summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/plugins')
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/aes/aes_plugin.c4
-rw-r--r--src/libstrongswan/plugins/af_alg/Makefile.am20
-rw-r--r--src/libstrongswan/plugins/af_alg/Makefile.in612
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_crypter.c237
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_crypter.h54
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_hasher.c170
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_hasher.h52
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_ops.c226
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_ops.h92
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_plugin.c74
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_plugin.h42
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_prf.c211
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_prf.h52
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_signer.c206
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_signer.h52
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish_plugin.c4
-rw-r--r--src/libstrongswan/plugins/ccm/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/ccm/ccm_plugin.c37
-rw-r--r--src/libstrongswan/plugins/constraints/Makefile.am16
-rw-r--r--src/libstrongswan/plugins/constraints/Makefile.in604
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_plugin.c65
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_plugin.h42
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c578
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.h49
-rw-r--r--src/libstrongswan/plugins/ctr/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/ctr/ctr_plugin.c22
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/curl/curl_fetcher.c16
-rw-r--r--src/libstrongswan/plugins/curl/curl_plugin.c16
-rw-r--r--src/libstrongswan/plugins/des/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/des/des_plugin.c8
-rw-r--r--src/libstrongswan/plugins/dnskey/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/dnskey/dnskey_plugin.c19
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/fips_prf/fips_prf.c55
-rw-r--r--src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c28
-rw-r--r--src/libstrongswan/plugins/gcm/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/gcm/gcm_plugin.c20
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c68
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_plugin.c26
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/hmac/hmac_plugin.c88
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/ldap/ldap_fetcher.c35
-rw-r--r--src/libstrongswan/plugins/ldap/ldap_plugin.c16
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/md4/md4_plugin.c20
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/md5/md5_plugin.c20
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_database.c40
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_plugin.c15
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crl.c11
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c74
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c100
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/padlock/padlock_plugin.c12
-rw-r--r--src/libstrongswan/plugins/pem/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/pem/pem_encoder.c2
-rw-r--r--src/libstrongswan/plugins/pem/pem_plugin.c18
-rw-r--r--src/libstrongswan/plugins/pgp/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/pgp/pgp_plugin.c21
-rw-r--r--src/libstrongswan/plugins/pkcs1/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c16
-rw-r--r--src/libstrongswan/plugins/pkcs11/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_creds.c23
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.c67
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.h21
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_manager.c5
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c14
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c18
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c111
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/pubkey/pubkey_plugin.c18
-rw-r--r--src/libstrongswan/plugins/random/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/random/random_plugin.c22
-rw-r--r--src/libstrongswan/plugins/random/random_rng.c37
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c279
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/sha1/sha1_plugin.c22
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/sha2/sha2_plugin.c26
-rw-r--r--src/libstrongswan/plugins/soup/Makefile.am16
-rw-r--r--src/libstrongswan/plugins/soup/Makefile.in601
-rw-r--r--src/libstrongswan/plugins/soup/soup_fetcher.c159
-rw-r--r--src/libstrongswan/plugins/soup/soup_fetcher.h44
-rw-r--r--src/libstrongswan/plugins/soup/soup_plugin.c72
-rw-r--r--src/libstrongswan/plugins/soup/soup_plugin.h42
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/sqlite/sqlite_database.c45
-rw-r--r--src/libstrongswan/plugins/sqlite/sqlite_plugin.c18
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c16
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c1192
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c173
-rw-r--r--src/libstrongswan/plugins/x509/x509_plugin.c16
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.in4
-rw-r--r--src/libstrongswan/plugins/xcbc/xcbc_plugin.c30
106 files changed, 6572 insertions, 908 deletions
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 99a520852..9835cd5b9 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 22b47e334..1c060b6c8 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -18,6 +18,8 @@
#include <library.h>
#include "aes_crypter.h"
+static const char *plugin_name = "aes";
+
typedef struct private_aes_plugin_t private_aes_plugin_t;
/**
@@ -54,7 +56,7 @@ plugin_t *aes_plugin_create()
},
);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
(crypter_constructor_t)aes_crypter_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.am b/src/libstrongswan/plugins/af_alg/Makefile.am
new file mode 100644
index 000000000..a33fd30b6
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/Makefile.am
@@ -0,0 +1,20 @@
+
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-af-alg.la
+else
+plugin_LTLIBRARIES = libstrongswan-af-alg.la
+endif
+
+libstrongswan_af_alg_la_SOURCES = \
+ af_alg_plugin.h af_alg_plugin.c \
+ af_alg_ops.h af_alg_ops.c \
+ af_alg_hasher.h af_alg_hasher.c \
+ af_alg_signer.h af_alg_signer.c \
+ af_alg_prf.h af_alg_prf.c \
+ af_alg_crypter.h af_alg_crypter.c
+
+libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
new file mode 100644
index 000000000..aa8df979e
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -0,0 +1,612 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/af_alg
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_af_alg_la_LIBADD =
+am_libstrongswan_af_alg_la_OBJECTS = af_alg_plugin.lo af_alg_ops.lo \
+ af_alg_hasher.lo af_alg_signer.lo af_alg_prf.lo \
+ af_alg_crypter.lo
+libstrongswan_af_alg_la_OBJECTS = \
+ $(am_libstrongswan_af_alg_la_OBJECTS)
+libstrongswan_af_alg_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_af_alg_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_af_alg_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_af_alg_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_af_alg_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_af_alg_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-af-alg.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-af-alg.la
+libstrongswan_af_alg_la_SOURCES = \
+ af_alg_plugin.h af_alg_plugin.c \
+ af_alg_ops.h af_alg_ops.c \
+ af_alg_hasher.h af_alg_hasher.c \
+ af_alg_signer.h af_alg_signer.c \
+ af_alg_prf.h af_alg_prf.c \
+ af_alg_crypter.h af_alg_crypter.c
+
+libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES)
+ $(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_ops.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_signer.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
new file mode 100644
index 000000000..3416ad8d2
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_crypter.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_crypter_t private_af_alg_crypter_t;
+
+/**
+ * Private data of af_alg_crypter_t
+ */
+struct private_af_alg_crypter_t {
+
+ /**
+ * Public part of this class.
+ */
+ af_alg_crypter_t public;
+
+ /**
+ * AF_ALG operations
+ */
+ af_alg_ops_t *ops;
+
+ /**
+ * Size of the truncated signature
+ */
+ size_t block_size;
+
+ /**
+ * Size of the keymat
+ */
+ size_t keymat_size;
+
+ /**
+ * Size of initialization vector
+ */
+ size_t iv_size;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+ encryption_algorithm_t id;
+ char *name;
+ size_t block_size;
+ /* key size of the algorithm */
+ size_t key_size;
+ /* size of the keying material (key + nonce for ctr mode) */
+ size_t keymat_size;
+ size_t iv_size;
+} algs[] = {
+ {ENCR_DES, "cbc(des)", 8, 8, 8, 8, },
+ {ENCR_3DES, "cbc(des3_ede)", 8, 24, 24, 8, },
+ {ENCR_AES_CBC, "cbc(aes)", 16, 16, 16, 16, },
+ {ENCR_AES_CBC, "cbc(aes)", 16, 24, 24, 16, },
+ {ENCR_AES_CBC, "cbc(aes)", 16, 32, 32, 16, },
+ {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 16, 20, 8, },
+ {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 24, 28, 8, },
+ {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 32, 36, 8, },
+ {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 16, 16, 16, },
+ {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 24, 24, 16, },
+ {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 32, 32, 16, },
+ {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 16, 20, 8, },
+ {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 24, 28, 8, },
+ {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 32, 36, 8, },
+ {ENCR_CAST, "cbc(cast5)", 8, 16, 16, 8, },
+ {ENCR_BLOWFISH, "cbc(blowfish)", 8, 16, 16, 8, },
+ {ENCR_BLOWFISH, "cbc(blowfish)", 8, 24, 24, 8, },
+ {ENCR_BLOWFISH, "cbc(blowfish)", 8, 32, 32, 8, },
+ {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 16, 16, 16, },
+ {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 24, 24, 16, },
+ {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 32, 32, 16, },
+ {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 16, 16, 16, },
+ {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 24, 24, 16, },
+ {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 32, 32, 16, },
+};
+
+/**
+ * See header.
+ */
+void af_alg_crypter_probe()
+{
+ encryption_algorithm_t prev = -1;
+ af_alg_ops_t *ops;
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ if (prev != algs[i].id)
+ {
+ ops = af_alg_ops_create("skcipher", algs[i].name);
+ if (ops)
+ {
+ ops->destroy(ops);
+ lib->crypto->add_crypter(lib->crypto, algs[i].id, af_alg_plugin_name,
+ (crypter_constructor_t)af_alg_crypter_create);
+ }
+ }
+ prev = algs[i].id;
+ }
+}
+
+/**
+ * Get the kernel algorithm string and block/key size for our identifier
+ */
+static size_t lookup_alg(encryption_algorithm_t algo, char **name,
+ size_t key_size, size_t *keymat_size, size_t *iv_size)
+{
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ if (algs[i].id == algo &&
+ (key_size == 0 || algs[i].key_size == key_size))
+ {
+ *name = algs[i].name;
+ *keymat_size = algs[i].keymat_size;
+ *iv_size = algs[i].iv_size;
+ return algs[i].block_size;
+ }
+ }
+ return 0;
+}
+
+METHOD(crypter_t, decrypt, void,
+ private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
+{
+ if (dst)
+ {
+ *dst = chunk_alloc(data.len);
+ this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, dst->ptr);
+ }
+ else
+ {
+ this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr);
+ }
+}
+
+METHOD(crypter_t, encrypt, void,
+ private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
+{
+ if (dst)
+ {
+ *dst = chunk_alloc(data.len);
+ this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, dst->ptr);
+ }
+ else
+ {
+ this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, data.ptr);
+ }
+}
+
+METHOD(crypter_t, get_block_size, size_t,
+ private_af_alg_crypter_t *this)
+{
+ return this->block_size;
+}
+
+METHOD(crypter_t, get_iv_size, size_t,
+ private_af_alg_crypter_t *this)
+{
+ return this->iv_size;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+ private_af_alg_crypter_t *this)
+{
+ return this->keymat_size;
+}
+
+METHOD(crypter_t, set_key, void,
+ private_af_alg_crypter_t *this, chunk_t key)
+{
+ this->ops->set_key(this->ops, key);
+}
+
+METHOD(crypter_t, destroy, void,
+ private_af_alg_crypter_t *this)
+{
+ this->ops->destroy(this->ops);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo,
+ size_t key_size)
+{
+ private_af_alg_crypter_t *this;
+ size_t block_size, keymat_size, iv_size;
+ char *name;
+
+ block_size = lookup_alg(algo, &name, key_size, &keymat_size, &iv_size);
+ if (!block_size)
+ { /* not supported by kernel */
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .crypter = {
+ .encrypt = _encrypt,
+ .decrypt = _decrypt,
+ .get_block_size = _get_block_size,
+ .get_iv_size = _get_iv_size,
+ .get_key_size = _get_key_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ },
+ .block_size = block_size,
+ .keymat_size = keymat_size,
+ .iv_size = iv_size,
+ .ops = af_alg_ops_create("skcipher", name),
+ );
+
+ if (!this->ops)
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.h b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h
new file mode 100644
index 000000000..711d2fc35
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_crypter af_alg_crypter
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_CRYPTER_H_
+#define AF_ALG_CRYPTER_H_
+
+typedef struct af_alg_crypter_t af_alg_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Implementation of signers using AF_ALG.
+ */
+struct af_alg_crypter_t {
+
+ /**
+ * The crypter_t interface.
+ */
+ crypter_t crypter;
+};
+
+/**
+ * Constructor to create af_alg_crypter_t.
+ *
+ * @param algo algorithm to implement
+ * @param key_size key size in bytes
+ * @return af_alg_crypter_t, NULL if not supported
+ */
+af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo,
+ size_t key_size);
+
+/**
+ * Probe algorithms and register af_alg_crypter_create().
+ */
+void af_alg_crypter_probe();
+
+#endif /** AF_ALG_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
new file mode 100644
index 000000000..7c6297d44
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_hasher.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_hasher_t private_af_alg_hasher_t;
+
+/**
+ * Private data of af_alg_hasher_t
+ */
+struct private_af_alg_hasher_t {
+
+ /**
+ * Public part of this class.
+ */
+ af_alg_hasher_t public;
+
+ /**
+ * AF_ALG operations
+ */
+ af_alg_ops_t *ops;
+
+ /**
+ * Size of the hash
+ */
+ size_t size;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+ hash_algorithm_t id;
+ char *name;
+ size_t size;
+} algs[] = {
+ {HASH_SHA1, "sha1", HASH_SIZE_SHA1 },
+ {HASH_MD5, "md5", HASH_SIZE_MD5 },
+ {HASH_SHA224, "sha224", HASH_SIZE_SHA224 },
+ {HASH_SHA256, "sha256", HASH_SIZE_SHA256 },
+ {HASH_SHA384, "sha384", HASH_SIZE_SHA384 },
+ {HASH_SHA512, "sha512", HASH_SIZE_SHA512 },
+ {HASH_MD4, "md4", HASH_SIZE_MD4 },
+};
+
+/**
+ * See header.
+ */
+void af_alg_hasher_probe()
+{
+ af_alg_ops_t *ops;
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ ops = af_alg_ops_create("hash", algs[i].name);
+ if (ops)
+ {
+ ops->destroy(ops);
+ lib->crypto->add_hasher(lib->crypto, algs[i].id, af_alg_plugin_name,
+ (hasher_constructor_t)af_alg_hasher_create);
+ }
+ }
+}
+
+/**
+ * Get the kernel algorithm string and hash size for our identifier
+ */
+static size_t lookup_alg(hash_algorithm_t algo, char **name)
+{
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ if (algs[i].id == algo)
+ {
+ *name = algs[i].name;
+ return algs[i].size;
+ }
+ }
+ return 0;
+}
+
+METHOD(hasher_t, get_hash_size, size_t,
+ private_af_alg_hasher_t *this)
+{
+ return this->size;
+}
+
+METHOD(hasher_t, reset, void,
+ private_af_alg_hasher_t *this)
+{
+ this->ops->reset(this->ops);
+}
+
+METHOD(hasher_t, get_hash, void,
+ private_af_alg_hasher_t *this, chunk_t chunk, u_int8_t *hash)
+{
+ this->ops->hash(this->ops, chunk, hash, this->size);
+}
+
+METHOD(hasher_t, allocate_hash, void,
+ private_af_alg_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+ if (hash)
+ {
+ *hash = chunk_alloc(get_hash_size(this));
+ get_hash(this, chunk, hash->ptr);
+ }
+ else
+ {
+ get_hash(this, chunk, NULL);
+ }
+}
+
+METHOD(hasher_t, destroy, void,
+ private_af_alg_hasher_t *this)
+{
+ this->ops->destroy(this->ops);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo)
+{
+ private_af_alg_hasher_t *this;
+ char *name;
+ size_t size;
+
+ size = lookup_alg(algo, &name);
+ if (!size)
+ { /* not supported by kernel */
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .hasher = {
+ .get_hash = _get_hash,
+ .allocate_hash = _allocate_hash,
+ .get_hash_size = _get_hash_size,
+ .reset = _reset,
+ .destroy = _destroy,
+ },
+ },
+ .ops = af_alg_ops_create("hash", name),
+ .size = size,
+ );
+ if (!this->ops)
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.h b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
new file mode 100644
index 000000000..e0833e23a
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_hasher af_alg_hasher
+ * @{ @ingroup af_alg
+ */
+
+#ifndef af_alg_HASHER_H_
+#define af_alg_HASHER_H_
+
+typedef struct af_alg_hasher_t af_alg_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hashers using AF_ALG.
+ */
+struct af_alg_hasher_t {
+
+ /**
+ * Implements hasher_t interface.
+ */
+ hasher_t hasher;
+};
+
+/**
+ * Constructor to create af_alg_hasher_t.
+ *
+ * @param algo algorithm
+ * @return af_alg_hasher_t, NULL if not supported
+ */
+af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo);
+
+/**
+ * Probe algorithms and register af_alg_hasher_create().
+ */
+void af_alg_hasher_probe();
+
+#endif /** af_alg_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
new file mode 100644
index 000000000..7bf1d90db
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_ops.h"
+
+#include <unistd.h>
+#include <errno.h>
+#include <linux/socket.h>
+
+#include <debug.h>
+
+const char *af_alg_plugin_name = "af-alg";
+
+typedef struct private_af_alg_ops_t private_af_alg_ops_t;
+
+/**
+ * Private data of an af_alg_ops_t object.
+ */
+struct private_af_alg_ops_t {
+
+ /**
+ * Public af_alg_ops_t interface.
+ */
+ af_alg_ops_t public;
+
+ /**
+ * Transform FD
+ */
+ int tfm;
+
+ /**
+ * Operation FD
+ */
+ int op;
+};
+
+METHOD(af_alg_ops_t, reset, void,
+ private_af_alg_ops_t *this)
+{
+ if (this->op != -1)
+ {
+ close(this->op);
+ this->op = -1;
+ }
+}
+
+METHOD(af_alg_ops_t, hash, void,
+ private_af_alg_ops_t *this, chunk_t data, char *out, size_t outlen)
+{
+ ssize_t len;
+
+ while (this->op == -1)
+ {
+ this->op = accept(this->tfm, NULL, 0);
+ if (this->op == -1)
+ {
+ DBG1(DBG_LIB, "opening AF_ALG hasher failed: %s", strerror(errno));
+ sleep(1);
+ }
+ }
+ do
+ {
+ len = send(this->op, data.ptr, data.len, out ? 0 : MSG_MORE);
+ if (len == -1)
+ {
+ DBG1(DBG_LIB, "writing to AF_ALG hasher failed: %s", strerror(errno));
+ sleep(1);
+ }
+ else
+ {
+ data = chunk_skip(data, len);
+ }
+ }
+ while (data.len);
+
+ if (out)
+ {
+ while (read(this->op, out, outlen) != outlen)
+ {
+ DBG1(DBG_LIB, "reading AF_ALG hasher failed: %s", strerror(errno));
+ sleep(1);
+ }
+ reset(this);
+ }
+}
+
+METHOD(af_alg_ops_t, crypt, void,
+ private_af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
+ char *out)
+{
+ struct msghdr msg = {};
+ struct cmsghdr *cmsg;
+ struct af_alg_iv *ivm;
+ struct iovec iov;
+ char buf[CMSG_SPACE(sizeof(type)) +
+ CMSG_SPACE(offsetof(struct af_alg_iv, iv) + iv.len)];
+ ssize_t len;
+ int op;
+
+ while ((op = accept(this->tfm, NULL, 0)) == -1)
+ {
+ DBG1(DBG_LIB, "accepting AF_ALG crypter failed: %s", strerror(errno));
+ sleep(1);
+ }
+
+ memset(buf, 0, sizeof(buf));
+
+ msg.msg_control = buf;
+ msg.msg_controllen = sizeof(buf);
+
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_level = SOL_ALG;
+ cmsg->cmsg_type = ALG_SET_OP;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(type));
+ *(u_int32_t*)CMSG_DATA(cmsg) = type;
+
+ cmsg = CMSG_NXTHDR(&msg, cmsg);
+ cmsg->cmsg_level = SOL_ALG;
+ cmsg->cmsg_type = ALG_SET_IV;
+ cmsg->cmsg_len = CMSG_LEN(offsetof(struct af_alg_iv, iv) + iv.len);
+ ivm = (void*)CMSG_DATA(cmsg);
+ ivm->ivlen = iv.len;
+ memcpy(ivm->iv, iv.ptr, iv.len);
+
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+
+ while (data.len)
+ {
+ iov.iov_base = data.ptr;
+ iov.iov_len = data.len;
+
+ len = sendmsg(op, &msg, 0);
+ if (len == -1)
+ {
+ DBG1(DBG_LIB, "writing to AF_ALG crypter failed: %s",
+ strerror(errno));
+ sleep(1);
+ continue;
+ }
+ if (read(op, out, len) != len)
+ {
+ DBG1(DBG_LIB, "reading from AF_ALG crypter failed: %s",
+ strerror(errno));
+ }
+ data = chunk_skip(data, len);
+ /* no IV for subsequent data chunks */
+ msg.msg_controllen = 0;
+ }
+ close(op);
+}
+
+METHOD(af_alg_ops_t, set_key, void,
+ private_af_alg_ops_t *this, chunk_t key)
+{
+ if (setsockopt(this->tfm, SOL_ALG, ALG_SET_KEY, key.ptr, key.len) == -1)
+ {
+ DBG1(DBG_LIB, "setting AF_ALG key failed: %s", strerror(errno));
+ }
+}
+
+METHOD(af_alg_ops_t, destroy, void,
+ private_af_alg_ops_t *this)
+{
+ close(this->tfm);
+ if (this->op != -1)
+ {
+ close(this->op);
+ }
+ free(this);
+}
+
+/**
+ * See header
+ */
+af_alg_ops_t *af_alg_ops_create(char *type, char *alg)
+{
+ private_af_alg_ops_t *this;
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ };
+
+ strncpy(sa.salg_type, type, sizeof(sa.salg_type));
+ strncpy(sa.salg_name, alg, sizeof(sa.salg_name));
+
+ INIT(this,
+ .public = {
+ .hash = _hash,
+ .reset = _reset,
+ .crypt = _crypt,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ .tfm = socket(AF_ALG, SOCK_SEQPACKET, 0),
+ .op = -1,
+ );
+ if (this->tfm == -1)
+ {
+ DBG1(DBG_LIB, "opening AF_ALG socket failed: %s", strerror(errno));
+ free(this);
+ return NULL;
+ }
+ if (bind(this->tfm, (struct sockaddr*)&sa, sizeof(sa)) == -1)
+ {
+ if (errno != ENOENT)
+ { /* fail silently if algorithm not supported */
+ DBG1(DBG_LIB, "binding AF_ALG socket for '%s' failed: %s",
+ sa.salg_name, strerror(errno));
+ }
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.h b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
new file mode 100644
index 000000000..b7d642c00
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+* @defgroup af_alg_ops af_alg_ops
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_OPS_H_
+#define AF_ALG_OPS_H_
+
+#include <library.h>
+
+#include <linux/if_alg.h>
+
+#ifndef AF_ALG
+#define AF_ALG 38
+#endif /* AF_ALG */
+
+#ifndef SOL_ALG
+#define SOL_ALG 279
+#endif /* SOL_ALG */
+
+extern const char *af_alg_plugin_name;
+
+typedef struct af_alg_ops_t af_alg_ops_t;
+
+/**
+ * Helper to run AF_ALG operations.
