg)) { + /* ignore all configs that have no matching IKE proposal */ + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); + if (!ike_cfg->has_proposal(ike_cfg, ike_proposal, private)) + { + DBG2(DBG_CFG, "ignore candidate '%s' without matching IKE proposal", + peer_cfg->get_name(peer_cfg)); + continue; + } peer_cfg->get_ref(peer_cfg); - if (this->peer_cfg == NULL) + if (!this->peer_cfg) { /* best match */ this->peer_cfg = peer_cfg; - this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg); } else { @@ -313,6 +359,7 @@ static bool load_cfg_candidates(private_ike_auth_t *this) enumerator->destroy(enumerator); if (this->peer_cfg) { + this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); DBG1(DBG_CFG, "selected peer config '%s'", this->peer_cfg->get_name(this->peer_cfg)); return TRUE; @@ -369,7 +416,7 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) { break; } - DBG1(DBG_CFG, "selected peer config '%s' inacceptable: %s", + DBG1(DBG_CFG, "selected peer config '%s' unacceptable: %s", this->peer_cfg->get_name(this->peer_cfg), comply_error); this->peer_cfg->destroy(this->peer_cfg); } 
@@ -391,6 +438,149 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) return this->peer_cfg != NULL; } +/** + * Currently defined PPK_ID types + */ +#define PPK_ID_OPAQUE 1 +#define PPK_ID_FIXED 2 + +/** + * Parse the payload data of the given PPK_IDENTITY notify + */ +static bool parse_ppk_identity(notify_payload_t *notify, identification_t **id) +{ + chunk_t data; + + data = notify->get_notification_data(notify); + if (data.len < 2) + { + return FALSE; + } + switch (data.ptr[0]) + { + case PPK_ID_FIXED: + data = chunk_skip(data, 1); + break; + default: + return FALSE; + } + *id = identification_create_from_data(data); + return TRUE; +} + +/** + * Add a PPK_IDENTITY with the given PPK_ID to the given message + */ +static void add_ppk_identity(identification_t *id, message_t *msg) +{ + chunk_t data; + uint8_t type = PPK_ID_FIXED; + + /* we currently only support one type */ + data = chunk_cata("cc", chunk_from_thing(type), id->get_encoding(id)); + msg->add_notify(msg, FALSE, PPK_IDENTITY, data); +} + +/** + * Use the given PPK_ID to find a PPK and store it and the ID in the task + */ +static bool get_ppk(private_ike_auth_t *this, identification_t *ppk_id) +{ + shared_key_t *key; + + key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL); + if (!key) + { + if (this->peer_cfg->ppk_required(this->peer_cfg)) + { + DBG1(DBG_CFG, "PPK required but no PPK found for '%Y'", ppk_id); + return FALSE; + } + DBG1(DBG_CFG, "no PPK for '%Y' found, ignored because PPK is not " + "required", ppk_id); + return TRUE; + } + this->ppk = chunk_clone(key->get_key(key)); + this->ppk_id = ppk_id->clone(ppk_id); + key->destroy(key); + return TRUE; +} + +/** + * Check if we have a PPK available and, if not, whether we require one as + * initiator + */ +static bool get_ppk_i(private_ike_auth_t *this) +{ + identification_t *ppk_id; + + if (!this->ike_sa->supports_extension(this->ike_sa, EXT_PPK)) + { + if (this->peer_cfg->ppk_required(this->peer_cfg)) + 
{ + DBG1(DBG_CFG, "PPK required but peer does not support PPK"); + return FALSE; + } + return TRUE; + } + + ppk_id = this->peer_cfg->get_ppk_id(this->peer_cfg); + if (!ppk_id) + { + if (this->peer_cfg->ppk_required(this->peer_cfg)) + { + DBG1(DBG_CFG, "PPK required but no PPK_ID configured"); + return FALSE; + } + return TRUE; + } + return get_ppk(this, ppk_id); +} + +/** + * Check if we have a PPK available and if not whether we require one as + * responder + */ +static bool get_ppk_r(private_ike_auth_t *this, message_t *msg) +{ + notify_payload_t *notify; + identification_t *ppk_id, *ppk_id_cfg; + bool result; + + if (!this->ike_sa->supports_extension(this->ike_sa, EXT_PPK)) + { + if (this->peer_cfg->ppk_required(this->peer_cfg)) + { + DBG1(DBG_CFG, "PPK required but peer does not support PPK"); + return FALSE; + } + return TRUE; + } + + notify = msg->get_notify(msg, PPK_IDENTITY); + if (!notify || !parse_ppk_identity(notify, &ppk_id)) + { + if (this->peer_cfg->ppk_required(this->peer_cfg)) + { + DBG1(DBG_CFG, "PPK required but no PPK_IDENTITY received"); + return FALSE; + } + return TRUE; + } + + ppk_id_cfg = this->peer_cfg->get_ppk_id(this->peer_cfg); + if (ppk_id_cfg && !ppk_id->matches(ppk_id, ppk_id_cfg)) + { + DBG1(DBG_CFG, "received PPK_ID '%Y', but require '%Y'", ppk_id, + ppk_id_cfg); + ppk_id->destroy(ppk_id); + return FALSE; + } + result = get_ppk(this, ppk_id); + ppk_id->destroy(ppk_id); + return result; +} + METHOD(task_t, build_i, status_t, private_ike_auth_t *this, message_t *message) { @@ -401,7 +591,7 @@ METHOD(task_t, build_i, status_t, return collect_my_init_data(this, message); } - if (this->peer_cfg == NULL) + if (!this->peer_cfg) { this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); this->peer_cfg->get_ref(this->peer_cfg); 
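Review bot: In get_ppk_r(), a PPK_IDENTITY notify that is present but rejected by parse_ppk_identity() (shorter than two bytes, or a PPK_ID type other than PPK_ID_FIXED) is indistinguishable in the log from a missing notify, because both paths print "PPK required but no PPK_IDENTITY received" and the switch's default branch is silent. Logging the reason at the parse site, e.g. `DBG1(DBG_CFG, "unsupported PPK_ID type %d", data.ptr[0]);` before the `return FALSE;`, and wording the later message as `"PPK required but no valid PPK_IDENTITY received"`, would make interop failures with peers that use PPK_ID_OPAQUE (defined above but never accepted) diagnosable from the log. The rejection itself is correct; this is purely diagnostic.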
@@ -420,6 +610,12 @@ METHOD(task_t, build_i, status_t, /* indicate support for RFC 6311 Message ID synchronization */ message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC_SUPPORTED, chunk_empty); + /* only use a PPK in the first round */ + if (!get_ppk_i(this)) + { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); + return FAILED; + } } if (!this->do_another_auth && !this->my_auth) @@ -428,7 +624,7 @@ METHOD(task_t, build_i, status_t, } /* check if an authenticator is in progress */ - if (this->my_auth == NULL) + if (!this->my_auth) { identification_t *idi, *idr = NULL; id_payload_t *id_payload; @@ -495,6 +691,14 @@ METHOD(task_t, build_i, status_t, return FAILED; } } + /* for authentication methods that return NEED_MORE, the PPK will be reset + * in process_i() for messages without PPK_ID notify, so we always set it + * during the first round (afterwards the PPK won't be available) */ + if (this->ppk.ptr && this->my_auth->use_ppk) + { + this->my_auth->use_ppk(this->my_auth, this->ppk, + !this->peer_cfg->ppk_required(this->peer_cfg)); + } switch (this->my_auth->build(this->my_auth, message)) { case SUCCESS: @@ -509,6 +713,12 @@ METHOD(task_t, build_i, status_t, return FAILED; } + /* add a PPK_IDENTITY notify to the message that contains AUTH */ + if (this->ppk_id && message->get_payload(message, PLV2_AUTH)) + { + add_ppk_identity(this->ppk_id, message); + } + /* check for additional authentication rounds */ if (do_another_auth(this)) { @@ -536,7 +746,7 @@ METHOD(task_t, process_r, status_t, return collect_other_init_data(this, message); } - if (this->my_auth == NULL && this->do_another_auth) + if (!this->my_auth && this->do_another_auth) { /* handle (optional) IDr payload, apply proposed identity */ id_payload = (id_payload_t*)message->get_payload(message, PLV2_ID_RESPONDER); 
@@ -573,7 +783,7 @@ METHOD(task_t, process_r, status_t, } } - if (this->other_auth == NULL) + if (!this->other_auth) { /* handle IDi payload */ id_payload = (id_payload_t*)message->get_payload(message, PLV2_ID_INITIATOR); @@ -588,7 +798,7 @@ METHOD(task_t, process_r, status_t, cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); - if (this->peer_cfg == NULL) + if (!this->peer_cfg) { if (!load_cfg_candidates(this)) { @@ -596,14 +806,14 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } } - if (message->get_payload(message, PLV2_AUTH) == NULL) + if (!message->get_payload(message, PLV2_AUTH)) { /* before authenticating with EAP, we need a EAP config */ cand = get_auth_cfg(this, FALSE); while (!cand || ( (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK && (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0)) { /* peer requested EAP, but current config does not match */ - DBG1(DBG_IKE, "peer requested EAP, config inacceptable"); + DBG1(DBG_IKE, "peer requested EAP, config unacceptable"); this->peer_cfg->destroy(this->peer_cfg); this->peer_cfg = NULL; if (!update_cfg_candidates(this, FALSE)) @@ -642,6 +852,19 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } } + if (message->get_payload(message, PLV2_AUTH) && + is_first_round(this, FALSE)) + { + if (!get_ppk_r(this, message)) + { + this->authentication_failed = TRUE; + return NEED_MORE; + } + else if (this->ppk.ptr && this->other_auth->use_ppk) + { + this->other_auth->use_ppk(this->other_auth, this->ppk, FALSE); + } + } switch (this->other_auth->process(this->other_auth, message)) { case SUCCESS: @@ -675,7 +898,7 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } - if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL) + if (!message->get_notify(message, ANOTHER_AUTH_FOLLOWS)) { this->expect_another_auth = FALSE; if (!update_cfg_candidates(this, TRUE)) 
@@ -687,6 +910,37 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } +/** + * Clear the PPK and PPK_ID + */ +static void clear_ppk(private_ike_auth_t *this) +{ + DESTROY_IF(this->ppk_id); + this->ppk_id = NULL; + chunk_clear(&this->ppk); +} + +/** + * Derive new keys and clear the PPK + */ +static bool apply_ppk(private_ike_auth_t *this) +{ + keymat_v2_t *keymat; + + if (this->ppk.ptr) + { + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); + if (!keymat->derive_ike_keys_ppk(keymat, this->ppk)) + { + return FALSE; + } + DBG1(DBG_CFG, "using PPK for PPK_ID '%Y'", this->ppk_id); + this->ike_sa->set_condition(this->ike_sa, COND_PPK, TRUE); + } + clear_ppk(this); + return TRUE; +} + METHOD(task_t, build_r, status_t, private_ike_auth_t *this, message_t *message) { @@ -703,12 +957,12 @@ METHOD(task_t, build_r, status_t, return collect_my_init_data(this, message); } - if (this->authentication_failed || this->peer_cfg == NULL) + if (this->authentication_failed || !this->peer_cfg) { goto peer_auth_failed; } - if (this->my_auth == NULL && this->do_another_auth) + if (!this->my_auth && this->do_another_auth) { identification_t *id, *id_cfg; id_payload_t *id_payload; @@ -793,6 +1047,10 @@ METHOD(task_t, build_r, status_t, } if (this->my_auth) { + if (this->ppk.ptr && this->my_auth->use_ppk) + { + this->my_auth->use_ppk(this->my_auth, this->ppk, FALSE); + } switch (this->my_auth->build(this->my_auth, message)) { case SUCCESS: @@ -807,6 +1065,16 @@ METHOD(task_t, build_r, status_t, } } + /* add a PPK_IDENTITY notify and derive new keys and clear the PPK */ + if (this->ppk.ptr) + { + message->add_notify(message, FALSE, PPK_IDENTITY, chunk_empty); + if (!apply_ppk(this)) + { + goto local_auth_failed; + } + } + /* check for additional authentication rounds */ if (do_another_auth(this)) { 
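Review bot: In build_r() the PPK_IDENTITY notify is appended to the response before apply_ppk() runs, so if derive_ike_keys_ppk() fails the message handed to the local_auth_failed path already carries a PPK_IDENTITY notify; if that path (outside the hunk) adds AUTHENTICATION_FAILED to the same message, the peer receives both. Swapping the two statements inside the `if (this->ppk.ptr)` block avoids that: `if (!apply_ppk(this)) { goto local_auth_failed; }` first, then `message->add_notify(message, FALSE, PPK_IDENTITY, chunk_empty);`. Worth noting for later readers that clear_ppk() relies on chunk_clear(), so the copied PPK is zeroized rather than merely freed.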
@@ -942,7 +1210,7 @@ METHOD(task_t, process_i, status_t, enumerator_t *enumerator; payload_t *payload; auth_cfg_t *cfg; - bool mutual_eap = FALSE; + bool mutual_eap = FALSE, ppk_id_received = FALSE; if (message->get_exchange_type(message) == IKE_SA_INIT) { @@ -998,6 +1266,9 @@ METHOD(task_t, process_i, status_t, this->ike_sa->enable_extension(this->ike_sa, EXT_IKE_MESSAGE_ID_SYNC); break; + case PPK_IDENTITY: + ppk_id_received = TRUE; + break; default: { if (type <= 16383) @@ -1019,7 +1290,7 @@ METHOD(task_t, process_i, status_t, if (this->expect_another_auth) { - if (this->other_auth == NULL) + if (!this->other_auth) { id_payload_t *id_payload; identification_t *id; @@ -1059,6 +1330,11 @@ METHOD(task_t, process_i, status_t, } if (this->other_auth) { + if (ppk_id_received && is_first_round(this, FALSE) && + this->other_auth->use_ppk) + { + this->other_auth->use_ppk(this->other_auth, this->ppk, FALSE); + } switch (this->other_auth->process(this->other_auth, message)) { case SUCCESS: @@ -1094,6 +1370,14 @@ METHOD(task_t, process_i, status_t, if (this->my_auth) { + /* while we already set the PPK in build_i(), we MUST not use it if + * the peer did not reply with a PPK_ID notify */ + if (this->ppk.ptr && this->my_auth->use_ppk) + { + this->my_auth->use_ppk(this->my_auth, + ppk_id_received ? this->ppk : chunk_empty, + FALSE); + } switch (this->my_auth->process(this->my_auth, message)) { case SUCCESS: 
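Review bot: In process_i() the peer's authenticator is handed `this->ppk` whenever a PPK_IDENTITY notify was received, without the `this->ppk.ptr` guard that the equivalent use_ppk() calls in build_i() and process_r() carry, so a responder that sends PPK_IDENTITY although we never looked up a PPK passes an empty chunk into use_ppk(). Whether the authenticators treat an empty chunk as "no PPK" is outside this diff; either add `this->ppk.ptr &&` to the condition for consistency with the other call sites, or document that contract on use_ppk in the authenticator interface.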
@@ -1109,11 +1393,29 @@ METHOD(task_t, process_i, status_t, case NEED_MORE: break; default: - charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); - send_auth_failed_informational(this, message); - return FAILED; + goto local_auth_failed; + } + } + + /* change keys and clear PPK after we are done with our authentication, so + * we only explicitly use it for the first round, afterwards we just use the + * changed SK_p keys implicitly */ + if (!this->my_auth && this->ppk_id) + { + if (ppk_id_received) + { + if (!apply_ppk(this)) + { + goto local_auth_failed; + } + } + else + { + DBG1(DBG_CFG, "peer didn't use PPK for PPK_ID '%Y'", this->ppk_id); } + clear_ppk(this); } + if (mutual_eap) { if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth)) @@ -1124,7 +1426,7 @@ METHOD(task_t, process_i, status_t, DBG1(DBG_IKE, "allow mutual EAP-only authentication"); } - if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL) + if (!message->get_notify(message, ANOTHER_AUTH_FOLLOWS)) { this->expect_another_auth = FALSE; } @@ -1162,6 +1464,10 @@ peer_auth_failed: charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); send_auth_failed_informational(this, message); return FAILED; +local_auth_failed: + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); + send_auth_failed_informational(this, message); + return FAILED; } METHOD(task_t, get_type, task_type_t, @@ -1173,6 +1479,7 @@ METHOD(task_t, get_type, task_type_t, METHOD(task_t, migrate, void, private_ike_auth_t *this, ike_sa_t *ike_sa) { + clear_ppk(this); chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); DESTROY_IF(this->my_packet); @@ -1199,6 +1506,7 @@ METHOD(task_t, migrate, void, METHOD(task_t, destroy, void, private_ike_auth_t *this) { + clear_ppk(this); chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); DESTROY_IF(this->my_packet); diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h index f6862ca27..fd14e9faf 100644 
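Review bot: When the final response carries no PPK_IDENTITY, the new block in process_i() only logs "peer didn't use PPK" and continues even if the local peer config has ppk_required set, whereas get_ppk_r() fails authentication in the mirror situation; by this point the peer's AUTH has already been verified without the PPK in the @@ -1094 hunk and apply_ppk() is skipped, so the SA keys are never mixed with the PPK. Only a peer that could verify our PPK-bound AUTH, i.e. one already holding the PPK, can reach this state, so it is a policy gap rather than an outsider attack, but `ppk_required` is then not honoured. Suggest, in the else branch, `if (this->peer_cfg->ppk_required(this->peer_cfg)) { DBG1(DBG_CFG, "PPK required but peer didn't use PPK for PPK_ID '%Y'", this->ppk_id); goto local_auth_failed; }`, assuming as the existing log line does that this response is the one expected to carry PPK_IDENTITY. Also, the trailing `clear_ppk(this);` is redundant on the apply_ppk() success path since apply_ppk() already clears; harmless, but it hides that only the else branch needs it.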
--- a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h +++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h @@ -45,7 +45,7 @@ struct ike_auth_lifetime_t { * Create a new TASK_IKE_AUTH_LIFETIME task. * * @param ike_sa IKE_SA this task works for - * @param initiator TRUE if taks is initiated by us + * @param initiator TRUE if task is initiated by us * @return ike_auth_lifetime task to handle by the task_manager */ ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator); diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 3d73d728b..307d99264 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -55,11 +55,6 @@ struct private_ike_init_t { bool initiator; /** - * IKE config to establish - */ - ike_cfg_t *config; - - /** * diffie hellman group to use */ diffie_hellman_group_t dh_group; @@ -275,6 +270,38 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this, } /** + * Check whether to send a USE_PPK notify + */ +static bool send_use_ppk(private_ike_init_t *this) +{ + peer_cfg_t *peer; + enumerator_t *keys; + shared_key_t *key; + bool use_ppk = FALSE; + + if (this->initiator) + { + peer = this->ike_sa->get_peer_cfg(this->ike_sa); + if (peer->get_ppk_id(peer)) + { + use_ppk = TRUE; + } + } + else if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK)) + { + /* check if we have at least one PPK available */ + keys = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PPK, + NULL, NULL); + if (keys->enumerate(keys, &key, NULL, NULL)) + { + use_ppk = TRUE; + } + keys->destroy(keys); + } + return use_ppk; +} + +/** * build the payloads for the message */ static bool build_payloads(private_ike_init_t *this, message_t *message) 
@@ -286,14 +313,15 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) ike_sa_id_t *id; proposal_t *proposal; enumerator_t *enumerator; + ike_cfg_t *ike_cfg; id = this->ike_sa->get_id(this->ike_sa); - this->config = this->ike_sa->get_ike_cfg(this->ike_sa); + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); if (this->initiator) { - proposal_list = this->config->get_proposals(this->config); + proposal_list = ike_cfg->get_proposals(ike_cfg); other_dh_groups = linked_list_create(); enumerator = proposal_list->create_enumerator(proposal_list); while (enumerator->enumerate(enumerator, (void**)&proposal)) @@ -334,8 +362,6 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) } message->add_payload(message, (payload_t*)sa_payload); - nonce_payload = nonce_payload_create(PLV2_NONCE); - nonce_payload->set_nonce(nonce_payload, this->my_nonce); ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE, this->dh); if (!ke_payload) @@ -343,6 +369,8 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) DBG1(DBG_IKE, "creating KE payload failed"); return FALSE; } + nonce_payload = nonce_payload_create(PLV2_NONCE); + nonce_payload->set_nonce(nonce_payload, this->my_nonce); if (this->old_sa) { /* payload order differs if we are rekeying */ @@ -357,7 +385,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) /* negotiate fragmentation if we are not rekeying */ if (!this->old_sa && - this->config->fragmentation(this->config) != FRAGMENTATION_NO) + ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO) { if (this->initiator || this->ike_sa->supports_extension(this->ike_sa, 
@@ -400,10 +428,77 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) chunk_empty); } } + /* notify the peer if we want to use/support PPK */ + if (!this->old_sa && send_use_ppk(this)) + { + message->add_notify(message, FALSE, USE_PPK, chunk_empty); + } return TRUE; } /** + * Process the SA payload and select a proposal + */ +static void process_sa_payload(private_ike_init_t *this, message_t *message, + sa_payload_t *sa_payload) +{ + ike_cfg_t *ike_cfg, *cfg, *alt_cfg = NULL; + enumerator_t *enumerator; + linked_list_t *proposal_list; + host_t *me, *other; + bool private, prefer_configured; + + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + + proposal_list = sa_payload->get_proposals(sa_payload); + private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); + + this->proposal = ike_cfg->select_proposal(ike_cfg, proposal_list, private, + prefer_configured); + if (!this->proposal) + { + if (!this->initiator && !this->old_sa) + { + me = message->get_destination(message); + other = message->get_source(message); + enumerator = charon->backends->create_ike_cfg_enumerator( + charon->backends, me, other, IKEV2); + while (enumerator->enumerate(enumerator, &cfg)) + { + if (ike_cfg == cfg) + { /* already tried and failed */ + continue; + } + DBG1(DBG_IKE, "no matching proposal found, trying alternative " + "config"); + this->proposal = cfg->select_proposal(cfg, proposal_list, + private, prefer_configured); + if (this->proposal) + { + alt_cfg = cfg->get_ref(cfg); + break; + } + } + enumerator->destroy(enumerator); + } + if (alt_cfg) + { + this->ike_sa->set_ike_cfg(this->ike_sa, alt_cfg); + alt_cfg->destroy(alt_cfg); + } + else + { + charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, + proposal_list); + } + } + proposal_list->destroy_offset(proposal_list, + offsetof(proposal_t, destroy)); +} + +/** * Read 
payloads from message */ static void process_payloads(private_ike_init_t *this, message_t *message) @@ -419,24 +514,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message) { case PLV2_SECURITY_ASSOCIATION: { - sa_payload_t *sa_payload = (sa_payload_t*)payload; - linked_list_t *proposal_list; - bool private, prefer_configured; - - proposal_list = sa_payload->get_proposals(sa_payload); - private = this->ike_sa->supports_extension(this->ike_sa, - EXT_STRONGSWAN); - prefer_configured = lib->settings->get_bool(lib->settings, - "%s.prefer_configured_proposals", TRUE, lib->ns); - this->proposal = this->config->select_proposal(this->config, - proposal_list, private, prefer_configured); - if (!this->proposal) - { - charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, - proposal_list); - } - proposal_list->destroy_offset(proposal_list, - offsetof(proposal_t, destroy)); + process_sa_payload(this, message, (sa_payload_t*)payload); break; } case PLV2_KEY_EXCHANGE: @@ -469,6 +547,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message) handle_supported_hash_algorithms(this, notify); } break; + case USE_PPK: + if (!this->old_sa) + { + this->ike_sa->enable_extension(this->ike_sa, + EXT_PPK); + } + break; case REDIRECTED_FROM: { identification_t *gateway; @@ -533,7 +618,10 @@ static void process_payloads(private_ike_init_t *this, message_t *message) METHOD(task_t, build_i, status_t, private_ike_init_t *this, message_t *message) { - this->config = this->ike_sa->get_ike_cfg(this->ike_sa); + ike_cfg_t *ike_cfg; + + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), 
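Review bot: In process_sa_payload(), the `DBG1(DBG_IKE, "no matching proposal found, trying alternative config")` sits inside the enumeration loop, so it is emitted once per alternative ike_cfg rather than once per failed negotiation; moving it above the loop (or lowering the per-candidate line to DBG2) keeps the responder's log readable when many configs share an address pair and bounds the log volume a single unauthenticated IKE_SA_INIT can produce. The `ike_cfg == cfg` skip relies on the backend returning the very same ike_cfg_t instance the IKE_SA holds; if a backend hands out fresh objects per enumeration this only costs a second, already-failed select_proposal() call, so it is not a correctness issue, but a comment such as `/* skip the config already tried; backends returning copies just re-test it */` would save the next reader the analysis. The fallback is correctly limited to responders outside a rekeying (`!this->initiator && !this->old_sa`), where swapping the IKE config is still possible.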
@@ -563,12 +651,12 @@ METHOD(task_t, build_i, status_t, } else { /* this shouldn't happen, but let's be safe */ - this->dh_group = this->config->get_dh_group(this->config); + this->dh_group = ike_cfg->get_dh_group(ike_cfg); } } else { - this->dh_group = this->config->get_dh_group(this->config); + this->dh_group = ike_cfg->get_dh_group(ike_cfg); } this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, this->dh_group); @@ -627,7 +715,6 @@ METHOD(task_t, build_i, status_t, METHOD(task_t, process_r, status_t, private_ike_init_t *this, message_t *message) { - this->config = this->ike_sa->get_ike_cfg(this->ike_sa); DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); @@ -699,7 +786,7 @@ METHOD(task_t, build_r, status_t, if (this->proposal == NULL || this->other_nonce.len == 0 || this->my_nonce.len == 0) { - DBG1(DBG_IKE, "received proposals inacceptable"); + DBG1(DBG_IKE, "received proposals unacceptable"); message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); return FAILED; } @@ -728,7 +815,7 @@ METHOD(task_t, build_r, status_t, if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &group, NULL)) { - DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N", + DBG1(DBG_IKE, "DH group %N unacceptable, requesting %N", diffie_hellman_group_names, this->dh_group, diffie_hellman_group_names, group); this->dh_group = group; @@ -770,12 +857,14 @@ METHOD(task_t, build_r, status_t, */ static void raise_alerts(private_ike_init_t *this, notify_type_t type) { + ike_cfg_t *ike_cfg; linked_list_t *list; switch (type) { case NO_PROPOSAL_CHOSEN: - list = this->config->get_proposals(this->config); + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + list = ike_cfg->get_proposals(ike_cfg); charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, list); list->destroy_offset(list, offsetof(proposal_t, destroy)); break; 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index fe41a1cac..b2ad0a02a 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -193,7 +193,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message) case NAT_DETECTION_DESTINATION_IP: { /* NAT check in this MOBIKE exchange, create subtask for it */ - if (this->natd == NULL) + if (!this->natd) { this->natd = ike_natd_create(this->ike_sa, this->initiator); } @@ -648,7 +648,7 @@ METHOD(ike_mobike_t, roam, void, METHOD(ike_mobike_t, dpd, void, private_ike_mobike_t *this) { - if (!this->natd) + if (!this->natd && this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE)) { this->natd = ike_natd_create(this->ike_sa, this->initiator); } diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h index 288b87178..8789ac0af 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.h +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h @@ -91,7 +91,7 @@ struct ike_mobike_t { * Create a new ike_mobike task. * * @param ike_sa IKE_SA this task works for - * @param initiator TRUE if taks is initiated by us + * @param initiator TRUE if task is initiated by us * @return ike_mobike task to handle by the task_manager */ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator); diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c index 11123b415..57f9a797e 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c @@ -259,7 +259,7 @@ METHOD(task_t, build_r, status_t, } if (this->new_sa == NULL) { - /* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */ + /* IKE_SA/a CHILD_SA is in an unacceptable state, deny rekeying */ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); return SUCCESS; } 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c index 8d8969ea0..e81a18a14 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c @@ -59,7 +59,7 @@ struct private_ike_vendor_t { ike_sa_t *ike_sa; /** - * Are we the inititator of this task + * Are we the initiator of this task */ bool initiator; }; diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index a83da0480..d66e70937 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -117,8 +117,10 @@ static bool install_shunt_policy(child_cfg_t *child) host_any6 = host_create_any(AF_INET6); hosts = linked_list_create_with_items(host_any, host_any6, NULL); - my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts); - other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); + my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts, + FALSE); + other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts, + FALSE); hosts->destroy(hosts); manual_prio = child->get_manual_prio(child); @@ -287,8 +289,10 @@ static void uninstall_shunt_policy(child_cfg_t *child) host_any6 = host_create_any(AF_INET6); hosts = linked_list_create_with_items(host_any, host_any6, NULL); - my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts); - other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); + my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts, + FALSE); + other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts, + FALSE); hosts->destroy(hosts); manual_prio = child->get_manual_prio(child); diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h index 1a0a1acfa..987ac489d 100644 --- a/src/libcharon/sa/task.h +++ b/src/libcharon/sa/task.h 
@@ -115,7 +115,7 @@ extern enum_name_t *task_type_names; /** * Interface for a task, an operation handled within exchanges. * - * A task is an elemantary operation. It may be handled by a single or by + * A task is an elementary operation. It may be handled by a single or by * multiple exchanges. An exchange may even complete multiple tasks. * A task has a build() and an process() operation. The build() operation * creates payloads and adds it to the message. The process() operation @@ -128,7 +128,7 @@ extern enum_name_t *task_type_names; * that the task completed, even when the task completed unsuccessfully. The * manager then removes the task from the list. A NEED_MORE is returned when * the task needs further build()/process() calls to complete, the manager - * leaves the taks in the queue. A returned FAILED indicates a critical failure. + * leaves the task in the queue. A returned FAILED indicates a critical failure. * The manager closes the IKE_SA whenever a task returns FAILED. */ struct task_t { @@ -180,7 +180,7 @@ struct task_t { * Migrate a task to a new IKE_SA. * * After migrating a task, it goes back to a state where it can be - * used again to initate an exchange. This is useful when a task + * used again to initiate an exchange. This is useful when a task * has to get migrated to a new IKE_SA. * A special usage is when a INVALID_KE_PAYLOAD is received. A call * to reset resets the task, but uses another DH group for the next diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 979f9290a..148df3923 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c 
@@ -168,7 +168,7 @@ static bool dynamic_remote_ts(child_cfg_t *child) traffic_selector_t *ts; bool found = FALSE; - other_ts = child->get_traffic_selectors(child, FALSE, NULL, NULL); + other_ts = child->get_traffic_selectors(child, FALSE, NULL, NULL, FALSE); enumerator = other_ts->create_enumerator(other_ts); while (enumerator->enumerate(enumerator, &ts)) { @@ -296,11 +296,11 @@ METHOD(trap_manager_t, install, bool, child_sa = child_sa_create(me, other, child, 0, FALSE, 0, 0); list = linked_list_create_with_items(me, NULL); - my_ts = child->get_traffic_selectors(child, TRUE, NULL, list); + my_ts = child->get_traffic_selectors(child, TRUE, NULL, list, FALSE); list->destroy_offset(list, offsetof(host_t, destroy)); list = linked_list_create_with_items(other, NULL); - other_ts = child->get_traffic_selectors(child, FALSE, NULL, list); + other_ts = child->get_traffic_selectors(child, FALSE, NULL, list, FALSE); list->destroy_offset(list, offsetof(host_t, destroy)); /* We don't know the finally negotiated protocol (ESP|AH), we install diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am index 5ebd0456c..101b534f0 100644 --- a/src/libcharon/tests/Makefile.am +++ b/src/libcharon/tests/Makefile.am @@ -4,6 +4,7 @@ check_PROGRAMS = $(TESTS) libcharon_tests_SOURCES = \ suites/test_ike_cfg.c \ + suites/test_peer_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ libcharon_tests.h libcharon_tests.c @@ -35,6 +36,7 @@ exchange_tests_SOURCES = \ utils/job_asserts.h \ utils/mock_dh.h utils/mock_dh.c \ utils/mock_ipsec.h utils/mock_ipsec.c \ + utils/mock_net.h utils/mock_net.c \ utils/mock_nonce_gen.h utils/mock_nonce_gen.c \ utils/mock_sender.h utils/mock_sender.c \ utils/sa_asserts.h \ diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in index 24552d201..c545c6334 100644 --- a/src/libcharon/tests/Makefile.in +++ b/src/libcharon/tests/Makefile.in 
@@ -121,6 +121,7 @@ am_exchange_tests_OBJECTS = \ utils/exchange_tests-exchange_test_helper.$(OBJEXT) \ utils/exchange_tests-mock_dh.$(OBJEXT) \ utils/exchange_tests-mock_ipsec.$(OBJEXT) \ + utils/exchange_tests-mock_net.$(OBJEXT) \ utils/exchange_tests-mock_nonce_gen.$(OBJEXT) \ utils/exchange_tests-mock_sender.$(OBJEXT) \ exchange_tests-exchange_tests.$(OBJEXT) @@ -139,6 +140,7 @@ exchange_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(LDFLAGS) -o $@ am_libcharon_tests_OBJECTS = \ suites/libcharon_tests-test_ike_cfg.$(OBJEXT) \ + suites/libcharon_tests-test_peer_cfg.$(OBJEXT) \ suites/libcharon_tests-test_mem_pool.$(OBJEXT) \ suites/libcharon_tests-test_message_chapoly.$(OBJEXT) \ libcharon_tests-libcharon_tests.$(OBJEXT) @@ -334,7 +336,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -360,6 +361,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -380,8 +383,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -436,8 +437,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ 
@@ -466,8 +465,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ @@ -475,6 +478,7 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ libcharon_tests_SOURCES = \ suites/test_ike_cfg.c \ + suites/test_peer_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ libcharon_tests.h libcharon_tests.c @@ -505,6 +509,7 @@ exchange_tests_SOURCES = \ utils/job_asserts.h \ utils/mock_dh.h utils/mock_dh.c \ utils/mock_ipsec.h utils/mock_ipsec.c \ + utils/mock_net.h utils/mock_net.c \ utils/mock_nonce_gen.h utils/mock_nonce_gen.c \ utils/mock_sender.h utils/mock_sender.c \ utils/sa_asserts.h \ @@ -598,6 +603,8 @@ utils/exchange_tests-mock_dh.$(OBJEXT): utils/$(am__dirstamp) \ utils/$(DEPDIR)/$(am__dirstamp) utils/exchange_tests-mock_ipsec.$(OBJEXT): utils/$(am__dirstamp) \ utils/$(DEPDIR)/$(am__dirstamp) +utils/exchange_tests-mock_net.$(OBJEXT): utils/$(am__dirstamp) \ + utils/$(DEPDIR)/$(am__dirstamp) utils/exchange_tests-mock_nonce_gen.$(OBJEXT): utils/$(am__dirstamp) \ utils/$(DEPDIR)/$(am__dirstamp) utils/exchange_tests-mock_sender.$(OBJEXT): utils/$(am__dirstamp) \ 
@@ -608,6 +615,8 @@ exchange_tests$(EXEEXT): $(exchange_tests_OBJECTS) $(exchange_tests_DEPENDENCIES $(AM_V_CCLD)$(exchange_tests_LINK) $(exchange_tests_OBJECTS) $(exchange_tests_LDADD) $(LIBS) suites/libcharon_tests-test_ike_cfg.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/libcharon_tests-test_peer_cfg.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_mem_pool.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_message_chapoly.$(OBJEXT): \ @@ -636,10 +645,12 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_peer_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_dh.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_ipsec.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_net.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_sender.Po@am__quote@ 
@@ -807,6 +818,20 @@ utils/exchange_tests-mock_ipsec.obj: utils/mock_ipsec.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_ipsec.obj `if test -f 'utils/mock_ipsec.c'; then $(CYGPATH_W) 'utils/mock_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_ipsec.c'; fi` +utils/exchange_tests-mock_net.o: utils/mock_net.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_net.o -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_net.Tpo -c -o utils/exchange_tests-mock_net.o `test -f 'utils/mock_net.c' || echo '$(srcdir)/'`utils/mock_net.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_net.Tpo utils/$(DEPDIR)/exchange_tests-mock_net.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_net.c' object='utils/exchange_tests-mock_net.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_net.o `test -f 'utils/mock_net.c' || echo '$(srcdir)/'`utils/mock_net.c + +utils/exchange_tests-mock_net.obj: utils/mock_net.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_net.obj -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_net.Tpo -c -o utils/exchange_tests-mock_net.obj `if test -f 'utils/mock_net.c'; then $(CYGPATH_W) 'utils/mock_net.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_net.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
utils/$(DEPDIR)/exchange_tests-mock_net.Tpo utils/$(DEPDIR)/exchange_tests-mock_net.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_net.c' object='utils/exchange_tests-mock_net.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_net.obj `if test -f 'utils/mock_net.c'; then $(CYGPATH_W) 'utils/mock_net.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_net.c'; fi` + utils/exchange_tests-mock_nonce_gen.o: utils/mock_nonce_gen.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_nonce_gen.o -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Tpo -c -o utils/exchange_tests-mock_nonce_gen.o `test -f 'utils/mock_nonce_gen.c' || echo '$(srcdir)/'`utils/mock_nonce_gen.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Tpo utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Po 
@@ -863,6 +888,20 @@ suites/libcharon_tests-test_ike_cfg.obj: suites/test_ike_cfg.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_ike_cfg.obj `if test -f 'suites/test_ike_cfg.c'; then $(CYGPATH_W) 'suites/test_ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_cfg.c'; fi` +suites/libcharon_tests-test_peer_cfg.o: suites/test_peer_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_peer_cfg.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_peer_cfg.Tpo -c -o suites/libcharon_tests-test_peer_cfg.o `test -f 'suites/test_peer_cfg.c' || echo '$(srcdir)/'`suites/test_peer_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_peer_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_peer_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_peer_cfg.c' object='suites/libcharon_tests-test_peer_cfg.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_peer_cfg.o `test -f 'suites/test_peer_cfg.c' || echo '$(srcdir)/'`suites/test_peer_cfg.c + +suites/libcharon_tests-test_peer_cfg.obj: suites/test_peer_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_peer_cfg.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_peer_cfg.Tpo -c -o suites/libcharon_tests-test_peer_cfg.obj `if test -f 
'suites/test_peer_cfg.c'; then $(CYGPATH_W) 'suites/test_peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_peer_cfg.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_peer_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_peer_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_peer_cfg.c' object='suites/libcharon_tests-test_peer_cfg.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_peer_cfg.obj `if test -f 'suites/test_peer_cfg.c'; then $(CYGPATH_W) 'suites/test_peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_peer_cfg.c'; fi` + suites/libcharon_tests-test_mem_pool.o: suites/test_mem_pool.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h index d17ea041d..bc0521a75 100644 --- a/src/libcharon/tests/libcharon_tests.h +++ b/src/libcharon/tests/libcharon_tests.h @@ -25,5 +25,6 @@ */ TEST_SUITE(ike_cfg_suite_create) +TEST_SUITE(peer_cfg_suite_create) TEST_SUITE(mem_pool_suite_create) TEST_SUITE_DEPEND(message_chapoly_suite_create, AEAD, ENCR_CHACHA20_POLY1305, 32) 
diff --git a/src/libcharon/tests/suites/test_peer_cfg.c b/src/libcharon/tests/suites/test_peer_cfg.c
new file mode 100644
index 000000000..02e38a314
--- /dev/null
+++ b/src/libcharon/tests/suites/test_peer_cfg.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <config/peer_cfg.h>
+#include <config/child_cfg.h>
+
+/**
+ * Create a simple IKE config
+ */
+static ike_cfg_t *create_ike_cfg()
+{
+ return ike_cfg_create(IKEV2, TRUE, FALSE, "127.0.0.1", 500,
+ "127.0.0.1", 500, FRAGMENTATION_NO, 0);
+}
+
+/**
+ * Create a simple peer config
+ */
+static peer_cfg_t *create_peer_cfg()
+{
+ peer_cfg_create_t peer = {};
+
+ return peer_cfg_create("peer", create_ike_cfg(), &peer);
+}
+
+static peer_cfg_t *peer_a, *peer_b;
+
+START_SETUP(setup_replace)
+{
+ peer_a = create_peer_cfg();
+ peer_b = create_peer_cfg();
+}
+END_SETUP
+
+START_TEARDOWN(teardown_replace)
+{
+ peer_a->destroy(peer_a);
+ peer_b->destroy(peer_b);
+}
+END_TEARDOWN
+
+/**
+ * Check if the changes are correctly reported
+ * All given objects are destroyed
+ */
+static void test_replace(enumerator_t *changes, linked_list_t *rem,
+ linked_list_t *add)
+{
+ child_cfg_t *child;
+ bool added;
+
+ while (changes->enumerate(changes, &child, &added))
+ {
+ if (added)
+ {
+ ck_assert_msg(add->remove(add, child, NULL) == 1, "child config "
+ "was unexpectedly added");
+ }
+ else
+ {
+ ck_assert_msg(rem->remove(rem, child, NULL) == 1, "child config "
+ "was unexpectedly removed");
+ }
+ }
+ changes->destroy(changes);
+ ck_assert_msg(!rem->get_count(rem), "expected child config was not removed");
+ ck_assert_msg(!add->get_count(add), "expected child config was not added");
+ rem->destroy(rem);
+ add->destroy(add);
+}
+
+/**
+ * Check if the given child configs are contained in the peer config
+ * The list is destroyed
+ */
+static void test_child_cfgs(peer_cfg_t *peer, linked_list_t *children)
+{
+ enumerator_t *enumerator;
+ child_cfg_t *child;
+
+ enumerator = peer->create_child_cfg_enumerator(peer);
+ while (enumerator->enumerate(enumerator, &child))
+ {
+ ck_assert_msg(children->remove(children, child, NULL) == 1, "child "
+ "config was unexpectedly contained in peer config");
+ }
+ enumerator->destroy(enumerator);
+ ck_assert_msg(!children->get_count(children), "expected child config was "
+ "not contained in peer config");
+ children->destroy(children);
+}
+
+START_TEST(replace_child_cfgs_empty)
+{
+ child_cfg_create_t cfg = {};
+ child_cfg_t *child;
+
+ child = child_cfg_create("c", &cfg);
+ peer_b->add_child_cfg(peer_b, child->get_ref(child));
+
+ test_replace(peer_a->replace_child_cfgs(peer_a, peer_b),
+ linked_list_create(),
+ linked_list_create_with_items(child, NULL));
+ test_child_cfgs(peer_a,
+ linked_list_create_with_items(child, NULL));
+
+ child->destroy(child);
+}
+END_TEST
+
+START_TEST(replace_child_cfgs_same)
+{
+ child_cfg_create_t cfg = {};
+ child_cfg_t *child;
+
+ child = child_cfg_create("c", &cfg);
+ peer_a->add_child_cfg(peer_a, child->get_ref(child));
+ peer_b->add_child_cfg(peer_b, child->get_ref(child));
+
+ test_replace(peer_a->replace_child_cfgs(peer_a, peer_b),
+ linked_list_create(),
+ linked_list_create());
+ test_child_cfgs(peer_a,
+ linked_list_create_with_items(child, NULL));
+
+ child->destroy(child);
+}
+END_TEST
+
+START_TEST(replace_child_cfgs_same_replace)
+{
+ child_cfg_create_t cfg = {};
+ child_cfg_t *c1, *c2;
+
+ c1 = child_cfg_create("c1", &cfg);
+ peer_a->add_child_cfg(peer_a, c1->get_ref(c1));
+ c2 = child_cfg_create("c2", &cfg);
+ peer_b->add_child_cfg(peer_b, c2->get_ref(c2));
+
+ test_replace(peer_a->replace_child_cfgs(peer_a, peer_b),
+ linked_list_create(),
+ linked_list_create());
+ test_child_cfgs(peer_a,
+ linked_list_create_with_items(c2, NULL));
+
+ c1->destroy(c1);
+ c2->destroy(c2);
+}
+END_TEST
+
+START_TEST(replace_child_cfgs_clear)
+{
+ child_cfg_create_t cfg = {};
+ child_cfg_t *child;
+
+ child = child_cfg_create("c", &cfg);
+ peer_a->add_child_cfg(peer_a, child->get_ref(child));
+
+ test_replace(peer_a->replace_child_cfgs(peer_a, peer_b),
+ linked_list_create_with_items(child, NULL),
+ linked_list_create());
+ test_child_cfgs(peer_a,
+ linked_list_create());
+
+ child->destroy(child);
+}
+END_TEST
+
+START_TEST(replace_child_cfgs_mixed)
+{
+ child_cfg_create_t cfg1 = {}, cfg2 = { .mode = MODE_TUNNEL, };
+ child_cfg_create_t cfg3 = { .mode = MODE_TRANSPORT};
+ child_cfg_t *c1, *c2, *c3, *c4;
+
+ c1 = child_cfg_create("c1", &cfg1);
+ peer_a->add_child_cfg(peer_a, c1->get_ref(c1));
+ c2 = child_cfg_create("c2", &cfg2);
+ peer_a->add_child_cfg(peer_a, c2->get_ref(c2));
+
+ c3 = child_cfg_create("c3", &cfg3);
+ peer_b->add_child_cfg(peer_b, c3->get_ref(c3));
+ c4 = child_cfg_create("c4", &cfg2);
+ peer_b->add_child_cfg(peer_b, c4->get_ref(c4));
+
+ test_replace(peer_a->replace_child_cfgs(peer_a, peer_b),
+ linked_list_create_with_items(c1, NULL),
+ linked_list_create_with_items(c3, NULL));
+ test_child_cfgs(peer_a,
+ linked_list_create_with_items(c3, c4, NULL));
+
+ c1->destroy(c1);
+ c2->destroy(c2);
+ c3->destroy(c3);
+ c4->destroy(c4);
+}
+END_TEST
+
+Suite *peer_cfg_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("peer_cfg");
+
+ tc = tcase_create("replace_child_cfgs");
+ tcase_add_checked_fixture(tc, setup_replace, teardown_replace);
+ tcase_add_test(tc, replace_child_cfgs_empty);
+ tcase_add_test(tc, replace_child_cfgs_same);
+ tcase_add_test(tc, replace_child_cfgs_same_replace);
+ tcase_add_test(tc, replace_child_cfgs_clear);
+ tcase_add_test(tc, replace_child_cfgs_mixed);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libcharon/tests/utils/exchange_test_helper.c b/src/libcharon/tests/utils/exchange_test_helper.c
index fce0ccedf..bebf33463 100644
--- a/src/libcharon/tests/utils/exchange_test_helper.c
+++ b/src/libcharon/tests/utils/exchange_test_helper.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2018 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,6 +16,7 @@
 #include "exchange_test_helper.h"
 #include "mock_dh.h"
 #include "mock_ipsec.h"
+#include "mock_net.h"
 #include "mock_nonce_gen.h"
 
 #include <collections/array.h>
@@ -333,6 +334,7 @@ void exchange_test_helper_init(char *plugins)
 /* and there is no kernel plugin loaded
  * TODO: we'd have more control if we'd implement kernel_interface_t */
 charon->kernel->add_ipsec_interface(charon->kernel, mock_ipsec_create);
+ charon->kernel->add_net_interface(charon->kernel, mock_net_create);
 /* like SPIs for IPsec SAs, make IKE SPIs predictable */
 charon->ike_sa_manager->set_spi_cb(charon->ike_sa_manager, get_ike_spi, this);
diff --git a/src/libcharon/tests/utils/mock_net.c b/src/libcharon/tests/utils/mock_net.c
new file mode 100644
index 000000000..5b560871e
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_net.c
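Review bot: The contract these tests pin down — a child config that compares equal to one already present is swapped for the instance from the other peer config without being reported as a change (replace_child_cfgs_same_replace expects c2 in peer_a with no changes, replace_child_cfgs_mixed expects c4 in place of c2) — is only visible from the test names and expected lists, so a comment above replace_child_cfgs_same_replace would help, e.g. `/* equal configs are not reported as changes, but the instance from the other peer config replaces the existing one */`. In test_replace the message `"child config was unexpectedly added"` also fires when the same config is reported twice, because the second remove() returns 0; wording it as `"child config was unexpectedly added or reported twice"` (and likewise for the removed branch) would make such a failure easier to read. The expected result of replace_child_cfgs_mixed presumably depends on cfg1 `{}` comparing unequal to cfg2 and cfg3 under whatever equality child_cfg uses, which is not stated here; a short note next to the cfg declarations would make that assumption explicit.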
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_net.h"
+
+#include <daemon.h>
+
+#include <assert.h>
+
+typedef struct private_kernel_net_t private_kernel_net_t;
+
+/**
+ * Private data
+ */
+struct private_kernel_net_t {
+
+ /**
+ * Public interface
+ */
+ kernel_net_t public;
+
+ /**
+ * Local IP address
+ */
+ host_t *host;
+};
+
+/**
+ * Global instance
+ */
+static private_kernel_net_t *instance;
+
+METHOD(kernel_net_t, get_source_addr, host_t*,
+ private_kernel_net_t *this, host_t *dest, host_t *src)
+{
+ return this->host->clone(this->host);
+}
+
+METHOD(kernel_net_t, get_nexthop, host_t*,
+ private_kernel_net_t *this, host_t *dest, int prefix, host_t *src,
+ char **iface)
+{
+ if (iface)
+ {
+ *iface = strdup("lo");
+ }
+ return this->host->clone(this->host);
+}
+
+METHOD(kernel_net_t, get_interface, bool,
+ private_kernel_net_t *this, host_t *host, char **name)
+{
+ if (host->ip_equals(host, this->host))
+ {
+ if (name)
+ {
+ *name = strdup("lo");
+ }
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
+ private_kernel_net_t *this, kernel_address_type_t which)
+{
+ return enumerator_create_single(this->host, NULL);
+}
+
+METHOD(kernel_net_t, destroy, void,
+ private_kernel_net_t *this)
+{
+ this->host->destroy(this->host);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+kernel_net_t *mock_net_create()
+{
+ private_kernel_net_t *this;
+
+ INIT(this,
+ .public = {
+ .get_source_addr = _get_source_addr,
+ .get_nexthop = _get_nexthop,
+ .get_interface = _get_interface,
+ .create_address_enumerator = _create_address_enumerator,
+ .create_local_subnet_enumerator = (void*)enumerator_create_empty,
+ .add_ip = (void*)return_failed,
+ .del_ip = (void*)return_failed,
+ .add_route = (void*)return_failed,
+ .del_route = (void*)return_failed,
+ .destroy = _destroy,
+ },
+ .host = host_create_from_string("127.0.0.1", 500),
+ );
+
+ instance = this;
+
+ return &this->public;
+}
diff --git a/src/libcharon/tests/utils/mock_net.h b/src/libcharon/tests/utils/mock_net.h
new file mode 100644
index 000000000..15ad1ac0c
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_net.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * kernel_net_t implementation used for exchange unit tests. Simply returns
+ * an IP address so it seems we're connected.
+ *
+ * @defgroup mock_net mock_net
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_NET_H_
+#define MOCK_NET_H_
+
+#include <kernel/kernel_net.h>
+
+/**
+ * Create an instance of kernel_net_t
+ *
+ * @return created object
+ */
+kernel_net_t *mock_net_create();
+
+#endif /** MOCK_NET_H_ @}*/ |
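Review bot: `instance` is assigned in mock_net_create() but never read anywhere in this file, and destroy() does not clear it, so it is a write-only global that would dangle after free(this) the moment an accessor is added; either drop it or reset it in destroy() with `instance = NULL;`. `<assert.h>` is included but no assert() appears in the file, so that include can go. create_address_enumerator() ignores `which`, and get_source_addr()/get_nexthop() ignore `dest`/`src`, which is fine for a mock that always answers with the single loopback host, but a one-line comment on each such method, e.g. `/* mock: always the configured local host, regardless of the arguments */`, would stop a reader from looking for filtering that intentionally is not there. The `(void*)return_failed` casts bind functions of a different signature to the add_ip/del_ip/add_route/del_route slots; this appears to follow the project's existing convention, so I only note that the mock reports every address/route operation as failed.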