+ */
+struct af_alg_ops_t {
+
+ /**
+ * Hash a chunk of data.
+ *
+ * @param data data to hash
+ * @param out buffer to write hash to, NULL for append mode
+ * @param outlen number of bytes to read into out
+ */
+ void (*hash)(af_alg_ops_t *this, chunk_t data, char *out, size_t outlen);
+
+ /**
+ * Reset hasher state.
+ */
+ void (*reset)(af_alg_ops_t *this);
+
+ /**
+ * En-/Decrypt a chunk of data.
+ *
+ * @param type crypto operation (ALG_OP_DECRYPT/ALG_OP_ENCRYPT)
+ * @param iv iv to use
+ * @param data data to encrypt/decrypt
+ * @param out buffer write processed data to
+ */
+ void (*crypt)(af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
+ char *out);
+
+ /**
+ * Set the key for en-/decryption or HMAC/XCBC operations.
+ *
+ * @param key key to set for transform
+ */
+ void (*set_key)(af_alg_ops_t *this, chunk_t key);
+
+ /**
+ * Destroy a af_alg_ops_t.
+ */
+ void (*destroy)(af_alg_ops_t *this);
+};
+
+/**
+ * Create a af_alg_ops instance.
+ *
+ * @param type algorithm type (hash, skcipher)
+ * @param alg algorithm name
+ * @return TRUE if AF_ALG socket bound successfully
+ */
+af_alg_ops_t *af_alg_ops_create(char *type, char *alg);
+
+#endif /** AF_ALG_OPS_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.c b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
new file mode 100644
index 000000000..54e39f1a0
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_plugin.h"
+
+#include <library.h>
+
+#include "af_alg_hasher.h"
+#include "af_alg_signer.h"
+#include "af_alg_prf.h"
+#include "af_alg_crypter.h"
+
+typedef struct private_af_alg_plugin_t private_af_alg_plugin_t;
+
+/**
+ * private data of af_alg_plugin
+ */
+struct private_af_alg_plugin_t {
+
+ /**
+ * public functions
+ */
+ af_alg_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_af_alg_plugin_t *this)
+{
+ lib->crypto->remove_hasher(lib->crypto,
+ (hasher_constructor_t)af_alg_hasher_create);
+ lib->crypto->remove_signer(lib->crypto,
+ (signer_constructor_t)af_alg_signer_create);
+ lib->crypto->remove_prf(lib->crypto,
+ (prf_constructor_t)af_alg_prf_create);
+ lib->crypto->remove_crypter(lib->crypto,
+ (crypter_constructor_t)af_alg_crypter_create);
+
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *af_alg_plugin_create()
+{
+ private_af_alg_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ af_alg_hasher_probe();
+ af_alg_signer_probe();
+ af_alg_prf_probe();
+ af_alg_crypter_probe();
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.h b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h
new file mode 100644
index 000000000..18c069831
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg af_alg
+ * @ingroup plugins
+ *
+ * @defgroup af_alg_plugin af_alg_plugin
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_PLUGIN_H_
+#define AF_ALG_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct af_alg_plugin_t af_alg_plugin_t;
+
+/**
+ * Plugin providing the AF_ALG interface to the Linux Crypto API.
+ */
+struct af_alg_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** AF_ALG_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
new file mode 100644
index 000000000..575906bae
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_prf.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_prf_t private_af_alg_prf_t;
+
+/**
+ * Private data of a af_alg_prf_t object.
+ */
+struct private_af_alg_prf_t {
+
+ /**
+ * Public af_alg_prf_t interface.
+ */
+ af_alg_prf_t public;
+
+ /**
+ * AF_ALG operations
+ */
+ af_alg_ops_t *ops;
+
+ /**
+ * Size of the PRF output
+ */
+ size_t block_size;
+
+ /**
+ * Default key size
+ */
+ size_t key_size;
+
+ /**
+ * Using an XCBC algorithm?
+ */
+ bool xcbc;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+ pseudo_random_function_t id;
+ char *name;
+ size_t block_size;
+ bool xcbc;
+} algs[] = {
+ {PRF_HMAC_SHA1, "hmac(sha1)", 20, FALSE, },
+ {PRF_HMAC_SHA2_256, "hmac(sha256)", 32, FALSE, },
+ {PRF_HMAC_MD5, "hmac(md5)", 16, FALSE, },
+ {PRF_HMAC_SHA2_384, "hmac(sha384)", 48, FALSE, },
+ {PRF_HMAC_SHA2_512, "hmac(sha512)", 64, FALSE, },
+ {PRF_AES128_XCBC, "xcbc(aes)", 16, TRUE, },
+ {PRF_CAMELLIA128_XCBC, "xcbc(camellia)", 16, TRUE, },
+};
+
+/**
+ * See header.
+ */
+void af_alg_prf_probe()
+{
+ af_alg_ops_t *ops;
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ ops = af_alg_ops_create("hash", algs[i].name);
+ if (ops)
+ {
+ ops->destroy(ops);
+ lib->crypto->add_prf(lib->crypto, algs[i].id, af_alg_plugin_name,
+ (prf_constructor_t)af_alg_prf_create);
+ }
+ }
+}
+
+/**
+ * Get the kernel algorithm string and block size for our identifier
+ */
+static size_t lookup_alg(integrity_algorithm_t algo, char **name, bool *xcbc)
+{
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ if (algs[i].id == algo)
+ {
+ *name = algs[i].name;
+ *xcbc = algs[i].xcbc;
+ return algs[i].block_size;
+ }
+ }
+ return 0;
+}
+
+METHOD(prf_t, get_bytes, void,
+ private_af_alg_prf_t *this, chunk_t seed, u_int8_t *buffer)
+{
+ this->ops->hash(this->ops, seed, buffer, this->block_size);
+}
+
+METHOD(prf_t, allocate_bytes, void,
+ private_af_alg_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+ if (chunk)
+ {
+ *chunk = chunk_alloc(this->block_size);
+ get_bytes(this, seed, chunk->ptr);
+ }
+ else
+ {
+ get_bytes(this, seed, NULL);
+ }
+}
+
+METHOD(prf_t, get_block_size, size_t,
+ private_af_alg_prf_t *this)
+{
+ return this->block_size;
+}
+
+METHOD(prf_t, get_key_size, size_t,
+ private_af_alg_prf_t *this)
+{
+ return this->block_size;
+}
+
+METHOD(prf_t, set_key, void,
+ private_af_alg_prf_t *this, chunk_t key)
+{
+ char buf[this->block_size];
+
+ if (this->xcbc)
+ {
+ /* The kernel currently does not support variable length XCBC keys,
+ * do RFC4434 key padding/reduction manually. */
+ if (key.len < this->block_size)
+ {
+ memset(buf, 0, this->block_size);
+ memcpy(buf, key.ptr, key.len);
+ key = chunk_from_thing(buf);
+ }
+ else if (key.len > this->block_size)
+ {
+ memset(buf, 0, this->block_size);
+ this->ops->set_key(this->ops, chunk_from_thing(buf));
+ this->ops->hash(this->ops, key, buf, this->block_size);
+ key = chunk_from_thing(buf);
+ }
+ }
+ this->ops->set_key(this->ops, key);
+}
+
+METHOD(prf_t, destroy, void,
+ private_af_alg_prf_t *this)
+{
+ this->ops->destroy(this->ops);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo)
+{
+ private_af_alg_prf_t *this;
+ size_t block_size;
+ bool xcbc;
+ char *name;
+
+ block_size = lookup_alg(algo, &name, &xcbc);
+ if (!block_size)
+ { /* not supported by kernel */
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .prf = {
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .get_block_size = _get_block_size,
+ .get_key_size = _get_key_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ },
+ .ops = af_alg_ops_create("hash", name),
+ .block_size = block_size,
+ .xcbc = xcbc,
+ );
+ if (!this->ops)
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.h b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
new file mode 100644
index 000000000..a3dea5649
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_prf af_alg_prf
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_PRF_H_
+#define AF_ALG_PRF_H_
+
+typedef struct af_alg_prf_t af_alg_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * Implementation of PRFs using AF_ALG.
+ */
+struct af_alg_prf_t {
+
+ /**
+ * Implements prf_t interface.
+ */
+ prf_t prf;
+};
+
+/**
+ * Creates a new af_alg_prf_t object.
+ *
+ * @param algo algorithm to implement
+ * @return af_alg_prf_t object, NULL if hash not supported
+ */
+af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo);
+
+/**
+ * Probe algorithms and register af_alg_prf_create().
+ */
+void af_alg_prf_probe();
+
+#endif /** AF_ALG_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
new file mode 100644
index 000000000..3d6f907bf
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_signer.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_signer_t private_af_alg_signer_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_af_alg_signer_t {
+
+ /**
+ * Public interface of af_alg_signer_t.
+ */
+ af_alg_signer_t public;
+
+ /**
+ * AF_ALG operations
+ */
+ af_alg_ops_t *ops;
+
+ /**
+ * Size of the truncated signature
+ */
+ size_t block_size;
+
+ /**
+ * Default key size
+ */
+ size_t key_size;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+ integrity_algorithm_t id;
+ char *name;
+ size_t block_size;
+ size_t key_size;
+} algs[] = {
+ {AUTH_HMAC_SHA1_96, "hmac(sha1)", 12, 20, },
+ {AUTH_HMAC_SHA1_128, "hmac(sha1)", 16, 20, },
+ {AUTH_HMAC_SHA1_160, "hmac(sha1)", 20, 20, },
+ {AUTH_HMAC_SHA2_256_96, "hmac(sha256)", 12, 32, },
+ {AUTH_HMAC_SHA2_256_128, "hmac(sha256)", 16, 32, },
+ {AUTH_HMAC_MD5_96, "hmac(md5)", 12, 16, },
+ {AUTH_HMAC_MD5_128, "hmac(md5)", 16, 16, },
+ {AUTH_HMAC_SHA2_256_256, "hmac(sha384)", 32, 32, },
+ {AUTH_HMAC_SHA2_384_192, "hmac(sha384)", 24, 48, },
+ {AUTH_HMAC_SHA2_384_384, "hmac(sha384)", 48, 48, },
+ {AUTH_HMAC_SHA2_512_256, "hmac(sha512)", 32, 64, },
+ {AUTH_AES_XCBC_96, "xcbc(aes)", 12, 16, },
+ {AUTH_CAMELLIA_XCBC_96, "xcbc(camellia)", 12, 16, },
+};
+
+/**
+ * See header.
+ */
+void af_alg_signer_probe()
+{
+ af_alg_ops_t *ops;
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ ops = af_alg_ops_create("hash", algs[i].name);
+ if (ops)
+ {
+ ops->destroy(ops);
+ lib->crypto->add_signer(lib->crypto, algs[i].id, af_alg_plugin_name,
+ (signer_constructor_t)af_alg_signer_create);
+ }
+ }
+}
+
+/**
+ * Get the kernel algorithm string and block/key size for our identifier
+ */
+static size_t lookup_alg(integrity_algorithm_t algo, char **name,
+ size_t *key_size)
+{
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ if (algs[i].id == algo)
+ {
+ *name = algs[i].name;
+ *key_size = algs[i].key_size;
+ return algs[i].block_size;
+ }
+ }
+ return 0;
+}
+
+METHOD(signer_t, get_signature, void,
+ private_af_alg_signer_t *this, chunk_t data, u_int8_t *buffer)
+{
+ this->ops->hash(this->ops, data, buffer, this->block_size);
+}
+
+METHOD(signer_t, allocate_signature, void,
+ private_af_alg_signer_t *this, chunk_t data, chunk_t *chunk)
+{
+ if (chunk)
+ {
+ *chunk = chunk_alloc(this->block_size);
+ get_signature(this, data, chunk->ptr);
+ }
+ else
+ {
+ get_signature(this, data, NULL);
+ }
+}
+
+METHOD(signer_t, verify_signature, bool,
+ private_af_alg_signer_t *this, chunk_t data, chunk_t signature)
+{
+ char sig[this->block_size];
+
+ if (signature.len != this->block_size)
+ {
+ return FALSE;
+ }
+ get_signature(this, data, sig);
+ return memeq(signature.ptr, sig, signature.len);
+}
+
+METHOD(signer_t, get_key_size, size_t,
+ private_af_alg_signer_t *this)
+{
+ return this->key_size;
+}
+
+METHOD(signer_t, get_block_size, size_t,
+ private_af_alg_signer_t *this)
+{
+ return this->block_size;
+}
+
+METHOD(signer_t, set_key, void,
+ private_af_alg_signer_t *this, chunk_t key)
+{
+ this->ops->set_key(this->ops, key);
+}
+
+METHOD(signer_t, destroy, void,
+ private_af_alg_signer_t *this)
+{
+ this->ops->destroy(this->ops);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo)
+{
+ private_af_alg_signer_t *this;
+ size_t block_size, key_size;
+ char *name;
+
+ block_size = lookup_alg(algo, &name, &key_size);
+ if (!block_size)
+ { /* not supported by kernel */
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .signer = {
+ .get_signature = _get_signature,
+ .allocate_signature = _allocate_signature,
+ .verify_signature = _verify_signature,
+ .get_key_size = _get_key_size,
+ .get_block_size = _get_block_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ },
+ .ops = af_alg_ops_create("hash", name),
+ .block_size = block_size,
+ .key_size = key_size,
+ );
+ if (!this->ops)
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.h b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
new file mode 100644
index 000000000..b1d90707f
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_signer af_alg_signer
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_SIGNER_H_
+#define AF_ALG_SIGNER_H_
+
+typedef struct af_alg_signer_t af_alg_signer_t;
+
+#include <crypto/signers/signer.h>
+
+/**
+ * Implementation of signers using AF_ALG.
+ */
+struct af_alg_signer_t {
+
+ /**
+ * Implements signer_t interface.
+ */
+ signer_t signer;
+};
+
+/**
+ * Creates a new af_alg_signer_t.
+ *
+ * @param algo algorithm to implement
+ * @return af_alg_signer_t, NULL if not supported
+ */
+af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo);
+
+/**
+ * Probe algorithms and register af_alg_signer_create().
+ */
+void af_alg_signer_probe();
+
+#endif /** AF_ALG_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 9f65f4ffb..1a3533f03 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index d310843ac..251722f60 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 6ab093d7b..5232eca28 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -19,6 +19,8 @@
#include <library.h>
#include "blowfish_crypter.h"
+static const char *plugin_name = "blowfish";
+
typedef struct private_blowfish_plugin_t private_blowfish_plugin_t;
/**
@@ -55,7 +57,7 @@ plugin_t *blowfish_plugin_create()
},
);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
(crypter_constructor_t)blowfish_crypter_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 017d75c48..371e5b2f4 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c
index 5fc3b14d7..a4c89b548 100644
--- a/src/libstrongswan/plugins/ccm/ccm_plugin.c
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c
@@ -19,6 +19,8 @@
#include "ccm_aead.h"
+static const char *plugin_name = "ccm";
+
typedef struct private_ccm_plugin_t private_ccm_plugin_t;
/**
@@ -47,23 +49,34 @@ METHOD(plugin_t, destroy, void,
plugin_t *ccm_plugin_create()
{
private_ccm_plugin_t *this;
+ crypter_t *crypter;
INIT(this,
.public.plugin.destroy = _destroy,
);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8,
- (aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12,
- (aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16,
- (aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8,
- (aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12,
- (aead_constructor_t)ccm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16,
- (aead_constructor_t)ccm_aead_create);
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, plugin_name,
+ (aead_constructor_t)ccm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, plugin_name,
+ (aead_constructor_t)ccm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, plugin_name,
+ (aead_constructor_t)ccm_aead_create);
+ }
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 0);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, plugin_name,
+ (aead_constructor_t)ccm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, plugin_name,
+ (aead_constructor_t)ccm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, plugin_name,
+ (aead_constructor_t)ccm_aead_create);
+ }
return &this->public.plugin;
}
diff --git a/src/libstrongswan/plugins/constraints/Makefile.am b/src/libstrongswan/plugins/constraints/Makefile.am
new file mode 100644
index 000000000..d80d39a2d
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-constraints.la
+else
+plugin_LTLIBRARIES = libstrongswan-constraints.la
+endif
+
+libstrongswan_constraints_la_SOURCES = \
+ constraints_plugin.h constraints_plugin.c \
+ constraints_validator.h constraints_validator.c
+
+libstrongswan_constraints_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
new file mode 100644
index 000000000..382bfef98
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -0,0 +1,604 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/constraints
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_constraints_la_LIBADD =
+am_libstrongswan_constraints_la_OBJECTS = constraints_plugin.lo \
+ constraints_validator.lo
+libstrongswan_constraints_la_OBJECTS = \
+ $(am_libstrongswan_constraints_la_OBJECTS)
+libstrongswan_constraints_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_constraints_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_constraints_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_constraints_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_constraints_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_constraints_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-constraints.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-constraints.la
+libstrongswan_constraints_la_SOURCES = \
+ constraints_plugin.h constraints_plugin.c \
+ constraints_validator.h constraints_validator.c
+
+libstrongswan_constraints_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES)
+ $(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_validator.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.c b/src/libstrongswan/plugins/constraints/constraints_plugin.c
new file mode 100644
index 000000000..1c3f0c835
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "constraints_plugin.h"
+
+#include <library.h>
+#include "constraints_validator.h"
+
+typedef struct private_constraints_plugin_t private_constraints_plugin_t;
+
+/**
+ * private data of constraints_plugin
+ */
+struct private_constraints_plugin_t {
+
+ /**
+ * public functions
+ */
+ constraints_plugin_t public;
+
+ /**
+ * Validator implementation instance.
+ */
+ constraints_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_constraints_plugin_t *this)
+{
+ lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->validator->destroy(this->validator);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *constraints_plugin_create()
+{
+ private_constraints_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ .validator = constraints_validator_create(),
+ );
+ lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.h b/src/libstrongswan/plugins/constraints/constraints_plugin.h
new file mode 100644
index 000000000..7042a4d92
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup constraints constraints
+ * @ingroup plugins
+ *
+ * @defgroup constraints_plugin constraints_plugin
+ * @{ @ingroup constraints
+ */
+
+#ifndef CONSTRAINTS_PLUGIN_H_
+#define CONSTRAINTS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct constraints_plugin_t constraints_plugin_t;
+
+/**
+ * Advanced X509 constraint checking.
+ */
+struct constraints_plugin_t {
+
+ /**
+ * Implements plugin_t. interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** CONSTRAINTS_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
new file mode 100644
index 000000000..b54d813df
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "constraints_validator.h"
+
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <utils/linked_list.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_constraints_validator_t private_constraints_validator_t;
+
+/**
+ * Private data of an constraints_validator_t object.
+ */
+struct private_constraints_validator_t {
+
+ /**
+ * Public constraints_validator_t interface.
+ */
+ constraints_validator_t public;
+};
+
+/**
+ * Check pathlen constraint of issuer certificate
+ */
+static bool check_pathlen(x509_t *issuer, int pathlen)
+{
+ u_int pathlen_constraint;
+
+ pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
+ if (pathlen_constraint != X509_NO_CONSTRAINT &&
+ pathlen > pathlen_constraint)
+ {
+ DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+ pathlen, pathlen_constraint);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Check if a FQDN/RFC822 constraint matches (suffix match)
+ */
+static bool suffix_matches(identification_t *constraint, identification_t *id)
+{
+ chunk_t c, i;
+
+ c = constraint->get_encoding(constraint);
+ i = id->get_encoding(id);
+
+ return i.len >= c.len && chunk_equals(c, chunk_skip(i, i.len - c.len));
+}
+
+/**
+ * Check if a DN constraint matches (RDN prefix match)
+ */
+static bool dn_matches(identification_t *constraint, identification_t *id)
+{
+ enumerator_t *ec, *ei;
+ id_part_t pc, pi;
+ chunk_t cc, ci;
+ bool match = TRUE;
+
+ ec = constraint->create_part_enumerator(constraint);
+ ei = id->create_part_enumerator(id);
+ while (ec->enumerate(ec, &pc, &cc))
+ {
+ if (!ei->enumerate(ei, &pi, &ci) ||
+ pi != pc || !chunk_equals(cc, ci))
+ {
+ match = FALSE;
+ break;
+ }
+ }
+ ec->destroy(ec);
+ ei->destroy(ei);
+
+ return match;
+}
+
+/**
+ * Check if a certificate matches to a NameConstraint
+ */
+static bool name_constraint_matches(identification_t *constraint,
+ certificate_t *cert, bool permitted)
+{
+ x509_t *x509 = (x509_t*)cert;
+ enumerator_t *enumerator;
+ identification_t *id;
+ id_type_t type;
+ bool matches = permitted;
+
+ type = constraint->get_type(constraint);
+ if (type == ID_DER_ASN1_DN)
+ {
+ matches = dn_matches(constraint, cert->get_subject(cert));
+ if (matches != permitted)
+ {
+ return matches;
+ }
+ }
+
+ enumerator = x509->create_subjectAltName_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (id->get_type(id) == type)
+ {
+ switch (type)
+ {
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ matches = suffix_matches(constraint, id);
+ break;
+ case ID_DER_ASN1_DN:
+ matches = dn_matches(constraint, id);
+ break;
+ default:
+ DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
+ id_type_names, type);
+ matches = FALSE;
+ break;
+ }
+ }
+ if (matches != permitted)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return matches;
+}
+
+/**
+ * Check if a permitted or excluded NameConstraint has been inherited to sub-CA
+ */
+static bool name_constraint_inherited(identification_t *constraint,
+ x509_t *x509, bool permitted)
+{
+ enumerator_t *enumerator;
+ identification_t *id;
+ bool inherited = FALSE;
+ id_type_t type;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ { /* not a sub-CA, not required */
+ return TRUE;
+ }
+
+ type = constraint->get_type(constraint);
+ enumerator = x509->create_name_constraint_enumerator(x509, permitted);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (id->get_type(id) == type)
+ {
+ switch (type)
+ {
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ if (permitted)
+ { /* permitted constraint can be narrowed */
+ inherited = suffix_matches(constraint, id);
+ }
+ else
+ { /* excluded constraint can be widened */
+ inherited = suffix_matches(id, constraint);
+ }
+ break;
+ case ID_DER_ASN1_DN:
+ if (permitted)
+ {
+ inherited = dn_matches(constraint, id);
+ }
+ else
+ {
+ inherited = dn_matches(id, constraint);
+ }
+ break;
+ default:
+ DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
+ id_type_names, type);
+ inherited = FALSE;
+ break;
+ }
+ }
+ if (inherited)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return inherited;
+}
+
+/**
+ * Check name constraints
+ */
+static bool check_name_constraints(certificate_t *subject, x509_t *issuer)
+{
+ enumerator_t *enumerator;
+ identification_t *constraint;
+
+ enumerator = issuer->create_name_constraint_enumerator(issuer, TRUE);
+ while (enumerator->enumerate(enumerator, &constraint))
+ {
+ if (!name_constraint_matches(constraint, subject, TRUE))
+ {
+ DBG1(DBG_CFG, "certificate '%Y' does not match permitted name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ if (!name_constraint_inherited(constraint, (x509_t*)subject, TRUE))
+ {
+ DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit permitted name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = issuer->create_name_constraint_enumerator(issuer, FALSE);
+ while (enumerator->enumerate(enumerator, &constraint))
+ {
+ if (name_constraint_matches(constraint, subject, FALSE))
+ {
+ DBG1(DBG_CFG, "certificate '%Y' matches excluded name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ if (!name_constraint_inherited(constraint, (x509_t*)subject, FALSE))
+ {
+ DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit excluded name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return TRUE;
+}
+
+/**
+ * Special OID for anyPolicy
+ */
+static chunk_t any_policy = chunk_from_chars(0x55,0x1d,0x20,0x00);
+
+/**
+ * Check if an issuer certificate has a given policy OID
+ */
+static bool has_policy(x509_t *issuer, chunk_t oid)
+{
+ x509_policy_mapping_t *mapping;
+ x509_cert_policy_t *policy;
+ enumerator_t *enumerator;
+
+ enumerator = issuer->create_cert_policy_enumerator(issuer);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ if (chunk_equals(oid, policy->oid) ||
+ chunk_equals(any_policy, policy->oid))
+ {
+ enumerator->destroy(enumerator);
+ return TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* fall back to a mapped policy */
+ enumerator = issuer->create_policy_mapping_enumerator(issuer);
+ while (enumerator->enumerate(enumerator, &mapping))
+ {
+ if (chunk_equals(mapping->subject, oid))
+ {
+ enumerator->destroy(enumerator);
+ return TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return FALSE;
+}
+
+/**
+ * Check certificatePolicies.
+ */
+static bool check_policy(x509_t *subject, x509_t *issuer, bool check,
+ auth_cfg_t *auth)
+{
+ certificate_t *cert = (certificate_t*)subject;
+ x509_policy_mapping_t *mapping;
+ x509_cert_policy_t *policy;
+ enumerator_t *enumerator;
+ char *oid;
+
+ /* verify if policyMappings in subject are valid */
+ enumerator = subject->create_policy_mapping_enumerator(subject);
+ while (enumerator->enumerate(enumerator, &mapping))
+ {
+ if (!has_policy(issuer, mapping->issuer))
+ {
+ oid = asn1_oid_to_string(mapping->issuer);
+ DBG1(DBG_CFG, "certificate '%Y' maps policy from %s, but issuer "
+ "misses it", cert->get_subject(cert), oid);
+ free(oid);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (check)
+ {
+ enumerator = subject->create_cert_policy_enumerator(subject);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ if (!has_policy(issuer, policy->oid))
+ {
+ oid = asn1_oid_to_string(policy->oid);
+ DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'",
+ oid, cert->get_issuer(cert));
+ free(oid);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ if (auth)
+ {
+ oid = asn1_oid_to_string(policy->oid);
+ if (oid)
+ {
+ auth->add(auth, AUTH_RULE_CERT_POLICY, oid);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ return TRUE;
+}
+
+/**
+ * Check len certificates in trustchain for inherited policies
+ */
+static bool has_policy_chain(linked_list_t *chain, x509_t *subject, int len)
+{
+ enumerator_t *enumerator;
+ x509_t *issuer;
+ bool valid = TRUE;
+
+ enumerator = chain->create_enumerator(chain);
+ while (len-- > 0 && enumerator->enumerate(enumerator, &issuer))
+ {
+ if (!check_policy(subject, issuer, TRUE, NULL))
+ {
+ valid = FALSE;
+ break;
+ }
+ subject = issuer;
+ }
+ enumerator->destroy(enumerator);
+ return valid;
+}
+
+/**
+ * Check len certificates in trustchain to have no policyMappings
+ */
+static bool has_no_policy_mapping(linked_list_t *chain, int len)
+{
+ enumerator_t *enumerator, *mappings;
+ x509_policy_mapping_t *mapping;
+ certificate_t *cert;
+ x509_t *x509;
+ bool valid = TRUE;
+
+ enumerator = chain->create_enumerator(chain);
+ while (len-- > 0 && enumerator->enumerate(enumerator, &x509))
+ {
+ mappings = x509->create_policy_mapping_enumerator(x509);
+ valid = !mappings->enumerate(mappings, &mapping);
+ mappings->destroy(mappings);
+ if (!valid)
+ {
+ cert = (certificate_t*)x509;
+ DBG1(DBG_CFG, "found policyMapping in certificate '%Y', but "
+ "inhibitPolicyMapping in effect", cert->get_subject(cert));
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return valid;
+}
+
+/**
+ * Check len certificates in trustchain to have no anyPolicies
+ */
+static bool has_no_any_policy(linked_list_t *chain, int len)
+{
+ enumerator_t *enumerator, *policies;
+ x509_cert_policy_t *policy;
+ certificate_t *cert;
+ x509_t *x509;
+ bool valid = TRUE;
+
+ enumerator = chain->create_enumerator(chain);
+ while (len-- > 0 && enumerator->enumerate(enumerator, &x509))
+ {
+ policies = x509->create_cert_policy_enumerator(x509);
+ while (policies->enumerate(policies, &policy))
+ {
+ if (chunk_equals(policy->oid, any_policy))
+ {
+ cert = (certificate_t*)x509;
+ DBG1(DBG_CFG, "found anyPolicy in certificate '%Y', but "
+ "inhibitAnyPolicy in effect", cert->get_subject(cert));
+ valid = FALSE;
+ break;
+ }
+ }
+ policies->destroy(policies);
+ }
+ enumerator->destroy(enumerator);
+ return valid;
+}
+
+/**
+ * Check requireExplicitPolicy and inhibitPolicyMapping constraints
+ */
+static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
+ auth_cfg_t *auth)
+{
+ certificate_t *subject;
+ bool valid = TRUE;
+
+ subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (subject)
+ {
+ if (subject->get_type(subject) == CERT_X509)
+ {
+ enumerator_t *enumerator;
+ linked_list_t *chain;
+ certificate_t *cert;
+ auth_rule_t rule;
+ x509_t *x509;
+ int len = 0;
+ u_int expl, inh;
+
+ /* prepare trustchain to validate */
+ chain = linked_list_create();
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &cert))
+ {
+ if (rule == AUTH_RULE_IM_CERT &&
+ cert->get_type(cert) == CERT_X509)
+ {
+ chain->insert_last(chain, cert);
+ }
+ }
+ enumerator->destroy(enumerator);
+ chain->insert_last(chain, issuer);
+
+ /* search for requireExplicitPolicy constraints */
+ enumerator = chain->create_enumerator(chain);
+ while (enumerator->enumerate(enumerator, &x509))
+ {
+ expl = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+ if (expl != X509_NO_CONSTRAINT)
+ {
+ if (!has_policy_chain(chain, (x509_t*)subject, len - expl))
+ {
+ valid = FALSE;
+ break;
+ }
+ }
+ len++;
+ }
+ enumerator->destroy(enumerator);
+
+ /* search for inhibitPolicyMapping/inhibitAnyPolicy constraints */
+ len = 0;
+ chain->insert_first(chain, subject);
+ enumerator = chain->create_enumerator(chain);
+ while (enumerator->enumerate(enumerator, &x509))
+ {
+ inh = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+ if (inh != X509_NO_CONSTRAINT)
+ {
+ if (!has_no_policy_mapping(chain, len - inh))
+ {
+ valid = FALSE;
+ break;
+ }
+ }
+ inh = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+ if (inh != X509_NO_CONSTRAINT)
+ {
+ if (!has_no_any_policy(chain, len - inh))
+ {
+ valid = FALSE;
+ break;
+ }
+ }
+ len++;
+ }
+ enumerator->destroy(enumerator);
+
+ chain->destroy(chain);
+ }
+ }
+ return valid;
+}
+
+METHOD(cert_validator_t, validate, bool,
+ private_constraints_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
+ auth_cfg_t *auth)
+{
+ if (issuer->get_type(issuer) == CERT_X509 &&
+ subject->get_type(subject) == CERT_X509)
+ {
+ if (!check_pathlen((x509_t*)issuer, pathlen))
+ {
+ return FALSE;
+ }
+ if (!check_name_constraints(subject, (x509_t*)issuer))
+ {
+ return FALSE;
+ }
+ if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth))
+ {
+ return FALSE;
+ }
+ if (anchor)
+ {
+ if (!check_policy_constraints((x509_t*)issuer, pathlen, auth))
+ {
+ return FALSE;
+ }
+ }
+ }
+ return TRUE;
+}
+
+METHOD(constraints_validator_t, destroy, void,
+ private_constraints_validator_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+constraints_validator_t *constraints_validator_create()
+{
+ private_constraints_validator_t *this;
+
+ INIT(this,
+ .public = {
+ .validator.validate = _validate,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.h b/src/libstrongswan/plugins/constraints/constraints_validator.h
new file mode 100644
index 000000000..44582d6c8
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup constraints_validator constraints_validator
+ * @{ @ingroup constraints
+ */
+
+#ifndef CONSTRAINTS_VALIDATOR_H_
+#define CONSTRAINTS_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct constraints_validator_t constraints_validator_t;
+
+/**
+ * Certificate validator doing advanced X509 constraint checking.
+ */
+struct constraints_validator_t {
+
+ /**
+ * Implements cert_validator_t interface.
+ */
+ cert_validator_t validator;
+
+ /**
+ * Destroy a constraints_validator_t.
+ */
+ void (*destroy)(constraints_validator_t *this);
+};
+
+/**
+ * Create a constraints_validator instance.
+ */
+constraints_validator_t *constraints_validator_create();
+
+#endif /** CONSTRAINTS_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index b51f57113..2f6be07e2 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c
index 5e47f23ec..9f1bf957f 100644
--- a/src/libstrongswan/plugins/ctr/ctr_plugin.c
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c
@@ -19,6 +19,8 @@
#include "ctr_ipsec_crypter.h"
+static const char *plugin_name = "ctr";
+
typedef struct private_ctr_plugin_t private_ctr_plugin_t;
/**
@@ -47,6 +49,7 @@ METHOD(plugin_t, destroy, void,
plugin_t *ctr_plugin_create()
{
private_ctr_plugin_t *this;
+ crypter_t *crypter;
INIT(this,
.public = {
@@ -56,10 +59,19 @@ plugin_t *ctr_plugin_create()
},
);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
- (crypter_constructor_t)ctr_ipsec_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
- (crypter_constructor_t)ctr_ipsec_crypter_create);
-
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name,
+ (crypter_constructor_t)ctr_ipsec_crypter_create);
+ }
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name,
+ (crypter_constructor_t)ctr_ipsec_crypter_create);
+ }
return &this->public.plugin;
}
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 9cc99063c..e61c73041 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 4835f6461..82e24e810 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -104,6 +104,7 @@ METHOD(fetcher_t, fetch, status_t,
METHOD(fetcher_t, set_option, bool,
private_curl_fetcher_t *this, fetcher_option_t option, ...)
{
+ bool supported = TRUE;
va_list args;
va_start(args, option);
@@ -115,7 +116,7 @@ METHOD(fetcher_t, set_option, bool,
curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr);
curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len);
- return TRUE;
+ break;
}
case FETCH_REQUEST_TYPE:
{
@@ -124,30 +125,33 @@ METHOD(fetcher_t, set_option, bool,
snprintf(header, BUF_LEN, "Content-Type: %s", request_type);
this->headers = curl_slist_append(this->headers, header);
- return TRUE;
+ break;
}
case FETCH_REQUEST_HEADER:
{
char *header = va_arg(args, char*);
this->headers = curl_slist_append(this->headers, header);
- return TRUE;
+ break;
}
case FETCH_HTTP_VERSION_1_0:
{
curl_easy_setopt(this->curl, CURLOPT_HTTP_VERSION,
CURL_HTTP_VERSION_1_0);
- return TRUE;
+ break;
}
case FETCH_TIMEOUT:
{
curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT,
va_arg(args, u_int));
- return TRUE;
+ break;
}
default:
- return FALSE;
+ supported = FALSE;
+ break;
}
+ va_end(args);
+ return supported;
}
METHOD(fetcher_t, destroy, void,
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index e00fcfc03..387da03aa 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -34,10 +34,8 @@ struct private_curl_plugin_t {
curl_plugin_t public;
};
-/**
- * Implementation of curl_plugin_t.curltroy
- */
-static void destroy(private_curl_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_curl_plugin_t *this)
{
lib->fetcher->remove_fetcher(lib->fetcher,
(fetcher_constructor_t)curl_fetcher_create);
@@ -51,9 +49,15 @@ static void destroy(private_curl_plugin_t *this)
plugin_t *curl_plugin_create()
{
CURLcode res;
- private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t);
+ private_curl_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
res = curl_global_init(CURL_GLOBAL_NOTHING);
if (res == CURLE_OK)
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 0e8fa7315..e45988ca9 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index 43b457ce2..d420d789e 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -18,6 +18,8 @@
#include <library.h>
#include "des_crypter.h"
+static const char *plugin_name = "des";
+
typedef struct private_des_plugin_t private_des_plugin_t;
/**
@@ -54,11 +56,11 @@ plugin_t *des_plugin_create()
},
);
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
(crypter_constructor_t)des_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
(crypter_constructor_t)des_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
(crypter_constructor_t)des_crypter_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 7f4529211..d1dce4679 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index bc0ee30ae..d11b149df 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -31,10 +31,8 @@ struct private_dnskey_plugin_t {
dnskey_plugin_t public;
};
-/**
- * Implementation of dnskey_plugin_t.dnskeytroy
- */
-static void destroy(private_dnskey_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_dnskey_plugin_t *this)
{
lib->creds->remove_builder(lib->creds,
(builder_function_t)dnskey_public_key_load);
@@ -46,10 +44,15 @@ static void destroy(private_dnskey_plugin_t *this)
*/
plugin_t *dnskey_plugin_create()
{
- private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+ private_dnskey_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
(builder_function_t)dnskey_public_key_load);
lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 7e2a1ccdf..ab1ed6d00 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index ad03fa585..ee71f6efd 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -106,7 +106,8 @@ static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[])
* 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
* 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
*/
-static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
+METHOD(prf_t, get_bytes, void,
+ private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
{
int i;
u_int8_t xval[this->b];
@@ -139,34 +140,26 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
/* 3.3 done already, mod q not used */
}
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_fips_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+ private_fips_prf_t *this)
{
return 2 * this->b;
}
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_fips_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+ private_fips_prf_t *this, chunk_t seed, chunk_t *chunk)
{
*chunk = chunk_alloc(get_block_size(this));
get_bytes(this, seed, chunk->ptr);
}
-/**
- * Implementation of prf_t.get_key_size.
- */
-static size_t get_key_size(private_fips_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+ private_fips_prf_t *this)
{
return this->b;
}
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_fips_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+ private_fips_prf_t *this, chunk_t key)
{
/* save key as "key mod 2^b" */
chunk_mod(this->b, key, this->key);
@@ -198,10 +191,8 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
this->keyed_prf->get_bytes(this->keyed_prf, c, res);
}
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_fips_prf_t *this)
+METHOD(prf_t, destroy, void,
+ private_fips_prf_t *this)
{
this->keyed_prf->destroy(this->keyed_prf);
free(this->key);
@@ -213,14 +204,20 @@ static void destroy(private_fips_prf_t *this)
*/
fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
{
- private_fips_prf_t *this = malloc_thing(private_fips_prf_t);
-
- this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
- this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
- this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
- this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
- this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
- this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+ private_fips_prf_t *this;
+
+ INIT(this,
+ .public = {
+ .prf_interface = {
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .get_block_size = _get_block_size,
+ .get_key_size = _get_key_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ },
+ );
switch (algo)
{
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
index f41265637..3cce6ad91 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
@@ -18,6 +18,8 @@
#include <library.h>
#include "fips_prf.h"
+static const char *plugin_name = "fips-prf";
+
typedef struct private_fips_prf_plugin_t private_fips_prf_plugin_t;
/**
@@ -31,10 +33,8 @@ struct private_fips_prf_plugin_t {
fips_prf_plugin_t public;
};
-/**
- * Implementation of fips_prf_plugin_t.destroy
- */
-static void destroy(private_fips_prf_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_fips_prf_plugin_t *this)
{
lib->crypto->remove_prf(lib->crypto,
(prf_constructor_t)fips_prf_create);
@@ -46,12 +46,24 @@ static void destroy(private_fips_prf_plugin_t *this)
*/
plugin_t *fips_prf_plugin_create()
{
- private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t);
+ private_fips_prf_plugin_t *this;
+ prf_t *prf;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
- lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160,
- (prf_constructor_t)fips_prf_create);
+ prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);
+ if (prf)
+ {
+ prf->destroy(prf);
+ lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, plugin_name,
+ (prf_constructor_t)fips_prf_create);
+ }
return &this->public.plugin;
}
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index a4de9ea77..9e0b49776 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c
index 061001b30..a438fb073 100644
--- a/src/libstrongswan/plugins/gcm/gcm_plugin.c
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c
@@ -19,6 +19,8 @@
#include "gcm_aead.h"
+static const char *plugin_name = "gcm";
+
typedef struct private_gcm_plugin_t private_gcm_plugin_t;
/**
@@ -47,17 +49,23 @@ METHOD(plugin_t, destroy, void,
plugin_t *gcm_plugin_create()
{
private_gcm_plugin_t *this;
+ crypter_t *crypter;
INIT(this,
.public.plugin.destroy = _destroy,
);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
- (aead_constructor_t)gcm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
- (aead_constructor_t)gcm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
- (aead_constructor_t)gcm_aead_create);
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, plugin_name,
+ (aead_constructor_t)gcm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, plugin_name,
+ (aead_constructor_t)gcm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, plugin_name,
+ (aead_constructor_t)gcm_aead_create);
+ }
return &this->public.plugin;
}
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 00c49c487..1bcada7dc 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 590add5c8..a53fed448 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -29,6 +29,8 @@
#include <errno.h>
#include <gcrypt.h>
+static const char *plugin_name = "gcrypt";
+
typedef struct private_gcrypt_plugin_t private_gcrypt_plugin_t;
/**
@@ -148,79 +150,79 @@ plugin_t *gcrypt_plugin_create()
);
/* hashers */
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
(hasher_constructor_t)gcrypt_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
(hasher_constructor_t)gcrypt_hasher_create);
/* crypters */
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAST,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
#ifdef HAVE_GCRY_CIPHER_CAMELLIA
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
#endif /* HAVE_GCRY_CIPHER_CAMELLIA */
- lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, plugin_name,
(crypter_constructor_t)gcrypt_crypter_create);
/* random numbers */
- lib->crypto->add_rng(lib->crypto, RNG_WEAK,
+ lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name,
(rng_constructor_t)gcrypt_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_STRONG,
+ lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
(rng_constructor_t)gcrypt_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_TRUE,
+ lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
(rng_constructor_t)gcrypt_rng_create);
/* diffie hellman groups, using modp */
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
(dh_constructor_t)gcrypt_dh_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+ lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
(dh_constructor_t)gcrypt_dh_create_custom);
/* RSA */
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index b4ec1ed8d..f73bfb406 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index 9b4fad3da..e9bfbcc28 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -20,6 +20,8 @@
#include "gmp_rsa_private_key.h"
#include "gmp_rsa_public_key.h"
+static const char *plugin_name = "gmp";
+
typedef struct private_gmp_plugin_t private_gmp_plugin_t;
/**
@@ -64,30 +66,30 @@ plugin_t *gmp_plugin_create()
},
);
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+ lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
(dh_constructor_t)gmp_diffie_hellman_create_custom);
lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 42a7d3747..72cc23b72 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index 73df4dc6c..76d6157ae 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -19,6 +19,8 @@
#include "hmac_signer.h"
#include "hmac_prf.h"
+static const char *plugin_name = "hmac";
+
typedef struct private_hmac_plugin_t private_hmac_plugin_t;
/**
@@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void,
plugin_t *hmac_plugin_create()
{
private_hmac_plugin_t *this;
+ hasher_t *hasher;
INIT(this,
.public = {
@@ -57,37 +60,62 @@ plugin_t *hmac_plugin_create()
},
);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256,
- (prf_constructor_t)hmac_prf_create);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1,
- (prf_constructor_t)hmac_prf_create);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5,
- (prf_constructor_t)hmac_prf_create);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384,
- (prf_constructor_t)hmac_prf_create);
- lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512,
- (prf_constructor_t)hmac_prf_create);
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (hasher)
+ {
+ hasher->destroy(hasher);
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, plugin_name,
+ (prf_constructor_t)hmac_prf_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ }
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA256);
+ if (hasher)
+ {
+ hasher->destroy(hasher);
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, plugin_name,
+ (prf_constructor_t)hmac_prf_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384,
- (signer_constructor_t)hmac_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256,
- (signer_constructor_t)hmac_signer_create);
+ }
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+ if (hasher)
+ {
+ hasher->destroy(hasher);
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, plugin_name,
+ (prf_constructor_t)hmac_prf_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ }
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA384);
+ if (hasher)
+ {
+ hasher->destroy(hasher);
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, plugin_name,
+ (prf_constructor_t)hmac_prf_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ }
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+ if (hasher)
+ {
+ hasher->destroy(hasher);
+ lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, plugin_name,
+ (prf_constructor_t)hmac_prf_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, plugin_name,
+ (signer_constructor_t)hmac_signer_create);
+ }
return &this->public.plugin;
}
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 65a135e76..7235784e2 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index 59e655cd5..e6c592217 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -100,8 +100,8 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
}
-static status_t fetch(private_ldap_fetcher_t *this, char *url,
- chunk_t *result, va_list args)
+METHOD(fetcher_t, fetch, status_t,
+ private_ldap_fetcher_t *this, char *url, chunk_t *result)
{
LDAP *ldap;
LDAPURLDesc *lurl;
@@ -166,10 +166,8 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
}
-/**
- * Implementation of fetcher_t.set_option.
- */
-static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...)
+METHOD(fetcher_t, set_option, bool,
+ private_ldap_fetcher_t *this, fetcher_option_t option, ...)
{
va_list args;
@@ -186,10 +184,8 @@ static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ..
}
}
-/**
- * Implements ldap_fetcher_t.destroy
- */
-static void destroy(private_ldap_fetcher_t *this)
+METHOD(fetcher_t, destroy, void,
+ private_ldap_fetcher_t *this)
{
free(this);
}
@@ -199,13 +195,18 @@ static void destroy(private_ldap_fetcher_t *this)
*/
ldap_fetcher_t *ldap_fetcher_create()
{
- private_ldap_fetcher_t *this = malloc_thing(private_ldap_fetcher_t);
-
- this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
- this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
- this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
-
- this->timeout = DEFAULT_TIMEOUT;
+ private_ldap_fetcher_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .fetch = _fetch,
+ .set_option = _set_option,
+ .destroy = _destroy,
+ },
+ },
+ .timeout = DEFAULT_TIMEOUT,
+ );
return &this->public;
}
diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c
index 372ac9f93..3682ddd1f 100644
--- a/src/libstrongswan/plugins/ldap/ldap_plugin.c
+++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c
@@ -31,10 +31,8 @@ struct private_ldap_plugin_t {
ldap_plugin_t public;
};
-/**
- * Implementation of ldap_plugin_t.destroy
- */
-static void destroy(private_ldap_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_ldap_plugin_t *this)
{
lib->fetcher->remove_fetcher(lib->fetcher,
(fetcher_constructor_t)ldap_fetcher_create);
@@ -46,9 +44,15 @@ static void destroy(private_ldap_plugin_t *this)
*/
plugin_t *ldap_plugin_create()
{
- private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t);
+ private_ldap_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->fetcher->add_fetcher(lib->fetcher,
(fetcher_constructor_t)ldap_fetcher_create, "ldap://");
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index a78dad97c..ea1a7a69a 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c
index 38ae0d4bc..cea1a61f3 100644
--- a/src/libstrongswan/plugins/md4/md4_plugin.c
+++ b/src/libstrongswan/plugins/md4/md4_plugin.c
@@ -18,6 +18,8 @@
#include <library.h>
#include "md4_hasher.h"
+static const char *plugin_name = "md4";
+
typedef struct private_md4_plugin_t private_md4_plugin_t;
/**
@@ -31,10 +33,8 @@ struct private_md4_plugin_t {
md4_plugin_t public;
};
-/**
- * Implementation of md4_plugin_t.destroy
- */
-static void destroy(private_md4_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_md4_plugin_t *this)
{
lib->crypto->remove_hasher(lib->crypto,
(hasher_constructor_t)md4_hasher_create);
@@ -46,11 +46,17 @@ static void destroy(private_md4_plugin_t *this)
*/
plugin_t *md4_plugin_create()
{
- private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t);
+ private_md4_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
- lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
(hasher_constructor_t)md4_hasher_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 6de400e8e..05f101564 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
index cfbf6acea..d11173817 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.c
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -18,6 +18,8 @@
#include <library.h>
#include "md5_hasher.h"
+static const char *plugin_name = "md5";
+
typedef struct private_md5_plugin_t private_md5_plugin_t;
/**
@@ -31,10 +33,8 @@ struct private_md5_plugin_t {
md5_plugin_t public;
};
-/**
- * Implementation of md5_plugin_t.destroy
- */
-static void destroy(private_md5_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_md5_plugin_t *this)
{
lib->crypto->remove_hasher(lib->crypto,
(hasher_constructor_t)md5_hasher_create);
@@ -46,11 +46,17 @@ static void destroy(private_md5_plugin_t *this)
*/
plugin_t *md5_plugin_create()
{
- private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t);
+ private_md5_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
- lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
(hasher_constructor_t)md5_hasher_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 7d4d42c14..4880415b3 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 8005b9149..5fbfa0f28 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -474,10 +474,8 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
return TRUE;
}
-/**
- * Implementation of database_t.query.
- */
-static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
+METHOD(database_t, query, enumerator_t*,
+ private_mysql_database_t *this, char *sql, ...)
{
MYSQL_STMT *stmt;
va_list args;
@@ -563,10 +561,8 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
return (enumerator_t*)enumerator;
}
-/**
- * Implementation of database_t.execute.
- */
-static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
+METHOD(database_t, execute, int,
+ private_mysql_database_t *this, int *rowid, char *sql, ...)
{
MYSQL_STMT *stmt;
va_list args;
@@ -594,18 +590,14 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
return affected;
}
-/**
- * Implementation of database_t.get_driver
- */
-static db_driver_t get_driver(private_mysql_database_t *this)
+METHOD(database_t, get_driver,db_driver_t,
+ private_mysql_database_t *this)
{
return DB_MYSQL;
}
-/**
- * Implementation of database_t.destroy
- */
-static void destroy(private_mysql_database_t *this)
+METHOD(database_t, destroy, void,
+ private_mysql_database_t *this)
{
this->pool->destroy_function(this->pool, (void*)conn_destroy);
this->mutex->destroy(this->mutex);
@@ -677,12 +669,16 @@ mysql_database_t *mysql_database_create(char *uri)
return NULL;
}
- this = malloc_thing(private_mysql_database_t);
-
- this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
- this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
- this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
- this->public.db.destroy = (void(*)(database_t*))destroy;
+ INIT(this,
+ .public = {
+ .db = {
+ .query = _query,
+ .execute = _execute,
+ .get_driver = _get_driver,
+ .destroy = _destroy,
+ },
+ },
+ );
if (!parse_uri(this, uri))
{
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index a13aa8091..65d8681cb 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -32,10 +32,8 @@ struct private_mysql_plugin_t {
mysql_plugin_t public;
};
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_mysql_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_mysql_plugin_t *this)
{
lib->db->remove_database(lib->db,
(database_constructor_t)mysql_database_create);
@@ -56,8 +54,13 @@ plugin_t *mysql_plugin_create()
return NULL;
}
- this = malloc_thing(private_mysql_plugin_t);
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->db->add_database(lib->db,
(database_constructor_t)mysql_database_create);
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index a32418b16..b43be29f1 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -226,9 +226,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -267,6 +265,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index b9d97a901..58401faa5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -382,6 +382,8 @@ static private_openssl_crl_t *create_empty()
},
.get_serial = _get_serial,
.get_authKeyIdentifier = _get_authKeyIdentifier,
+ .is_delta_crl = (void*)return_false,
+ .create_delta_crl_uri_enumerator = (void*)enumerator_create_empty,
.create_enumerator = _create_enumerator,
},
},
@@ -458,7 +460,14 @@ static bool parse_extensions(private_openssl_crl_t *this)
ok = parse_crlNumber_ext(this, ext);
break;
default:
- ok = TRUE;
+ ok = X509_EXTENSION_get_critical(ext) == 0 ||
+ !lib->settings->get_bool(lib->settings,
+ "libstrongswan.x509.enforce_critical", TRUE);
+ if (!ok)
+ {
+ DBG1(DBG_LIB, "found unsupported critical X.509 "
+ "CRL extension");
+ }
break;
}
if (!ok)
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 0ab4eda9c..0050572ee 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -41,6 +41,8 @@
#include "openssl_x509.h"
#include "openssl_crl.h"
+static const char *plugin_name = "openssl";
+
typedef struct private_openssl_plugin_t private_openssl_plugin_t;
/**
@@ -272,85 +274,85 @@ plugin_t *openssl_plugin_create()
}
/* crypter */
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_RC5,
+ lib->crypto->add_crypter(lib->crypto, ENCR_RC5, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_IDEA,
+ lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_CAST,
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
+ lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
+ lib->crypto->add_crypter(lib->crypto, ENCR_NULL, plugin_name,
(crypter_constructor_t)openssl_crypter_create);
/* hasher */
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD4,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
(hasher_constructor_t)openssl_hasher_create);
/* prf */
- lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+ lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name,
(prf_constructor_t)openssl_sha1_prf_create);
/* (ec) diffie hellman */
- lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_224,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_2048_256,
+ lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
#ifndef OPENSSL_NO_EC
- lib->crypto->add_dh(lib->crypto, ECP_256_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_256_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_384_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_384_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_521_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_224_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_224_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
+ lib->crypto->add_dh(lib->crypto, ECP_192_BIT, plugin_name,
(dh_constructor_t)openssl_ec_diffie_hellman_create);
#endif /* OPENSSL_NO_EC */
- lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_1024_160,
+ lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
+ lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
- lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+ lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name,
(dh_constructor_t)openssl_diffie_hellman_create);
/* rsa */
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index aa39bc93d..f7495b2ae 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -84,7 +84,7 @@ struct private_openssl_x509_t {
/**
* Pathlen constraint
*/
- int pathlen;
+ u_char pathlen;
/**
* certificate subject
@@ -137,7 +137,7 @@ struct private_openssl_x509_t {
linked_list_t *issuerAltNames;
/**
- * List of CRL URIs
+ * List of CRL URIs, as x509_cdp_t
*/
linked_list_t *crl_uris;
@@ -153,6 +153,16 @@ struct private_openssl_x509_t {
};
/**
+ * Destroy a CRL URI struct
+ */
+static void crl_uri_destroy(x509_cdp_t *this)
+{
+ free(this->uri);
+ DESTROY_IF(this->issuer);
+ free(this);
+}
+
+/**
* Convert a GeneralName to an identification_t.
*/
static identification_t *general_name2id(GENERAL_NAME *name)
@@ -240,10 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
return chunk_empty;
}
-METHOD(x509_t, get_pathLenConstraint, int,
- private_openssl_x509_t *this)
+METHOD(x509_t, get_constraint, u_int,
+ private_openssl_x509_t *this, x509_constraint_t type)
{
- return this->pathlen;
+ switch (type)
+ {
+ case X509_PATH_LEN:
+ return this->pathlen;
+ default:
+ return X509_NO_CONSTRAINT;
+ }
}
METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
@@ -264,13 +280,6 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
return this->ocsp_uris->create_enumerator(this->ocsp_uris);
}
-METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
- private_openssl_x509_t *this)
-{
- /* TODO */
- return enumerator_create_empty();
-}
-
METHOD(certificate_t, get_type, certificate_type_t,
private_openssl_x509_t *this)
{
@@ -483,7 +492,7 @@ METHOD(certificate_t, destroy, void,
offsetof(identification_t, destroy));
this->issuerAltNames->destroy_offset(this->issuerAltNames,
offsetof(identification_t, destroy));
- this->crl_uris->destroy_function(this->crl_uris, free);
+ this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
free(this);
}
@@ -517,18 +526,21 @@ static private_openssl_x509_t *create_empty()
.get_serial = _get_serial,
.get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
.get_authKeyIdentifier = _get_authKeyIdentifier,
- .get_pathLenConstraint = _get_pathLenConstraint,
+ .get_constraint = _get_constraint,
.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
.create_crl_uri_enumerator = _create_crl_uri_enumerator,
.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
- .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+ .create_ipAddrBlock_enumerator = (void*)enumerator_create_empty,
+ .create_name_constraint_enumerator = (void*)enumerator_create_empty,
+ .create_cert_policy_enumerator = (void*)enumerator_create_empty,
+ .create_policy_mapping_enumerator = (void*)enumerator_create_empty,
},
},
.subjectAltNames = linked_list_create(),
.issuerAltNames = linked_list_create(),
.crl_uris = linked_list_create(),
.ocsp_uris = linked_list_create(),
- .pathlen = X509_NO_PATH_LEN_CONSTRAINT,
+ .pathlen = X509_NO_CONSTRAINT,
.ref = 1,
);
@@ -574,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
X509_EXTENSION *ext)
{
BASIC_CONSTRAINTS *constraints;
+ long pathlen;
constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
if (constraints)
@@ -584,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
}
if (constraints->pathlen)
{
- this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
+
+ pathlen = ASN1_INTEGER_get(constraints->pathlen);
+ this->pathlen = (pathlen >= 0 && pathlen < 128) ?
+ pathlen : X509_NO_CONSTRAINT;
}
BASIC_CONSTRAINTS_free(constraints);
return TRUE;
@@ -600,9 +616,10 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
{
CRL_DIST_POINTS *cdps;
DIST_POINT *cdp;
- identification_t *id;
+ identification_t *id, *issuer;
+ x509_cdp_t *entry;
char *uri;
- int i, j, point_num, name_num;
+ int i, j, k, point_num, name_num, issuer_num;
cdps = X509V3_EXT_d2i(ext);
if (!cdps)
@@ -627,12 +644,38 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
{
if (asprintf(&uri, "%Y", id) > 0)
{
- this->crl_uris->insert_first(this->crl_uris, uri);
+ if (cdp->CRLissuer)
+ {
+ issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer);
+ for (k = 0; k < issuer_num; k++)
+ {
+ issuer = general_name2id(
+ sk_GENERAL_NAME_value(cdp->CRLissuer, k));
+ if (issuer)
+ {
+ INIT(entry,
+ .uri = strdup(uri),
+ .issuer = issuer,
+ );
+ this->crl_uris->insert_last(
+ this->crl_uris, entry);
+ }
+ }
+ free(uri);
+ }
+ else
+ {
+ INIT(entry,
+ .uri = uri,
+ );
+ this->crl_uris->insert_last(this->crl_uris, entry);
+ }
}
id->destroy(id);
}
}
}
+
DIST_POINT_free(cdp);
}
}
@@ -765,7 +808,13 @@ static bool parse_extensions(private_openssl_x509_t *this)
ok = parse_crlDistributionPoints_ext(this, ext);
break;
default:
- ok = TRUE;
+ ok = X509_EXTENSION_get_critical(ext) == 0 ||
+ !lib->settings->get_bool(lib->settings,
+ "libstrongswan.x509.enforce_critical", TRUE);
+ if (!ok)
+ {
+ DBG1(DBG_LIB, "found unsupported critical X.509 extension");
+ }
break;
}
if (!ok)
@@ -823,6 +872,13 @@ static bool parse_certificate(private_openssl_x509_t *this)
{
return FALSE;
}
+ if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2)
+ {
+ DBG1(DBG_LIB, "unsupported x509 version: %d",
+ X509_get_version(this->x509) + 1);
+ return FALSE;
+ }
+
this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
@@ -866,7 +922,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
if (!parse_extensions(this))
{
- return TRUE;
+ return FALSE;
}
parse_extKeyUsage(this);
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 46953f681..7c89d0abd 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 027c53c7b..695823acf 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -23,6 +23,8 @@
#include <library.h>
#include <debug.h>
+static const char *plugin_name = "padlock";
+
typedef struct private_padlock_plugin_t private_padlock_plugin_t;
typedef enum padlock_feature_t padlock_feature_t;
@@ -161,21 +163,21 @@ plugin_t *padlock_plugin_create()
if (this->features & PADLOCK_RNG_ENABLED)
{
- lib->crypto->add_rng(lib->crypto, RNG_TRUE,
+ lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
(rng_constructor_t)padlock_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_STRONG,
+ lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
(rng_constructor_t)padlock_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_WEAK,
+ lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name,
(rng_constructor_t)padlock_rng_create);
}
if (this->features & PADLOCK_ACE2_ENABLED)
{
- lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
+ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name,
(crypter_constructor_t)padlock_aes_crypter_create);
}
if (this->features & PADLOCK_PHE_ENABLED)
{
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
(hasher_constructor_t)padlock_sha1_hasher_create);
}
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index cf5acdd1c..60740eb35 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index e255d6fd0..9c8237e4d 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -111,7 +111,7 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
}
/* compute and allocate maximum size of PEM object */
- pem_chars = 4*(asn1.len + 2)/3;
+ pem_chars = 4 * ((asn1.len + 2) / 3);
pem_lines = (asn1.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE;
*encoding = chunk_alloc(5 + 2*(6 + strlen(label) + 6) + 3 + pem_chars + pem_lines);
pos = encoding->ptr;
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index 83efb155b..f2415a318 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -33,10 +33,8 @@ struct private_pem_plugin_t {
pem_plugin_t public;
};
-/**
- * Implementation of pem_plugin_t.pemtroy
- */
-static void destroy(private_pem_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_pem_plugin_t *this)
{
lib->creds->remove_builder(lib->creds,
(builder_function_t)pem_private_key_load);
@@ -52,9 +50,15 @@ static void destroy(private_pem_plugin_t *this)
*/
plugin_t *pem_plugin_create()
{
- private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_pem_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
/* register private key PEM decoding builders */
lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 0098147a9..ab14f8ced 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
index 41e0a5df6..eaf0a1088 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.c
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -33,10 +33,8 @@ struct private_pgp_plugin_t {
pgp_plugin_t public;
};
-/**
- * Implementation of pgp_plugin_t.pgptroy
- */
-static void destroy(private_pgp_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_pgp_plugin_t *this)
{
lib->creds->remove_builder(lib->creds,
(builder_function_t)pgp_public_key_load);
@@ -56,10 +54,15 @@ static void destroy(private_pgp_plugin_t *this)
*/
plugin_t *pgp_plugin_create()
{
- private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+ private_pgp_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
(builder_function_t)pgp_public_key_load);
lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
@@ -68,10 +71,8 @@ plugin_t *pgp_plugin_create()
(builder_function_t)pgp_private_key_load);
lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
(builder_function_t)pgp_private_key_load);
-
lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
(builder_function_t)pgp_cert_load);
-
lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 8b41499a7..8ed4a08e9 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index d3afb5c67..33732f8a4 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -32,10 +32,8 @@ struct private_pkcs1_plugin_t {
pkcs1_plugin_t public;
};
-/**
- * Implementation of pkcs1_plugin_t.pkcs1troy
- */
-static void destroy(private_pkcs1_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_pkcs1_plugin_t *this)
{
lib->creds->remove_builder(lib->creds,
(builder_function_t)pkcs1_public_key_load);
@@ -52,9 +50,15 @@ static void destroy(private_pkcs1_plugin_t *this)
*/
plugin_t *pkcs1_plugin_create()
{
- private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t);
+ private_pkcs1_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
(builder_function_t)pkcs1_public_key_load);
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index c27310910..6c03b0497 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
index 1b1448c6a..a81ec1147 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -55,19 +55,20 @@ struct private_pkcs11_creds_t {
* Find certificates, optionally trusted
*/
static void find_certificates(private_pkcs11_creds_t *this,
- CK_SESSION_HANDLE session, CK_BBOOL trusted)
+ CK_SESSION_HANDLE session)
{
CK_OBJECT_CLASS class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE type = CKC_X_509;
+ CK_BBOOL trusted = TRUE;
CK_ATTRIBUTE tmpl[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
- {CKA_TRUSTED, &trusted, sizeof(trusted)},
};
CK_OBJECT_HANDLE object;
CK_ATTRIBUTE attr[] = {
{CKA_VALUE, NULL, 0},
{CKA_LABEL, NULL, 0},
+ {CKA_TRUSTED, &trusted, sizeof(trusted)}
};
enumerator_t *enumerator;
linked_list_t *raw;
@@ -75,11 +76,19 @@ static void find_certificates(private_pkcs11_creds_t *this,
struct {
chunk_t value;
chunk_t label;
+ bool trusted;
} *entry;
+ int count = countof(attr);
+ /* store result in a temporary list, avoid recursive operation */
raw = linked_list_create();
+ /* do not use trusted argument if not supported */
+ if (!(this->lib->get_features(this->lib) & PKCS11_TRUSTED_CERTS))
+ {
+ count--;
+ }
enumerator = this->lib->create_object_enumerator(this->lib,
- session, tmpl, countof(tmpl), attr, countof(attr));
+ session, tmpl, countof(tmpl), attr, count);
while (enumerator->enumerate(enumerator, &object))
{
entry = malloc(sizeof(*entry));
@@ -87,6 +96,7 @@ static void find_certificates(private_pkcs11_creds_t *this,
chunk_create(attr[0].pValue, attr[0].ulValueLen));
entry->label = chunk_clone(
chunk_create(attr[1].pValue, attr[1].ulValueLen));
+ entry->trusted = trusted;
raw->insert_last(raw, entry);
}
enumerator->destroy(enumerator);
@@ -99,10 +109,10 @@ static void find_certificates(private_pkcs11_creds_t *this,
if (cert)
{
DBG1(DBG_CFG, " loaded %strusted cert '%.*s'",
- trusted ? "" : "un", entry->label.len, entry->label.ptr);
+ entry->trusted ? "" : "un", entry->label.len, entry->label.ptr);
/* trusted certificates are also returned as untrusted */
this->untrusted->insert_last(this->untrusted, cert);
- if (trusted)
+ if (entry->trusted)
{
this->trusted->insert_last(this->trusted, cert->get_ref(cert));
}
@@ -135,8 +145,7 @@ static bool load_certificates(private_pkcs11_creds_t *this)
return FALSE;
}
- find_certificates(this, session, CK_TRUE);
- find_certificates(this, session, CK_FALSE);
+ find_certificates(this, session);
this->lib->f->C_CloseSession(session);
return TRUE;
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 9fb1b7769..6f7926808 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -466,6 +466,11 @@ struct private_pkcs11_library_t {
* Name as passed to the constructor
*/
char *name;
+
+ /**
+ * Supported feature set
+ */
+ pkcs11_feature_t features;
};
METHOD(pkcs11_library_t, get_name, char*,
@@ -474,6 +479,12 @@ METHOD(pkcs11_library_t, get_name, char*,
return this->name;
}
+METHOD(pkcs11_library_t, get_features, pkcs11_feature_t,
+ private_pkcs11_library_t *this)
+{
+ return this->features;
+}
+
/**
* Object enumerator
*/
@@ -766,19 +777,45 @@ static CK_RV UnlockMutex(CK_VOID_PTR data)
}
/**
+ * Check if the library has at least a given cryptoki version
+ */
+static bool has_version(CK_INFO *info, int major, int minor)
+{
+ return info->cryptokiVersion.major > major ||
+ (info->cryptokiVersion.major == major &&
+ info->cryptokiVersion.minor >= minor);
+}
+
+/**
+ * Check for optional PKCS#11 library functionality
+ */
+static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
+{
+ if (has_version(info, 2, 20))
+ {
+ this->features |= PKCS11_TRUSTED_CERTS;
+ this->features |= PKCS11_ALWAYS_AUTH_KEYS;
+ }
+}
+
+/**
* Initialize a PKCS#11 library
*/
-static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
+static bool initialize(private_pkcs11_library_t *this, char *name, char *file,
+ bool os_locking)
{
CK_C_GetFunctionList pC_GetFunctionList;
CK_INFO info;
CK_RV rv;
- CK_C_INITIALIZE_ARGS args = {
+ static CK_C_INITIALIZE_ARGS args = {
.CreateMutex = CreateMutex,
.DestroyMutex = DestroyMutex,
.LockMutex = LockMutex,
.UnlockMutex = UnlockMutex,
};
+ static CK_C_INITIALIZE_ARGS args_os = {
+ .flags = CKF_OS_LOCKING_OK,
+ };
pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList");
if (!pC_GetFunctionList)
@@ -793,14 +830,19 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
name, ck_rv_names, rv);
return FALSE;
}
-
- rv = this->public.f->C_Initialize(&args);
- if (rv == CKR_CANT_LOCK)
- { /* try OS locking */
- memset(&args, 0, sizeof(args));
- args.flags = CKF_OS_LOCKING_OK;
+ if (os_locking)
+ {
+ rv = CKR_CANT_LOCK;
+ }
+ else
+ {
rv = this->public.f->C_Initialize(&args);
}
+ if (rv == CKR_CANT_LOCK)
+ { /* fallback to OS locking */
+ os_locking = TRUE;
+ rv = this->public.f->C_Initialize(&args_os);
+ }
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "C_Initialize() error for '%s': %N",
@@ -826,23 +868,26 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
DBG1(DBG_CFG, " %s: %s v%d.%d",
info.manufacturerID, info.libraryDescription,
info.libraryVersion.major, info.libraryVersion.minor);
- if (args.flags & CKF_OS_LOCKING_OK)
+ if (os_locking)
{
DBG1(DBG_CFG, " uses OS locking functions");
}
+
+ check_features(this, &info);
return TRUE;
}
/**
* See header
*/
-pkcs11_library_t *pkcs11_library_create(char *name, char *file)
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking)
{
private_pkcs11_library_t *this;
INIT(this,
.public = {
.get_name = _get_name,
+ .get_features = _get_features,
.create_object_enumerator = _create_object_enumerator,
.create_mechanism_enumerator = _create_mechanism_enumerator,
.destroy = _destroy,
@@ -858,7 +903,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file)
return NULL;
}
- if (!initialize(this, name, file))
+ if (!initialize(this, name, file, os_locking))
{
dlclose(this->handle);
free(this);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index 1457d24d4..abe023448 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -21,6 +21,7 @@
#ifndef PKCS11_LIBRARY_H_
#define PKCS11_LIBRARY_H_
+typedef enum pkcs11_feature_t pkcs11_feature_t;
typedef struct pkcs11_library_t pkcs11_library_t;
#include "pkcs11.h"
@@ -29,6 +30,16 @@ typedef struct pkcs11_library_t pkcs11_library_t;
#include <utils/enumerator.h>
/**
+ * Optional PKCS#11 features some libraries support, some not
+ */
+enum pkcs11_feature_t {
+ /** CKA_TRUSTED attribute supported for certificate objects */
+ PKCS11_TRUSTED_CERTS = (1<<0),
+ /** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */
+ PKCS11_ALWAYS_AUTH_KEYS = (1<<1),
+};
+
+/**
* A loaded and initialized PKCS#11 library.
*/
struct pkcs11_library_t {
@@ -46,6 +57,13 @@ struct pkcs11_library_t {
char* (*get_name)(pkcs11_library_t *this);
/**
+ * Get the feature set supported by this library.
+ *
+ * @return ORed set of features supported
+ */
+ pkcs11_feature_t (*get_features)(pkcs11_library_t *this);
+
+ /**
* Create an enumerator over CK_OBJECT_HANDLE using a search template.
*
* An optional attribute array is automatically filled in with the
@@ -103,8 +121,9 @@ void pkcs11_library_trim(char *str, int len);
*
* @param name an arbitrary name, for debugging
* @param file pkcs11 library file to dlopen()
+ * @param os_lock enforce OS Locking for this library
* @return library abstraction
*/
-pkcs11_library_t *pkcs11_library_create(char *name, char *file);
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_lock);
#endif /** PKCS11_LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 0c27600a6..9308e9c25 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -373,7 +373,10 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
free(entry);
continue;
}
- entry->lib = pkcs11_library_create(module, entry->path);
+ entry->lib = pkcs11_library_create(module, entry->path,
+ lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.modules.%s.os_locking",
+ FALSE, module));
if (!entry->lib)
{
free(entry);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index ace405c23..071d2f782 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -26,6 +26,8 @@
#include "pkcs11_public_key.h"
#include "pkcs11_hasher.h"
+static const char *plugin_name = "pkcs11";
+
typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
/**
@@ -146,17 +148,17 @@ plugin_t *pkcs11_plugin_create()
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
{
- lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
(hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
(hasher_constructor_t)pkcs11_hasher_create);
}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index cabca3f54..b4cc7a805 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -401,30 +401,36 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
};
CK_OBJECT_HANDLE object;
CK_KEY_TYPE type;
- CK_BBOOL reauth;
+ CK_BBOOL reauth = FALSE;
CK_ATTRIBUTE attr[] = {
{CKA_KEY_TYPE, &type, sizeof(type)},
- {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
{CKA_MODULUS, NULL, 0},
{CKA_PUBLIC_EXPONENT, NULL, 0},
+ {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
};
enumerator_t *enumerator;
chunk_t modulus, pubexp;
+ int count = countof(attr);
+ /* do not use CKA_ALWAYS_AUTHENTICATE if not supported */
+ if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS))
+ {
+ count--;
+ }
enumerator = this->lib->create_object_enumerator(this->lib,
- this->session, tmpl, countof(tmpl), attr, countof(attr));
+ this->session, tmpl, countof(tmpl), attr, count);
if (enumerator->enumerate(enumerator, &object))
{
switch (type)
{
case CKK_RSA:
- if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1)
+ if (attr[1].ulValueLen == -1 || attr[2].ulValueLen == -1)
{
DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed");
break;
}
- modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen);
- pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen);
+ modulus = chunk_create(attr[1].pValue, attr[1].ulValueLen);
+ pubexp = chunk_create(attr[2].pValue, attr[2].ulValueLen);
this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
KEY_RSA, BUILD_RSA_MODULUS, modulus,
BUILD_RSA_PUB_EXP, pubexp, BUILD_END);
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index e1427bf15..473db5ccf 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -50,62 +50,77 @@ struct private_plugin_loader_t {
linked_list_t *names;
};
-#ifdef MONOLITHIC
/**
- * load a single plugin in monolithic mode
+ * create a plugin
+ * returns: NOT_FOUND, if the constructor was not found
+ * FAILED, if the plugin could not be constructed
*/
-static plugin_t* load_plugin(private_plugin_loader_t *this,
- char *path, char *name)
+static status_t create_plugin(private_plugin_loader_t *this, void *handle,
+ char *name, bool integrity, plugin_t **plugin)
{
char create[128];
- plugin_t *plugin;
plugin_constructor_t constructor;
if (snprintf(create, sizeof(create), "%s_plugin_create",
name) >= sizeof(create))
{
- return NULL;
+ return FAILED;
}
translate(create, "-", "_");
- constructor = dlsym(RTLD_DEFAULT, create);
+ constructor = dlsym(handle, create);
if (constructor == NULL)
{
- DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
+ DBG2(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
create);
- return NULL;
+ return NOT_FOUND;
}
- plugin = constructor();
- if (plugin == NULL)
+ if (integrity && lib->integrity)
+ {
+ if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+ {
+ DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name);
+ return FAILED;
+ }
+ DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests",
+ name);
+ }
+ *plugin = constructor();
+ if (*plugin == NULL)
{
DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name,
create);
- return NULL;
+ return FAILED;
}
DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
-
- return plugin;
+ return SUCCESS;
}
-#else
+
/**
* load a single plugin
*/
static plugin_t* load_plugin(private_plugin_loader_t *this,
char *path, char *name)
{
- char create[128];
char file[PATH_MAX];
void *handle;
plugin_t *plugin;
- plugin_constructor_t constructor;
+
+ switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, &plugin))
+ {
+ case SUCCESS:
+ return plugin;
+ case NOT_FOUND:
+ /* try to load the plugin from a file */
+ break;
+ default:
+ return NULL;
+ }
if (snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path,
- name) >= sizeof(file) ||
- snprintf(create, sizeof(create), "%s_plugin_create",
- name) >= sizeof(create))
+ name) >= sizeof(file))
{
return NULL;
}
- translate(create, "-", "_");
if (lib->integrity)
{
if (!lib->integrity->check_file(lib->integrity, name, file))
@@ -121,40 +136,37 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
return NULL;
}
- constructor = dlsym(handle, create);
- if (constructor == NULL)
+ if (create_plugin(this, handle, name, TRUE, &plugin) != SUCCESS)
{
- DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name,
- create);
dlclose(handle);
return NULL;
}
- if (lib->integrity)
+ /* we do not store or free dlopen() handles, leak_detective requires
+ * the modules to keep loaded until leak report */
+ return plugin;
+}
+
+/**
+ * Check if a plugin is already loaded
+ */
+static bool plugin_loaded(private_plugin_loader_t *this, char *name)
+{
+ enumerator_t *enumerator;
+ bool found = FALSE;
+ char *current;
+
+ enumerator = this->names->create_enumerator(this->names);
+ while (enumerator->enumerate(enumerator, &current))
{
- if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+ if (streq(name, current))
{
- DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name);
- dlclose(handle);
- return NULL;
+ found = TRUE;
+ break;
}
- DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests",
- name);
}
- plugin = constructor();
- if (plugin == NULL)
- {
- DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name,
- create);
- dlclose(handle);
- return NULL;
- }
- DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
-
- /* we do not store or free dlopen() handles, leak_detective requires
- * the modules to keep loaded until leak report */
- return plugin;
+ enumerator->destroy(enumerator);
+ return found;
}
-#endif
/**
* Implementation of plugin_loader_t.load_plugins.
@@ -165,12 +177,10 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
char *token;
bool critical_failed = FALSE;
-#ifndef MONOLITHIC
if (path == NULL)
{
path = PLUGINDIR;
}
-#endif
enumerator = enumerator_create_token(list, " ", " ");
while (!critical_failed && enumerator->enumerate(enumerator, &token))
@@ -186,6 +196,11 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
critical = TRUE;
token[len-1] = '\0';
}
+ if (plugin_loaded(this, token))
+ {
+ free(token);
+ continue;
+ }
plugin = load_plugin(this, path, token);
if (plugin)
{
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 495223855..46349f9ba 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index 6f41ada2a..cc12217a4 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -31,10 +31,8 @@ struct private_pubkey_plugin_t {
pubkey_plugin_t public;
};
-/**
- * Implementation of pubkey_plugin_t.pubkeytroy
- */
-static void destroy(private_pubkey_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_pubkey_plugin_t *this)
{
lib->creds->remove_builder(lib->creds,
(builder_function_t)pubkey_cert_wrap);
@@ -46,9 +44,15 @@ static void destroy(private_pubkey_plugin_t *this)
*/
plugin_t *pubkey_plugin_create()
{
- private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_pubkey_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
(builder_function_t)pubkey_cert_wrap);
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index efd24c761..21f8aff11 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 39678ba71..cc5cb0a3c 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -18,6 +18,8 @@
#include <library.h>
#include "random_rng.h"
+static const char *plugin_name = "random";
+
typedef struct private_random_plugin_t private_random_plugin_t;
/**
@@ -31,10 +33,8 @@ struct private_random_plugin_t {
random_plugin_t public;
};
-/**
- * Implementation of random_plugin_t.gmptroy
- */
-static void destroy(private_random_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_random_plugin_t *this)
{
lib->crypto->remove_rng(lib->crypto,
(rng_constructor_t)random_rng_create);
@@ -46,13 +46,19 @@ static void destroy(private_random_plugin_t *this)
*/
plugin_t *random_plugin_create()
{
- private_random_plugin_t *this = malloc_thing(private_random_plugin_t);
+ private_random_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
- lib->crypto->add_rng(lib->crypto, RNG_STRONG,
+ lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name,
(rng_constructor_t)random_rng_create);
- lib->crypto->add_rng(lib->crypto, RNG_TRUE,
+ lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name,
(rng_constructor_t)random_rng_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index b09f3f57a..1d99a63d5 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -55,11 +55,8 @@ struct private_random_rng_t {
char *file;
};
-/**
- * Implementation of random_rng_t.get_bytes.
- */
-static void get_bytes(private_random_rng_t *this, size_t bytes,
- u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+ private_random_rng_t *this, size_t bytes, u_int8_t *buffer)
{
size_t done;
ssize_t got;
@@ -81,20 +78,15 @@ static void get_bytes(private_random_rng_t *this, size_t bytes,
}
}
-/**
- * Implementation of random_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_random_rng_t *this, size_t bytes,
- chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+ private_random_rng_t *this, size_t bytes, chunk_t *chunk)
{
*chunk = chunk_alloc(bytes);
get_bytes(this, chunk->len, chunk->ptr);
}
-/**
- * Implementation of random_rng_t.destroy.
- */
-static void destroy(private_random_rng_t *this)
+METHOD(rng_t, destroy, void,
+ private_random_rng_t *this)
{
close(this->dev);
free(this);
@@ -105,12 +97,17 @@ static void destroy(private_random_rng_t *this)
*/
random_rng_t *random_rng_create(rng_quality_t quality)
{
- private_random_rng_t *this = malloc_thing(private_random_rng_t);
-
- /* public functions */
- this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
- this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
- this->public.rng.destroy = (void (*) (rng_t *))destroy;
+ private_random_rng_t *this;
+
+ INIT(this,
+ .public = {
+ .rng = {
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .destroy = _destroy,
+ },
+ },
+ );
if (quality == RNG_TRUE)
{
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 16a9d21c5..4ed4b9694 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 29d2bc128..def169275 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -93,12 +93,13 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
/**
* check the signature of an OCSP response
*/
-static bool verify_ocsp(ocsp_response_t *response)
+static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
{
certificate_t *issuer, *subject;
identification_t *responder;
ocsp_response_wrapper_t *wrapper;
enumerator_t *enumerator;
+ auth_cfg_t *current;
bool verified = FALSE;
wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
@@ -108,12 +109,16 @@ static bool verify_ocsp(ocsp_response_t *response)
responder = subject->get_issuer(subject);
enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
KEY_ANY, responder, FALSE);
- while (enumerator->enumerate(enumerator, &issuer, NULL))
+ while (enumerator->enumerate(enumerator, &issuer, &current))
{
if (lib->credmgr->issued_by(lib->credmgr, subject, issuer))
{
DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"",
issuer->get_subject(issuer));
+ if (auth)
+ {
+ auth->merge(auth, current, FALSE);
+ }
verified = TRUE;
break;
}
@@ -129,7 +134,8 @@ static bool verify_ocsp(ocsp_response_t *response)
* Get the better of two OCSP responses, and check for usable OCSP info
*/
static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
- x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache)
+ x509_t *subject, x509_t *issuer, cert_validation_t *valid,
+ auth_cfg_t *auth, bool cache)
{
ocsp_response_t *response;
time_t revocation, this_update, next_update, valid_until;
@@ -139,7 +145,7 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
response = (ocsp_response_t*)cand;
/* check ocsp signature */
- if (!verify_ocsp(response))
+ if (!verify_ocsp(response, auth))
{
DBG1(DBG_CFG, "ocsp response verification failed");
cand->destroy(cand);
@@ -220,7 +226,8 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
while (enumerator->enumerate(enumerator, &current))
{
current->get_ref(current);
- best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE);
+ best = get_better_ocsp(current, best, subject, issuer,
+ &valid, auth, FALSE);
if (best && valid != VALIDATION_STALE)
{
DBG1(DBG_CFG, " using cached ocsp response");
@@ -247,7 +254,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
if (current)
{
best = get_better_ocsp(current, best, subject, issuer,
- &valid, TRUE);
+ &valid, auth, TRUE);
if (best && valid != VALIDATION_STALE)
{
break;
@@ -269,7 +276,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
if (current)
{
best = get_better_ocsp(current, best, subject, issuer,
- &valid, TRUE);
+ &valid, auth, TRUE);
if (best && valid != VALIDATION_STALE)
{
break;
@@ -323,20 +330,25 @@ static certificate_t* fetch_crl(char *url)
/**
* check the signature of an CRL
*/
-static bool verify_crl(certificate_t *crl)
+static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
{
certificate_t *issuer;
enumerator_t *enumerator;
bool verified = FALSE;
+ auth_cfg_t *current;
enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
KEY_ANY, crl->get_issuer(crl), FALSE);
- while (enumerator->enumerate(enumerator, &issuer, NULL))
+ while (enumerator->enumerate(enumerator, &issuer, &current))
{
if (lib->credmgr->issued_by(lib->credmgr, crl, issuer))
{
DBG1(DBG_CFG, " crl correctly signed by \"%Y\"",
issuer->get_subject(issuer));
+ if (auth)
+ {
+ auth->merge(auth, current, FALSE);
+ }
verified = TRUE;
break;
}
@@ -350,23 +362,41 @@ static bool verify_crl(certificate_t *crl)
* Get the better of two CRLs, and check for usable CRL info
*/
static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
- x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache)
+ x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth,
+ bool cache, crl_t *base)
{
enumerator_t *enumerator;
time_t revocation, valid_until;
crl_reason_t reason;
chunk_t serial;
- crl_t *crl;
+ crl_t *crl = (crl_t*)cand;
+
+ if (base)
+ {
+ if (!crl->is_delta_crl(crl, &serial) ||
+ !chunk_equals(serial, base->get_serial(base)))
+ {
+ cand->destroy(cand);
+ return best;
+ }
+ }
+ else
+ {
+ if (crl->is_delta_crl(crl, NULL))
+ {
+ cand->destroy(cand);
+ return best;
+ }
+ }
/* check CRL signature */
- if (!verify_crl(cand))
+ if (!verify_crl(cand, auth))
{
DBG1(DBG_CFG, "crl response verification failed");
cand->destroy(cand);
return best;
}
- crl = (crl_t*)cand;
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
{
@@ -411,79 +441,191 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
}
/**
- * validate a x509 certificate using CRL
+ * Find or fetch a certificate for a given crlIssuer
*/
-static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
- auth_cfg_t *auth)
+static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
+ auth_cfg_t *auth, crl_t *base,
+ certificate_t **best, bool *uri_found)
{
cert_validation_t valid = VALIDATION_SKIPPED;
- identification_t *keyid = NULL;
- certificate_t *best = NULL;
+ enumerator_t *enumerator;
certificate_t *current;
- public_key_t *public;
+ char *uri;
+
+ /* find a cached (delta) crl */
+ enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+ CERT_X509_CRL, KEY_ANY, issuer, FALSE);
+ while (enumerator->enumerate(enumerator, &current))
+ {
+ current->get_ref(current);
+ *best = get_better_crl(current, *best, subject, &valid,
+ auth, FALSE, base);
+ if (*best && valid != VALIDATION_STALE)
+ {
+ DBG1(DBG_CFG, " using cached crl");
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* fallback to fetching crls from credential sets cdps */
+ if (!base && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+ {
+ enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr,
+ CERT_X509_CRL, issuer);
+ while (enumerator->enumerate(enumerator, &uri))
+ {
+ *uri_found = TRUE;
+ current = fetch_crl(uri);
+ if (current)
+ {
+ if (!current->has_issuer(current, issuer))
+ {
+ DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match CRL "
+ "issuer '%Y'", current->get_issuer(current), issuer);
+ current->destroy(current);
+ continue;
+ }
+ *best = get_better_crl(current, *best, subject,
+ &valid, auth, TRUE, base);
+ if (*best && valid != VALIDATION_STALE)
+ {
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ return valid;
+}
+
+/**
+ * Look for a delta CRL for a given base CRL
+ */
+static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
+ crl_t *base, cert_validation_t base_valid, auth_cfg_t *auth)
+{
+ cert_validation_t valid = VALIDATION_SKIPPED;
+ certificate_t *best = NULL, *current;
enumerator_t *enumerator;
+ identification_t *id;
+ x509_cdp_t *cdp;
chunk_t chunk;
- char *uri = NULL;
+ bool uri;
- /* derive the authorityKeyIdentifier from the issuer's public key */
- current = &issuer->interface;
- public = current->get_public_key(current);
- if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
+ /* find cached delta CRL via subjectKeyIdentifier */
+ chunk = issuer->get_subjectKeyIdentifier(issuer);
+ if (chunk.len)
{
- keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+ id = identification_create_from_encoding(ID_KEY_ID, chunk);
+ valid = find_crl(subject, id, auth, base, &best, &uri);
+ id->destroy(id);
+ }
- /* find a cached crl by authorityKeyIdentifier */
- enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
- CERT_X509_CRL, KEY_ANY, keyid, FALSE);
- while (enumerator->enumerate(enumerator, &current))
+ /* find delta CRL by CRLIssuer */
+ enumerator = subject->create_crl_uri_enumerator(subject);
+ while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED &&
+ enumerator->enumerate(enumerator, &cdp))
+ {
+ if (cdp->issuer)
{
- current->get_ref(current);
- best = get_better_crl(current, best, subject, issuer,
- &valid, FALSE);
+ valid = find_crl(subject, cdp->issuer, auth, base, &best, &uri);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* fetch from URIs found in Freshest CRL extension */
+ enumerator = base->create_delta_crl_uri_enumerator(base);
+ while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED &&
+ enumerator->enumerate(enumerator, &cdp))
+ {
+ current = fetch_crl(cdp->uri);
+ if (current)
+ {
+ if (cdp->issuer && !current->has_issuer(current, cdp->issuer))
+ {
+ DBG1(DBG_CFG, "issuer of fetched delta CRL '%Y' does not match "
+ "certificates CRL issuer '%Y'",
+ current->get_issuer(current), cdp->issuer);
+ current->destroy(current);
+ continue;
+ }
+ best = get_better_crl(current, best, subject, &valid,
+ auth, TRUE, base);
if (best && valid != VALIDATION_STALE)
{
- DBG1(DBG_CFG, " using cached crl");
break;
}
}
- enumerator->destroy(enumerator);
+ }
+ enumerator->destroy(enumerator);
+
+ if (best)
+ {
+ best->destroy(best);
+ return valid;
+ }
+ return base_valid;
+}
+
+
+/**
+ * validate a x509 certificate using CRL
+ */
+static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
+ auth_cfg_t *auth)
+{
+ cert_validation_t valid = VALIDATION_SKIPPED;
+ certificate_t *best = NULL;
+ identification_t *id;
+ x509_cdp_t *cdp;
+ bool uri_found = FALSE;
+ certificate_t *current;
+ enumerator_t *enumerator;
+ chunk_t chunk;
+
+ /* use issuers subjectKeyIdentifier to find a cached CRL / fetch from CDP */
+ chunk = issuer->get_subjectKeyIdentifier(issuer);
+ if (chunk.len)
+ {
+ id = identification_create_from_encoding(ID_KEY_ID, chunk);
+ valid = find_crl(subject, id, auth, NULL, &best, &uri_found);
+ id->destroy(id);
+ }
- /* fallback to fetching crls from credential sets cdps */
- if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
+ /* find a cached CRL or fetch via configured CDP via CRLIssuer */
+ enumerator = subject->create_crl_uri_enumerator(subject);
+ while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED &&
+ enumerator->enumerate(enumerator, &cdp))
+ {
+ if (cdp->issuer)
{
- enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr,
- CERT_X509_CRL, keyid);
- while (enumerator->enumerate(enumerator, &uri))
- {
- current = fetch_crl(uri);
- if (current)
- {
- best = get_better_crl(current, best, subject, issuer,
- &valid, TRUE);
- if (best && valid != VALIDATION_STALE)
- {
- break;
- }
- }
- }
- enumerator->destroy(enumerator);
+ valid = find_crl(subject, cdp->issuer, auth, NULL,
+ &best, &uri_found);
}
- keyid->destroy(keyid);
}
- DESTROY_IF(public);
+ enumerator->destroy(enumerator);
- /* fallback to fetching crls from cdps from subject's certificate */
+ /* fallback to fetching CRLs from CDPs found in subjects certificate */
if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
{
enumerator = subject->create_crl_uri_enumerator(subject);
-
- while (enumerator->enumerate(enumerator, &uri))
+ while (enumerator->enumerate(enumerator, &cdp))
{
- current = fetch_crl(uri);
+ uri_found = TRUE;
+ current = fetch_crl(cdp->uri);
if (current)
{
- best = get_better_crl(current, best, subject, issuer,
- &valid, TRUE);
+ if (cdp->issuer && !current->has_issuer(current, cdp->issuer))
+ {
+ DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match "
+ "certificates CRL issuer '%Y'",
+ current->get_issuer(current), cdp->issuer);
+ current->destroy(current);
+ continue;
+ }
+ best = get_better_crl(current, best, subject, &valid,
+ auth, TRUE, NULL);
if (best && valid != VALIDATION_STALE)
{
break;
@@ -493,8 +635,14 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
enumerator->destroy(enumerator);
}
+ /* look for delta CRLs */
+ if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE))
+ {
+ valid = check_delta_crl(subject, issuer, (crl_t*)best, valid, auth);
+ }
+
/* an uri was found, but no result. switch validation state to failed */
- if (valid == VALIDATION_SKIPPED && uri)
+ if (valid == VALIDATION_SKIPPED && uri_found)
{
valid = VALIDATION_FAILED;
}
@@ -517,7 +665,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
METHOD(cert_validator_t, validate, bool,
private_revocation_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
+ auth_cfg_t *auth)
{
if (subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509 &&
@@ -525,7 +674,8 @@ METHOD(cert_validator_t, validate, bool,
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
- switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
+ switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
{
case VALIDATION_GOOD:
DBG1(DBG_CFG, "certificate status is good");
@@ -543,7 +693,8 @@ METHOD(cert_validator_t, validate, bool,
DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
break;
}
- switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
+ switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
{
case VALIDATION_GOOD:
DBG1(DBG_CFG, "certificate status is good");
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 1036bedfc..3d96f4339 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c
index 7b9cf878f..dda2cbc1a 100644
--- a/src/libstrongswan/plugins/sha1/sha1_plugin.c
+++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c
@@ -19,6 +19,8 @@
#include "sha1_hasher.h"
#include "sha1_prf.h"
+static const char *plugin_name = "sha1";
+
typedef struct private_sha1_plugin_t private_sha1_plugin_t;
/**
@@ -32,10 +34,8 @@ struct private_sha1_plugin_t {
sha1_plugin_t public;
};
-/**
- * Implementation of sha1_plugin_t.destroy
- */
-static void destroy(private_sha1_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_sha1_plugin_t *this)
{
lib->crypto->remove_hasher(lib->crypto,
(hasher_constructor_t)sha1_hasher_create);
@@ -49,13 +49,19 @@ static void destroy(private_sha1_plugin_t *this)
*/
plugin_t *sha1_plugin_create()
{
- private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t);
+ private_sha1_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
(hasher_constructor_t)sha1_hasher_create);
- lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
+ lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name,
(prf_constructor_t)sha1_prf_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 579e6f9b0..fcbfa0c44 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -219,9 +219,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -260,6 +258,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index 810d9922a..a5937dbb2 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -18,6 +18,8 @@
#include <library.h>
#include "sha2_hasher.h"
+static const char *plugin_name = "sha2";
+
typedef struct private_sha2_plugin_t private_sha2_plugin_t;
/**
@@ -31,10 +33,8 @@ struct private_sha2_plugin_t {
sha2_plugin_t public;
};
-/**
- * Implementation of sha2_plugin_t.destroy
- */
-static void destroy(private_sha2_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_sha2_plugin_t *this)
{
lib->crypto->remove_hasher(lib->crypto,
(hasher_constructor_t)sha2_hasher_create);
@@ -46,17 +46,23 @@ static void destroy(private_sha2_plugin_t *this)
*/
plugin_t *sha2_plugin_create()
{
- private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t);
+ private_sha2_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
- lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name,
(hasher_constructor_t)sha2_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
(hasher_constructor_t)sha2_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
(hasher_constructor_t)sha2_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
(hasher_constructor_t)sha2_hasher_create);
return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/soup/Makefile.am b/src/libstrongswan/plugins/soup/Makefile.am
new file mode 100644
index 000000000..9006f1b7c
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-soup.la
+else
+plugin_LTLIBRARIES = libstrongswan-soup.la
+endif
+
+libstrongswan_soup_la_SOURCES = \
+ soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h
+
+libstrongswan_soup_la_LDFLAGS = -module -avoid-version
+libstrongswan_soup_la_LIBADD = ${soup_LIBS}
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
new file mode 100644
index 000000000..35d175f95
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -0,0 +1,601 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/soup
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_soup_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_soup_la_OBJECTS = soup_plugin.lo soup_fetcher.lo
+libstrongswan_soup_la_OBJECTS = $(am_libstrongswan_soup_la_OBJECTS)
+libstrongswan_soup_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_soup_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_soup_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_soup_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_soup_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_soup_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-soup.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-soup.la
+libstrongswan_soup_la_SOURCES = \
+ soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h
+
+libstrongswan_soup_la_LDFLAGS = -module -avoid-version
+libstrongswan_soup_la_LIBADD = ${soup_LIBS}
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES)
+ $(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c
new file mode 100644
index 000000000..fd97631bd
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "soup_fetcher.h"
+
+#include <libsoup/soup.h>
+
+#include <library.h>
+#include <debug.h>
+
+#define DEFAULT_TIMEOUT 10
+
+typedef struct private_soup_fetcher_t private_soup_fetcher_t;
+
+/**
+ * private data of a soup_fetcher_t object.
+ */
+struct private_soup_fetcher_t {
+
+ /**
+ * Public data
+ */
+ soup_fetcher_t public;
+
+ /**
+ * HTTP request method
+ */
+ const char *method;
+
+ /**
+ * Request content type
+ */
+ char *type;
+
+ /**
+ * Request data
+ */
+ chunk_t data;
+
+ /**
+ * Request timeout
+ */
+ u_int timeout;
+
+ /**
+ * HTTP request version
+ */
+ SoupHTTPVersion version;
+};
+
+METHOD(fetcher_t, fetch, status_t,
+ private_soup_fetcher_t *this, char *uri, chunk_t *result)
+{
+ SoupSession *session;
+ SoupMessage *message;
+ status_t status = FAILED;
+
+ message = soup_message_new(this->method, uri);
+ if (!message)
+ {
+ return NOT_SUPPORTED;
+ }
+ if (this->type)
+ {
+ soup_message_set_request(message, this->type, SOUP_MEMORY_STATIC,
+ this->data.ptr, this->data.len);
+ }
+ soup_message_set_http_version(message, this->version);
+ session = soup_session_sync_new();
+ g_object_set(G_OBJECT(session),
+ SOUP_SESSION_TIMEOUT, (guint)this->timeout, NULL);
+
+ DBG2(DBG_LIB, "sending http request to '%s'...", uri);
+ soup_session_send_message(session, message);
+ if (SOUP_STATUS_IS_SUCCESSFUL(message->status_code))
+ {
+ *result = chunk_clone(chunk_create((u_char*)message->response_body->data,
+ message->response_body->length));
+ status = SUCCESS;
+ }
+ else
+ {
+ DBG1(DBG_LIB, "HTTP request failed, code %d", message->status_code);
+ }
+ g_object_unref(G_OBJECT(message));
+ g_object_unref(G_OBJECT(session));
+ return status;
+}
+
+METHOD(fetcher_t, set_option, bool,
+ private_soup_fetcher_t *this, fetcher_option_t option, ...)
+{
+ bool supported = TRUE;
+ va_list args;
+
+ va_start(args, option);
+ switch (option)
+ {
+ case FETCH_REQUEST_DATA:
+ this->method = SOUP_METHOD_POST;
+ this->data = va_arg(args, chunk_t);
+ break;
+ case FETCH_REQUEST_TYPE:
+ this->type = va_arg(args, char*);
+ break;
+ case FETCH_HTTP_VERSION_1_0:
+ this->version = SOUP_HTTP_1_0;
+ break;
+ case FETCH_TIMEOUT:
+ this->timeout = va_arg(args, u_int);
+ break;
+ default:
+ supported = FALSE;
+ break;
+ }
+ va_end(args);
+ return supported;
+}
+
+METHOD(fetcher_t, destroy, void,
+ private_soup_fetcher_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+soup_fetcher_t *soup_fetcher_create()
+{
+ private_soup_fetcher_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .fetch = _fetch,
+ .set_option = _set_option,
+ .destroy = _destroy,
+ },
+ },
+ .method = SOUP_METHOD_GET,
+ .version = SOUP_HTTP_1_1,
+ .timeout = DEFAULT_TIMEOUT,
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.h b/src/libstrongswan/plugins/soup/soup_fetcher.h
new file mode 100644
index 000000000..9b2579515
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup soup_fetcher soup_fetcher
+ * @{ @ingroup soup_p
+ */
+
+#ifndef SOUP_FETCHER_H_
+#define SOUP_FETCHER_H_
+
+#include <library.h>
+
+typedef struct soup_fetcher_t soup_fetcher_t;
+
+/**
+ * Fetcher implementation for HTTP using libsoup.
+ */
+struct soup_fetcher_t {
+
+ /**
+ * Implements fetcher interface.
+ */
+ fetcher_t interface;
+};
+
+/**
+ * Create a soup_fetcher instance.
+ */
+soup_fetcher_t *soup_fetcher_create();
+
+#endif /** SOUP_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
new file mode 100644
index 000000000..970e32472
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "soup_plugin.h"
+#include "soup_fetcher.h"
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include <library.h>
+
+typedef struct private_soup_plugin_t private_soup_plugin_t;
+
+/**
+ * private data of soup_plugin
+ */
+struct private_soup_plugin_t {
+
+ /**
+ * public functions
+ */
+ soup_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_soup_plugin_t *this)
+{
+ lib->fetcher->remove_fetcher(lib->fetcher,
+ (fetcher_constructor_t)soup_fetcher_create);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *soup_plugin_create()
+{
+ private_soup_plugin_t *this;
+
+ g_type_init();
+ if (!g_thread_get_initialized())
+ {
+ g_thread_init(NULL);
+ }
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ lib->fetcher->add_fetcher(lib->fetcher,
+ (fetcher_constructor_t)soup_fetcher_create, "http://");
+ lib->fetcher->add_fetcher(lib->fetcher,
+ (fetcher_constructor_t)soup_fetcher_create, "https://");
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.h b/src/libstrongswan/plugins/soup/soup_plugin.h
new file mode 100644
index 000000000..2dfa1d243
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup soup_p soup
+ * @ingroup plugins
+ *
+ * @defgroup soup_plugin soup_plugin
+ * @{ @ingroup soup_p
+ */
+
+#ifndef SOUP_PLUGIN_H_
+#define SOUP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct soup_plugin_t soup_plugin_t;
+
+/**
+ * Plugin implementing fetcher interface for HTTP using libsoup.
+ */
+struct soup_plugin_t {
+
+ /**
+ * Implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** SOUP_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 9c9b57f98..ae015d1a8 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index 3e20dbb51..f9e06199e 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -213,10 +213,8 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...)
return TRUE;
}
-/**
- * Implementation of database_t.query.
- */
-static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
+METHOD(database_t, query, enumerator_t*,
+ private_sqlite_database_t *this, char *sql, ...)
{
sqlite3_stmt *stmt;
va_list args;
@@ -248,10 +246,8 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
return (enumerator_t*)enumerator;
}
-/**
- * Implementation of database_t.execute.
- */
-static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
+METHOD(database_t, execute, int,
+ private_sqlite_database_t *this, int *rowid, char *sql, ...)
{
sqlite3_stmt *stmt;
int affected = -1;
@@ -283,10 +279,8 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
return affected;
}
-/**
- * Implementation of database_t.get_driver
- */
-static db_driver_t get_driver(private_sqlite_database_t *this)
+METHOD(database_t, get_driver, db_driver_t,
+ private_sqlite_database_t *this)
{
return DB_SQLITE;
}
@@ -302,10 +296,8 @@ static int busy_handler(private_sqlite_database_t *this, int count)
return 1;
}
-/**
- * Implementation of database_t.destroy
- */
-static void destroy(private_sqlite_database_t *this)
+METHOD(database_t, destroy, void,
+ private_sqlite_database_t *this)
{
sqlite3_close(this->db);
this->mutex->destroy(this->mutex);
@@ -329,20 +321,23 @@ sqlite_database_t *sqlite_database_create(char *uri)
}
file = uri + 9;
- this = malloc_thing(private_sqlite_database_t);
-
- this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
- this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
- this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
- this->public.db.destroy = (void(*)(database_t*))destroy;
-
- this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+ INIT(this,
+ .public = {
+ .db = {
+ .query = _query,
+ .execute = _execute,
+ .get_driver = _get_driver,
+ .destroy = _destroy,
+ },
+ },
+ .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+ );
if (sqlite3_open(file, &this->db) != SQLITE_OK)
{
DBG1(DBG_LIB, "opening SQLite database '%s' failed: %s",
file, sqlite3_errmsg(this->db));
- destroy(this);
+ _destroy(this);
return NULL;
}
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
index 332d82318..e0b8e6ce1 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c
@@ -31,10 +31,8 @@ struct private_sqlite_plugin_t {
sqlite_plugin_t public;
};
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_sqlite_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_sqlite_plugin_t *this)
{
lib->db->remove_database(lib->db,
(database_constructor_t)sqlite_database_create);
@@ -46,9 +44,15 @@ static void destroy(private_sqlite_plugin_t *this)
*/
plugin_t *sqlite_plugin_create()
{
- private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ private_sqlite_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->db->add_database(lib->db,
(database_constructor_t)sqlite_database_create);
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 9be3f825a..9dccb05e3 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -227,9 +227,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -268,6 +266,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index f3a254d8d..176bc438d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -104,10 +104,8 @@ struct private_test_vectors_plugin_t {
test_vectors_plugin_t public;
};
-/**
- * Implementation of test_vectors_plugin_t.test_vectorstroy
- */
-static void destroy(private_test_vectors_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_test_vectors_plugin_t *this)
{
free(this);
}
@@ -117,10 +115,16 @@ static void destroy(private_test_vectors_plugin_t *this)
*/
plugin_t *test_vectors_plugin_create()
{
- private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t);
+ private_test_vectors_plugin_t *this;
int i;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
for (i = 0; i < countof(crypter); i++)
{
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index b1cc2f168..57deab98e 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -221,9 +221,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -262,6 +260,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 559090aa0..526dbe8c6 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -117,7 +117,7 @@ struct private_x509_cert_t {
linked_list_t *subjectAltNames;
/**
- * List of crlDistributionPoints as allocated char*
+ * List of crlDistributionPoints as x509_cdp_t*
*/
linked_list_t *crl_uris;
@@ -132,6 +132,26 @@ struct private_x509_cert_t {
linked_list_t *ipAddrBlocks;
/**
+ * List of permitted name constraints
+ */
+ linked_list_t *permitted_names;
+
+ /**
+ * List of exluced name constraints
+ */
+ linked_list_t *excluded_names;
+
+ /**
+ * List of certificatePolicies, as x509_cert_policy_t
+ */
+ linked_list_t *cert_policies;
+
+ /**
+ * List of policyMappings, as x509_policy_mapping_t
+ */
+ linked_list_t *policy_mappings;
+
+ /**
* certificate's embedded public key
*/
public_key_t *public_key;
@@ -154,7 +174,22 @@ struct private_x509_cert_t {
/**
* Path Length Constraint
*/
- int pathLenConstraint;
+ u_char pathLenConstraint;
+
+ /**
+ * requireExplicitPolicy Constraint
+ */
+ u_char require_explicit;
+
+ /**
+ * inhibitPolicyMapping Constraint
+ */
+ u_char inhibit_mapping;
+
+ /**
+ * inhibitAnyPolicy Constraint
+ */
+ u_char inhibit_any;
/**
* x509 constraints and other flags
@@ -187,6 +222,53 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
);
/**
+ * Destroy a CertificateDistributionPoint
+ */
+static void crl_uri_destroy(x509_cdp_t *this)
+{
+ free(this->uri);
+ DESTROY_IF(this->issuer);
+ free(this);
+}
+
+/**
+ * Destroy a CertificatePolicy
+ */
+static void cert_policy_destroy(x509_cert_policy_t *this)
+{
+ free(this->oid.ptr);
+ free(this->cps_uri);
+ free(this->unotice_text);
+ free(this);
+}
+
+/**
+ * Free policy mapping
+ */
+static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
+{
+ free(mapping->issuer.ptr);
+ free(mapping->subject.ptr);
+ free(mapping);
+}
+
+/**
+ * Parse a length constraint from an unwrapped integer
+ */
+static u_int parse_constraint(chunk_t object)
+{
+ switch (object.len)
+ {
+ case 0:
+ return 0;
+ case 1:
+ return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
+ default:
+ return X509_NO_CONSTRAINT;
+ }
+}
+
+/**
* ASN.1 definition of a basicConstraints extension
*/
static const asn1Object_t basicConstraintsObjects[] = {
@@ -228,15 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
case BASIC_CONSTRAINTS_PATH_LEN:
if (isCA)
{
- if (object.len == 0)
- {
- this->pathLenConstraint = 0;
- }
- else if (object.len == 1)
- {
- this->pathLenConstraint = *object.ptr;
- }
- /* we ignore path length constraints > 127 */
+ this->pathLenConstraint = parse_constraint(object);
}
break;
default:
@@ -574,7 +648,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
}
break;
default:
- /* unkown accessMethod, ignoring */
+ /* unknown accessMethod, ignoring */
break;
}
break;
@@ -589,6 +663,60 @@ end:
}
/**
+ * Extract KeyUsage flags
+ */
+static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
+{
+ enum {
+ KU_DIGITAL_SIGNATURE = 0,
+ KU_NON_REPUDIATION = 1,
+ KU_KEY_ENCIPHERMENT = 2,
+ KU_DATA_ENCIPHERMENT = 3,
+ KU_KEY_AGREEMENT = 4,
+ KU_KEY_CERT_SIGN = 5,
+ KU_CRL_SIGN = 6,
+ KU_ENCIPHER_ONLY = 7,
+ KU_DECIPHER_ONLY = 8,
+ };
+
+ if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
+ {
+ int bit, byte, unused = blob.ptr[0];
+
+ blob = chunk_skip(blob, 1);
+ for (byte = 0; byte < blob.len; byte++)
+ {
+ for (bit = 0; bit < 8; bit++)
+ {
+ if (byte == blob.len - 1 && bit > (7 - unused))
+ {
+ break;
+ }
+ if (blob.ptr[byte] & 1 << (7 - bit))
+ {
+ switch (byte * 8 + bit)
+ {
+ case KU_CRL_SIGN:
+ this->flags |= X509_CRL_SIGN;
+ break;
+ case KU_KEY_CERT_SIGN:
+ /* we use the caBasicConstraint, MUST be set */
+ case KU_DIGITAL_SIGNATURE:
+ case KU_NON_REPUDIATION:
+ case KU_KEY_ENCIPHERMENT:
+ case KU_DATA_ENCIPHERMENT:
+ case KU_KEY_AGREEMENT:
+ case KU_ENCIPHER_ONLY:
+ case KU_DECIPHER_ONLY:
+ break;
+ }
+ }
+ }
+ }
+ }
+}
+
+/**
* ASN.1 definition of a extendedKeyUsage extension
*/
static const asn1Object_t extendedKeyUsageObjects[] = {
@@ -600,7 +728,7 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
#define EXT_KEY_USAGE_PURPOSE_ID 1
/**
- * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
+ * Extracts extendedKeyUsage OIDs
*/
static void parse_extendedKeyUsage(chunk_t blob, int level0,
private_x509_cert_t *this)
@@ -649,51 +777,328 @@ static const asn1Object_t crlDistributionPointsObjects[] = {
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
{ 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
+ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
+#define CRL_DIST_POINTS 1
#define CRL_DIST_POINTS_FULLNAME 3
+#define CRL_DIST_POINTS_ISSUER 10
+
+/**
+ * Add entry to the list of each pairing of URI and Issuer
+ */
+static void add_cdps(linked_list_t *list, linked_list_t *uris,
+ linked_list_t *issuers)
+{
+ identification_t *issuer, *id;
+ enumerator_t *enumerator;
+ x509_cdp_t *cdp;
+ char *uri;
+
+ while (uris->remove_last(uris, (void**)&id) == SUCCESS)
+ {
+ if (asprintf(&uri, "%Y", id) > 0)
+ {
+ if (issuers->get_count(issuers))
+ {
+ enumerator = issuers->create_enumerator(issuers);
+ while (enumerator->enumerate(enumerator, &issuer))
+ {
+ INIT(cdp,
+ .uri = strdup(uri),
+ .issuer = issuer->clone(issuer),
+ );
+ list->insert_last(list, cdp);
+ }
+ enumerator->destroy(enumerator);
+ free(uri);
+ }
+ else
+ {
+ INIT(cdp,
+ .uri = uri,
+ );
+ list->insert_last(list, cdp);
+ }
+ }
+ id->destroy(id);
+ }
+ while (issuers->remove_last(issuers, (void**)&id) == SUCCESS)
+ {
+ id->destroy(id);
+ }
+}
/**
* Extracts one or several crlDistributionPoints into a list
*/
-static void parse_crlDistributionPoints(chunk_t blob, int level0,
- private_x509_cert_t *this)
+void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
+ linked_list_t *list)
{
+ linked_list_t *uris, *issuers;
asn1_parser_t *parser;
chunk_t object;
int objectID;
- linked_list_t *list = linked_list_create();
+ uris = linked_list_create();
+ issuers = linked_list_create();
parser = asn1_parser_create(crlDistributionPointsObjects, blob);
parser->set_top_level(parser, level0);
while (parser->iterate(parser, &objectID, &object))
{
- if (objectID == CRL_DIST_POINTS_FULLNAME)
+ switch (objectID)
{
- identification_t *id;
+ case CRL_DIST_POINTS:
+ add_cdps(list, uris, issuers);
+ break;
+ case CRL_DIST_POINTS_FULLNAME:
+ x509_parse_generalNames(object, parser->get_level(parser) + 1,
+ TRUE, uris);
+ break;
+ case CRL_DIST_POINTS_ISSUER:
+ x509_parse_generalNames(object, parser->get_level(parser) + 1,
+ TRUE, issuers);
+ break;
+ default:
+ break;
+ }
+ }
+ parser->destroy(parser);
- /* append extracted generalNames to existing chained list */
- x509_parse_generalNames(object, parser->get_level(parser)+1,
- TRUE, list);
+ add_cdps(list, uris, issuers);
- while (list->remove_last(list, (void**)&id) == SUCCESS)
- {
- char *uri;
+ uris->destroy(uris);
+ issuers->destroy(issuers);
+}
+
+/**
+ * ASN.1 definition of nameConstraints
+ */
+static const asn1Object_t nameConstraintsObjects[] = {
+ { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
+ { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
+ { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
+ { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define NAME_CONSTRAINT_PERMITTED 2
+#define NAME_CONSTRAINT_EXCLUDED 5
+
+/**
+ * Parse permitted/excluded nameConstraints
+ */
+static void parse_nameConstraints(chunk_t blob, int level0,
+ private_x509_cert_t *this)
+{
+ asn1_parser_t *parser;
+ identification_t *id;
+ chunk_t object;
+ int objectID;
+
+ parser = asn1_parser_create(nameConstraintsObjects, blob);
+ parser->set_top_level(parser, level0);
- if (asprintf(&uri, "%Y", id) > 0)
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case NAME_CONSTRAINT_PERMITTED:
+ id = parse_generalName(object, parser->get_level(parser) + 1);
+ if (id)
{
- this->crl_uris->insert_last(this->crl_uris, uri);
+ this->permitted_names->insert_last(this->permitted_names, id);
}
- id->destroy(id);
- }
+ break;
+ case NAME_CONSTRAINT_EXCLUDED:
+ id = parse_generalName(object, parser->get_level(parser) + 1);
+ if (id)
+ {
+ this->excluded_names->insert_last(this->excluded_names, id);
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a certificatePolicies extension
+ */
+static const asn1Object_t certificatePoliciesObject[] = {
+ { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
+ { 2, "qualifier", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 3 */
+ { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
+ { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
+ { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
+ { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+ { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
+ { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
+ { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define CERT_POLICY_ID 2
+#define CERT_POLICY_QUALIFIER_ID 5
+#define CERT_POLICY_CPS_URI 6
+#define CERT_POLICY_EXPLICIT_TEXT 9
+
+/**
+ * Parse certificatePolicies
+ */
+static void parse_certificatePolicies(chunk_t blob, int level0,
+ private_x509_cert_t *this)
+{
+ x509_cert_policy_t *policy = NULL;
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID, qualifier = OID_UNKNOWN;
+
+ parser = asn1_parser_create(certificatePoliciesObject, blob);
+ parser->set_top_level(parser, level0);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case CERT_POLICY_ID:
+ INIT(policy,
+ .oid = chunk_clone(object),
+ );
+ this->cert_policies->insert_last(this->cert_policies, policy);
+ break;
+ case CERT_POLICY_QUALIFIER_ID:
+ qualifier = asn1_known_oid(object);
+ break;
+ case CERT_POLICY_CPS_URI:
+ if (policy && !policy->cps_uri && object.len &&
+ qualifier == OID_POLICY_QUALIFIER_CPS &&
+ chunk_printable(object, NULL, 0))
+ {
+ policy->cps_uri = strndup(object.ptr, object.len);
+ }
+ break;
+ case CERT_POLICY_EXPLICIT_TEXT:
+ /* TODO */
+ break;
+ default:
+ break;
+ }
+ }
+ parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a policyMappings extension
+ */
+static const asn1Object_t policyMappingsObjects[] = {
+ { 0, "policyMappings", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "policyMapping", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "issuerPolicy", ASN1_OID, ASN1_BODY }, /* 2 */
+ { 2, "subjectPolicy", ASN1_OID, ASN1_BODY }, /* 3 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define POLICY_MAPPING 1
+#define POLICY_MAPPING_ISSUER 2
+#define POLICY_MAPPING_SUBJECT 3
+
+/**
+ * Parse policyMappings
+ */
+static void parse_policyMappings(chunk_t blob, int level0,
+ private_x509_cert_t *this)
+{
+ x509_policy_mapping_t *map = NULL;
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID;
+
+ parser = asn1_parser_create(policyMappingsObjects, blob);
+ parser->set_top_level(parser, level0);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case POLICY_MAPPING:
+ INIT(map);
+ this->policy_mappings->insert_last(this->policy_mappings, map);
+ break;
+ case POLICY_MAPPING_ISSUER:
+ if (map && !map->issuer.len)
+ {
+ map->issuer = chunk_clone(object);
+ }
+ break;
+ case POLICY_MAPPING_SUBJECT:
+ if (map && !map->subject.len)
+ {
+ map->subject = chunk_clone(object);
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ parser->destroy(parser);
+}
+
+/**
+ * ASN.1 definition of a policyConstraints extension
+ */
+static const asn1Object_t policyConstraintsObjects[] = {
+ { 0, "policyConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "requireExplicitPolicy", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_NONE }, /* 1 */
+ { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 2 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
+ { 1, "inhibitPolicyMapping", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_NONE }, /* 4 */
+ { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 5 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define POLICY_CONSTRAINT_EXPLICIT 2
+#define POLICY_CONSTRAINT_INHIBIT 5
+
+/**
+ * Parse policyConstraints
+ */
+static void parse_policyConstraints(chunk_t blob, int level0,
+ private_x509_cert_t *this)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID;
+
+ parser = asn1_parser_create(policyConstraintsObjects, blob);
+ parser->set_top_level(parser, level0);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case POLICY_CONSTRAINT_EXPLICIT:
+ this->require_explicit = parse_constraint(object);
+ break;
+ case POLICY_CONSTRAINT_INHIBIT:
+ this->inhibit_mapping = parse_constraint(object);
+ break;
+ default:
+ break;
}
}
parser->destroy(parser);
- list->destroy(list);
}
/**
@@ -888,11 +1293,6 @@ static const asn1Object_t certObjects[] = {
#define X509_OBJ_SIGNATURE 25
/**
- * forward declaration
- */
-static bool issued_by(private_x509_cert_t *this, certificate_t *issuer);
-
-/**
* Parses an X.509v3 certificate
*/
static bool parse_certificate(private_x509_cert_t *this)
@@ -992,7 +1392,8 @@ static bool parse_certificate(private_x509_cert_t *this)
parse_basicConstraints(object, level, this);
break;
case OID_CRL_DISTRIBUTION_POINTS:
- parse_crlDistributionPoints(object, level, this);
+ x509_parse_crlDistributionPoints(object, level,
+ this->crl_uris);
break;
case OID_AUTHORITY_KEY_ID:
this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
@@ -1002,7 +1403,7 @@ static bool parse_certificate(private_x509_cert_t *this)
parse_authorityInfoAccess(object, level, this);
break;
case OID_KEY_USAGE:
- /* TODO parse the flags */
+ parse_keyUsage(object, this);
break;
case OID_EXTENDED_KEY_USAGE:
parse_extendedKeyUsage(object, level, this);
@@ -1010,6 +1411,26 @@ static bool parse_certificate(private_x509_cert_t *this)
case OID_IP_ADDR_BLOCKS:
parse_ipAddrBlocks(object, level, this);
break;
+ case OID_NAME_CONSTRAINTS:
+ parse_nameConstraints(object, level, this);
+ break;
+ case OID_CERTIFICATE_POLICIES:
+ parse_certificatePolicies(object, level, this);
+ break;
+ case OID_POLICY_MAPPINGS:
+ parse_policyMappings(object, level, this);
+ break;
+ case OID_POLICY_CONSTRAINTS:
+ parse_policyConstraints(object, level, this);
+ break;
+ case OID_INHIBIT_ANY_POLICY:
+ if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+ level, "inhibitAnyPolicy"))
+ {
+ goto end;
+ }
+ this->inhibit_any = parse_constraint(object);
+ break;
case OID_NS_REVOCATION_URL:
case OID_NS_CA_REVOCATION_URL:
case OID_NS_CA_POLICY_URL:
@@ -1022,9 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.x509.enforce_critical", FALSE))
+ "libstrongswan.x509.enforce_critical", TRUE))
{
- DBG1(DBG_LIB, "critical %s extension not supported",
+ DBG1(DBG_LIB, "critical '%s' extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :
(char*)oid_names[extn_oid].name);
goto end;
@@ -1057,7 +1478,9 @@ end:
hasher_t *hasher;
/* check if the certificate is self-signed */
- if (issued_by(this, &this->public.interface.interface))
+ if (this->public.interface.interface.issued_by(
+ &this->public.interface.interface,
+ &this->public.interface.interface))
{
this->flags |= X509_SELF_SIGNED;
}
@@ -1074,34 +1497,26 @@ end:
return success;
}
-/**
- * Implementation of certificate_t.get_type
- */
-static certificate_type_t get_type(private_x509_cert_t *this)
+METHOD(certificate_t, get_type, certificate_type_t,
+ private_x509_cert_t *this)
{
return CERT_X509;
}
-/**
- * Implementation of certificate_t.get_subject
- */
-static identification_t* get_subject(private_x509_cert_t *this)
+METHOD(certificate_t, get_subject, identification_t*,
+ private_x509_cert_t *this)
{
return this->subject;
}
-/**
- * Implementation of certificate_t.get_issuer
- */
-static identification_t* get_issuer(private_x509_cert_t *this)
+METHOD(certificate_t, get_issuer, identification_t*,
+ private_x509_cert_t *this)
{
return this->issuer;
}
-/**
- * Implementation of certificate_t.has_subject.
- */
-static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
+METHOD(certificate_t, has_subject, id_match_t,
+ private_x509_cert_t *this, identification_t *subject)
{
identification_t *current;
enumerator_t *enumerator;
@@ -1142,19 +1557,15 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
return best;
}
-/**
- * Implementation of certificate_t.has_issuer.
- */
-static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
+METHOD(certificate_t, has_issuer, id_match_t,
+ private_x509_cert_t *this, identification_t *issuer)
{
/* issuerAltNames currently not supported */
return this->issuer->matches(this->issuer, issuer);
}
-/**
- * Implementation of certificate_t.issued_by.
- */
-static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
+METHOD(certificate_t, issued_by, bool,
+ private_x509_cert_t *this, certificate_t *issuer)
{
public_key_t *key;
signature_scheme_t scheme;
@@ -1201,37 +1612,23 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
return valid;
}
-/**
- * Implementation of certificate_t.get_public_key
- */
-static public_key_t* get_public_key(private_x509_cert_t *this)
+METHOD(certificate_t, get_public_key, public_key_t*,
+ private_x509_cert_t *this)
{
this->public_key->get_ref(this->public_key);
return this->public_key;
}
-/**
- * Implementation of certificate_t.get_ref
- */
-static private_x509_cert_t* get_ref(private_x509_cert_t *this)
+METHOD(certificate_t, get_ref, certificate_t*,
+ private_x509_cert_t *this)
{
ref_get(&this->ref);
- return this;
+ return &this->public.interface.interface;
}
-/**
- * Implementation of x509_cert_t.get_flags.
- */
-static x509_flag_t get_flags(private_x509_cert_t *this)
-{
- return this->flags;
-}
-
-/**
- * Implementation of x509_cert_t.get_validity.
- */
-static bool get_validity(private_x509_cert_t *this, time_t *when,
- time_t *not_before, time_t *not_after)
+METHOD(certificate_t, get_validity, bool,
+ private_x509_cert_t *this, time_t *when, time_t *not_before,
+ time_t *not_after)
{
time_t t = when ? *when : time(NULL);
@@ -1246,11 +1643,8 @@ static bool get_validity(private_x509_cert_t *this, time_t *when,
return (t >= this->notBefore && t <= this->notAfter);
}
-/**
- * Implementation of certificate_t.get_encoding.
- */
-static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type,
- chunk_t *encoding)
+METHOD(certificate_t, get_encoding, bool,
+ private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
{
if (type == CERT_ASN1_DER)
{
@@ -1261,10 +1655,8 @@ static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type,
CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
}
-/**
- * Implementation of certificate_t.equals.
- */
-static bool equals(private_x509_cert_t *this, certificate_t *other)
+METHOD(certificate_t, equals, bool,
+ private_x509_cert_t *this, certificate_t *other)
{
chunk_t encoding;
bool equal;
@@ -1290,18 +1682,20 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
return equal;
}
-/**
- * Implementation of x509_t.get_serial.
- */
-static chunk_t get_serial(private_x509_cert_t *this)
+METHOD(x509_t, get_flags, x509_flag_t,
+ private_x509_cert_t *this)
+{
+ return this->flags;
+}
+
+METHOD(x509_t, get_serial, chunk_t,
+ private_x509_cert_t *this)
{
return this->serialNumber;
}
-/**
- * Implementation of x509_t.get_subjectKeyIdentifier.
- */
-static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
+METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
+ private_x509_cert_t *this)
{
if (this->subjectKeyIdentifier.ptr)
{
@@ -1323,66 +1717,95 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
}
}
-/**
- * Implementation of x509_t.get_authKeyIdentifier.
- */
-static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
+METHOD(x509_t, get_authKeyIdentifier, chunk_t,
+ private_x509_cert_t *this)
{
return this->authKeyIdentifier;
}
-/**
- * Implementation of x509_t.get_pathLenConstraint.
- */
-static int get_pathLenConstraint(private_x509_cert_t *this)
+METHOD(x509_t, get_constraint, u_int,
+ private_x509_cert_t *this, x509_constraint_t type)
{
- return this->pathLenConstraint;
+ switch (type)
+ {
+ case X509_PATH_LEN:
+ return this->pathLenConstraint;
+ case X509_REQUIRE_EXPLICIT_POLICY:
+ return this->require_explicit;
+ case X509_INHIBIT_POLICY_MAPPING:
+ return this->inhibit_mapping;
+ case X509_INHIBIT_ANY_POLICY:
+ return this->inhibit_any;
+ default:
+ return X509_NO_CONSTRAINT;
+ }
}
-/**
- * Implementation of x509_cert_t.create_subjectAltName_enumerator.
- */
-static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
+ private_x509_cert_t *this)
{
return this->subjectAltNames->create_enumerator(this->subjectAltNames);
}
-/**
- * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
- */
-static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
+ private_x509_cert_t *this)
{
return this->ocsp_uris->create_enumerator(this->ocsp_uris);
}
-/**
- * Implementation of x509_cert_t.create_crl_uri_enumerator.
- */
-static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
+ private_x509_cert_t *this)
{
return this->crl_uris->create_enumerator(this->crl_uris);
}
-/**
- * Implementation of x509_cert_t.create_ipAddrBlock_enumerator.
- */
-static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this)
+METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
+ private_x509_cert_t *this)
{
return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
}
-/**
- * Implementation of certificate_t.destroy.
- */
-static void destroy(private_x509_cert_t *this)
+METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
+ private_x509_cert_t *this, bool perm)
+{
+ if (perm)
+ {
+ return this->permitted_names->create_enumerator(this->permitted_names);
+ }
+ return this->excluded_names->create_enumerator(this->excluded_names);
+}
+
+METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*,
+ private_x509_cert_t *this)
+{
+ return this->cert_policies->create_enumerator(this->cert_policies);
+}
+
+METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
+ private_x509_cert_t *this)
+{
+ return this->policy_mappings->create_enumerator(this->policy_mappings);
+}
+
+METHOD(certificate_t, destroy, void,
+ private_x509_cert_t *this)
{
if (ref_put(&this->ref))
{
this->subjectAltNames->destroy_offset(this->subjectAltNames,
offsetof(identification_t, destroy));
- this->crl_uris->destroy_function(this->crl_uris, free);
+ this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
- this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy));
+ this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
+ offsetof(traffic_selector_t, destroy));
+ this->permitted_names->destroy_offset(this->permitted_names,
+ offsetof(identification_t, destroy));
+ this->excluded_names->destroy_offset(this->excluded_names,
+ offsetof(identification_t, destroy));
+ this->cert_policies->destroy_function(this->cert_policies,
+ (void*)cert_policy_destroy);
+ this->policy_mappings->destroy_function(this->policy_mappings,
+ (void*)policy_mapping_destroy);
DESTROY_IF(this->issuer);
DESTROY_IF(this->subject);
DESTROY_IF(this->public_key);
@@ -1404,63 +1827,93 @@ static void destroy(private_x509_cert_t *this)
*/
static private_x509_cert_t* create_empty(void)
{
- private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
-
- this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
- this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
- this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
- this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
- this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
- this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
- this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
- this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
- this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
- this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
- this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
- this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
- this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
- this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
- this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier;
- this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
- this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint;
- this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
- this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
- this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
- this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator;
-
- this->encoding = chunk_empty;
- this->encoding_hash = chunk_empty;
- this->tbsCertificate = chunk_empty;
- this->version = 1;
- this->serialNumber = chunk_empty;
- this->notBefore = 0;
- this->notAfter = 0;
- this->public_key = NULL;
- this->subject = NULL;
- this->issuer = NULL;
- this->subjectAltNames = linked_list_create();
- this->crl_uris = linked_list_create();
- this->ocsp_uris = linked_list_create();
- this->ipAddrBlocks = linked_list_create();
- this->subjectKeyIdentifier = chunk_empty;
- this->authKeyIdentifier = chunk_empty;
- this->authKeySerialNumber = chunk_empty;
- this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
- this->algorithm = 0;
- this->signature = chunk_empty;
- this->flags = 0;
- this->ref = 1;
- this->parsed = FALSE;
-
+ private_x509_cert_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .interface = {
+ .get_type = _get_type,
+ .get_subject = _get_subject,
+ .get_issuer = _get_issuer,
+ .has_subject = _has_subject,
+ .has_issuer = _has_issuer,
+ .issued_by = _issued_by,
+ .get_public_key = _get_public_key,
+ .get_validity = _get_validity,
+ .get_encoding = _get_encoding,
+ .equals = _equals,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_flags = _get_flags,
+ .get_serial = _get_serial,
+ .get_subjectKeyIdentifier = _get_subjectKeyIdentifier,
+ .get_authKeyIdentifier = _get_authKeyIdentifier,
+ .get_constraint = _get_constraint,
+ .create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
+ .create_crl_uri_enumerator = _create_crl_uri_enumerator,
+ .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
+ .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
+ .create_name_constraint_enumerator = _create_name_constraint_enumerator,
+ .create_cert_policy_enumerator = _create_cert_policy_enumerator,
+ .create_policy_mapping_enumerator = _create_policy_mapping_enumerator,
+ },
+ },
+ .version = 1,
+ .subjectAltNames = linked_list_create(),
+ .crl_uris = linked_list_create(),
+ .ocsp_uris = linked_list_create(),
+ .ipAddrBlocks = linked_list_create(),
+ .permitted_names = linked_list_create(),
+ .excluded_names = linked_list_create(),
+ .cert_policies = linked_list_create(),
+ .policy_mappings = linked_list_create(),
+ .pathLenConstraint = X509_NO_CONSTRAINT,
+ .require_explicit = X509_NO_CONSTRAINT,
+ .inhibit_mapping = X509_NO_CONSTRAINT,
+ .inhibit_any = X509_NO_CONSTRAINT,
+ .ref = 1,
+ );
return this;
}
/**
+ * Build a generalName from an id
+ */
+chunk_t build_generalName(identification_t *id)
+{
+ int context;
+
+ switch (id->get_type(id))
+ {
+ case ID_RFC822_ADDR:
+ context = ASN1_CONTEXT_S_1;
+ break;
+ case ID_FQDN:
+ context = ASN1_CONTEXT_S_2;
+ break;
+ case ID_DER_ASN1_DN:
+ context = ASN1_CONTEXT_C_4;
+ break;
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ context = ASN1_CONTEXT_S_7;
+ break;
+ default:
+ DBG1(DBG_LIB, "encoding %N as generalName not supported",
+ id_type_names, id->get_type(id));
+ return chunk_empty;
+ }
+ return asn1_wrap(context, "c", id->get_encoding(id));
+}
+
+/**
* Encode a linked list of subjectAltNames
*/
chunk_t x509_build_subjectAltNames(linked_list_t *list)
{
- chunk_t subjectAltNames = chunk_empty;
+ chunk_t subjectAltNames = chunk_empty, name;
enumerator_t *enumerator;
identification_t *id;
@@ -1472,29 +1925,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &id))
{
- int context;
- chunk_t name;
-
- switch (id->get_type(id))
- {
- case ID_RFC822_ADDR:
- context = ASN1_CONTEXT_S_1;
- break;
- case ID_FQDN:
- context = ASN1_CONTEXT_S_2;
- break;
- case ID_IPV4_ADDR:
- case ID_IPV6_ADDR:
- context = ASN1_CONTEXT_S_7;
- break;
- default:
- DBG1(DBG_LIB, "encoding %N as subjectAltName not supported",
- id_type_names, id->get_type(id));
- enumerator->destroy(enumerator);
- free(subjectAltNames.ptr);
- return chunk_empty;
- }
- name = asn1_wrap(context, "c", id->get_encoding(id));
+ name = build_generalName(id);
subjectAltNames = chunk_cat("mm", subjectAltNames, name);
}
enumerator->destroy(enumerator);
@@ -1508,6 +1939,47 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
}
/**
+ * Encode CRL distribution points extension from a x509_cdp_t list
+ */
+chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
+{
+ chunk_t crlDistributionPoints = chunk_empty;
+ enumerator_t *enumerator;
+ x509_cdp_t *cdp;
+
+ if (list->get_count(list) == 0)
+ {
+ return chunk_empty;
+ }
+
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &cdp))
+ {
+ chunk_t distributionPoint, crlIssuer = chunk_empty;
+
+ if (cdp->issuer)
+ {
+ crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m",
+ build_generalName(cdp->issuer));
+ }
+ distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_wrap(ASN1_CONTEXT_C_0, "m",
+ asn1_wrap(ASN1_CONTEXT_C_0, "m",
+ asn1_wrap(ASN1_CONTEXT_S_6, "c",
+ chunk_create(cdp->uri, strlen(cdp->uri))))),
+ crlIssuer);
+ crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
+ distributionPoint);
+ }
+ enumerator->destroy(enumerator);
+
+ return asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(extn),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
+}
+
+/**
* Generate and sign a new certificate
*/
static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
@@ -1515,12 +1987,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
{
chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
- chunk_t ocspSigning = chunk_empty;
- chunk_t basicConstraints = chunk_empty;
- chunk_t keyUsage = chunk_empty;
- chunk_t subjectAltNames = chunk_empty;
+ chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
+ chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
+ chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
+ chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty;
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
+ chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
identification_t *issuer, *subject;
chunk_t key_info;
signature_scheme_t scheme;
@@ -1574,29 +2047,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
/* encode subjectAltNames */
subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
- /* encode CRL distribution points extension */
- enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
- while (enumerator->enumerate(enumerator, &uri))
- {
- chunk_t distributionPoint;
-
- distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m",
- asn1_wrap(ASN1_CONTEXT_C_0, "m",
- asn1_wrap(ASN1_CONTEXT_C_0, "m",
- asn1_wrap(ASN1_CONTEXT_S_6, "c",
- chunk_create(uri, strlen(uri))))));
-
- crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
- distributionPoint);
- }
- enumerator->destroy(enumerator);
- if (crlDistributionPoints.ptr)
- {
- crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
- asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
- }
+ crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris,
+ OID_CRL_DISTRIBUTION_POINTS);
/* encode OCSP URIs in authorityInfoAccess extension */
enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
@@ -1625,11 +2077,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
{
chunk_t pathLenConstraint = chunk_empty;
- if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
+ if (cert->pathLenConstraint != X509_NO_CONSTRAINT)
{
- char pathlen = (char)cert->pathLenConstraint;
-
- pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
+ pathLenConstraint = asn1_integer("c",
+ chunk_from_thing(cert->pathLenConstraint));
}
basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
@@ -1640,13 +2091,20 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)),
pathLenConstraint)));
+ /* set CertificateSign and implicitly CRLsign */
+ keyUsageBits = chunk_from_chars(0x01, 0x06);
+ }
+ else if (cert->flags & X509_CRL_SIGN)
+ {
+ keyUsageBits = chunk_from_chars(0x01, 0x02);
+ }
+ if (keyUsageBits.len)
+ {
keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
- asn1_build_known_oid(OID_KEY_USAGE),
- asn1_wrap(ASN1_BOOLEAN, "c",
- chunk_from_chars(0xFF)),
- asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_BIT_STRING, "c",
- chunk_from_chars(0x01, 0x06))));
+ asn1_build_known_oid(OID_KEY_USAGE),
+ asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
}
/* add serverAuth extendedKeyUsage flag */
@@ -1675,7 +2133,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
}
/* add subjectKeyIdentifier to CA and OCSP signer certificates */
- if (cert->flags & (X509_CA | X509_OCSP_SIGNER))
+ if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
{
chunk_t keyid;
@@ -1703,15 +2161,153 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
}
}
+
+ if (cert->permitted_names->get_count(cert->permitted_names) ||
+ cert->excluded_names->get_count(cert->excluded_names))
+ {
+ chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree;
+ identification_t *id;
+
+ enumerator = create_name_constraint_enumerator(cert, TRUE);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
+ permitted = chunk_cat("mm", permitted, subtree);
+ }
+ enumerator->destroy(enumerator);
+ if (permitted.ptr)
+ {
+ permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted);
+ }
+
+ enumerator = create_name_constraint_enumerator(cert, FALSE);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id));
+ excluded = chunk_cat("mm", excluded, subtree);
+ }
+ enumerator->destroy(enumerator);
+ if (excluded.ptr)
+ {
+ excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded);
+ }
+
+ nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_NAME_CONSTRAINTS),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ permitted, excluded)));
+ }
+
+ if (cert->cert_policies->get_count(cert->cert_policies))
+ {
+ x509_cert_policy_t *policy;
+
+ enumerator = create_cert_policy_enumerator(cert);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty;
+
+ if (policy->cps_uri)
+ {
+ cps = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS),
+ asn1_wrap(ASN1_IA5STRING, "c",
+ chunk_create(policy->cps_uri,
+ strlen(policy->cps_uri))));
+ }
+ if (policy->unotice_text)
+ {
+ notice = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE),
+ asn1_wrap(ASN1_SEQUENCE, "m",
+ asn1_wrap(ASN1_VISIBLESTRING, "c",
+ chunk_create(policy->unotice_text,
+ strlen(policy->unotice_text)))));
+ }
+ if (cps.len || notice.len)
+ {
+ chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice);
+ }
+ chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_wrap(ASN1_OID, "c", policy->oid), chunk);
+ certPolicies = chunk_cat("mm", certPolicies, chunk);
+ }
+ enumerator->destroy(enumerator);
+
+ certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_CERTIFICATE_POLICIES),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "m", certPolicies)));
+ }
+
+ if (cert->policy_mappings->get_count(cert->policy_mappings))
+ {
+ x509_policy_mapping_t *mapping;
+
+ enumerator = create_policy_mapping_enumerator(cert);
+ while (enumerator->enumerate(enumerator, &mapping))
+ {
+ chunk_t chunk;
+
+ chunk = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_wrap(ASN1_OID, "c", mapping->issuer),
+ asn1_wrap(ASN1_OID, "c", mapping->subject));
+ policyMappings = chunk_cat("mm", policyMappings, chunk);
+ }
+ enumerator->destroy(enumerator);
+
+ policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_POLICY_MAPPINGS),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "m", policyMappings)));
+ }
+
+ if (cert->inhibit_mapping != X509_NO_CONSTRAINT ||
+ cert->require_explicit != X509_NO_CONSTRAINT)
+ {
+ chunk_t inhibit = chunk_empty, explicit = chunk_empty;
+
+ if (cert->require_explicit != X509_NO_CONSTRAINT)
+ {
+ explicit = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+ asn1_integer("c",
+ chunk_from_thing(cert->require_explicit)));
+ }
+ if (cert->inhibit_mapping != X509_NO_CONSTRAINT)
+ {
+ inhibit = asn1_wrap(ASN1_CONTEXT_C_1, "m",
+ asn1_integer("c",
+ chunk_from_thing(cert->inhibit_mapping)));
+ }
+ policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_POLICY_CONSTRAINTS),
+ asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ explicit, inhibit)));
+ }
+
+ if (cert->inhibit_any != X509_NO_CONSTRAINT)
+ {
+ inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_INHIBIT_ANY_POLICY),
+ asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_integer("c",
+ chunk_from_thing(cert->inhibit_any))));
+ }
+
if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
- crlDistributionPoints.ptr)
+ crlDistributionPoints.ptr || nameConstraints.ptr)
{
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm",
basicConstraints, keyUsage, subjectKeyIdentifier,
authKeyIdentifier, subjectAltNames,
extendedKeyUsage, crlDistributionPoints,
- authorityInfoAccess));
+ authorityInfoAccess, nameConstraints, certPolicies,
+ policyMappings, policyConstraints, inhibitAnyPolicy));
}
cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
@@ -1794,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
certificate_t *sign_cert = NULL;
private_key_t *sign_key = NULL;
hash_algorithm_t digest_alg = HASH_SHA1;
+ u_int constraint;
cert = create_empty();
while (TRUE)
@@ -1837,13 +2434,17 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
{
enumerator_t *enumerator;
linked_list_t *list;
- char *uri;
+ x509_cdp_t *in, *cdp;
list = va_arg(args, linked_list_t*);
enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, &uri))
+ while (enumerator->enumerate(enumerator, &in))
{
- cert->crl_uris->insert_last(cert->crl_uris, strdup(uri));
+ INIT(cdp,
+ .uri = strdup(in->uri),
+ .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
+ );
+ cert->crl_uris->insert_last(cert->crl_uris, cdp);
}
enumerator->destroy(enumerator);
continue;
@@ -1864,11 +2465,96 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
continue;
}
case BUILD_PATHLEN:
- cert->pathLenConstraint = va_arg(args, int);
- if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
+ constraint = va_arg(args, u_int);
+ cert->pathLenConstraint = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
+ continue;
+ case BUILD_PERMITTED_NAME_CONSTRAINTS:
+ {
+ enumerator_t *enumerator;
+ linked_list_t *list;
+ identification_t *constraint;
+
+ list = va_arg(args, linked_list_t*);
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &constraint))
+ {
+ cert->permitted_names->insert_last(cert->permitted_names,
+ constraint->clone(constraint));
+ }
+ enumerator->destroy(enumerator);
+ continue;
+ }
+ case BUILD_EXCLUDED_NAME_CONSTRAINTS:
+ {
+ enumerator_t *enumerator;
+ linked_list_t *list;
+ identification_t *constraint;
+
+ list = va_arg(args, linked_list_t*);
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &constraint))
+ {
+ cert->excluded_names->insert_last(cert->excluded_names,
+ constraint->clone(constraint));
+ }
+ enumerator->destroy(enumerator);
+ continue;
+ }
+ case BUILD_CERTIFICATE_POLICIES:
+ {
+ enumerator_t *enumerator;
+ linked_list_t *list;
+ x509_cert_policy_t *policy, *in;
+
+ list = va_arg(args, linked_list_t*);
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &in))
+ {
+ INIT(policy,
+ .oid = chunk_clone(in->oid),
+ .cps_uri = strdupnull(in->cps_uri),
+ .unotice_text = strdupnull(in->unotice_text),
+ );
+ cert->cert_policies->insert_last(cert->cert_policies, policy);
+ }
+ enumerator->destroy(enumerator);
+ continue;
+ }
+ case BUILD_POLICY_MAPPINGS:
+ {
+ enumerator_t *enumerator;
+ linked_list_t *list;
+ x509_policy_mapping_t* mapping, *in;
+
+ list = va_arg(args, linked_list_t*);
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &in))
{
- cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
+ INIT(mapping,
+ .issuer = chunk_clone(in->issuer),
+ .subject = chunk_clone(in->subject),
+ );
+ cert->policy_mappings->insert_last(cert->policy_mappings,
+ mapping);
}
+ enumerator->destroy(enumerator);
+ continue;
+ }
+ case BUILD_POLICY_REQUIRE_EXPLICIT:
+ constraint = va_arg(args, u_int);
+ cert->require_explicit = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
+ continue;
+ case BUILD_POLICY_INHIBIT_MAPPING:
+ constraint = va_arg(args, u_int);
+ cert->inhibit_mapping = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
+ continue;
+ case BUILD_POLICY_INHIBIT_ANY:
+ constraint = va_arg(args, u_int);
+ cert->inhibit_any = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_NOT_BEFORE_TIME:
cert->notBefore = va_arg(args, time_t);
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 4bd0470d3..758505ab5 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -100,6 +100,11 @@ struct private_x509_crl_t {
linked_list_t *revoked;
/**
+ * List of Freshest CRL distribution points
+ */
+ linked_list_t *crl_uris;
+
+ /**
* Authority Key Identifier
*/
chunk_t authKeyIdentifier;
@@ -110,6 +115,11 @@ struct private_x509_crl_t {
chunk_t authKeySerialNumber;
/**
+ * Number of BaseCRL, if a delta CRL
+ */
+ chunk_t baseCrlNumber;
+
+ /**
* Signature algorithm
*/
int algorithm;
@@ -133,9 +143,19 @@ struct private_x509_crl_t {
/**
* from x509_cert
*/
-extern chunk_t x509_parse_authorityKeyIdentifier(
- chunk_t blob, int level0,
- chunk_t *authKeySerialNumber);
+extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
+ chunk_t *authKeySerialNumber);
+
+/**
+ * from x509_cert
+ */
+extern void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
+ linked_list_t *list);
+
+/**
+ * from x509_cert
+ */
+extern chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn);
/**
* ASN.1 definition of an X.509 certificate revocation list
@@ -206,7 +226,7 @@ static bool parse(private_x509_crl_t *this)
int objectID;
int sig_alg = OID_UNKNOWN;
bool success = FALSE;
- bool critical;
+ bool critical = FALSE;
revoked_t *revoked = NULL;
parser = asn1_parser_create(crlObjects, this->encoding);
@@ -258,35 +278,61 @@ static bool parse(private_x509_crl_t *this)
break;
case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
case CRL_OBJ_EXTN_VALUE:
- {
- int extn_oid = asn1_known_oid(extnID);
+ {
+ int extn_oid = asn1_known_oid(extnID);
- if (revoked && extn_oid == OID_CRL_REASON_CODE)
- {
- if (*object.ptr == ASN1_ENUMERATED &&
- asn1_length(&object) == 1)
+ switch (extn_oid)
+ {
+ case OID_CRL_REASON_CODE:
+ if (revoked)
{
- revoked->reason = *object.ptr;
+ if (object.len && *object.ptr == ASN1_ENUMERATED &&
+ asn1_length(&object) == 1)
+ {
+ revoked->reason = *object.ptr;
+ }
+ DBG2(DBG_LIB, " '%N'", crl_reason_names,
+ revoked->reason);
}
- DBG2(DBG_LIB, " '%N'", crl_reason_names,
- revoked->reason);
- }
- else if (extn_oid == OID_AUTHORITY_KEY_ID)
- {
- this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
- level, &this->authKeySerialNumber);
- }
- else if (extn_oid == OID_CRL_NUMBER)
- {
+ break;
+ case OID_AUTHORITY_KEY_ID:
+ this->authKeyIdentifier =
+ x509_parse_authorityKeyIdentifier(
+ object, level, &this->authKeySerialNumber);
+ break;
+ case OID_CRL_NUMBER:
if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
level, "crlNumber"))
{
goto end;
}
this->crlNumber = object;
- }
+ break;
+ case OID_FRESHEST_CRL:
+ x509_parse_crlDistributionPoints(object, level,
+ this->crl_uris);
+ break;
+ case OID_DELTA_CRL_INDICATOR:
+ if (!asn1_parse_simple_object(&object, ASN1_INTEGER,
+ level, "deltaCrlIndicator"))
+ {
+ goto end;
+ }
+ this->baseCrlNumber = object;
+ break;
+ default:
+ if (critical && lib->settings->get_bool(lib->settings,
+ "libstrongswan.x509.enforce_critical", TRUE))
+ {
+ DBG1(DBG_LIB, "critical '%s' extension not supported",
+ (extn_oid == OID_UNKNOWN) ? "unknown" :
+ (char*)oid_names[extn_oid].name);
+ goto end;
+ }
+ break;
}
break;
+ }
case CRL_OBJ_ALGORITHM:
{
this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
@@ -344,6 +390,26 @@ METHOD(crl_t, get_authKeyIdentifier, chunk_t,
return this->authKeyIdentifier;
}
+METHOD(crl_t, is_delta_crl, bool,
+ private_x509_crl_t *this, chunk_t *base_crl)
+{
+ if (this->baseCrlNumber.len)
+ {
+ if (base_crl)
+ {
+ *base_crl = this->baseCrlNumber;
+ }
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*,
+ private_x509_crl_t *this)
+{
+ return this->crl_uris->create_enumerator(this->crl_uris);
+}
+
METHOD(crl_t, create_enumerator, enumerator_t*,
private_x509_crl_t *this)
{
@@ -388,7 +454,7 @@ METHOD(certificate_t, issued_by, bool,
{
return FALSE;
}
- if (!(x509->get_flags(x509) & X509_CA))
+ if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
{
return FALSE;
}
@@ -501,18 +567,30 @@ static void revoked_destroy(revoked_t *revoked)
free(revoked);
}
+/**
+ * Destroy a CDP entry
+ */
+static void cdp_destroy(x509_cdp_t *this)
+{
+ free(this->uri);
+ DESTROY_IF(this->issuer);
+ free(this);
+}
+
METHOD(certificate_t, destroy, void,
private_x509_crl_t *this)
{
if (ref_put(&this->ref))
{
this->revoked->destroy_function(this->revoked, (void*)revoked_destroy);
+ this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy);
DESTROY_IF(this->issuer);
free(this->authKeyIdentifier.ptr);
free(this->encoding.ptr);
if (this->generated)
{
free(this->crlNumber.ptr);
+ free(this->baseCrlNumber.ptr);
free(this->signature.ptr);
free(this->tbsCertList.ptr);
}
@@ -546,10 +624,13 @@ static private_x509_crl_t* create_empty(void)
},
.get_serial = _get_serial,
.get_authKeyIdentifier = _get_authKeyIdentifier,
+ .is_delta_crl = _is_delta_crl,
+ .create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator,
.create_enumerator = _create_enumerator,
},
},
.revoked = linked_list_create(),
+ .crl_uris = linked_list_create(),
.ref = 1,
);
return this;
@@ -618,6 +699,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
private_key_t *key, hash_algorithm_t digest_alg)
{
chunk_t extensions = chunk_empty, certList = chunk_empty, serial;
+ chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty;
enumerator_t *enumerator;
crl_reason_t reason;
time_t date;
@@ -625,7 +707,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
x509 = (x509_t*)cert;
- this->issuer = cert->get_issuer(cert);
+ this->issuer = cert->get_subject(cert);
this->issuer = this->issuer->clone(this->issuer);
this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509));
@@ -660,8 +742,21 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
}
enumerator->destroy(enumerator);
+ crlDistributionPoints = x509_build_crlDistributionPoints(this->crl_uris,
+ OID_FRESHEST_CRL);
+
+ if (this->baseCrlNumber.len)
+ {
+ baseCrlNumber = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_DELTA_CRL_INDICATOR),
+ asn1_wrap(ASN1_BOOLEAN, "c",
+ chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_integer("c", this->baseCrlNumber)));
+ }
+
extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m",
- asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmm",
asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
asn1_wrap(ASN1_OCTET_STRING, "m",
@@ -671,9 +766,8 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_CRL_NUMBER),
asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_integer("c", this->crlNumber))
- )
- ));
+ asn1_integer("c", this->crlNumber))),
+ crlDistributionPoints, baseCrlNumber));
this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm",
ASN1_INTEGER_1,
@@ -736,6 +830,29 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args)
case BUILD_REVOKED_ENUMERATOR:
read_revoked(crl, va_arg(args, enumerator_t*));
continue;
+ case BUILD_BASE_CRL:
+ crl->baseCrlNumber = va_arg(args, chunk_t);
+ crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber);
+ break;
+ case BUILD_CRL_DISTRIBUTION_POINTS:
+ {
+ enumerator_t *enumerator;
+ linked_list_t *list;
+ x509_cdp_t *in, *cdp;
+
+ list = va_arg(args, linked_list_t*);
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &in))
+ {
+ INIT(cdp,
+ .uri = strdup(in->uri),
+ .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
+ );
+ crl->crl_uris->insert_last(crl->crl_uris, cdp);
+ }
+ enumerator->destroy(enumerator);
+ continue;
+ }
case BUILD_END:
break;
default:
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 11a7f023c..d40cc3567 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -36,10 +36,8 @@ struct private_x509_plugin_t {
x509_plugin_t public;
};
-/**
- * Implementation of x509_plugin_t.x509troy
- */
-static void destroy(private_x509_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_x509_plugin_t *this)
{
lib->creds->remove_builder(lib->creds,
(builder_function_t)x509_cert_gen);
@@ -69,9 +67,15 @@ static void destroy(private_x509_plugin_t *this)
*/
plugin_t *x509_plugin_create()
{
- private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t);
+ private_x509_plugin_t *this;
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
(builder_function_t)x509_cert_gen);
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index e82e5246f..06d7a2121 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -220,9 +220,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -261,6 +259,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 88156f383..65e88335c 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -19,6 +19,8 @@
#include "xcbc_signer.h"
#include "xcbc_prf.h"
+static const char *plugin_name = "xcbc";
+
typedef struct private_xcbc_plugin_t private_xcbc_plugin_t;
/**
@@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void,
plugin_t *xcbc_plugin_create()
{
private_xcbc_plugin_t *this;
+ crypter_t *crypter;
INIT(this,
.public = {
@@ -57,15 +60,24 @@ plugin_t *xcbc_plugin_create()
},
);
- lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC,
- (prf_constructor_t)xcbc_prf_create);
- lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC,
- (prf_constructor_t)xcbc_prf_create);
- lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96,
- (signer_constructor_t)xcbc_signer_create);
- lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96,
- (signer_constructor_t)xcbc_signer_create);
-
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, plugin_name,
+ (prf_constructor_t)xcbc_prf_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, plugin_name,
+ (signer_constructor_t)xcbc_signer_create);
+ }
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, plugin_name,
+ (prf_constructor_t)xcbc_prf_create);
+ lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, plugin_name,
+ (signer_constructor_t)xcbc_signer_create);
+ }
return &this->public.plugin;
}