Diffstat (limited to 'src/libstrongswan')
-rw-r--r--src/libstrongswan/Makefile.am19
-rw-r--r--src/libstrongswan/Makefile.in347
-rw-r--r--src/libstrongswan/asn1/asn1.c72
-rw-r--r--src/libstrongswan/asn1/asn1.h13
-rw-r--r--src/libstrongswan/asn1/oid.c440
-rw-r--r--src/libstrongswan/asn1/oid.h245
-rw-r--r--src/libstrongswan/asn1/oid.txt6
-rw-r--r--src/libstrongswan/chunk.c27
-rw-r--r--src/libstrongswan/chunk.h22
-rw-r--r--src/libstrongswan/credentials/credential_factory.c2
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c10
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h2
-rw-r--r--src/libstrongswan/crypto/crypto_factory.c2
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c22
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.c10
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.h8
-rw-r--r--src/libstrongswan/database/database_factory.c2
-rw-r--r--src/libstrongswan/fetcher/fetcher_manager.c2
-rw-r--r--src/libstrongswan/fips/Makefile.am19
-rw-r--r--src/libstrongswan/fips/Makefile.in484
-rw-r--r--src/libstrongswan/fips/fips.c96
-rw-r--r--src/libstrongswan/fips/fips.h44
-rw-r--r--src/libstrongswan/fips/fips_canister_end.c166
-rw-r--r--src/libstrongswan/fips/fips_canister_start.c167
-rw-r--r--src/libstrongswan/fips/fips_signer.c68
-rw-r--r--src/libstrongswan/integrity_checker.c332
-rw-r--r--src/libstrongswan/integrity_checker.h111
-rw-r--r--src/libstrongswan/library.c27
-rw-r--r--src/libstrongswan/library.h23
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/des/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/des/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c3
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c4
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c61
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c14
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c4
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_database.c2
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crypter.c18
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c20
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_hasher.c1
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c8
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_util.c15
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/padlock/padlock_plugin.c2
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c27
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/random/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/random/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sha2/sha2_hasher.c64
-rw-r--r--src/libstrongswan/plugins/sha2/sha2_plugin.c2
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sqlite/sqlite_database.c2
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors.h3
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c35
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.in7
-rw-r--r--src/libstrongswan/utils.c42
-rw-r--r--src/libstrongswan/utils.h23
-rw-r--r--src/libstrongswan/utils/enumerator.c6
-rw-r--r--src/libstrongswan/utils/host.c139
-rw-r--r--src/libstrongswan/utils/identification.c878
-rw-r--r--src/libstrongswan/utils/mutex.c8
-rw-r--r--src/libstrongswan/utils/mutex.h35
103 files changed, 1990 insertions, 2427 deletions
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 212b9547d..ee6996558 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,14 +1,6 @@
lib_LTLIBRARIES = libstrongswan.la
-if USE_INTEGRITY_TEST
- libstrongswan_la_SOURCES = \
- fips/fips_canister_start.c \
- fips/fips.c fips/fips.h
-else
- libstrongswan_la_SOURCES =
-endif
-
-libstrongswan_la_SOURCES += \
+libstrongswan_la_SOURCES = \
library.c library.h \
chunk.c chunk.h \
debug.c debug.h \
@@ -58,7 +50,7 @@ utils/mutex.c utils/mutex.h \
utils/backtrace.c utils/backtrace.h \
plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
-libstrongswan_la_LIBADD = -lpthread $(DLLIB)
+libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB)
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = \
@@ -76,8 +68,9 @@ if USE_LOCK_PROFILER
endif
if USE_INTEGRITY_TEST
+ AM_CFLAGS += -DINTEGRITY_TEST
libstrongswan_la_SOURCES += \
- fips/fips_canister_end.c
+ integrity_checker.c integrity_checker.h
endif
if USE_VSTR
@@ -204,7 +197,3 @@ endif
if USE_TEST_VECTORS
SUBDIRS += plugins/test_vectors
endif
-
-if USE_INTEGRITY_TEST
- SUBDIRS += fips
-endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index dd25f0526..ae751c098 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -37,31 +37,34 @@ host_triplet = @host@
@USE_LEAK_DETECTIVE_TRUE@ utils/leak_detective.c utils/leak_detective.h
@USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
-@USE_VSTR_TRUE@am__append_4 = -lvstr
-@USE_AES_TRUE@am__append_5 = plugins/aes
-@USE_DES_TRUE@am__append_6 = plugins/des
-@USE_BLOWFISH_TRUE@am__append_7 = plugins/blowfish
-@USE_MD4_TRUE@am__append_8 = plugins/md4
-@USE_MD5_TRUE@am__append_9 = plugins/md5
-@USE_SHA1_TRUE@am__append_10 = plugins/sha1
-@USE_SHA2_TRUE@am__append_11 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_12 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_13 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_14 = plugins/random
-@USE_HMAC_TRUE@am__append_15 = plugins/hmac
-@USE_XCBC_TRUE@am__append_16 = plugins/xcbc
-@USE_X509_TRUE@am__append_17 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_18 = plugins/pubkey
-@USE_CURL_TRUE@am__append_19 = plugins/curl
-@USE_LDAP_TRUE@am__append_20 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_21 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_22 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_23 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_24 = plugins/openssl
-@USE_GCRYPT_TRUE@am__append_25 = plugins/gcrypt
-@USE_AGENT_TRUE@am__append_26 = plugins/agent
-@USE_TEST_VECTORS_TRUE@am__append_27 = plugins/test_vectors
-@USE_INTEGRITY_TEST_TRUE@am__append_28 = fips
+@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
+@USE_INTEGRITY_TEST_TRUE@am__append_5 = \
+@USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h
+
+@USE_VSTR_TRUE@am__append_6 = -lvstr
+@USE_AES_TRUE@am__append_7 = plugins/aes
+@USE_DES_TRUE@am__append_8 = plugins/des
+@USE_BLOWFISH_TRUE@am__append_9 = plugins/blowfish
+@USE_MD4_TRUE@am__append_10 = plugins/md4
+@USE_MD5_TRUE@am__append_11 = plugins/md5
+@USE_SHA1_TRUE@am__append_12 = plugins/sha1
+@USE_SHA2_TRUE@am__append_13 = plugins/sha2
+@USE_FIPS_PRF_TRUE@am__append_14 = plugins/fips_prf
+@USE_GMP_TRUE@am__append_15 = plugins/gmp
+@USE_RANDOM_TRUE@am__append_16 = plugins/random
+@USE_HMAC_TRUE@am__append_17 = plugins/hmac
+@USE_XCBC_TRUE@am__append_18 = plugins/xcbc
+@USE_X509_TRUE@am__append_19 = plugins/x509
+@USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey
+@USE_CURL_TRUE@am__append_21 = plugins/curl
+@USE_LDAP_TRUE@am__append_22 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_23 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_24 = plugins/sqlite
+@USE_PADLOCK_TRUE@am__append_25 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_26 = plugins/openssl
+@USE_GCRYPT_TRUE@am__append_27 = plugins/gcrypt
+@USE_AGENT_TRUE@am__append_28 = plugins/agent
+@USE_TEST_VECTORS_TRUE@am__append_29 = plugins/test_vectors
subdir = src/libstrongswan
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -81,6 +84,7 @@ libLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(lib_LTLIBRARIES)
am__DEPENDENCIES_1 =
libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1)
am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
@@ -123,51 +127,20 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
utils/backtrace.h plugins/plugin_loader.c \
plugins/plugin_loader.h plugins/plugin.h \
utils/leak_detective.c utils/leak_detective.h \
- fips/fips_canister_start.c fips/fips.c fips/fips.h \
- fips/fips_canister_end.c
+ integrity_checker.c integrity_checker.h
@USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
-@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \
-@USE_INTEGRITY_TEST_FALSE@ chunk.lo debug.lo enum.lo \
-@USE_INTEGRITY_TEST_FALSE@ settings.lo printf_hook.lo asn1.lo \
-@USE_INTEGRITY_TEST_FALSE@ asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_FALSE@ crypter.lo hasher.lo pkcs9.lo \
-@USE_INTEGRITY_TEST_FALSE@ proposal_keywords.lo prf.lo rng.lo \
-@USE_INTEGRITY_TEST_FALSE@ prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_FALSE@ crypto_factory.lo crypto_tester.lo \
-@USE_INTEGRITY_TEST_FALSE@ diffie_hellman.lo transform.lo \
-@USE_INTEGRITY_TEST_FALSE@ credential_factory.lo builder.lo \
-@USE_INTEGRITY_TEST_FALSE@ private_key.lo public_key.lo \
-@USE_INTEGRITY_TEST_FALSE@ shared_key.lo certificate.lo x509.lo \
-@USE_INTEGRITY_TEST_FALSE@ crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_FALSE@ database_factory.lo \
-@USE_INTEGRITY_TEST_FALSE@ fetcher_manager.lo pgp.lo utils.lo \
-@USE_INTEGRITY_TEST_FALSE@ host.lo identification.lo \
-@USE_INTEGRITY_TEST_FALSE@ lexparser.lo linked_list.lo \
-@USE_INTEGRITY_TEST_FALSE@ hashtable.lo enumerator.lo \
-@USE_INTEGRITY_TEST_FALSE@ optionsfrom.lo mutex.lo backtrace.lo \
-@USE_INTEGRITY_TEST_FALSE@ plugin_loader.lo $(am__objects_1)
-@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS = \
-@USE_INTEGRITY_TEST_TRUE@ fips_canister_start.lo fips.lo \
-@USE_INTEGRITY_TEST_TRUE@ library.lo chunk.lo debug.lo enum.lo \
-@USE_INTEGRITY_TEST_TRUE@ settings.lo printf_hook.lo asn1.lo \
-@USE_INTEGRITY_TEST_TRUE@ asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_TRUE@ crypter.lo hasher.lo pkcs9.lo \
-@USE_INTEGRITY_TEST_TRUE@ proposal_keywords.lo prf.lo rng.lo \
-@USE_INTEGRITY_TEST_TRUE@ prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_TRUE@ crypto_factory.lo crypto_tester.lo \
-@USE_INTEGRITY_TEST_TRUE@ diffie_hellman.lo transform.lo \
-@USE_INTEGRITY_TEST_TRUE@ credential_factory.lo builder.lo \
-@USE_INTEGRITY_TEST_TRUE@ private_key.lo public_key.lo \
-@USE_INTEGRITY_TEST_TRUE@ shared_key.lo certificate.lo x509.lo \
-@USE_INTEGRITY_TEST_TRUE@ crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_TRUE@ database_factory.lo \
-@USE_INTEGRITY_TEST_TRUE@ fetcher_manager.lo pgp.lo utils.lo \
-@USE_INTEGRITY_TEST_TRUE@ host.lo identification.lo \
-@USE_INTEGRITY_TEST_TRUE@ lexparser.lo linked_list.lo \
-@USE_INTEGRITY_TEST_TRUE@ hashtable.lo enumerator.lo \
-@USE_INTEGRITY_TEST_TRUE@ optionsfrom.lo mutex.lo backtrace.lo \
-@USE_INTEGRITY_TEST_TRUE@ plugin_loader.lo $(am__objects_1) \
-@USE_INTEGRITY_TEST_TRUE@ fips_canister_end.lo
+@USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
+am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
+ settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
+ pem.lo crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo \
+ prf.lo rng.lo prf_plus.lo signer.lo crypto_factory.lo \
+ crypto_tester.lo diffie_hellman.lo transform.lo \
+ credential_factory.lo builder.lo private_key.lo public_key.lo \
+ shared_key.lo certificate.lo x509.lo crl.lo ocsp_response.lo \
+ database_factory.lo fetcher_manager.lo pgp.lo utils.lo host.lo \
+ identification.lo lexparser.lo linked_list.lo hashtable.lo \
+ enumerator.lo optionsfrom.lo mutex.lo backtrace.lo \
+ plugin_loader.lo $(am__objects_1) $(am__objects_2)
libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -199,15 +172,17 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
plugins/gmp plugins/random plugins/hmac plugins/xcbc \
plugins/x509 plugins/pubkey plugins/curl plugins/ldap \
plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
- plugins/gcrypt plugins/agent plugins/test_vectors fips
+ plugins/gcrypt plugins/agent plugins/test_vectors
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -272,6 +247,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -312,7 +288,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -347,154 +325,52 @@ top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
lib_LTLIBRARIES = libstrongswan.la
-@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES = library.c \
-@USE_INTEGRITY_TEST_FALSE@ library.h chunk.c chunk.h debug.c \
-@USE_INTEGRITY_TEST_FALSE@ debug.h enum.c enum.h settings.h \
-@USE_INTEGRITY_TEST_FALSE@ settings.c printf_hook.c \
-@USE_INTEGRITY_TEST_FALSE@ printf_hook.h asn1/asn1.c \
-@USE_INTEGRITY_TEST_FALSE@ asn1/asn1.h asn1/asn1_parser.c \
-@USE_INTEGRITY_TEST_FALSE@ asn1/asn1_parser.h asn1/oid.c \
-@USE_INTEGRITY_TEST_FALSE@ asn1/oid.h asn1/pem.c asn1/pem.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/pkcs9.c crypto/pkcs9.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/prf.c crypto/prfs/prf.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/rngs/rng.c crypto/rngs/rng.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/prf_plus.h crypto/prf_plus.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/transform.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/transform.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/builder.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/builder.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ac.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_request.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_FALSE@ database/database.h \
-@USE_INTEGRITY_TEST_FALSE@ database/database_factory.h \
-@USE_INTEGRITY_TEST_FALSE@ database/database_factory.c \
-@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.c pgp/pgp.c \
-@USE_INTEGRITY_TEST_FALSE@ pgp/pgp.h utils.h utils.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/host.c utils/host.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/identification.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/identification.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/iterator.h utils/lexparser.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/lexparser.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/hashtable.c utils/hashtable.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/mutex.h utils/backtrace.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/backtrace.h \
-@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.c \
-@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.h \
-@USE_INTEGRITY_TEST_FALSE@ plugins/plugin.h $(am__append_2)
-@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES = \
-@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_start.c \
-@USE_INTEGRITY_TEST_TRUE@ fips/fips.c fips/fips.h library.c \
-@USE_INTEGRITY_TEST_TRUE@ library.h chunk.c chunk.h debug.c \
-@USE_INTEGRITY_TEST_TRUE@ debug.h enum.c enum.h settings.h \
-@USE_INTEGRITY_TEST_TRUE@ settings.c printf_hook.c \
-@USE_INTEGRITY_TEST_TRUE@ printf_hook.h asn1/asn1.c asn1/asn1.h \
-@USE_INTEGRITY_TEST_TRUE@ asn1/asn1_parser.c asn1/asn1_parser.h \
-@USE_INTEGRITY_TEST_TRUE@ asn1/oid.c asn1/oid.h asn1/pem.c \
-@USE_INTEGRITY_TEST_TRUE@ asn1/pem.h crypto/crypters/crypter.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/crypter.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs9.c crypto/pkcs9.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/prf.c crypto/prfs/prf.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/rngs/rng.c crypto/rngs/rng.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/prf_plus.h crypto/prf_plus.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/transform.c crypto/transform.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/builder.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/builder.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ac.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_request.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_TRUE@ database/database.h \
-@USE_INTEGRITY_TEST_TRUE@ database/database_factory.h \
-@USE_INTEGRITY_TEST_TRUE@ database/database_factory.c \
-@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.c pgp/pgp.c \
-@USE_INTEGRITY_TEST_TRUE@ pgp/pgp.h utils.h utils.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/host.c utils/host.h \
-@USE_INTEGRITY_TEST_TRUE@ utils/identification.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/identification.h \
-@USE_INTEGRITY_TEST_TRUE@ utils/iterator.h utils/lexparser.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/lexparser.h utils/linked_list.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/linked_list.h utils/hashtable.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/hashtable.h utils/enumerator.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/enumerator.h \
-@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/mutex.h utils/backtrace.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/backtrace.h \
-@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.c \
-@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.h \
-@USE_INTEGRITY_TEST_TRUE@ plugins/plugin.h $(am__append_2) \
-@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_end.c
-libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(am__append_4)
+libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
+ debug.h enum.c enum.h settings.h settings.c printf_hook.c \
+ printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \
+ asn1/asn1_parser.h asn1/oid.c asn1/oid.h asn1/pem.c asn1/pem.h \
+ crypto/crypters/crypter.c crypto/crypters/crypter.h \
+ crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
+ crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
+ crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \
+ crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \
+ crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \
+ crypto/signers/signer.h crypto/crypto_factory.c \
+ crypto/crypto_factory.h crypto/crypto_tester.c \
+ crypto/crypto_tester.h crypto/diffie_hellman.c \
+ crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
+ credentials/credential_factory.c \
+ credentials/credential_factory.h credentials/builder.c \
+ credentials/builder.h credentials/keys/private_key.c \
+ credentials/keys/private_key.h credentials/keys/public_key.c \
+ credentials/keys/public_key.h credentials/keys/shared_key.c \
+ credentials/keys/shared_key.h \
+ credentials/certificates/certificate.c \
+ credentials/certificates/certificate.h \
+ credentials/certificates/x509.h \
+ credentials/certificates/x509.c credentials/certificates/ac.h \
+ credentials/certificates/crl.h credentials/certificates/crl.c \
+ credentials/certificates/ocsp_request.h \
+ credentials/certificates/ocsp_response.h \
+ credentials/certificates/ocsp_response.c database/database.h \
+ database/database_factory.h database/database_factory.c \
+ fetcher/fetcher.h fetcher/fetcher_manager.h \
+ fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \
+ utils/host.c utils/host.h utils/identification.c \
+ utils/identification.h utils/iterator.h utils/lexparser.c \
+ utils/lexparser.h utils/linked_list.c utils/linked_list.h \
+ utils/hashtable.c utils/hashtable.h utils/enumerator.c \
+ utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
+ utils/mutex.c utils/mutex.h utils/backtrace.c \
+ utils/backtrace.h plugins/plugin_loader.c \
+ plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \
+ $(am__append_5)
+libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) \
+ $(am__append_6)
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
- $(am__append_3)
+ $(am__append_3) $(am__append_4)
EXTRA_DIST = \
asn1/oid.txt asn1/oid.pl \
crypto/proposal/proposal_keywords.txt
@@ -510,14 +386,14 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
# build plugins with their own Makefile
#######################################
-SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \
- $(am__append_8) $(am__append_9) $(am__append_10) \
- $(am__append_11) $(am__append_12) $(am__append_13) \
- $(am__append_14) $(am__append_15) $(am__append_16) \
- $(am__append_17) $(am__append_18) $(am__append_19) \
- $(am__append_20) $(am__append_21) $(am__append_22) \
- $(am__append_23) $(am__append_24) $(am__append_25) \
- $(am__append_26) $(am__append_27) $(am__append_28)
+SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \
+ $(am__append_10) $(am__append_11) $(am__append_12) \
+ $(am__append_13) $(am__append_14) $(am__append_15) \
+ $(am__append_16) $(am__append_17) $(am__append_18) \
+ $(am__append_19) $(am__append_20) $(am__append_21) \
+ $(am__append_22) $(am__append_23) $(am__append_24) \
+ $(am__append_25) $(am__append_26) $(am__append_27) \
+ $(am__append_28) $(am__append_29)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -605,13 +481,11 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
@@ -932,27 +806,6 @@ leak_detective.lo: utils/leak_detective.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
-fips_canister_start.lo: fips/fips_canister_start.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
-
-fips.lo: fips/fips.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
-
-fips_canister_end.lo: fips/fips_canister_end.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
-
mostlyclean-libtool:
-rm -f *.lo
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index d2078cbbc..ec46b165b 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -260,25 +260,32 @@ size_t asn1_length(chunk_t *blob)
u_char n;
size_t len;
- /* advance from tag field on to length field */
- blob->ptr++;
- blob->len--;
+ if (blob->len < 2)
+ {
+ DBG2("insufficient number of octets to parse ASN.1 length");
+ return ASN1_INVALID_LENGTH;
+ }
- /* read first octet of length field */
- n = *blob->ptr++;
- blob->len--;
+ /* read length field, skip tag and length */
+ n = blob->ptr[1];
+ *blob = chunk_skip(*blob, 2);
if ((n & 0x80) == 0)
- {/* single length octet */
+ { /* single length octet */
+ if (n > blob->len)
+ {
+ DBG2("length is larger than remaining blob size");
+ return ASN1_INVALID_LENGTH;
+ }
return n;
}
/* composite length, determine number of length octets */
n &= 0x7f;
- if (n > blob->len)
+ if (n == 0 || n > blob->len)
{
- DBG2("number of length octets is larger than ASN.1 object");
+ DBG2("number of length octets invalid");
return ASN1_INVALID_LENGTH;
}
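Review bot: The new composite-length guard `if (n == 0 || n > blob->len)` bounds the number of length octets only by the bytes remaining, not by the width of `len`, so up to 127 length octets still pass and the accumulation that follows (outside this hunk) can wrap `size_t`. `asn1_unwrap` in the same commit rejects `len > sizeof(res.len)`; this function should apply the same limit: `if (n == 0 || n > blob->len || n > sizeof(len))`. I also cannot see from this hunk whether the multi-octet `len` is compared against `blob->len` before `return len;` the way the single-octet branch now is; if it is not, that check belongs there as well. The body of asn1_length continues outside the hunk.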
@@ -304,6 +311,53 @@ size_t asn1_length(chunk_t *blob)
return len;
}
+/*
+ * See header.
+ */
+int asn1_unwrap(chunk_t *blob, chunk_t *inner)
+{
+ chunk_t res;
+ u_char len;
+ int type;
+
+ if (blob->len < 2)
+ {
+ return ASN1_INVALID;
+ }
+ type = blob->ptr[0];
+ len = blob->ptr[1];
+ *blob = chunk_skip(*blob, 2);
+
+ if ((len & 0x80) == 0)
+ { /* single length octet */
+ res.len = len;
+ }
+ else
+ { /* composite length, determine number of length octets */
+ len &= 0x7f;
+ if (len == 0 || len > sizeof(res.len))
+ {
+ return ASN1_INVALID;
+ }
+ res.len = 0;
+ while (len-- > 0)
+ {
+ res.len = 256 * res.len + blob->ptr[0];
+ *blob = chunk_skip(*blob, 1);
+ }
+ }
+ if (res.len > blob->len)
+ {
+ return ASN1_INVALID;
+ }
+ res.ptr = blob->ptr;
+ *blob = chunk_skip(*blob, res.len);
+ /* updating inner not before we are finished allows a caller to pass
+ * blob = inner */
+ *inner = res;
+ return type;
+}
+
#define TIME_MAX 0x7fffffff
static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
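Review bot: The composite-length loop `res.len = 256 * res.len + blob->ptr[0];` reads `len` octets without first checking that the blob still holds that many, so a blob whose length field announces more length octets than remain after `chunk_skip(*blob, 2)` is read past its end; the guard only limits `len` against `sizeof(res.len)`. Mirror the check `asn1_length` performs on the remaining size: `if (len == 0 || len > sizeof(res.len) || len > blob->len)`. Note also that `*blob = chunk_skip(*blob, 2);` runs before either failure return, so on `ASN1_INVALID` the caller's blob has already been advanced past the header; if that is intended, the header comment should say so.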
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 6a2b594c0..8072d62d6 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -74,7 +74,9 @@ typedef enum {
ASN1_CONTEXT_C_2 = 0xA2,
ASN1_CONTEXT_C_3 = 0xA3,
ASN1_CONTEXT_C_4 = 0xA4,
- ASN1_CONTEXT_C_5 = 0xA5
+ ASN1_CONTEXT_C_5 = 0xA5,
+
+ ASN1_INVALID = 0x100,
} asn1_t;
#define ASN1_INVALID_LENGTH 0xffffffff
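Review bot: `ASN1_INVALID = 0x100,` is appended to an enum of tag byte values with no comment explaining why a value above 0xFF appears there; a reader could take it for a tag. Suggest `/* sentinel returned by asn1_unwrap() when the header cannot be parsed; above the single-octet tag range so it never collides with a real type */` on the line above it.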
@@ -123,6 +125,15 @@ chunk_t asn1_build_known_oid(int n);
size_t asn1_length(chunk_t *blob);
/**
+ * Unwrap the inner content of an ASN.1 type/length wrapped object.
+ *
+ * @param blob blob to parse header from, moved behind parsed content
+ * @param content inner content
+ * @return parsed type, ASN1_INVALID if length parsing failed
+ */
+int asn1_unwrap(chunk_t *blob, chunk_t *content);
+
+/**
* Parses an ASN.1 algorithmIdentifier object
*
* @param blob ASN.1 coded blob
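Review bot: The second parameter is declared as `content` here but implemented as `inner` in asn1.c; the two should agree so the doc comment matches the definition. The `@param blob` text says the blob is "moved behind parsed content", which holds only on success; the implementation skips the two header octets before its failure returns, so the doc should read `@param blob blob to parse header from, moved behind parsed content on success; on ASN1_INVALID it may already have been advanced past the header octets`. `@return` should also mention that `ASN1_INVALID` is returned when fewer than two octets are available, not only when length parsing fails.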
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 53657b514..391d65e89 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -62,7 +62,7 @@ const oid_t oid_names[] = {
{ 0x25, 50, 0, 2, "extendedKeyUsage" }, /* 49 */
{ 0x37, 51, 0, 2, "targetInformation" }, /* 50 */
{ 0x38, 0, 0, 2, "noRevAvail" }, /* 51 */
- {0x2A, 143, 1, 0, "" }, /* 52 */
+ {0x2A, 149, 1, 0, "" }, /* 52 */
{ 0x83, 65, 1, 1, "" }, /* 53 */
{ 0x08, 0, 1, 2, "jp" }, /* 54 */
{ 0x8C, 0, 1, 3, "" }, /* 55 */
@@ -77,7 +77,7 @@ const oid_t oid_names[] = {
{ 0x04, 0, 0, 10, "camellia256-cbc" }, /* 64 */
{ 0x86, 0, 1, 1, "" }, /* 65 */
{ 0x48, 0, 1, 2, "us" }, /* 66 */
- { 0x86, 107, 1, 3, "" }, /* 67 */
+ { 0x86, 108, 1, 3, "" }, /* 67 */
{ 0xF6, 73, 1, 4, "" }, /* 68 */
{ 0x7D, 0, 1, 5, "NortelNetworks" }, /* 69 */
{ 0x07, 0, 1, 6, "Entrust" }, /* 70 */
@@ -85,225 +85,231 @@ const oid_t oid_names[] = {
{ 0x00, 0, 0, 8, "entrustVersInfo" }, /* 72 */
{ 0xF7, 0, 1, 4, "" }, /* 73 */
{ 0x0D, 0, 1, 5, "RSADSI" }, /* 74 */
- { 0x01, 102, 1, 6, "PKCS" }, /* 75 */
- { 0x01, 84, 1, 7, "PKCS-1" }, /* 76 */
+ { 0x01, 103, 1, 6, "PKCS" }, /* 75 */
+ { 0x01, 85, 1, 7, "PKCS-1" }, /* 76 */
{ 0x01, 78, 0, 8, "rsaEncryption" }, /* 77 */
{ 0x02, 79, 0, 8, "md2WithRSAEncryption" }, /* 78 */
{ 0x04, 80, 0, 8, "md5WithRSAEncryption" }, /* 79 */
{ 0x05, 81, 0, 8, "sha-1WithRSAEncryption" }, /* 80 */
{ 0x0B, 82, 0, 8, "sha256WithRSAEncryption" }, /* 81 */
{ 0x0C, 83, 0, 8, "sha384WithRSAEncryption" }, /* 82 */
- { 0x0D, 0, 0, 8, "sha512WithRSAEncryption" }, /* 83 */
- { 0x07, 91, 1, 7, "PKCS-7" }, /* 84 */
- { 0x01, 86, 0, 8, "data" }, /* 85 */
- { 0x02, 87, 0, 8, "signedData" }, /* 86 */
- { 0x03, 88, 0, 8, "envelopedData" }, /* 87 */
- { 0x04, 89, 0, 8, "signedAndEnvelopedData" }, /* 88 */
- { 0x05, 90, 0, 8, "digestedData" }, /* 89 */
- { 0x06, 0, 0, 8, "encryptedData" }, /* 90 */
- { 0x09, 0, 1, 7, "PKCS-9" }, /* 91 */
- { 0x01, 93, 0, 8, "E" }, /* 92 */
- { 0x02, 94, 0, 8, "unstructuredName" }, /* 93 */
- { 0x03, 95, 0, 8, "contentType" }, /* 94 */
- { 0x04, 96, 0, 8, "messageDigest" }, /* 95 */
- { 0x05, 97, 0, 8, "signingTime" }, /* 96 */
- { 0x06, 98, 0, 8, "counterSignature" }, /* 97 */
- { 0x07, 99, 0, 8, "challengePassword" }, /* 98 */
- { 0x08, 100, 0, 8, "unstructuredAddress" }, /* 99 */
- { 0x0E, 101, 0, 8, "extensionRequest" }, /* 100 */
- { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 101 */
- { 0x02, 105, 1, 6, "digestAlgorithm" }, /* 102 */
- { 0x02, 104, 0, 7, "md2" }, /* 103 */
- { 0x05, 0, 0, 7, "md5" }, /* 104 */
- { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 105 */
- { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 106 */
- { 0xCE, 0, 1, 3, "" }, /* 107 */
- { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 108 */
- { 0x02, 111, 1, 5, "id-publicKeyType" }, /* 109 */
- { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 110 */
- { 0x03, 141, 1, 5, "ellipticCurve" }, /* 111 */
- { 0x00, 133, 1, 6, "c-TwoCurve" }, /* 112 */
- { 0x01, 114, 0, 7, "c2pnb163v1" }, /* 113 */
- { 0x02, 115, 0, 7, "c2pnb163v2" }, /* 114 */
- { 0x03, 116, 0, 7, "c2pnb163v3" }, /* 115 */
- { 0x04, 117, 0, 7, "c2pnb176w1" }, /* 116 */
- { 0x05, 118, 0, 7, "c2tnb191v1" }, /* 117 */
- { 0x06, 119, 0, 7, "c2tnb191v2" }, /* 118 */
- { 0x07, 120, 0, 7, "c2tnb191v3" }, /* 119 */
- { 0x08, 121, 0, 7, "c2onb191v4" }, /* 120 */
- { 0x09, 122, 0, 7, "c2onb191v5" }, /* 121 */
- { 0x0A, 123, 0, 7, "c2pnb208w1" }, /* 122 */
- { 0x0B, 124, 0, 7, "c2tnb239v1" }, /* 123 */
- { 0x0C, 125, 0, 7, "c2tnb239v2" }, /* 124 */
- { 0x0D, 126, 0, 7, "c2tnb239v3" }, /* 125 */
- { 0x0E, 127, 0, 7, "c2onb239v4" }, /* 126 */
- { 0x0F, 128, 0, 7, "c2onb239v5" }, /* 127 */
- { 0x10, 129, 0, 7, "c2pnb272w1" }, /* 128 */
- { 0x11, 130, 0, 7, "c2pnb304w1" }, /* 129 */
- { 0x12, 131, 0, 7, "c2tnb359v1" }, /* 130 */
- { 0x13, 132, 0, 7, "c2pnb368w1" }, /* 131 */
- { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 132 */
- { 0x01, 0, 1, 6, "primeCurve" }, /* 133 */
- { 0x01, 135, 0, 7, "prime192v1" }, /* 134 */
- { 0x02, 136, 0, 7, "prime192v2" }, /* 135 */
- { 0x03, 137, 0, 7, "prime192v3" }, /* 136 */
- { 0x04, 138, 0, 7, "prime239v1" }, /* 137 */
- { 0x05, 139, 0, 7, "prime239v2" }, /* 138 */
- { 0x06, 140, 0, 7, "prime239v3" }, /* 139 */
- { 0x07, 0, 0, 7, "prime256v1" }, /* 140 */
- { 0x04, 0, 1, 5, "id-ecSigType" }, /* 141 */
- { 0x01, 0, 0, 6, "ecdsa-with-SHA1" }, /* 142 */
- {0x2B, 243, 1, 0, "" }, /* 143 */
- { 0x06, 196, 1, 1, "dod" }, /* 144 */
- { 0x01, 0, 1, 2, "internet" }, /* 145 */
- { 0x04, 164, 1, 3, "private" }, /* 146 */
- { 0x01, 0, 1, 4, "enterprise" }, /* 147 */
- { 0x82, 157, 1, 5, "" }, /* 148 */
- { 0x37, 0, 1, 6, "Microsoft" }, /* 149 */
- { 0x0A, 154, 1, 7, "" }, /* 150 */
- { 0x03, 0, 1, 8, "" }, /* 151 */
- { 0x03, 153, 0, 9, "msSGC" }, /* 152 */
- { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 153 */
- { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 154 */
- { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 155 */
- { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 156 */
- { 0x89, 0, 1, 5, "" }, /* 157 */
- { 0x31, 0, 1, 6, "" }, /* 158 */
- { 0x01, 0, 1, 7, "" }, /* 159 */
- { 0x01, 0, 1, 8, "" }, /* 160 */
- { 0x02, 0, 1, 9, "" }, /* 161 */
- { 0x02, 163, 0, 10, "" }, /* 162 */
- { 0x4B, 0, 0, 10, "TCGID" }, /* 163 */
- { 0x05, 0, 1, 3, "security" }, /* 164 */
- { 0x05, 0, 1, 4, "mechanisms" }, /* 165 */
- { 0x07, 0, 1, 5, "id-pkix" }, /* 166 */
- { 0x01, 169, 1, 6, "id-pe" }, /* 167 */
- { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 168 */
- { 0x03, 179, 1, 6, "id-kp" }, /* 169 */
- { 0x01, 171, 0, 7, "serverAuth" }, /* 170 */
- { 0x02, 172, 0, 7, "clientAuth" }, /* 171 */
- { 0x03, 173, 0, 7, "codeSigning" }, /* 172 */
- { 0x04, 174, 0, 7, "emailProtection" }, /* 173 */
- { 0x05, 175, 0, 7, "ipsecEndSystem" }, /* 174 */
- { 0x06, 176, 0, 7, "ipsecTunnel" }, /* 175 */
- { 0x07, 177, 0, 7, "ipsecUser" }, /* 176 */
- { 0x08, 178, 0, 7, "timeStamping" }, /* 177 */
- { 0x09, 0, 0, 7, "ocspSigning" }, /* 178 */
- { 0x08, 181, 1, 6, "id-otherNames" }, /* 179 */
- { 0x05, 0, 0, 7, "xmppAddr" }, /* 180 */
- { 0x0A, 186, 1, 6, "id-aca" }, /* 181 */
- { 0x01, 183, 0, 7, "authenticationInfo" }, /* 182 */
- { 0x02, 184, 0, 7, "accessIdentity" }, /* 183 */
- { 0x03, 185, 0, 7, "chargingIdentity" }, /* 184 */
- { 0x04, 0, 0, 7, "group" }, /* 185 */
- { 0x30, 0, 1, 6, "id-ad" }, /* 186 */
- { 0x01, 195, 1, 7, "ocsp" }, /* 187 */
- { 0x01, 189, 0, 8, "basic" }, /* 188 */
- { 0x02, 190, 0, 8, "nonce" }, /* 189 */
- { 0x03, 191, 0, 8, "crl" }, /* 190 */
- { 0x04, 192, 0, 8, "response" }, /* 191 */
- { 0x05, 193, 0, 8, "noCheck" }, /* 192 */
- { 0x06, 194, 0, 8, "archiveCutoff" }, /* 193 */
- { 0x07, 0, 0, 8, "serviceLocator" }, /* 194 */
- { 0x02, 0, 0, 7, "caIssuers" }, /* 195 */
- { 0x0E, 202, 1, 1, "oiw" }, /* 196 */
- { 0x03, 0, 1, 2, "secsig" }, /* 197 */
- { 0x02, 0, 1, 3, "algorithms" }, /* 198 */
- { 0x07, 200, 0, 4, "des-cbc" }, /* 199 */
- { 0x1A, 201, 0, 4, "sha-1" }, /* 200 */
- { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 201 */
- { 0x24, 209, 1, 1, "TeleTrusT" }, /* 202 */
- { 0x03, 0, 1, 2, "algorithm" }, /* 203 */
- { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 204 */
- { 0x01, 0, 1, 4, "rsaSignature" }, /* 205 */
- { 0x02, 207, 0, 5, "rsaSigWithripemd160" }, /* 206 */
- { 0x03, 208, 0, 5, "rsaSigWithripemd128" }, /* 207 */
- { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 208 */
- { 0x81, 0, 1, 1, "" }, /* 209 */
- { 0x04, 0, 1, 2, "Certicom" }, /* 210 */
- { 0x00, 0, 1, 3, "curve" }, /* 211 */
- { 0x01, 213, 0, 4, "sect163k1" }, /* 212 */
- { 0x02, 214, 0, 4, "sect163r1" }, /* 213 */
- { 0x03, 215, 0, 4, "sect239k1" }, /* 214 */
- { 0x04, 216, 0, 4, "sect113r1" }, /* 215 */
- { 0x05, 217, 0, 4, "sect113r2" }, /* 216 */
- { 0x06, 218, 0, 4, "secp112r1" }, /* 217 */
- { 0x07, 219, 0, 4, "secp112r2" }, /* 218 */
- { 0x08, 220, 0, 4, "secp160r1" }, /* 219 */
- { 0x09, 221, 0, 4, "secp160k1" }, /* 220 */
- { 0x0A, 222, 0, 4, "secp256k1" }, /* 221 */
- { 0x0F, 223, 0, 4, "sect163r2" }, /* 222 */
- { 0x10, 224, 0, 4, "sect283k1" }, /* 223 */
- { 0x11, 225, 0, 4, "sect283r1" }, /* 224 */
- { 0x16, 226, 0, 4, "sect131r1" }, /* 225 */
- { 0x17, 227, 0, 4, "sect131r2" }, /* 226 */
- { 0x18, 228, 0, 4, "sect193r1" }, /* 227 */
- { 0x19, 229, 0, 4, "sect193r2" }, /* 228 */
- { 0x1A, 230, 0, 4, "sect233k1" }, /* 229 */
- { 0x1B, 231, 0, 4, "sect233r1" }, /* 230 */
- { 0x1C, 232, 0, 4, "secp128r1" }, /* 231 */
- { 0x1D, 233, 0, 4, "secp128r2" }, /* 232 */
- { 0x1E, 234, 0, 4, "secp160r2" }, /* 233 */
- { 0x1F, 235, 0, 4, "secp192k1" }, /* 234 */
- { 0x20, 236, 0, 4, "secp224k1" }, /* 235 */
- { 0x21, 237, 0, 4, "secp224r1" }, /* 236 */
- { 0x22, 238, 0, 4, "secp384r1" }, /* 237 */
- { 0x23, 239, 0, 4, "secp521r1" }, /* 238 */
- { 0x24, 240, 0, 4, "sect409k1" }, /* 239 */
- { 0x25, 241, 0, 4, "sect409r1" }, /* 240 */
- { 0x26, 242, 0, 4, "sect571k1" }, /* 241 */
- { 0x27, 0, 0, 4, "sect571r1" }, /* 242 */
- {0x60, 0, 1, 0, "" }, /* 243 */
- { 0x86, 0, 1, 1, "" }, /* 244 */
- { 0x48, 0, 1, 2, "" }, /* 245 */
- { 0x01, 289, 1, 3, "organization" }, /* 246 */
- { 0x65, 265, 1, 4, "gov" }, /* 247 */
- { 0x03, 0, 1, 5, "csor" }, /* 248 */
- { 0x04, 0, 1, 6, "nistalgorithm" }, /* 249 */
- { 0x01, 260, 1, 7, "aes" }, /* 250 */
- { 0x02, 252, 0, 8, "id-aes128-CBC" }, /* 251 */
- { 0x06, 253, 0, 8, "id-aes128-GCM" }, /* 252 */
- { 0x07, 254, 0, 8, "id-aes128-CCM" }, /* 253 */
- { 0x16, 255, 0, 8, "id-aes192-CBC" }, /* 254 */
- { 0x1A, 256, 0, 8, "id-aes192-GCM" }, /* 255 */
- { 0x1B, 257, 0, 8, "id-aes192-CCM" }, /* 256 */
- { 0x2A, 258, 0, 8, "id-aes256-CBC" }, /* 257 */
- { 0x2E, 259, 0, 8, "id-aes256-GCM" }, /* 258 */
- { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 259 */
- { 0x02, 0, 1, 7, "hashalgs" }, /* 260 */
- { 0x01, 262, 0, 8, "id-SHA-256" }, /* 261 */
- { 0x02, 263, 0, 8, "id-SHA-384" }, /* 262 */
- { 0x03, 264, 0, 8, "id-SHA-512" }, /* 263 */
- { 0x04, 0, 0, 8, "id-SHA-224" }, /* 264 */
- { 0x86, 0, 1, 4, "" }, /* 265 */
- { 0xf8, 0, 1, 5, "" }, /* 266 */
- { 0x42, 279, 1, 6, "netscape" }, /* 267 */
- { 0x01, 274, 1, 7, "" }, /* 268 */
- { 0x01, 270, 0, 8, "nsCertType" }, /* 269 */
- { 0x03, 271, 0, 8, "nsRevocationUrl" }, /* 270 */
- { 0x04, 272, 0, 8, "nsCaRevocationUrl" }, /* 271 */
- { 0x08, 273, 0, 8, "nsCaPolicyUrl" }, /* 272 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 273 */
- { 0x03, 277, 1, 7, "directory" }, /* 274 */
- { 0x01, 0, 1, 8, "" }, /* 275 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 276 */
- { 0x04, 0, 1, 7, "policy" }, /* 277 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 278 */
- { 0x45, 0, 1, 6, "verisign" }, /* 279 */
- { 0x01, 0, 1, 7, "pki" }, /* 280 */
- { 0x09, 0, 1, 8, "attributes" }, /* 281 */
- { 0x02, 283, 0, 9, "messageType" }, /* 282 */
- { 0x03, 284, 0, 9, "pkiStatus" }, /* 283 */
- { 0x04, 285, 0, 9, "failInfo" }, /* 284 */
- { 0x05, 286, 0, 9, "senderNonce" }, /* 285 */
- { 0x06, 287, 0, 9, "recipientNonce" }, /* 286 */
- { 0x07, 288, 0, 9, "transID" }, /* 287 */
- { 0x08, 0, 0, 9, "extensionReq" }, /* 288 */
- { 0x86, 0, 1, 3, "old-netscape" }, /* 289 */
- { 0xF7, 0, 1, 4, "" }, /* 290 */
- { 0x0D, 0, 1, 5, "" }, /* 291 */
- { 0x01, 0, 1, 6, "" }, /* 292 */
- { 0x09, 0, 1, 7, "" }, /* 293 */
- { 0x01, 295, 0, 8, "emailAddress" }, /* 294 */
- { 0x02, 0, 0, 8, "unstructuredName" } /* 295 */
+ { 0x0D, 84, 0, 8, "sha512WithRSAEncryption" }, /* 83 */
+ { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 84 */
+ { 0x07, 92, 1, 7, "PKCS-7" }, /* 85 */
+ { 0x01, 87, 0, 8, "data" }, /* 86 */
+ { 0x02, 88, 0, 8, "signedData" }, /* 87 */
+ { 0x03, 89, 0, 8, "envelopedData" }, /* 88 */
+ { 0x04, 90, 0, 8, "signedAndEnvelopedData" }, /* 89 */
+ { 0x05, 91, 0, 8, "digestedData" }, /* 90 */
+ { 0x06, 0, 0, 8, "encryptedData" }, /* 91 */
+ { 0x09, 0, 1, 7, "PKCS-9" }, /* 92 */
+ { 0x01, 94, 0, 8, "E" }, /* 93 */
+ { 0x02, 95, 0, 8, "unstructuredName" }, /* 94 */
+ { 0x03, 96, 0, 8, "contentType" }, /* 95 */
+ { 0x04, 97, 0, 8, "messageDigest" }, /* 96 */
+ { 0x05, 98, 0, 8, "signingTime" }, /* 97 */
+ { 0x06, 99, 0, 8, "counterSignature" }, /* 98 */
+ { 0x07, 100, 0, 8, "challengePassword" }, /* 99 */
+ { 0x08, 101, 0, 8, "unstructuredAddress" }, /* 100 */
+ { 0x0E, 102, 0, 8, "extensionRequest" }, /* 101 */
+ { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 102 */
+ { 0x02, 106, 1, 6, "digestAlgorithm" }, /* 103 */
+ { 0x02, 105, 0, 7, "md2" }, /* 104 */
+ { 0x05, 0, 0, 7, "md5" }, /* 105 */
+ { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 106 */
+ { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 107 */
+ { 0xCE, 0, 1, 3, "" }, /* 108 */
+ { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 109 */
+ { 0x02, 112, 1, 5, "id-publicKeyType" }, /* 110 */
+ { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 111 */
+ { 0x03, 142, 1, 5, "ellipticCurve" }, /* 112 */
+ { 0x00, 134, 1, 6, "c-TwoCurve" }, /* 113 */
+ { 0x01, 115, 0, 7, "c2pnb163v1" }, /* 114 */
+ { 0x02, 116, 0, 7, "c2pnb163v2" }, /* 115 */
+ { 0x03, 117, 0, 7, "c2pnb163v3" }, /* 116 */
+ { 0x04, 118, 0, 7, "c2pnb176w1" }, /* 117 */
+ { 0x05, 119, 0, 7, "c2tnb191v1" }, /* 118 */
+ { 0x06, 120, 0, 7, "c2tnb191v2" }, /* 119 */
+ { 0x07, 121, 0, 7, "c2tnb191v3" }, /* 120 */
+ { 0x08, 122, 0, 7, "c2onb191v4" }, /* 121 */
+ { 0x09, 123, 0, 7, "c2onb191v5" }, /* 122 */
+ { 0x0A, 124, 0, 7, "c2pnb208w1" }, /* 123 */
+ { 0x0B, 125, 0, 7, "c2tnb239v1" }, /* 124 */
+ { 0x0C, 126, 0, 7, "c2tnb239v2" }, /* 125 */
+ { 0x0D, 127, 0, 7, "c2tnb239v3" }, /* 126 */
+ { 0x0E, 128, 0, 7, "c2onb239v4" }, /* 127 */
+ { 0x0F, 129, 0, 7, "c2onb239v5" }, /* 128 */
+ { 0x10, 130, 0, 7, "c2pnb272w1" }, /* 129 */
+ { 0x11, 131, 0, 7, "c2pnb304w1" }, /* 130 */
+ { 0x12, 132, 0, 7, "c2tnb359v1" }, /* 131 */
+ { 0x13, 133, 0, 7, "c2pnb368w1" }, /* 132 */
+ { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 133 */
+ { 0x01, 0, 1, 6, "primeCurve" }, /* 134 */
+ { 0x01, 136, 0, 7, "prime192v1" }, /* 135 */
+ { 0x02, 137, 0, 7, "prime192v2" }, /* 136 */
+ { 0x03, 138, 0, 7, "prime192v3" }, /* 137 */
+ { 0x04, 139, 0, 7, "prime239v1" }, /* 138 */
+ { 0x05, 140, 0, 7, "prime239v2" }, /* 139 */
+ { 0x06, 141, 0, 7, "prime239v3" }, /* 140 */
+ { 0x07, 0, 0, 7, "prime256v1" }, /* 141 */
+ { 0x04, 0, 1, 5, "id-ecSigType" }, /* 142 */
+ { 0x01, 144, 0, 6, "ecdsa-with-SHA1" }, /* 143 */
+ { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 144 */
+ { 0x01, 146, 0, 7, "ecdsa-with-SHA224" }, /* 145 */
+ { 0x02, 147, 0, 7, "ecdsa-with-SHA256" }, /* 146 */
+ { 0x03, 148, 0, 7, "ecdsa-with-SHA384" }, /* 147 */
+ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 148 */
+ {0x2B, 249, 1, 0, "" }, /* 149 */
+ { 0x06, 202, 1, 1, "dod" }, /* 150 */
+ { 0x01, 0, 1, 2, "internet" }, /* 151 */
+ { 0x04, 170, 1, 3, "private" }, /* 152 */
+ { 0x01, 0, 1, 4, "enterprise" }, /* 153 */
+ { 0x82, 163, 1, 5, "" }, /* 154 */
+ { 0x37, 0, 1, 6, "Microsoft" }, /* 155 */
+ { 0x0A, 160, 1, 7, "" }, /* 156 */
+ { 0x03, 0, 1, 8, "" }, /* 157 */
+ { 0x03, 159, 0, 9, "msSGC" }, /* 158 */
+ { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 159 */
+ { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 160 */
+ { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 161 */
+ { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 162 */
+ { 0x89, 0, 1, 5, "" }, /* 163 */
+ { 0x31, 0, 1, 6, "" }, /* 164 */
+ { 0x01, 0, 1, 7, "" }, /* 165 */
+ { 0x01, 0, 1, 8, "" }, /* 166 */
+ { 0x02, 0, 1, 9, "" }, /* 167 */
+ { 0x02, 169, 0, 10, "" }, /* 168 */
+ { 0x4B, 0, 0, 10, "TCGID" }, /* 169 */
+ { 0x05, 0, 1, 3, "security" }, /* 170 */
+ { 0x05, 0, 1, 4, "mechanisms" }, /* 171 */
+ { 0x07, 0, 1, 5, "id-pkix" }, /* 172 */
+ { 0x01, 175, 1, 6, "id-pe" }, /* 173 */
+ { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 174 */
+ { 0x03, 185, 1, 6, "id-kp" }, /* 175 */
+ { 0x01, 177, 0, 7, "serverAuth" }, /* 176 */
+ { 0x02, 178, 0, 7, "clientAuth" }, /* 177 */
+ { 0x03, 179, 0, 7, "codeSigning" }, /* 178 */
+ { 0x04, 180, 0, 7, "emailProtection" }, /* 179 */
+ { 0x05, 181, 0, 7, "ipsecEndSystem" }, /* 180 */
+ { 0x06, 182, 0, 7, "ipsecTunnel" }, /* 181 */
+ { 0x07, 183, 0, 7, "ipsecUser" }, /* 182 */
+ { 0x08, 184, 0, 7, "timeStamping" }, /* 183 */
+ { 0x09, 0, 0, 7, "ocspSigning" }, /* 184 */
+ { 0x08, 187, 1, 6, "id-otherNames" }, /* 185 */
+ { 0x05, 0, 0, 7, "xmppAddr" }, /* 186 */
+ { 0x0A, 192, 1, 6, "id-aca" }, /* 187 */
+ { 0x01, 189, 0, 7, "authenticationInfo" }, /* 188 */
+ { 0x02, 190, 0, 7, "accessIdentity" }, /* 189 */
+ { 0x03, 191, 0, 7, "chargingIdentity" }, /* 190 */
+ { 0x04, 0, 0, 7, "group" }, /* 191 */
+ { 0x30, 0, 1, 6, "id-ad" }, /* 192 */
+ { 0x01, 201, 1, 7, "ocsp" }, /* 193 */
+ { 0x01, 195, 0, 8, "basic" }, /* 194 */
+ { 0x02, 196, 0, 8, "nonce" }, /* 195 */
+ { 0x03, 197, 0, 8, "crl" }, /* 196 */
+ { 0x04, 198, 0, 8, "response" }, /* 197 */
+ { 0x05, 199, 0, 8, "noCheck" }, /* 198 */
+ { 0x06, 200, 0, 8, "archiveCutoff" }, /* 199 */
+ { 0x07, 0, 0, 8, "serviceLocator" }, /* 200 */
+ { 0x02, 0, 0, 7, "caIssuers" }, /* 201 */
+ { 0x0E, 208, 1, 1, "oiw" }, /* 202 */
+ { 0x03, 0, 1, 2, "secsig" }, /* 203 */
+ { 0x02, 0, 1, 3, "algorithms" }, /* 204 */
+ { 0x07, 206, 0, 4, "des-cbc" }, /* 205 */
+ { 0x1A, 207, 0, 4, "sha-1" }, /* 206 */
+ { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 207 */
+ { 0x24, 215, 1, 1, "TeleTrusT" }, /* 208 */
+ { 0x03, 0, 1, 2, "algorithm" }, /* 209 */
+ { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 210 */
+ { 0x01, 0, 1, 4, "rsaSignature" }, /* 211 */
+ { 0x02, 213, 0, 5, "rsaSigWithripemd160" }, /* 212 */
+ { 0x03, 214, 0, 5, "rsaSigWithripemd128" }, /* 213 */
+ { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 214 */
+ { 0x81, 0, 1, 1, "" }, /* 215 */
+ { 0x04, 0, 1, 2, "Certicom" }, /* 216 */
+ { 0x00, 0, 1, 3, "curve" }, /* 217 */
+ { 0x01, 219, 0, 4, "sect163k1" }, /* 218 */
+ { 0x02, 220, 0, 4, "sect163r1" }, /* 219 */
+ { 0x03, 221, 0, 4, "sect239k1" }, /* 220 */
+ { 0x04, 222, 0, 4, "sect113r1" }, /* 221 */
+ { 0x05, 223, 0, 4, "sect113r2" }, /* 222 */
+ { 0x06, 224, 0, 4, "secp112r1" }, /* 223 */
+ { 0x07, 225, 0, 4, "secp112r2" }, /* 224 */
+ { 0x08, 226, 0, 4, "secp160r1" }, /* 225 */
+ { 0x09, 227, 0, 4, "secp160k1" }, /* 226 */
+ { 0x0A, 228, 0, 4, "secp256k1" }, /* 227 */
+ { 0x0F, 229, 0, 4, "sect163r2" }, /* 228 */
+ { 0x10, 230, 0, 4, "sect283k1" }, /* 229 */
+ { 0x11, 231, 0, 4, "sect283r1" }, /* 230 */
+ { 0x16, 232, 0, 4, "sect131r1" }, /* 231 */
+ { 0x17, 233, 0, 4, "sect131r2" }, /* 232 */
+ { 0x18, 234, 0, 4, "sect193r1" }, /* 233 */
+ { 0x19, 235, 0, 4, "sect193r2" }, /* 234 */
+ { 0x1A, 236, 0, 4, "sect233k1" }, /* 235 */
+ { 0x1B, 237, 0, 4, "sect233r1" }, /* 236 */
+ { 0x1C, 238, 0, 4, "secp128r1" }, /* 237 */
+ { 0x1D, 239, 0, 4, "secp128r2" }, /* 238 */
+ { 0x1E, 240, 0, 4, "secp160r2" }, /* 239 */
+ { 0x1F, 241, 0, 4, "secp192k1" }, /* 240 */
+ { 0x20, 242, 0, 4, "secp224k1" }, /* 241 */
+ { 0x21, 243, 0, 4, "secp224r1" }, /* 242 */
+ { 0x22, 244, 0, 4, "secp384r1" }, /* 243 */
+ { 0x23, 245, 0, 4, "secp521r1" }, /* 244 */
+ { 0x24, 246, 0, 4, "sect409k1" }, /* 245 */
+ { 0x25, 247, 0, 4, "sect409r1" }, /* 246 */
+ { 0x26, 248, 0, 4, "sect571k1" }, /* 247 */
+ { 0x27, 0, 0, 4, "sect571r1" }, /* 248 */
+ {0x60, 0, 1, 0, "" }, /* 249 */
+ { 0x86, 0, 1, 1, "" }, /* 250 */
+ { 0x48, 0, 1, 2, "" }, /* 251 */
+ { 0x01, 295, 1, 3, "organization" }, /* 252 */
+ { 0x65, 271, 1, 4, "gov" }, /* 253 */
+ { 0x03, 0, 1, 5, "csor" }, /* 254 */
+ { 0x04, 0, 1, 6, "nistalgorithm" }, /* 255 */
+ { 0x01, 266, 1, 7, "aes" }, /* 256 */
+ { 0x02, 258, 0, 8, "id-aes128-CBC" }, /* 257 */
+ { 0x06, 259, 0, 8, "id-aes128-GCM" }, /* 258 */
+ { 0x07, 260, 0, 8, "id-aes128-CCM" }, /* 259 */
+ { 0x16, 261, 0, 8, "id-aes192-CBC" }, /* 260 */
+ { 0x1A, 262, 0, 8, "id-aes192-GCM" }, /* 261 */
+ { 0x1B, 263, 0, 8, "id-aes192-CCM" }, /* 262 */
+ { 0x2A, 264, 0, 8, "id-aes256-CBC" }, /* 263 */
+ { 0x2E, 265, 0, 8, "id-aes256-GCM" }, /* 264 */
+ { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 265 */
+ { 0x02, 0, 1, 7, "hashalgs" }, /* 266 */
+ { 0x01, 268, 0, 8, "id-SHA-256" }, /* 267 */
+ { 0x02, 269, 0, 8, "id-SHA-384" }, /* 268 */
+ { 0x03, 270, 0, 8, "id-SHA-512" }, /* 269 */
+ { 0x04, 0, 0, 8, "id-SHA-224" }, /* 270 */
+ { 0x86, 0, 1, 4, "" }, /* 271 */
+ { 0xf8, 0, 1, 5, "" }, /* 272 */
+ { 0x42, 285, 1, 6, "netscape" }, /* 273 */
+ { 0x01, 280, 1, 7, "" }, /* 274 */
+ { 0x01, 276, 0, 8, "nsCertType" }, /* 275 */
+ { 0x03, 277, 0, 8, "nsRevocationUrl" }, /* 276 */
+ { 0x04, 278, 0, 8, "nsCaRevocationUrl" }, /* 277 */
+ { 0x08, 279, 0, 8, "nsCaPolicyUrl" }, /* 278 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 279 */
+ { 0x03, 283, 1, 7, "directory" }, /* 280 */
+ { 0x01, 0, 1, 8, "" }, /* 281 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 282 */
+ { 0x04, 0, 1, 7, "policy" }, /* 283 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 284 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 285 */
+ { 0x01, 0, 1, 7, "pki" }, /* 286 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 287 */
+ { 0x02, 289, 0, 9, "messageType" }, /* 288 */
+ { 0x03, 290, 0, 9, "pkiStatus" }, /* 289 */
+ { 0x04, 291, 0, 9, "failInfo" }, /* 290 */
+ { 0x05, 292, 0, 9, "senderNonce" }, /* 291 */
+ { 0x06, 293, 0, 9, "recipientNonce" }, /* 292 */
+ { 0x07, 294, 0, 9, "transID" }, /* 293 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 294 */
+ { 0x86, 0, 1, 3, "old-netscape" }, /* 295 */
+ { 0xF7, 0, 1, 4, "" }, /* 296 */
+ { 0x0D, 0, 1, 5, "" }, /* 297 */
+ { 0x01, 0, 1, 6, "" }, /* 298 */
+ { 0x09, 0, 1, 7, "" }, /* 299 */
+ { 0x01, 301, 0, 8, "emailAddress" }, /* 300 */
+ { 0x02, 0, 0, 8, "unstructuredName" } /* 301 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 477789b62..b7241af8d 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -60,126 +60,131 @@ extern const oid_t oid_names[];
#define OID_SHA256_WITH_RSA 81
#define OID_SHA384_WITH_RSA 82
#define OID_SHA512_WITH_RSA 83
-#define OID_PKCS7_DATA 85
-#define OID_PKCS7_SIGNED_DATA 86
-#define OID_PKCS7_ENVELOPED_DATA 87
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 88
-#define OID_PKCS7_DIGESTED_DATA 89
-#define OID_PKCS7_ENCRYPTED_DATA 90
-#define OID_PKCS9_EMAIL 92
-#define OID_PKCS9_CONTENT_TYPE 94
-#define OID_PKCS9_MESSAGE_DIGEST 95
-#define OID_PKCS9_SIGNING_TIME 96
-#define OID_MD2 103
-#define OID_MD5 104
-#define OID_3DES_EDE_CBC 106
-#define OID_EC_PUBLICKEY 110
-#define OID_C2PNB163V1 113
-#define OID_C2PNB163V2 114
-#define OID_C2PNB163V3 115
-#define OID_C2PNB176W1 116
-#define OID_C2PNB191V1 117
-#define OID_C2PNB191V2 118
-#define OID_C2PNB191V3 119
-#define OID_C2PNB191V4 120
-#define OID_C2PNB191V5 121
-#define OID_C2PNB208W1 122
-#define OID_C2PNB239V1 123
-#define OID_C2PNB239V2 124
-#define OID_C2PNB239V3 125
-#define OID_C2PNB239V4 126
-#define OID_C2PNB239V5 127
-#define OID_C2PNB272W1 128
-#define OID_C2PNB304W1 129
-#define OID_C2PNB359V1 130
-#define OID_C2PNB368W1 131
-#define OID_C2PNB431R1 132
-#define OID_PRIME192V1 134
-#define OID_PRIME192V2 135
-#define OID_PRIME192V3 136
-#define OID_PRIME239V1 137
-#define OID_PRIME239V2 138
-#define OID_PRIME239V3 139
-#define OID_PRIME256V1 140
-#define OID_ECDSA_WITH_SHA1 142
-#define OID_TCGID 163
-#define OID_AUTHORITY_INFO_ACCESS 168
-#define OID_OCSP_SIGNING 178
-#define OID_XMPP_ADDR 180
-#define OID_AUTHENTICATION_INFO 182
-#define OID_ACCESS_IDENTITY 183
-#define OID_CHARGING_IDENTITY 184
-#define OID_GROUP 185
-#define OID_OCSP 187
-#define OID_BASIC 188
-#define OID_NONCE 189
-#define OID_CRL 190
-#define OID_RESPONSE 191
-#define OID_NO_CHECK 192
-#define OID_ARCHIVE_CUTOFF 193
-#define OID_SERVICE_LOCATOR 194
-#define OID_CA_ISSUERS 195
-#define OID_DES_CBC 199
-#define OID_SHA1 200
-#define OID_SHA1_WITH_RSA_OIW 201
-#define OID_SECT163K1 212
-#define OID_SECT163R1 213
-#define OID_SECT239K1 214
-#define OID_SECT113R1 215
-#define OID_SECT113R2 216
-#define OID_SECT112R1 217
-#define OID_SECT112R2 218
-#define OID_SECT160R1 219
-#define OID_SECT160K1 220
-#define OID_SECT256K1 221
-#define OID_SECT163R2 222
-#define OID_SECT283K1 223
-#define OID_SECT283R1 224
-#define OID_SECT131R1 225
-#define OID_SECT131R2 226
-#define OID_SECT193R1 227
-#define OID_SECT193R2 228
-#define OID_SECT233K1 229
-#define OID_SECT233R1 230
-#define OID_SECT128R1 231
-#define OID_SECT128R2 232
-#define OID_SECT160R2 233
-#define OID_SECT192K1 234
-#define OID_SECT224K1 235
-#define OID_SECT224R1 236
-#define OID_SECT384R1 237
-#define OID_SECT521R1 238
-#define OID_SECT409K1 239
-#define OID_SECT409R1 240
-#define OID_SECT571K1 241
-#define OID_SECT571R1 242
-#define OID_AES128_CBC 251
-#define OID_AES128_GCM 252
-#define OID_AES128_CCM 253
-#define OID_AES192_CBC 254
-#define OID_AES192_GCM 255
-#define OID_AES192_CCM 256
-#define OID_AES256_CBC 257
-#define OID_AES256_GCM 258
-#define OID_AES256_CCM 259
-#define OID_SHA256 261
-#define OID_SHA384 262
-#define OID_SHA512 263
-#define OID_SHA224 264
-#define OID_NS_REVOCATION_URL 270
-#define OID_NS_CA_REVOCATION_URL 271
-#define OID_NS_CA_POLICY_URL 272
-#define OID_NS_COMMENT 273
-#define OID_EMPLOYEE_NUMBER 276
-#define OID_PKI_MESSAGE_TYPE 282
-#define OID_PKI_STATUS 283
-#define OID_PKI_FAIL_INFO 284
-#define OID_PKI_SENDER_NONCE 285
-#define OID_PKI_RECIPIENT_NONCE 286
-#define OID_PKI_TRANS_ID 287
-#define OID_EMAIL_ADDRESS 294
-#define OID_UNSTRUCTURED_NAME 295
+#define OID_SHA224_WITH_RSA 84
+#define OID_PKCS7_DATA 86
+#define OID_PKCS7_SIGNED_DATA 87
+#define OID_PKCS7_ENVELOPED_DATA 88
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 89
+#define OID_PKCS7_DIGESTED_DATA 90
+#define OID_PKCS7_ENCRYPTED_DATA 91
+#define OID_PKCS9_EMAIL 93
+#define OID_PKCS9_CONTENT_TYPE 95
+#define OID_PKCS9_MESSAGE_DIGEST 96
+#define OID_PKCS9_SIGNING_TIME 97
+#define OID_MD2 104
+#define OID_MD5 105
+#define OID_3DES_EDE_CBC 107
+#define OID_EC_PUBLICKEY 111
+#define OID_C2PNB163V1 114
+#define OID_C2PNB163V2 115
+#define OID_C2PNB163V3 116
+#define OID_C2PNB176W1 117
+#define OID_C2PNB191V1 118
+#define OID_C2PNB191V2 119
+#define OID_C2PNB191V3 120
+#define OID_C2PNB191V4 121
+#define OID_C2PNB191V5 122
+#define OID_C2PNB208W1 123
+#define OID_C2PNB239V1 124
+#define OID_C2PNB239V2 125
+#define OID_C2PNB239V3 126
+#define OID_C2PNB239V4 127
+#define OID_C2PNB239V5 128
+#define OID_C2PNB272W1 129
+#define OID_C2PNB304W1 130
+#define OID_C2PNB359V1 131
+#define OID_C2PNB368W1 132
+#define OID_C2PNB431R1 133
+#define OID_PRIME192V1 135
+#define OID_PRIME192V2 136
+#define OID_PRIME192V3 137
+#define OID_PRIME239V1 138
+#define OID_PRIME239V2 139
+#define OID_PRIME239V3 140
+#define OID_PRIME256V1 141
+#define OID_ECDSA_WITH_SHA1 143
+#define OID_ECDSA_WITH_SHA224 145
+#define OID_ECDSA_WITH_SHA256 146
+#define OID_ECDSA_WITH_SHA384 147
+#define OID_ECDSA_WITH_SHA512 148
+#define OID_TCGID 169
+#define OID_AUTHORITY_INFO_ACCESS 174
+#define OID_OCSP_SIGNING 184
+#define OID_XMPP_ADDR 186
+#define OID_AUTHENTICATION_INFO 188
+#define OID_ACCESS_IDENTITY 189
+#define OID_CHARGING_IDENTITY 190
+#define OID_GROUP 191
+#define OID_OCSP 193
+#define OID_BASIC 194
+#define OID_NONCE 195
+#define OID_CRL 196
+#define OID_RESPONSE 197
+#define OID_NO_CHECK 198
+#define OID_ARCHIVE_CUTOFF 199
+#define OID_SERVICE_LOCATOR 200
+#define OID_CA_ISSUERS 201
+#define OID_DES_CBC 205
+#define OID_SHA1 206
+#define OID_SHA1_WITH_RSA_OIW 207
+#define OID_SECT163K1 218
+#define OID_SECT163R1 219
+#define OID_SECT239K1 220
+#define OID_SECT113R1 221
+#define OID_SECT113R2 222
+#define OID_SECT112R1 223
+#define OID_SECT112R2 224
+#define OID_SECT160R1 225
+#define OID_SECT160K1 226
+#define OID_SECT256K1 227
+#define OID_SECT163R2 228
+#define OID_SECT283K1 229
+#define OID_SECT283R1 230
+#define OID_SECT131R1 231
+#define OID_SECT131R2 232
+#define OID_SECT193R1 233
+#define OID_SECT193R2 234
+#define OID_SECT233K1 235
+#define OID_SECT233R1 236
+#define OID_SECT128R1 237
+#define OID_SECT128R2 238
+#define OID_SECT160R2 239
+#define OID_SECT192K1 240
+#define OID_SECT224K1 241
+#define OID_SECT224R1 242
+#define OID_SECT384R1 243
+#define OID_SECT521R1 244
+#define OID_SECT409K1 245
+#define OID_SECT409R1 246
+#define OID_SECT571K1 247
+#define OID_SECT571R1 248
+#define OID_AES128_CBC 257
+#define OID_AES128_GCM 258
+#define OID_AES128_CCM 259
+#define OID_AES192_CBC 260
+#define OID_AES192_GCM 261
+#define OID_AES192_CCM 262
+#define OID_AES256_CBC 263
+#define OID_AES256_GCM 264
+#define OID_AES256_CCM 265
+#define OID_SHA256 267
+#define OID_SHA384 268
+#define OID_SHA512 269
+#define OID_SHA224 270
+#define OID_NS_REVOCATION_URL 276
+#define OID_NS_CA_REVOCATION_URL 277
+#define OID_NS_CA_POLICY_URL 278
+#define OID_NS_COMMENT 279
+#define OID_EMPLOYEE_NUMBER 282
+#define OID_PKI_MESSAGE_TYPE 288
+#define OID_PKI_STATUS 289
+#define OID_PKI_FAIL_INFO 290
+#define OID_PKI_SENDER_NONCE 291
+#define OID_PKI_RECIPIENT_NONCE 292
+#define OID_PKI_TRANS_ID 293
+#define OID_EMAIL_ADDRESS 300
+#define OID_UNSTRUCTURED_NAME 301
-#define OID_MAX 296
+#define OID_MAX 302
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 1514f179f..5adca6289 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -82,6 +82,7 @@
0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA
0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA
0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA
+ 0x0E "sha224WithRSAEncryption" OID_SHA224_WITH_RSA
0x07 "PKCS-7"
0x01 "data" OID_PKCS7_DATA
0x02 "signedData" OID_PKCS7_SIGNED_DATA
@@ -141,6 +142,11 @@
0x07 "prime256v1" OID_PRIME256V1
0x04 "id-ecSigType"
0x01 "ecdsa-with-SHA1" OID_ECDSA_WITH_SHA1
+ 0x03 "ecdsa-with-Specified"
+ 0x01 "ecdsa-with-SHA224" OID_ECDSA_WITH_SHA224
+ 0x02 "ecdsa-with-SHA256" OID_ECDSA_WITH_SHA256
+ 0x03 "ecdsa-with-SHA384" OID_ECDSA_WITH_SHA384
+ 0x04 "ecdsa-with-SHA512" OID_ECDSA_WITH_SHA512
0x2B ""
0x06 "dod"
0x01 "internet"
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index c9c181f87..40a93e21a 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -19,6 +19,7 @@
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
+#include <ctype.h>
#include "chunk.h"
@@ -442,6 +443,32 @@ int chunk_compare(chunk_t a, chunk_t b)
};
/**
+ * Remove non-printable characters from a chunk.
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
+{
+ bool printable = TRUE;
+ int i;
+
+ if (sane)
+ {
+ *sane = chunk_clone(chunk);
+ }
+ for (i = 0; i < chunk.len; i++)
+ {
+ if (!isprint(chunk.ptr[i]))
+ {
+ if (sane)
+ {
+ sane->ptr[i] = replace;
+ }
+ printable = FALSE;
+ }
+ }
+ return printable;
+}
+
+/**
* Described in header.
*
* The implementation is based on Paul Hsieh's SuperFastHash:
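Review bot: `isprint()` in the `if (!isprint(chunk.ptr[i]))` line is locale-dependent, so outside the "C" locale bytes above 0x7F may be accepted as printable; if this helper is meant to sanitize untrusted data before it is logged or displayed, as the chunk.h description suggests, an explicit byte-range check or a documented locale assumption would make the guarantee deterministic. The loop index `int i` is compared against `chunk.len`, which is presumably unsigned; `size_t i;` avoids the sign-compare issue. The comment above the function says "Remove" although the code replaces characters in a clone; `* Clone a chunk and replace its non-printable characters.` matches the behavior.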
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 3d8c360c5..66c3f26a2 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -26,6 +26,9 @@
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
+#ifdef HAVE_ALLOCA_H
+#include <alloca.h>
+#endif
typedef struct chunk_t chunk_t;
@@ -83,8 +86,9 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);
void chunk_split(chunk_t chunk, const char *mode, ...);
/**
- * Write the binary contents of a chunk_t to a file
- *
+ * Write the binary contents of a chunk_t to a file
+ *
+ * @param chunk contents to write to file
* @param path path where file is written to
* @param label label specifying file type
* @param mask file mode creation mask
@@ -99,6 +103,7 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force
* The resulting string is '\\0' terminated, but the chunk does not include
* the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
*
+ * @param chunk data to convert to hex encoding
* @param buf buffer to write to, NULL to malloc
* @param uppercase TRUE to use uppercase letters
* @return chunk of encoded data
@@ -232,6 +237,19 @@ static inline bool chunk_equals(chunk_t a, chunk_t b)
}
/**
+ * Check if a chunk has printable characters only.
+ *
+ * If sane is given, chunk is cloned into sane and all non printable characters
+ * get replaced by "replace".
+ *
+ * @param chunk chunk to check for printability
+ * @param sane pointer where sane version is allocated, or NULL
+ * @param replace character to use for replaceing unprintable characters
+ * @return TRUE if all characters in chunk are printable
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
+
+/**
* Computes a 32 bit hash of the given chunk.
* Note: This hash is only intended for hash tables not for cryptographic purposes.
*/
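Review bot: The `@param replace` line has a typo, "replaceing" should read "replacing". The comment could also state ownership of the clone explicitly, since `sane` is allocated on the caller's behalf: `@param sane pointer where sane version is allocated (caller frees sane->ptr), or NULL` — assuming the clone is heap-allocated, as the wording implies.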
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 2e9a541d4..e55df0398 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -234,7 +234,7 @@ credential_factory_t *credential_factory_create()
this->constructors = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index c94c27f0a..a5f547038 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -28,6 +28,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
"RSA_EMSA_PKCS1_NULL",
"RSA_EMSA_PKCS1_MD5",
"RSA_EMSA_PKCS1_SHA1",
+ "RSA_EMSA_PKCS1_SHA224",
"RSA_EMSA_PKCS1_SHA256",
"RSA_EMSA_PKCS1_SHA384",
"RSA_EMSA_PKCS1_SHA512",
@@ -51,6 +52,9 @@ signature_scheme_t signature_scheme_from_oid(int oid)
case OID_SHA1_WITH_RSA:
case OID_SHA1:
return SIGN_RSA_EMSA_PKCS1_SHA1;
+ case OID_SHA224_WITH_RSA:
+ case OID_SHA224:
+ return SIGN_RSA_EMSA_PKCS1_SHA224;
case OID_SHA256_WITH_RSA:
case OID_SHA256:
return SIGN_RSA_EMSA_PKCS1_SHA256;
@@ -63,6 +67,12 @@ signature_scheme_t signature_scheme_from_oid(int oid)
case OID_ECDSA_WITH_SHA1:
case OID_EC_PUBLICKEY:
return SIGN_ECDSA_WITH_SHA1;
+ case OID_ECDSA_WITH_SHA256:
+ return SIGN_ECDSA_256;
+ case OID_ECDSA_WITH_SHA384:
+ return SIGN_ECDSA_384;
+ case OID_ECDSA_WITH_SHA512:
+ return SIGN_ECDSA_521;
default:
return SIGN_UNKNOWN;
}
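Review bot: oid.txt in this same commit adds ecdsa-with-SHA224 (OID_ECDSA_WITH_SHA224), but signature_scheme_from_oid gains no case for it, so such signatures fall through to SIGN_UNKNOWN; if that is intentional because no matching SIGN_* scheme exists yet, a comment next to `default:` saying so would help. The new cases also bind a hash to a curve size (`OID_ECDSA_WITH_SHA512` → `SIGN_ECDSA_521`), which presumably relies on the NIST hash/curve pairings; a signature using ecdsa-with-SHA512 over a smaller key would be mapped to the 521 scheme, so the verifier must still check that the scheme matches the key — worth a comment here. The function's start is outside the hunk.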
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index c58531b73..be5f3bde6 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -66,6 +66,8 @@ enum signature_scheme_t {
SIGN_RSA_EMSA_PKCS1_MD5,
/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1 */
SIGN_RSA_EMSA_PKCS1_SHA1,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224 */
+ SIGN_RSA_EMSA_PKCS1_SHA224,
/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256 */
SIGN_RSA_EMSA_PKCS1_SHA256,
/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384 */
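Review bot: Inserting SIGN_RSA_EMSA_PKCS1_SHA224 in the middle of signature_scheme_t renumbers every following enumerator, and the hasher.h hunk likewise shifts HASH_SHA256/384/512 from 6/7/8 to 7/8/9; any plugin or out-of-tree code compiled against the old headers, or any place that persists these numeric values, must be rebuilt or migrated. If the values are not meant to be stable, a short comment on the enum saying so would prevent that assumption; if they are, the new members should be appended instead. The enum's declaration starts outside the hunk.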
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index fea8d0793..e928e8cdf 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -746,7 +746,7 @@ crypto_factory_t *crypto_factory_create()
this->prfs = linked_list_create();
this->rngs = linked_list_create();
this->dhs = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
this->tester = crypto_tester_create();
this->test_on_add = lib->settings->get_bool(lib->settings,
"libstrongswan.crypto_test.on_add", FALSE);
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index b0b5aa969..4d13474a1 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -136,7 +136,7 @@ static bool test_crypter(private_crypto_tester_t *this,
crypter->destroy(crypter);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
encryption_algorithm_names, alg, tested);
break;
}
@@ -151,7 +151,7 @@ static bool test_crypter(private_crypto_tester_t *this,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
encryption_algorithm_names, alg, tested);
}
return !failed;
@@ -240,7 +240,7 @@ static bool test_signer(private_crypto_tester_t *this,
signer->destroy(signer);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
integrity_algorithm_names, alg, tested);
break;
}
@@ -255,7 +255,7 @@ static bool test_signer(private_crypto_tester_t *this,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
integrity_algorithm_names, alg, tested);
}
return !failed;
@@ -330,8 +330,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
hasher->destroy(hasher);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
- hash_algorithm_names, alg), tested;
+ DBG1("disabled %N: test vector %u failed",
+ hash_algorithm_names, alg, tested);
break;
}
}
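Review bot: The old `hash_algorithm_names, alg), tested;` left DBG1 one argument short of its format, so this hunk fixes a real format/argument mismatch. The switch to `%u` here and in the other test_* hunks is only correct if `tested` is an unsigned type; its declaration is outside the hunk, so please confirm, since a signed `int` with `%u` is a format mismatch of the same kind this hunk repairs.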
@@ -345,7 +345,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
hash_algorithm_names, alg, tested);
}
return !failed;
@@ -431,7 +431,7 @@ static bool test_prf(private_crypto_tester_t *this,
prf->destroy(prf);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
pseudo_random_function_names, alg, tested);
break;
}
@@ -446,7 +446,7 @@ static bool test_prf(private_crypto_tester_t *this,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
pseudo_random_function_names, alg, tested);
}
return !failed;
@@ -515,7 +515,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
rng->destroy(rng);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
rng_quality_names, quality, tested);
break;
}
@@ -530,7 +530,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
rng_quality_names, quality, tested);
}
return !failed;
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index c58c2ad42..4d6904e47 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -26,6 +26,7 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
"HASH_MD4",
"HASH_MD5",
"HASH_SHA1",
+ "HASH_SHA224",
"HASH_SHA256",
"HASH_SHA384",
"HASH_SHA512"
@@ -47,6 +48,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
case OID_SHA1:
case OID_SHA1_WITH_RSA:
return HASH_SHA1;
+ case OID_SHA224:
+ case OID_SHA224_WITH_RSA:
+ return HASH_SHA224;
case OID_SHA256:
case OID_SHA256_WITH_RSA:
return HASH_SHA256;
@@ -79,6 +83,9 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
case HASH_SHA1:
oid = OID_SHA1;
break;
+ case HASH_SHA224:
+ oid = OID_SHA224;
+ break;
case HASH_SHA256:
oid = OID_SHA256;
break;
@@ -112,6 +119,9 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg)
case HASH_SHA1:
oid = OID_SHA1_WITH_RSA;
break;
+ case HASH_SHA224:
+ oid = OID_SHA224_WITH_RSA;
+ break;
case HASH_SHA256:
oid = OID_SHA256_WITH_RSA;
break;
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 098739fa3..6deed37ab 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -40,15 +40,17 @@ enum hash_algorithm_t {
HASH_MD4 = 3,
HASH_MD5 = 4,
HASH_SHA1 = 5,
- HASH_SHA256 = 6,
- HASH_SHA384 = 7,
- HASH_SHA512 = 8
+ HASH_SHA224 = 6,
+ HASH_SHA256 = 7,
+ HASH_SHA384 = 8,
+ HASH_SHA512 = 9
};
#define HASH_SIZE_MD2 16
#define HASH_SIZE_MD4 16
#define HASH_SIZE_MD5 16
#define HASH_SIZE_SHA1 20
+#define HASH_SIZE_SHA224 28
#define HASH_SIZE_SHA256 32
#define HASH_SIZE_SHA384 48
#define HASH_SIZE_SHA512 64
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index 76e0a4e89..ef6927874 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -110,7 +110,7 @@ database_factory_t *database_factory_create()
this->public.destroy = (void(*)(database_factory_t*))destroy;
this->databases = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index a30012bb1..1f87412c8 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -201,7 +201,7 @@ fetcher_manager_t *fetcher_manager_create()
this->public.destroy = (void(*)(fetcher_manager_t*))destroy;
this->fetchers = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am
deleted file mode 100644
index 22a35701b..000000000
--- a/src/libstrongswan/fips/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-noinst_PROGRAMS = fips_signer
-fips_signer_SOURCES = fips_signer.c
-fips_signer_LDADD = ../libstrongswan.la
-
-BUILT_SOURCES = fips_signature.h
-CLEANFILES = fips_signature.h fips_signer
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
- -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\"
-if USE_SHA1
- AM_CFLAGS += -DUSE_SHA1
-endif
-
-if USE_OPENSSL
- AM_CFLAGS += -DUSE_OPENSSL
-endif
-
-fips_signature.h : fips_signer
- ./fips_signer
diff --git a/src/libstrongswan/fips/Makefile.in b/src/libstrongswan/fips/Makefile.in
deleted file mode 100644
index cdced9423..000000000
--- a/src/libstrongswan/fips/Makefile.in
+++ /dev/null
@@ -1,484 +0,0 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-noinst_PROGRAMS = fips_signer$(EXEEXT)
-@USE_SHA1_TRUE@am__append_1 = -DUSE_SHA1
-@USE_OPENSSL_TRUE@am__append_2 = -DUSE_OPENSSL
-subdir = src/libstrongswan/fips
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
- $(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-PROGRAMS = $(noinst_PROGRAMS)
-am_fips_signer_OBJECTS = fips_signer.$(OBJEXT)
-fips_signer_OBJECTS = $(am_fips_signer_OBJECTS)
-fips_signer_DEPENDENCIES = ../libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
- $(LDFLAGS) -o $@
-SOURCES = $(fips_signer_SOURCES)
-DIST_SOURCES = $(fips_signer_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-RANLIB = @RANLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-confdir = @confdir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-piddir = @piddir@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-resolv_conf = @resolv_conf@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-simreader = @simreader@
-srcdir = @srcdir@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-fips_signer_SOURCES = fips_signer.c
-fips_signer_LDADD = ../libstrongswan.la
-BUILT_SOURCES = fips_signature.h
-CLEANFILES = fips_signature.h fips_signer
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
- -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" \
- $(am__append_1) $(am__append_2)
-all: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
- @for dep in $?; do \
- case '$(am__configure_deps)' in \
- *$$dep*) \
- ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
- && { if test -f $@; then exit 0; else break; fi; }; \
- exit 1;; \
- esac; \
- done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile'; \
- cd $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- @case '$?' in \
- *config.status*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
- *) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
- esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: $(am__configure_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): $(am__aclocal_m4_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-clean-noinstPROGRAMS:
- @list='$(noinst_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
-fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES)
- @rm -f fips_signer$(EXEEXT)
- $(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT)
-
-distclean-compile:
- -rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- mkid -fID $$unique
-tags: TAGS
-
-TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- tags=; \
- here=`pwd`; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
- test -n "$$unique" || unique=$$empty_fix; \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$tags $$unique; \
- fi
-ctags: CTAGS
-CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- tags=; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- test -z "$(CTAGS_ARGS)$$tags$$unique" \
- || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$tags $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && cd $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
- @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- list='$(DISTFILES)'; \
- dist_files=`for file in $$list; do echo $$file; done | \
- sed -e "s|^$$srcdirstrip/||;t" \
- -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
- case $$dist_files in \
- */*) $(MKDIR_P) `echo "$$dist_files" | \
- sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
- sort -u` ;; \
- esac; \
- for file in $$dist_files; do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- if test -d $$d/$$file; then \
- dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
- fi; \
- cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
- else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
- || exit 1; \
- fi; \
- done
-check-am: all-am
-check: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) check-am
-all-am: Makefile $(PROGRAMS)
-installdirs:
-install: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
- -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
- -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
- -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
- mostlyclean-am
-
-distclean: distclean-am
- -rm -rf ./$(DEPDIR)
- -rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
- -rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am:
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
- clean-libtool clean-noinstPROGRAMS ctags distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am install-dvi \
- install-dvi-am install-exec install-exec-am install-html \
- install-html-am install-info install-info-am install-man \
- install-pdf install-pdf-am install-ps install-ps-am \
- install-strip installcheck installcheck-am installdirs \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
- pdf pdf-am ps ps-am tags uninstall uninstall-am
-
-
-fips_signature.h : fips_signer
- ./fips_signer
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c
deleted file mode 100644
index d2296e5e9..000000000
--- a/src/libstrongswan/fips/fips.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <debug.h>
-#include <crypto/signers/signer.h>
-#include "fips.h"
-
-extern const u_char FIPS_rodata_start[];
-extern const u_char FIPS_rodata_end[];
-extern const void *FIPS_text_start();
-extern const void *FIPS_text_end();
-
-/**
- * Described in header
- */
-bool fips_compute_hmac_signature(const char *key, char *signature)
-{
- u_char *text_start = (u_char *)FIPS_text_start();
- u_char *text_end = (u_char *)FIPS_text_end();
- size_t text_len, rodata_len;
- signer_t *signer;
-
- if (text_start > text_end)
- {
- DBG1(" TEXT start (%p) > TEXT end (%p",
- text_start, text_end);
- return FALSE;
- }
- text_len = text_end - text_start;
- DBG1(" TEXT: %p + %6d = %p",
- text_start, (int)text_len, text_end);
-
- if (FIPS_rodata_start > FIPS_rodata_end)
- {
- DBG1(" RODATA start (%p) > RODATA end (%p",
- FIPS_rodata_start, FIPS_rodata_end);
- return FALSE;
- }
- rodata_len = FIPS_rodata_end - FIPS_rodata_start;
- DBG1(" RODATA: %p + %6d = %p",
- FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end);
-
- signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
- if (signer == NULL)
- {
- DBG1(" SHA-1 HMAC signer could not be created");
- return FALSE;
- }
- else
- {
- chunk_t hmac_key = { (u_char *)key, strlen(key) };
- chunk_t text_chunk = { text_start, text_len };
- chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len };
- chunk_t signature_chunk = chunk_empty;
-
- signer->set_key(signer, hmac_key);
- signer->allocate_signature(signer, text_chunk, NULL);
- signer->allocate_signature(signer, rodata_chunk, &signature_chunk);
- signer->destroy(signer);
-
- sprintf(signature, "%#B", &signature_chunk);
- DBG1(" SHA-1 HMAC key: %s", key);
- DBG1(" SHA-1 HMAC sig: %s", signature);
- free(signature_chunk.ptr);
- return TRUE;
- }
-}
-
-/**
- * Described in header
- */
-bool fips_verify_hmac_signature(const char *key,
- const char *signature)
-{
- char current_signature[BUF_LEN];
-
- if (!fips_compute_hmac_signature(key, current_signature))
- {
- return FALSE;
- }
- return streq(signature, current_signature);
-}
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
deleted file mode 100644
index aae18e3b2..000000000
--- a/src/libstrongswan/fips/fips.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup fips1 fips
- * @{ @ingroup fips
- */
-
-#ifndef FIPS_H_
-#define FIPS_H_
-
-#include <library.h>
-
-/**
- * compute HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key key used for HMAC signature in ASCII string format
- * @param signature HMAC signature in HEX string format
- * @return TRUE if HMAC signature computation was successful
- */
-bool fips_compute_hmac_signature(const char *key, char *signature);
-
-/**
- * verify HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key key used for HMAC signature in ASCII string format
- * @param signature signature value from fips_signature.h in HEX string format
- * @return TRUE if signatures agree
- */
-bool fips_verify_hmac_signature(const char *key, const char *signature);
-
-#endif /** FIPS_H_ @}*/
diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c
deleted file mode 100644
index 247d48927..000000000
--- a/src/libstrongswan/fips/fips_canister_end.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \
- (defined(__sgi) && (defined(__mips) || defined(mips))) || \
- (defined(__osf__) && defined(__alpha)) || \
- (defined(__linux) && (defined(__arm) || defined(__arm__))) || \
- (defined(__i386) || defined(__i386__)) || \
- (defined(__x86_64) || defined(__x86_64__)) || \
- (defined(vax) || defined(__vax__))
-# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-#define FIPS_ref_point FIPS_text_end
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_end[]=
- { 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
- void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif defined(__GNUC__) && __GNUC__>=2
-# if defined(__alpha) || defined(__alpha__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) );
-# elif defined(__i386) || defined(__i386__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif defined(__ia64) || defined(__ia64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "mov %0=ip" : "=r"(ret) );
-# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif defined(__mips) || defined(__mips__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "move %1,$31\n\t" /* save ra */
- "bal .+8; nop\n\t"
- "move %0,$31\n\t"
- "move $31,%1" /* restore ra */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
- defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
- defined(__PPC64__) || defined(__powerpc64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mfspr %1,8\n\t" /* save lr */
- "bl .+4\n\t"
- "mfspr %0,8\n\t" /* mflr ret */
- "mtspr 8,%1" /* restore lr */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mov %%o7,%1\n\t"
- "call .+8; nop\n\t"
- "mov %%o7,%0\n\t"
- "mov %1,%%o7"
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__x86_64) || defined(__x86_64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif defined(__DECC) && defined(__alpha)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif defined(_MSC_VER) && defined(_M_IX86)
-# undef INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- _asm {
- call self
- self: pop eax
- mov scratch,eax
- }
- ret = (void *)((size_t)scratch&~3UL);
-#endif
- return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif defined(_AIX)
- struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_HPUX_SOURCE)
-# if defined(__hppa) || defined(__hppa__)
- struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
- if (sizeof(p) == 8) /* 64-bit */
- return p->i[2];
- else if ((size_t)p & 2)
- { p = (void *)((size_t)p&~3UL);
- return p->i[0];
- }
- else
- return (void *)p;
-# elif defined(__ia64) || defined(__ia64__)
- struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-# endif
-#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
- /* applies to both alpha and ia64 */
- struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-#elif defined(__VOS__)
- /* applies to both pa-risc and ia32 */
- struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_WIN32)
-# if defined(_WIN64) && defined(_M_IA64)
- struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
- return p->ip;
-# else
- return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */
-#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
- return (void *)instruction_pointer;
-#else
- return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c
deleted file mode 100644
index 4a5528a94..000000000
--- a/src/libstrongswan/fips/fips_canister_start.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \
- (defined(__sgi) && (defined(__mips) || defined(mips))) || \
- (defined(__osf__) && defined(__alpha)) || \
- (defined(__linux) && (defined(__arm) || defined(__arm__))) || \
- (defined(__i386) || defined(__i386__)) || \
- (defined(__x86_64) || defined(__x86_64__)) || \
- (defined(vax) || defined(__vax__))
-# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-
-#define FIPS_ref_point FIPS_text_start
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_start[]=
- { 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
- void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif defined(__GNUC__) && __GNUC__>=2
-# if defined(__alpha) || defined(__alpha__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) );
-# elif defined(__i386) || defined(__i386__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif defined(__ia64) || defined(__ia64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "mov %0=ip" : "=r"(ret) );
-# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif defined(__mips) || defined(__mips__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "move %1,$31\n\t" /* save ra */
- "bal .+8; nop\n\t"
- "move %0,$31\n\t"
- "move $31,%1" /* restore ra */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
- defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
- defined(__PPC64__) || defined(__powerpc64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mfspr %1,8\n\t" /* save lr */
- "bl .+4\n\t"
- "mfspr %0,8\n\t" /* mflr ret */
- "mtspr 8,%1" /* restore lr */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mov %%o7,%1\n\t"
- "call .+8; nop\n\t"
- "mov %%o7,%0\n\t"
- "mov %1,%%o7"
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__x86_64) || defined(__x86_64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif defined(__DECC) && defined(__alpha)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif defined(_MSC_VER) && defined(_M_IX86)
-# undef INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- _asm {
- call self
- self: pop eax
- mov scratch,eax
- }
- ret = (void *)((size_t)scratch&~3UL);
-#endif
- return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif defined(_AIX)
- struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_HPUX_SOURCE)
-# if defined(__hppa) || defined(__hppa__)
- struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
- if (sizeof(p) == 8) /* 64-bit */
- return p->i[2];
- else if ((size_t)p & 2)
- { p = (void *)((size_t)p&~3UL);
- return p->i[0];
- }
- else
- return (void *)p;
-# elif defined(__ia64) || defined(__ia64__)
- struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-# endif
-#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
- /* applies to both alpha and ia64 */
- struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-#elif defined(__VOS__)
- /* applies to both pa-risc and ia32 */
- struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_WIN32)
-# if defined(_WIN64) && defined(_M_IA64)
- struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
- return p->ip;
-# else
- return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */
-#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
- return (void *)instruction_pointer;
-#else
- return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
deleted file mode 100644
index 6f5fdcecf..000000000
--- a/src/libstrongswan/fips/fips_signer.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <crypto/hashers/hasher.h>
-#include "fips.h"
-
-int main(int argc, char* argv[])
-{
- FILE *f;
- char *hmac_key = "strongSwan Version " VERSION;
- char hmac_signature[BUF_LEN];
-
- /* initialize library */
- library_init(STRONGSWAN_CONF);
-#ifdef USE_SHA1
- lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1");
-#endif
-#ifdef USE_OPENSSL
- lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl");
-#endif
- lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac");
-
- if (!fips_compute_hmac_signature(hmac_key, hmac_signature))
- {
- exit(1);
- }
-
- /**
- * write computed HMAC signature to fips_signature.h
- */
- f = fopen("fips_signature.h", "wt");
-
- if (f == NULL)
- {
- exit(1);
- }
- fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n");
- fprintf(f, " *\n");
- fprintf(f, " * This file has been automatically generated by fips_signer\n");
- fprintf(f, " * Do not edit manually!\n");
- fprintf(f, " */\n");
- fprintf(f, "\n");
- fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n");
- fprintf(f, "#define FIPS_SIGNATURE_H_\n");
- fprintf(f, "\n");
- fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key);
- fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature);
- fprintf(f, "\n");
- fprintf(f, "#endif /* FIPS_SIGNATURE_H_ @} */\n");
- fclose(f);
-
- library_deinit();
- exit(0);
-}
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c
new file mode 100644
index 000000000..32a296d79
--- /dev/null
+++ b/src/libstrongswan/integrity_checker.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "integrity_checker.h"
+
+#include <dlfcn.h>
+#include <link.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <debug.h>
+#include <library.h>
+
+typedef struct private_integrity_checker_t private_integrity_checker_t;
+
+/**
+ * Private data of an integrity_checker_t object.
+ */
+struct private_integrity_checker_t {
+
+ /**
+ * Public integrity_checker_t interface.
+ */
+ integrity_checker_t public;
+
+ /**
+ * dlopen handle to checksum library
+ */
+ void *handle;
+
+ /**
+ * checksum array
+ */
+ integrity_checksum_t *checksums;
+
+ /**
+ * number of checksums in array
+ */
+ int checksum_count;
+};
+
+/**
+ * Implementation of integrity_checker_t.build_file
+ */
+static u_int32_t build_file(private_integrity_checker_t *this, char *file,
+ size_t *len)
+{
+ u_int32_t checksum;
+ chunk_t contents;
+ struct stat sb;
+ void *addr;
+ int fd;
+
+ fd = open(file, O_RDONLY);
+ if (fd == -1)
+ {
+ DBG1(" opening '%s' failed: %s", file, strerror(errno));
+ return 0;
+ }
+
+ if (fstat(fd, &sb) == -1)
+ {
+ DBG1(" getting file size of '%s' failed: %s", file, strerror(errno));
+ close(fd);
+ return 0;
+ }
+
+ addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (addr == MAP_FAILED)
+ {
+ DBG1(" mapping '%s' failed: %s", file, strerror(errno));
+ close(fd);
+ return 0;
+ }
+
+ *len = sb.st_size;
+ contents = chunk_create(addr, sb.st_size);
+ checksum = chunk_hash(contents);
+
+ munmap(addr, sb.st_size);
+ close(fd);
+
+ return checksum;
+}
+
+/**
+ * dl_iterate_phdr callback function
+ */
+static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
+{
+ /* We are looking for the dlpi_addr matching the address of our dladdr().
+ * dl_iterate_phdr() returns such an address for other (unknown) objects
+ * in very rare cases (e.g. in a chrooted gentoo, but only if
+ * the checksum_builder is invoked by 'make'). As a workaround, we filter
+ * objects by dlpi_name; valid objects have a library name.
+ */
+ if (dli->dli_fbase == (void*)dlpi->dlpi_addr &&
+ dlpi->dlpi_name && *dlpi->dlpi_name)
+ {
+ int i;
+
+ for (i = 0; i < dlpi->dlpi_phnum; i++)
+ {
+ const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
+
+ /* we are interested in the executable LOAD segment */
+ if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
+ {
+ /* safe begin of segment in dli_fbase */
+ dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
+ /* safe end of segment in dli_saddr */
+ dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
+/**
+ * Implementation of integrity_checker_t.build_segment
+ */
+static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
+ size_t *len)
+{
+ chunk_t segment;
+ Dl_info dli;
+
+ if (dladdr(sym, &dli) == 0)
+ {
+ DBG1(" unable to locate symbol: %s", dlerror());
+ return 0;
+ }
+ /* we reuse the Dl_info struct as in/out parameter */
+ if (!dl_iterate_phdr((void*)callback, &dli))
+ {
+ DBG1(" executable section not found");
+ return 0;
+ }
+
+ segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
+ *len = segment.len;
+ return chunk_hash(segment);
+}
+
+/**
+ * Find a checksum by its name
+ */
+static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
+ char *name)
+{
+ int i;
+
+ for (i = 0; i < this->checksum_count; i++)
+ {
+ if (streq(this->checksums[i].name, name))
+ {
+ return &this->checksums[i];
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Implementation of integrity_checker_t.check_file
+ */
+static bool check_file(private_integrity_checker_t *this,
+ char *name, char *file)
+{
+ integrity_checksum_t *cs;
+ u_int32_t sum;
+ size_t len = 0;
+
+ cs = find_checksum(this, name);
+ if (!cs)
+ {
+ DBG1(" '%s' file checksum not found", name);
+ return FALSE;
+ }
+ sum = build_file(this, file, &len);
+ if (!sum)
+ {
+ return FALSE;
+ }
+ if (cs->file_len != len)
+ {
+ DBG1(" invalid '%s' file size: %u bytes, expected %u bytes",
+ name, len, cs->file_len);
+ return FALSE;
+ }
+ if (cs->file != sum)
+ {
+ DBG1(" invalid '%s' file checksum: %08x, expected %08x",
+ name, sum, cs->file);
+ return FALSE;
+ }
+ DBG2(" valid '%s' file checksum: %08x", name, sum);
+ return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.check_segment
+ */
+static bool check_segment(private_integrity_checker_t *this,
+ char *name, void *sym)
+{
+ integrity_checksum_t *cs;
+ u_int32_t sum;
+ size_t len = 0;
+
+ cs = find_checksum(this, name);
+ if (!cs)
+ {
+ DBG1(" '%s' segment checksum not found", name);
+ return FALSE;
+ }
+ sum = build_segment(this, sym, &len);
+ if (!sum)
+ {
+ return FALSE;
+ }
+ if (cs->segment_len != len)
+ {
+ DBG1(" invalid '%s' segment size: %u bytes, expected %u bytes",
+ name, len, cs->segment_len);
+ return FALSE;
+ }
+ if (cs->segment != sum)
+ {
+ DBG1(" invalid '%s' segment checksum: %08x, expected %08x",
+ name, sum, cs->segment);
+ return FALSE;
+ }
+ DBG2(" valid '%s' segment checksum: %08x", name, sum);
+ return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.check
+ */
+static bool check(private_integrity_checker_t *this, char *name, void *sym)
+{
+ Dl_info dli;
+
+ if (dladdr(sym, &dli) == 0)
+ {
+ DBG1("unable to locate symbol: %s", dlerror());
+ return FALSE;
+ }
+ if (!check_file(this, name, (char*)dli.dli_fname))
+ {
+ return FALSE;
+ }
+ if (!check_segment(this, name, sym))
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.destroy.
+ */
+static void destroy(private_integrity_checker_t *this)
+{
+ if (this->handle)
+ {
+ dlclose(this->handle);
+ }
+ free(this);
+}
+
+/**
+ * See header
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library)
+{
+ private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
+
+ this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
+ this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file;
+ this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
+ this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment;
+ this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
+ this->public.destroy = (void(*)(integrity_checker_t*))destroy;
+
+ this->checksum_count = 0;
+ this->handle = NULL;
+ if (checksum_library)
+ {
+ this->handle = dlopen(checksum_library, RTLD_LAZY);
+ if (this->handle)
+ {
+ int *checksum_count;
+
+ this->checksums = dlsym(this->handle, "checksums");
+ checksum_count = dlsym(this->handle, "checksum_count");
+ if (this->checksums && checksum_count)
+ {
+ this->checksum_count = *checksum_count;
+ }
+ else
+ {
+ DBG1("checksum library '%s' invalid", checksum_library);
+ }
+ }
+ else
+ {
+ DBG1("loading checksum library '%s' failed", checksum_library);
+ }
+ }
+ return &this->public;
+}
+
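Review bot: The size diagnostics in check_file and check_segment pass `size_t` values (`len`, `cs->file_len`, `cs->segment_len`) to a `%u` conversion, which is a width mismatch on LP64 targets if DBG1 forwards to a printf-style formatter; `%zu` matches the declared types, e.g. `DBG1(" invalid '%s' file size: %zu bytes, expected %zu bytes", name, len, cs->file_len);` and the same change for the segment message. Separately, build_file and build_segment use 0 both as the error sentinel and as a possible hash value, so a file or segment whose chunk_hash happens to be 0 is rejected by the `if (!sum)` checks in check_file and check_segment; reporting failure through a bool return or a separate out-parameter would remove that ambiguity. `this->checksums` is also left uninitialised by integrity_checker_create when no library is loaded; find_checksum never dereferences it because checksum_count stays 0, but setting `this->checksums = NULL;` next to `this->checksum_count = 0;` makes that invariant explicit rather than relying on the loop bound.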
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h
new file mode 100644
index 000000000..d078dd6fb
--- /dev/null
+++ b/src/libstrongswan/integrity_checker.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup integrity_checker integrity_checker
+ * @{ @ingroup libstrongswan
+ */
+
+#ifndef INTEGRITY_CHECKER_H_
+#define INTEGRITY_CHECKER_H_
+
+#include <utils.h>
+#include <plugins/plugin.h>
+
+typedef struct integrity_checker_t integrity_checker_t;
+typedef struct integrity_checksum_t integrity_checksum_t;
+
+/**
+ * Struct to hold a precalculated checksum, implemented in the checksum library.
+ */
+struct integrity_checksum_t {
+ /* name of the checksum */
+ char *name;
+ /* size in bytes of the file on disk */
+ size_t file_len;
+ /* checksum of the file on disk */
+ u_int32_t file;
+ /* size in bytes of executable segment in memory */
+ size_t segment_len;
+ /* checksum of the executable segment in memory */
+ u_int32_t segment;
+};
+
+/**
+ * Code integrity checker to detect non-malicious file manipulation.
+ *
+ * The integrity checker reads the checksums from a separate library
+ * libchecksum.so to compare the checksums.
+ */
+struct integrity_checker_t {
+
+ /**
+ * Check the integrity of a file on disk.
+ *
+ * @param name name to lookup checksum
+ * @param file path to file
+ * @return TRUE if integrity tested successfully
+ */
+ bool (*check_file)(integrity_checker_t *this, char *name, char *file);
+
+ /**
+ * Build the integrity checksum of a file on disk.
+ *
+ * @param file path to file
+ * @param len return length in bytes of file
+ * @return checksum, 0 on error
+ */
+ u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len);
+
+ /**
+ * Check the integrity of the code segment in memory.
+ *
+ * @param name name to lookup checksum
+ * @param sym a symbol in the segment to check
+ * @return TRUE if integrity tested successfully
+ */
+ bool (*check_segment)(integrity_checker_t *this, char *name, void *sym);
+ /**
+ * Build the integrity checksum of a code segment in memory.
+ *
+ * @param sym a symbol in the segment to check
+ * @param len return length in bytes of code segment in memory
+ * @return checksum, 0 on error
+ */
+ u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len);
+
+ /**
+ * Check both, on disk file integrity and loaded segment.
+ *
+ * @param name name to lookup checksum
+ * @param sym a symbol to look up library and segment
+ * @return TRUE if integrity tested successfully
+ */
+ bool (*check)(integrity_checker_t *this, char *name, void *sym);
+
+ /**
+ * Destroy a integrity_checker_t.
+ */
+ void (*destroy)(integrity_checker_t *this);
+};
+
+/**
+ * Create a integrity_checker instance.
+ *
+ * @param checksum_library library containing checksums
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library);
+
+#endif /* INTEGRITY_CHECKER_H_ @}*/
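Review bot: The `@param checksum_library` line on integrity_checker_create does not say what happens when the library cannot be loaded: the implementation then returns a checker with no checksums, so every check_file, check_segment and check call fails with a "checksum not found" diagnostic rather than the constructor returning NULL. Suggest `@param checksum_library path of the library holding the checksums; if it cannot be loaded the checker has no checksums and every check fails`. It would also help the reader of the struct integrity_checker_t comment to state that the checksum library is loaded with dlopen/dlsym without being verified itself, which is the reason the class is documented as detecting non-malicious manipulation only.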
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 8e5a8a611..832c8b607 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -20,12 +20,15 @@
#include <utils.h>
#include <chunk.h>
+#include <debug.h>
#include <utils/identification.h>
#include <utils/host.h>
#ifdef LEAK_DETECTIVE
#include <utils/leak_detective.h>
#endif
+#define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so"
+
typedef struct private_library_t private_library_t;
/**
@@ -65,6 +68,10 @@ void library_deinit()
this->public.fetcher->destroy(this->public.fetcher);
this->public.db->destroy(this->public.db);
this->public.printf_hook->destroy(this->public.printf_hook);
+ if (this->public.integrity)
+ {
+ this->public.integrity->destroy(this->public.integrity);
+ }
#ifdef LEAK_DETECTIVE
if (this->detective)
@@ -79,7 +86,7 @@ void library_deinit()
/*
* see header file
*/
-void library_init(char *settings)
+bool library_init(char *settings)
{
printf_hook_t *pfh;
private_library_t *this = malloc_thing(private_library_t);
@@ -119,5 +126,23 @@ void library_init(char *settings)
this->public.fetcher = fetcher_manager_create();
this->public.db = database_factory_create();
this->public.plugins = plugin_loader_create();
+ this->public.integrity = NULL;
+
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.integrity_test", FALSE))
+ {
+#ifdef INTEGRITY_TEST
+ this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
+ if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init))
+ {
+ DBG1("integrity check of libstrongswan failed");
+ return FALSE;
+ }
+#else /* !INTEGRITY_TEST */
+ DBG1("integrity test enabled, but not supported");
+ return FALSE;
+#endif /* INTEGRITY_TEST */
+ }
+ return TRUE;
}
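Review bot: When the integrity check fails, library_init returns FALSE after `lib` and every subsystem have already been created (the allocation just above the hunk and the factories at its top), so the caller is left with a fully initialised but untrusted library and no indication of whether library_deinit() must still be called; the destroy path added to library_deinit in the earlier hunk does handle a set integrity checker, so either documenting that deinit is still required on FALSE, or calling it before `return FALSE;`, closes the gap. Since library_init previously returned void, existing callers compile unchanged and can silently ignore the FALSE and keep running on a library that failed its check; marking the prototype `__attribute__((warn_unused_result))` or auditing the callers would keep a failed check from going unnoticed. The `#else` branch that refuses an enabled-but-unsupported integrity test is the right fail-closed choice.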
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 35c6b686a..df4121803 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -19,6 +19,9 @@
* @defgroup asn1 asn1
* @ingroup libstrongswan
*
+ * @defgroup pgp pgp
+ * @ingroup libstrongswan
+ *
* @defgroup credentials credentials
* @ingroup libstrongswan
*
@@ -30,19 +33,16 @@
*
* @defgroup crypto crypto
* @ingroup libstrongswan
-
+ *
* @defgroup database database
* @ingroup libstrongswan
-
+ *
* @defgroup fetcher fetcher
* @ingroup libstrongswan
-
- * @defgroup fips fips
- * @ingroup libstrongswan
-
+ *
* @defgroup plugins plugins
* @ingroup libstrongswan
-
+ *
* @defgroup utils utils
* @ingroup libstrongswan
*/
@@ -59,6 +59,7 @@
#include <utils.h>
#include <chunk.h>
#include <settings.h>
+#include <integrity_checker.h>
#include <plugins/plugin_loader.h>
#include <crypto/crypto_factory.h>
#include <fetcher/fetcher_manager.h>
@@ -108,6 +109,11 @@ struct library_t {
settings_t *settings;
/**
+ * integrity checker to verify code integrity
+ */
+ integrity_checker_t *integrity;
+
+ /**
* is leak detective running?
*/
bool leak_detective;
@@ -117,8 +123,9 @@ struct library_t {
* Initialize library, creates "lib" instance.
*
* @param settings file to read settings from, may be NULL for none
+ * @return FALSE if integrity check failed
*/
-void library_init(char *settings);
+bool library_init(char *settings);
/**
* Deinitialize library, destroys "lib" instance.
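Review bot: The new `@return FALSE if integrity check failed` on library_init is incomplete: the library.c change also returns FALSE when `libstrongswan.integrity_test` is enabled but the build lacks INTEGRITY_TEST support, and that case is indistinguishable to the caller. Suggest `@return TRUE on success, FALSE if the integrity check failed or was requested but is not supported by this build`.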
diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am
index e73040f27..a3101172f 100644
--- a/src/libstrongswan/plugins/aes/Makefile.am
+++ b/src/libstrongswan/plugins/aes/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-aes.la
libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
-libstrongswan_aes_la_LDFLAGS = -module
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 19d3249b5..4414b2ede 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-aes.la
libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
-libstrongswan_aes_la_LDFLAGS = -module
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am
index bc022aa26..e1000e562 100644
--- a/src/libstrongswan/plugins/agent/Makefile.am
+++ b/src/libstrongswan/plugins/agent/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-agent.la
libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
agent_private_key.c agent_private_key.h
-libstrongswan_agent_la_LDFLAGS = -module
+libstrongswan_agent_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 5a5202262..a73edb362 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-agent.la
libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
agent_private_key.c agent_private_key.h
-libstrongswan_agent_la_LDFLAGS = -module
+libstrongswan_agent_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
index 6bb82169e..3fbc5893b 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.am
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-blowfish.la
libstrongswan_blowfish_la_SOURCES = \
blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
-libstrongswan_blowfish_la_LDFLAGS = -module
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 25cea73df..e536b5fc6 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_blowfish_la_SOURCES = \
blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
-libstrongswan_blowfish_la_LDFLAGS = -module
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am
index 1b44516b2..f0a41e4ad 100644
--- a/src/libstrongswan/plugins/curl/Makefile.am
+++ b/src/libstrongswan/plugins/curl/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-curl.la
libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
-libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LDFLAGS = -module -avoid-version
libstrongswan_curl_la_LIBADD = -lcurl
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index b413e035e..21d77ac8f 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-curl.la
libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
-libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LDFLAGS = -module -avoid-version
libstrongswan_curl_la_LIBADD = -lcurl
all: all-am
diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am
index ea94eda8a..76cfbc419 100644
--- a/src/libstrongswan/plugins/des/Makefile.am
+++ b/src/libstrongswan/plugins/des/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-des.la
libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
-libstrongswan_des_la_LDFLAGS = -module
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index bbca6a032..19da339fe 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-des.la
libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
-libstrongswan_des_la_LDFLAGS = -module
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am
index 73f28825a..d9431947e 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.am
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-fips-prf.la
libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
-libstrongswan_fips_prf_la_LDFLAGS = -module
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 881d7a36e..5dcae7f27 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-fips-prf.la
libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
-libstrongswan_fips_prf_la_LDFLAGS = -module
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index 72cc409fc..7394676e2 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -13,5 +13,5 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
gcrypt_crypter.h gcrypt_crypter.c \
gcrypt_hasher.h gcrypt_hasher.c
-libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 49994c593..e3d27f7f8 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -232,7 +237,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
gcrypt_crypter.h gcrypt_crypter.c \
gcrypt_hasher.h gcrypt_hasher.c
-libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
all: all-am
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 785ebda90..41e17c897 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -116,6 +116,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
case HASH_SHA1:
gcrypt_alg = GCRY_MD_SHA1;
break;
+ case HASH_SHA224:
+ gcrypt_alg = GCRY_MD_SHA224;
+ break;
case HASH_SHA256:
gcrypt_alg = GCRY_MD_SHA256;
break;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 547329dde..939e0886c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -47,7 +47,7 @@ struct private_gcrypt_plugin_t {
*/
static int mutex_init(void **lock)
{
- *lock = mutex_create(MUTEX_DEFAULT);
+ *lock = mutex_create(MUTEX_TYPE_DEFAULT);
return 0;
}
@@ -148,6 +148,8 @@ plugin_t *plugin_create()
(hasher_constructor_t)gcrypt_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_MD5,
(hasher_constructor_t)gcrypt_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ (hasher_constructor_t)gcrypt_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
(hasher_constructor_t)gcrypt_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 611ab2467..e0e8015db 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -61,12 +61,14 @@ struct private_gcrypt_rsa_private_key_t {
public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key);
/**
- * find a token in a S-expression
+ * find a token in a S-expression. If a key is given, its length is used to
+ * pad the output to a given length.
*/
-chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key)
{
gcry_sexp_t token;
- chunk_t data = chunk_empty;
+ chunk_t data = chunk_empty, tmp;
+ size_t len = 0;
token = gcry_sexp_find_token(sexp, name, 1);
if (token)
@@ -76,7 +78,36 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
{
data.len = 0;
}
- data = chunk_clone(data);
+ else
+ {
+ if (key)
+ {
+ /* gcrypt might return more bytes than necessary. Truncate
+ * to key lenght if key given, or prepend zeros if needed */
+ len = gcry_pk_get_nbits(key);
+ len = len / 8 + (len % 8 ? 1 : 0);
+ if (len > data.len)
+ {
+ tmp = chunk_alloc(len);
+ len -= data.len;
+ memset(tmp.ptr, 0, tmp.len - len);
+ memcpy(tmp.ptr + len, data.ptr, data.len);
+ data = tmp;
+ }
+ else if (len < data.len)
+ {
+ data = chunk_clone(chunk_skip(data, data.len - len));
+ }
+ else
+ {
+ data = chunk_clone(data);
+ }
+ }
+ else
+ {
+ data = chunk_clone(data);
+ }
+ }
gcry_sexp_release(token);
}
return data;
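Review bot: The zero-fill in the prepend branch uses the wrong length: after `len -= data.len`, `len` holds the number of pad bytes, but `memset(tmp.ptr, 0, tmp.len - len)` clears `data.len` bytes instead, so whenever the pad is longer than the data the bytes between `data.len` and `len` are never written and uninitialized heap memory is returned as part of the signature or ciphertext; the line should read `memset(tmp.ptr, 0, len);`. In the truncation branch, `chunk_skip(data, data.len - len)` drops the leading bytes without checking that they are zero, which is presumably correct for gcrypt's sign-byte prefix but would silently corrupt the value rather than fail if they were not; a `DBG1` when a dropped byte is non-zero would make that visible. The comment's "lenght" is a typo for "length". The signature and the opening of gcrypt_rsa_find_token's body are in the previous hunk, so the `if`/`else` pairing here depends on lines outside this hunk.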
@@ -124,7 +155,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
return FALSE;
}
- *signature = gcrypt_rsa_find_token(out, "s");
+ *signature = gcrypt_rsa_find_token(out, "s", this->key);
gcry_sexp_release(out);
return !!signature->len;
}
@@ -170,7 +201,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
return FALSE;
}
- *signature = gcrypt_rsa_find_token(out, "s");
+ *signature = gcrypt_rsa_find_token(out, "s", this->key);
gcry_sexp_release(out);
return !!signature->len;
}
@@ -195,6 +226,8 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
return sign_raw(this, data, sig);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig);
case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -353,9 +386,9 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
gcry_error_t err;
/* p and q are swapped, gcrypt expects p < q */
- cp = gcrypt_rsa_find_token(this->key, "q");
- cq = gcrypt_rsa_find_token(this->key, "p");
- cd = gcrypt_rsa_find_token(this->key, "d");
+ cp = gcrypt_rsa_find_token(this->key, "q", NULL);
+ cq = gcrypt_rsa_find_token(this->key, "p", NULL);
+ cd = gcrypt_rsa_find_token(this->key, "d", NULL);
err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL)
| gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL)
@@ -401,14 +434,14 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
}
return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0,
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")),
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)),
asn1_integer("m", cd),
asn1_integer("m", cp),
asn1_integer("m", cq),
asn1_integer("m", cexp1),
asn1_integer("m", cexp2),
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "u")));
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL)));
}
/**
@@ -477,8 +510,8 @@ bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
return FALSE;
}
publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_integer("m", gcrypt_rsa_find_token(key, "n")),
- asn1_integer("m", gcrypt_rsa_find_token(key, "e")));
+ asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)),
+ asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL)));
hasher->allocate_hash(hasher, publicKey, &hash);
*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
chunk_free(&hash);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 8024f58a7..4d9c88c6d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -60,7 +60,7 @@ struct private_gcrypt_rsa_public_key_t {
/**
* Implemented in gcrypt_rsa_private_key.c
*/
-chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name);
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key);
bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
identification_t **keyid_info);
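Review bot: The prototype on the changed line is a hand-maintained copy of the definition in gcrypt_rsa_private_key.c, and this commit shows the hazard: a signature change has to be replicated here by hand, and a divergence between this copy and the definition is not caught by the compiler across translation units. Moving the declaration into a header both files include, with a one-line comment on the `key` argument, would let the compiler check callers against a single declaration. Until then a comment above it such as `/* keep in sync with the definition in gcrypt_rsa_private_key.c; key may be NULL to skip padding */` would at least document the coupling and the NULL convention the callers in this file rely on.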
@@ -188,6 +188,8 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
return verify_pkcs1(this, HASH_MD5, "md5", data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -226,7 +228,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err));
return FALSE;
}
- *encrypted = gcrypt_rsa_find_token(out, "a");
+ *encrypted = gcrypt_rsa_find_token(out, "a", this->key);
gcry_sexp_release(out);
return !!encrypted->len;
}
@@ -290,8 +292,8 @@ static identification_t *get_id(private_gcrypt_rsa_public_key_t *this,
static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this)
{
return asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")));
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)));
}
/**
@@ -352,8 +354,8 @@ public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key)
chunk_t n, e;
this = gcrypt_rsa_public_key_create_empty();
- n = gcrypt_rsa_find_token(key, "n");
- e = gcrypt_rsa_find_token(key, "e");
+ n = gcrypt_rsa_find_token(key, "n", NULL);
+ e = gcrypt_rsa_find_token(key, "e", NULL);
err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
n.len, n.ptr, e.len, e.ptr);
diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am
index f073b5d48..1ab358328 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.am
+++ b/src/libstrongswan/plugins/gmp/Makefile.am
@@ -10,6 +10,6 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
gmp_rsa_private_key.c gmp_rsa_private_key.h \
gmp_rsa_public_key.c gmp_rsa_public_key.h
-libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
libstrongswan_gmp_la_LIBADD = -lgmp
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index a60cd998c..8d5dff34b 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
gmp_rsa_private_key.c gmp_rsa_private_key.h \
gmp_rsa_public_key.c gmp_rsa_public_key.h
-libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
libstrongswan_gmp_la_LIBADD = -lgmp
all: all-am
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index cbc112762..259c8e9ad 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -301,6 +301,8 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 1f3e3072f..c26187c64 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -301,6 +301,8 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -417,7 +419,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this)
/**
* Build the PGP version 3 RSA key identifier from n and e using
- * MD5 hashed modulus and exponent. Also used in rsa_private_key.c.
+ * MD5 hashed modulus and exponent.
*/
static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e)
{
diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am
index 89e0638f3..1856cad2d 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.am
+++ b/src/libstrongswan/plugins/hmac/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la
libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
-libstrongswan_hmac_la_LDFLAGS = -module
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index fc36bd9fa..389bde8f9 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la
libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
-libstrongswan_hmac_la_LDFLAGS = -module
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am
index ac6b4be00..6ad073d97 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.am
+++ b/src/libstrongswan/plugins/ldap/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-ldap.la
libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
-libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
libstrongswan_ldap_la_LIBADD = -lldap -llber
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 6eefc8546..93fc9a0c1 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-ldap.la
libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
-libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
libstrongswan_ldap_la_LIBADD = -lldap -llber
all: all-am
diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am
index f984322a6..a47da2e8e 100644
--- a/src/libstrongswan/plugins/md4/Makefile.am
+++ b/src/libstrongswan/plugins/md4/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md4.la
libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
-libstrongswan_md4_la_LDFLAGS = -module
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index efdb64e90..7ca6a20cc 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md4.la
libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
-libstrongswan_md4_la_LDFLAGS = -module
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am
index 0a9c5cbf4..ce0611c13 100644
--- a/src/libstrongswan/plugins/md5/Makefile.am
+++ b/src/libstrongswan/plugins/md5/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md5.la
libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
-libstrongswan_md5_la_LDFLAGS = -module
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 15c98aba4..fb9bc4b4d 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md5.la
libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
-libstrongswan_md5_la_LDFLAGS = -module
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
index ec94b8fda..0daf7655b 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.am
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la
libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \
mysql_database.h mysql_database.c
-libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 26b514ad6..21fe61923 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la
libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \
mysql_database.h mysql_database.c
-libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
all: all-am
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index d0d5a3d15..341217dd4 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -686,7 +686,7 @@ mysql_database_t *mysql_database_create(char *uri)
free(this);
return NULL;
}
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->pool = linked_list_create();
/* check connectivity */
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index f331a78eb..25cc5aa1d 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -16,6 +16,6 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
openssl_ec_private_key.c openssl_ec_private_key.h \
openssl_ec_public_key.c openssl_ec_public_key.h
-libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
libstrongswan_openssl_la_LIBADD = -lcrypto
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 0ebb5acf0..e6d7b479b 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -78,12 +78,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -188,7 +191,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -236,7 +241,7 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
openssl_ec_private_key.c openssl_ec_private_key.h \
openssl_ec_public_key.c openssl_ec_public_key.h
-libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
libstrongswan_openssl_la_LIBADD = -lcrypto
all: all-am
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 7f48f1009..424fec60a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -83,6 +83,7 @@ static openssl_algorithm_t encryption_algs[] = {
/* {ENCR_DES_IV32, "***", 0, 0}, */
/* {ENCR_NULL, "***", 0, 0}, */ /* handled separately */
/* {ENCR_AES_CBC, "***", 0, 0}, */ /* handled separately */
+/* {ENCR_CAMELLIA_CBC, "***", 0, 0}, */ /* handled separately */
/* {ENCR_AES_CTR, "***", 0, 0}, */ /* disabled in evp.h */
{END_OF_LIST, NULL, 0, 0},
};
@@ -224,6 +225,23 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
return NULL;
}
break;
+ case ENCR_CAMELLIA_CBC:
+ switch (key_size)
+ {
+ case 16: /* CAMELLIA 128 */
+ this->cipher = EVP_get_cipherbyname("camellia128");
+ break;
+ case 24: /* CAMELLIA 192 */
+ this->cipher = EVP_get_cipherbyname("camellia192");
+ break;
+ case 32: /* CAMELLIA 256 */
+ this->cipher = EVP_get_cipherbyname("camellia256");
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+ break;
case ENCR_DES_ECB:
this->cipher = EVP_des_ecb();
break;
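Review bot: `EVP_get_cipherbyname()` returns NULL when the named cipher is unavailable — Camellia is compiled out in `OPENSSL_NO_CAMELLIA` builds and the lookup by name only succeeds once the cipher table has been loaded — and the three new assignments store that result without checking it. Unless a NULL test on `this->cipher` follows the switch outside the hunk, the NULL reaches the later EVP init calls; add `if (!this->cipher) { free(this); return NULL; }` after the inner switch, mirroring what the `default:` branch already does for an unsupported key size. The AES case just above appears to follow the same lookup pattern, so a single check after the outer switch would cover both.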
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index c93acb75c..082aed9ca 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -108,7 +108,8 @@ error:
* Convert an EC_POINT to a chunk by concatenating the x and y coordinates of
* the point. This function allocates memory for the chunk.
*/
-static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chunk)
+static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
+ chunk_t *chunk, bool x_coordinate_only)
{
BN_CTX *ctx;
BIGNUM *x, *y;
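Review bot: The comment above the signature still describes the old behaviour and says nothing about the new `x_coordinate_only` parameter, which changes both the content and the length of the chunk written. Add a line such as ` * If x_coordinate_only is TRUE only the x coordinate is written (RFC 4753 errata 9); the chunk is then half the size.` The body of ecp2chunk() continues past the hunk.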
@@ -133,6 +134,10 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chu
goto error;
}
+ if (x_coordinate_only)
+ {
+ y = NULL;
+ }
if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk))
{
goto error;
@@ -160,7 +165,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
{
const BIGNUM *priv_key;
EC_POINT *secret = NULL;
- bool ret = FALSE;
+ bool x_coordinate_only, ret = FALSE;
priv_key = EC_KEY_get0_private_key(this->key);
if (!priv_key)
@@ -179,7 +184,14 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
goto error;
}
- if (!ecp2chunk(this->ec_group, secret, shared_secret))
+ /*
+ * The default setting ecp_x_coordinate_only = TRUE
+ * applies the following errata for RFC 4753:
+ * http://www.rfc-editor.org/errata_search.php?eid=9
+ */
+ x_coordinate_only = lib->settings->get_bool(lib->settings,
+ "libstrongswan.ecp_x_coordinate_only", TRUE);
+ if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
{
goto error;
}
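Review bot: The comment explains where the default comes from but not its consequence: with `ecp_x_coordinate_only = TRUE` the shared secret is the x coordinate alone, so a peer that still derives keying material from x || y will compute a different secret and the exchange will most likely fail authentication. Stating that, e.g. ` * Peers following the original RFC 4753 text (x || y) will not interoperate unless this is set to FALSE.`, saves the next person a debugging session. The setting is also re-read on every shared-key computation; that is cheap, but if the value is meant to be fixed for the process it could be fetched once when the object is created. compute_shared_key() starts outside the hunk.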
@@ -219,7 +231,7 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
*/
static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
{
- ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value);
+ ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
}
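Review bot: The boolean returned by `ecp2chunk()` is discarded, so if the conversion fails `*value` is left unset (or, depending on the `error:` path inside ecp2chunk(), partially initialised) and the caller has no way to notice. Since the function is void, at least hand back a defined empty result: `if (!ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE)) { *value = chunk_empty; }`.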
/**
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index ed3e57957..90a5229d5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -65,6 +65,7 @@ static openssl_algorithm_t integrity_algs[] = {
{HASH_MD2, "md2"},
{HASH_MD5, "md5"},
{HASH_SHA1, "sha1"},
+ {HASH_SHA224, "sha224"},
{HASH_SHA256, "sha256"},
{HASH_SHA384, "sha384"},
{HASH_SHA512, "sha512"},
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index a90dff7f1..ce6716f5a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -84,7 +84,7 @@ static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
struct CRYPTO_dynlock_value *lock;
lock = malloc_thing(struct CRYPTO_dynlock_value);
- lock->mutex = mutex_create(MUTEX_DEFAULT);
+ lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
return lock;
}
@@ -140,7 +140,7 @@ static void threading_init()
mutex = malloc(sizeof(mutex_t*) * num_locks);
for (i = 0; i < num_locks; i++)
{
- mutex[i] = mutex_create(MUTEX_DEFAULT);
+ mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
}
}
@@ -212,6 +212,8 @@ plugin_t *plugin_create()
/* crypter */
lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
(crypter_constructor_t)openssl_crypter_create);
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+ (crypter_constructor_t)openssl_crypter_create);
lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
(crypter_constructor_t)openssl_crypter_create);
lib->crypto->add_crypter(lib->crypto, ENCR_RC5,
@@ -238,6 +240,8 @@ plugin_t *plugin_create()
(hasher_constructor_t)openssl_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_MD5,
(hasher_constructor_t)openssl_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ (hasher_constructor_t)openssl_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
(hasher_constructor_t)openssl_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index c5d4142da..95c0ffdc8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -165,6 +165,8 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return build_emsa_pkcs1_signature(this, NID_sha224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return build_emsa_pkcs1_signature(this, NID_sha256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 89912f24c..bc1ba35b6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -143,6 +143,8 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index bb0c296e1..c8c453f64 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -71,21 +71,26 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
{
int offset;
- chunk->len = len * 2;
+ chunk->len = len + (b ? len : 0);
chunk->ptr = malloc(chunk->len);
memset(chunk->ptr, 0, chunk->len);
+ /* convert a */
offset = len - BN_num_bytes(a);
if (!BN_bn2bin(a, chunk->ptr + offset))
{
goto error;
}
- offset = len - BN_num_bytes(b);
- if (!BN_bn2bin(b, chunk->ptr + len + offset))
+ /* optionally convert and concatenate b */
+ if (b)
{
- goto error;
- }
+ offset = len - BN_num_bytes(b);
+ if (!BN_bn2bin(b, chunk->ptr + len + offset))
+ {
+ goto error;
+ }
+ }
return TRUE;
error:
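Review bot: The new `offset = len - BN_num_bytes(b)` branch, like the existing one for `a`, yields a negative offset when the BIGNUM is wider than `len`, and `BN_bn2bin()` then writes before `chunk->ptr` (a heap underflow); whether a caller can actually supply such a value is not visible here, but the guard is cheap. Add `if (BN_num_bytes(a) > len) goto error;` before the first `BN_bn2bin()` and `if (BN_num_bytes(b) > len) goto error;` inside the new `if (b)` block. The `malloc()` two lines above the first conversion is also unchecked. The header comment above the hunk should state that `b` may now be NULL to emit `a` alone, since that is the contract the ecp2chunk() change relies on.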
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
index e7c3ba486..b2b1f9d85 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.am
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
padlock_aes_crypter.c padlock_aes_crypter.h \
padlock_sha1_hasher.c padlock_sha1_hasher.h \
padlock_rng.c padlock_rng.h
-libstrongswan_padlock_la_LDFLAGS = -module
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 7fe0cc198..44f533744 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
padlock_sha1_hasher.c padlock_sha1_hasher.h \
padlock_rng.c padlock_rng.h
-libstrongswan_padlock_la_LDFLAGS = -module
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index dddb73551..e241b59be 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -97,7 +97,7 @@ static padlock_feature_t get_padlock_features()
return d;
}
}
- DBG1("Padlock not found, CPU is %s\n", vendor);
+ DBG1("Padlock not found, CPU is %s", vendor);
return 0;
}
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index ad5a9e240..459ba9ba9 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -22,6 +22,7 @@
#include <stdio.h>
#include <debug.h>
+#include <integrity_checker.h>
#include <utils/linked_list.h>
#include <plugins/plugin.h>
@@ -61,27 +62,45 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
+ if (lib->integrity)
+ {
+ if (!lib->integrity->check_file(lib->integrity, name, file))
+ {
+ DBG1("plugin '%s': failed file integrity test of '%s'", name, file);
+ return NULL;
+ }
+ }
handle = dlopen(file, RTLD_LAZY);
if (handle == NULL)
{
- DBG1("loading plugin '%s' failed: %s", name, dlerror());
+ DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror());
return NULL;
}
constructor = dlsym(handle, "plugin_create");
if (constructor == NULL)
{
- DBG1("loading plugin '%s' failed: no plugin_create() function", name);
+ DBG1("plugin '%s': failed to load - no plugin_create() function", name);
dlclose(handle);
return NULL;
}
+ if (lib->integrity)
+ {
+ if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+ {
+ DBG1("plugin '%s': failed segment integrity test", name);
+ dlclose(handle);
+ return NULL;
+ }
+ DBG1("plugin '%s': passed file and segment integrity tests", name);
+ }
plugin = constructor();
if (plugin == NULL)
{
- DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name);
+ DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name);
dlclose(handle);
return NULL;
}
- DBG2("plugin '%s' loaded successfully", name);
+ DBG2("plugin '%s': loaded successfully", name);
/* we do not store or free dlopen() handles, leak_detective requires
* the modules to keep loaded until leak report */
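Review bot: `check_file()` hashes `file` by path and `dlopen()` then opens the same path again, so the two steps are not atomic; anyone able to replace the file in between (which needs write access to the plugin directory) would pass the file check, and only the subsequent `check_segment()` on the loaded code closes that window. A comment making that division of labour explicit would help, e.g. `/* check_file() verifies the on-disk image; check_segment() re-verifies the mapped code after dlopen(), so a swap between the two is still caught */`. Separately, the "passed file and segment integrity tests" message is logged at DBG1 while the existing "loaded successfully" line is DBG2; the passing case probably belongs at DBG2 so level 1 stays reserved for failures. load_plugin() begins outside the hunk.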
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
index 3b512614f..9423e6689 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.am
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
pubkey_cert.h pubkey_cert.c\
pubkey_public_key.h pubkey_public_key.c
-libstrongswan_pubkey_la_LDFLAGS = -module
+libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 4514424f2..a672e2ea8 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
pubkey_cert.h pubkey_cert.c\
pubkey_public_key.h pubkey_public_key.c
-libstrongswan_pubkey_la_LDFLAGS = -module
+libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
index 8b61d7094..9a11b8567 100644
--- a/src/libstrongswan/plugins/random/Makefile.am
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-random.la
libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
random_rng.c random_rng.h
-libstrongswan_random_la_LDFLAGS = -module
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 0bed27468..a2869fb51 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-random.la
libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
random_rng.c random_rng.h
-libstrongswan_random_la_LDFLAGS = -module
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
index 5de45e4e8..ead51a45a 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.am
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la
libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
-libstrongswan_sha1_la_LDFLAGS = -module
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index c8b8905bb..f1f5807ab 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la
libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
-libstrongswan_sha1_la_LDFLAGS = -module
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am
index 066e49476..5422e1d4e 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.am
+++ b/src/libstrongswan/plugins/sha2/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-sha2.la
libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
-libstrongswan_sha2_la_LDFLAGS = -module
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index f37c93502..b34286813 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-sha2.la
libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
-libstrongswan_sha2_la_LDFLAGS = -module
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c
index 0e8811cca..645f4d786 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.c
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c
@@ -58,6 +58,11 @@ struct private_sha256_hasher_t {
};
+static const u_int32_t sha224_hashInit[8] = {
+ 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511,
+ 0x64f98fa7, 0xbefa4fa4
+};
+
static const u_int32_t sha256_hashInit[8] = {
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
0x1f83d9ab, 0x5be0cd19
@@ -422,6 +427,21 @@ static void sha512_final(private_sha512_hasher_t *ctx)
}
/**
+ * Implementation of hasher_t.get_hash for SHA224.
+ */
+static void get_hash224(private_sha256_hasher_t *this,
+ chunk_t chunk, u_int8_t *buffer)
+{
+ sha256_write(this, chunk.ptr, chunk.len);
+ if (buffer != NULL)
+ {
+ sha256_final(this);
+ memcpy(buffer, this->sha_out, HASH_SIZE_SHA224);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ }
+}
+
+/**
* Implementation of hasher_t.get_hash for SHA256.
*/
static void get_hash256(private_sha256_hasher_t *this,
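Review bot: `get_hash224()` is a verbatim copy of the SHA-256 variant with only the output length changed, and `allocate_hash224()` in the next hunk repeats the same pattern; a single static helper taking the digest length (or reading it through `get_hash_size`) would keep the truncation logic in one place instead of three. The truncation itself is correct: SHA-224 is SHA-256 with different initial values and the leftmost 224 bits of the final state, which the `memcpy` of `HASH_SIZE_SHA224` bytes from `this->sha_out` yields, assuming sha256_final() leaves the full 32-byte state in `sha_out`.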
@@ -467,6 +487,25 @@ static void get_hash512(private_sha512_hasher_t *this,
}
/**
+ * Implementation of hasher_t.allocate_hash for SHA224.
+ */
+static void allocate_hash224(private_sha256_hasher_t *this,
+ chunk_t chunk, chunk_t *hash)
+{
+ chunk_t allocated_hash;
+
+ sha256_write(this, chunk.ptr, chunk.len);
+ if (hash != NULL)
+ {
+ sha256_final(this);
+ allocated_hash = chunk_alloc(HASH_SIZE_SHA224);
+ memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA224);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ *hash = allocated_hash;
+ }
+}
+
+/**
* Implementation of hasher_t.allocate_hash for SHA256.
*/
static void allocate_hash256(private_sha256_hasher_t *this,
@@ -524,6 +563,14 @@ static void allocate_hash512(private_sha512_hasher_t *this,
}
/**
+ * Implementation of hasher_t.get_hash_size for SHA224.
+ */
+static size_t get_hash_size224(private_sha256_hasher_t *this)
+{
+ return HASH_SIZE_SHA224;
+}
+
+/**
* Implementation of hasher_t.get_hash_size for SHA256.
*/
static size_t get_hash_size256(private_sha256_hasher_t *this)
@@ -548,6 +595,16 @@ static size_t get_hash_size512(private_sha512_hasher_t *this)
}
/**
+ * Implementation of hasher_t.reset for SHA224
+ */
+static void reset224(private_sha256_hasher_t *ctx)
+{
+ memcpy(&ctx->sha_H[0], &sha224_hashInit[0], sizeof(ctx->sha_H));
+ ctx->sha_blocks = 0;
+ ctx->sha_bufCnt = 0;
+}
+
+/**
* Implementation of hasher_t.reset for SHA256
*/
static void reset256(private_sha256_hasher_t *ctx)
@@ -596,6 +653,13 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
switch (algorithm)
{
+ case HASH_SHA224:
+ this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
+ this->hasher_interface.reset = (void(*)(hasher_t*))reset224;
+ this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size224;
+ this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash224;
+ this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash224;
+ break;
case HASH_SHA256:
this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
this->hasher_interface.reset = (void(*)(hasher_t*))reset256;
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index 21bc592dc..0743f7b1a 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -50,6 +50,8 @@ plugin_t *plugin_create()
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ (hasher_constructor_t)sha2_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
(hasher_constructor_t)sha2_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am
index 7c3017abf..f26e31294 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.am
+++ b/src/libstrongswan/plugins/sqlite/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la
libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \
sqlite_database.h sqlite_database.c
-libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
libstrongswan_sqlite_la_LIBADD = -lsqlite3
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 547548bd7..b59a1c343 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -225,7 +230,7 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la
libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \
sqlite_database.h sqlite_database.c
-libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
libstrongswan_sqlite_la_LIBADD = -lsqlite3
all: all-am
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index ce873b714..6e4951f2d 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -333,7 +333,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
this->public.db.destroy = (void(*)(database_t*))destroy;
- this->mutex = mutex_create(MUTEX_RECURSIVE);
+ this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
if (sqlite3_open(file, &this->db) != SQLITE_OK)
{
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 27d17c084..6028805c4 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -29,5 +29,5 @@ libstrongswan_test_vectors_la_SOURCES = \
test_vectors/sha2_hmac.c \
test_vectors/fips_prf.c \
test_vectors/rng.c
-libstrongswan_test_vectors_la_LDFLAGS = -module
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index bb877620c..0e408ba7e 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -251,7 +256,7 @@ libstrongswan_test_vectors_la_SOURCES = \
test_vectors/fips_prf.c \
test_vectors/rng.c
-libstrongswan_test_vectors_la_LDFLAGS = -module
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index df5a9c9a8..b182dd829 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -98,6 +98,9 @@ TEST_VECTOR_HASHER(md5_7)
TEST_VECTOR_HASHER(sha1_1)
TEST_VECTOR_HASHER(sha1_2)
TEST_VECTOR_HASHER(sha1_3)
+TEST_VECTOR_HASHER(sha224_1)
+TEST_VECTOR_HASHER(sha224_2)
+TEST_VECTOR_HASHER(sha224_3)
TEST_VECTOR_HASHER(sha256_1)
TEST_VECTOR_HASHER(sha256_2)
TEST_VECTOR_HASHER(sha256_3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
index e2bd42240..4679c26b3 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
@@ -16,6 +16,41 @@
#include <crypto/crypto_tester.h>
/**
+ * SHA-224 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
+ */
+hasher_test_vector_t sha224_1 = {
+ .alg = HASH_SHA224, .len = 1,
+ .data = "\x07",
+ .hash = "\x00\xec\xd5\xf1\x38\x42\x2b\x8a\xd7\x4c\x97\x99\xfd\x82\x6c\x53"
+ "\x1b\xad\x2f\xca\xbc\x74\x50\xbe\xe2\xaa\x8c\x2a"
+
+};
+
+hasher_test_vector_t sha224_2 = {
+ .alg = HASH_SHA224, .len = 16,
+ .data = "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62",
+ .hash = "\xdf\x90\xd7\x8a\xa7\x88\x21\xc9\x9b\x40\xba\x4c\x96\x69\x21\xac"
+ "\xcd\x8f\xfb\x1e\x98\xac\x38\x8e\x56\x19\x1d\xb1"
+};
+
+hasher_test_vector_t sha224_3 = {
+ .alg = HASH_SHA224, .len = 163,
+ .data = "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5"
+ "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab"
+ "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37"
+ "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a"
+ "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74"
+ "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47"
+ "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14"
+ "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b"
+ "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d"
+ "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c"
+ "\x87\x82\x73",
+ .hash = "\x0b\x31\x89\x4e\xc8\x93\x7a\xd9\xb9\x1b\xdf\xbc\xba\x29\x4d\x9a"
+ "\xde\xfa\xa1\x8e\x09\x30\x5e\x9f\x20\xd5\xc3\xa4"
+};
+
+/**
* SHA-256 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
*/
hasher_test_vector_t sha256_1 = {
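Review bot: There is a stray blank line inside the `sha224_1` initialiser, between the `.hash` string and the closing `};`, which the other two vectors do not have; drop it for consistency. The byte counts of the `.data` strings match the declared lengths (1, 16 and 163).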
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
index 3f9f85c36..e9668b4e4 100644
--- a/src/libstrongswan/plugins/x509/Makefile.am
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -12,5 +12,5 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
x509_ocsp_request.h x509_ocsp_request.c \
x509_ocsp_response.h x509_ocsp_response.c \
ietf_attr_list.h ietf_attr_list.c
-libstrongswan_x509_la_LDFLAGS = -module
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 0c62ad3b3..56cb04769 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -230,7 +235,7 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
x509_ocsp_response.h x509_ocsp_response.c \
ietf_attr_list.h ietf_attr_list.c
-libstrongswan_x509_la_LDFLAGS = -module
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am
index 1b10d21f8..515b75031 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.am
+++ b/src/libstrongswan/plugins/xcbc/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la
libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
-libstrongswan_xcbc_la_LDFLAGS = -module
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 82ef55bd5..1d4e39586 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la
libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
-libstrongswan_xcbc_la_LDFLAGS = -module
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 4a0eff45f..305841172 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -20,6 +20,7 @@
#include <string.h>
#include <stdio.h>
#include <unistd.h>
+#include <stdint.h>
#include <limits.h>
#include <dirent.h>
#include <time.h>
@@ -58,20 +59,43 @@ void *clalloc(void * pointer, size_t size)
/**
* Described in header.
*/
-void memxor(u_int8_t dest[], u_int8_t src[], size_t n)
+void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
{
- int i = 0, m;
+ int m, i;
- m = n - sizeof(long);
- while (i < m)
+ /* byte wise XOR until dst aligned */
+ for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++)
{
- *(long*)(dest + i) ^= *(long*)(src + i);
- i += sizeof(long);
+ dst[i] ^= src[i];
}
- while (i < n)
+ /* try to use words if src shares an aligment with dst */
+ switch (((uintptr_t)&src[i] % sizeof(long)))
{
- dest[i] ^= src[i];
- i++;
+ case 0:
+ for (m = n - sizeof(long); i <= m; i += sizeof(long))
+ {
+ *(long*)&dst[i] ^= *(long*)&src[i];
+ }
+ break;
+ case sizeof(int):
+ for (m = n - sizeof(int); i <= m; i += sizeof(int))
+ {
+ *(int*)&dst[i] ^= *(int*)&src[i];
+ }
+ break;
+ case sizeof(short):
+ for (m = n - sizeof(short); i <= m; i += sizeof(short))
+ {
+ *(short*)&dst[i] ^= *(short*)&src[i];
+ }
+ break;
+ default:
+ break;
+ }
+ /* byte wise XOR of the rest */
+ for (; i < n; i++)
+ {
+ dst[i] ^= src[i];
}
}
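Review bot: The alignment loop at L5436 has no bound on `n`, so for a buffer shorter than the distance to the next `long` boundary it reads and writes past the end of `dst` and `src`; the condition should be `for (i = 0; i < n && (uintptr_t)&dst[i] % sizeof(long); i++)`. The word-size loops also rely on `m = n - sizeof(long)` wrapping as `size_t` and then converting to a negative `int` when `n` is small, which is implementation-defined rather than guaranteed; computing `m` only when `n >= sizeof(long)` (or keeping `i` and `m` as `size_t` with an explicit check) removes that dependence. The word accesses through `(long*)`, `(int*)` and `(short*)` casts of a `u_int8_t` array violate strict aliasing unless the project builds with `-fno-strict-aliasing`; a `memcpy` into a local word and back is well defined and compilers typically lower it to the same load/store.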
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index debd0145b..5d273d272 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -29,6 +29,16 @@
#include <enum.h>
/**
+ * strongSwan program return codes
+ */
+#define SS_RC_LIBSTRONGSWAN_INTEGRITY 64
+#define SS_RC_DAEMON_INTEGRITY 65
+#define SS_RC_INITIALIZATION_FAILED 66
+
+#define SS_RC_FIRST SS_RC_LIBSTRONGSWAN_INTEGRITY
+#define SS_RC_LAST SS_RC_INITIALIZATION_FAILED
+
+/**
* Number of bits in a byte
*/
#define BITS_PER_BYTE 8
@@ -134,6 +144,19 @@
# define TRUE true
#endif /* TRUE */
+/**
+ * define some missing fixed width int types on OpenSolaris.
+ * TODO: since the uintXX_t types are defined by the C99 standard we should
+ * probably use those anyway
+ */
+#ifdef __sun
+ #include <stdint.h>
+ typedef uint8_t u_int8_t;
+ typedef uint16_t u_int16_t;
+ typedef uint32_t u_int32_t;
+ typedef uint64_t u_int64_t;
+#endif
+
typedef enum status_t status_t;
/**
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index 24bafe66a..08522b8d5 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -408,7 +408,7 @@ typedef struct {
/**
* Implementation of enumerator_create_filter().destroy
*/
-void destroy_filter(filter_enumerator_t *this)
+static void destroy_filter(filter_enumerator_t *this)
{
if (this->destructor)
{
@@ -421,8 +421,8 @@ void destroy_filter(filter_enumerator_t *this)
/**
* Implementation of enumerator_create_filter().enumerate
*/
-bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
- void *o3, void *o4, void *o5)
+static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
+ void *o3, void *o4, void *o5)
{
void *i1, *i2, *i3, *i4, *i5;
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 484de5e54..661bec315 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -17,6 +17,7 @@
*/
#define _GNU_SOURCE
+#include <sys/socket.h>
#include <netdb.h>
#include <string.h>
@@ -433,16 +434,40 @@ host_t *host_create_from_string(char *string, u_int16_t port)
/*
* Described in header.
*/
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+ private_host_t *this = host_create_empty();
+
+ switch (sockaddr->sa_family)
+ {
+ case AF_INET:
+ {
+ memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
+ this->socklen = sizeof(struct sockaddr_in);
+ return &this->public;
+ }
+ case AF_INET6:
+ {
+ memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
+ this->socklen = sizeof(struct sockaddr_in6);
+ return &this->public;
+ }
+ default:
+ break;
+ }
+ free(this);
+ return NULL;
+}
+
+/*
+ * Described in header.
+ */
host_t *host_create_from_dns(char *string, int af, u_int16_t port)
{
private_host_t *this;
- struct hostent *ptr;
- int ret = 0, err;
-#ifdef HAVE_GETHOSTBYNAME_R
- struct hostent host;
- char buf[512];
-#endif
-
+ struct addrinfo hints, *result;
+ int error;
+
if (streq(string, "%any"))
{
return host_create_any_port(af ? af : AF_INET, port);
@@ -451,62 +476,32 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
{
return host_create_any_port(af ? af : AF_INET6, port);
}
- else if (strchr(string, ':'))
- {
- /* gethostbyname does not like IPv6 addresses - fallback */
- return host_create_from_string(string, port);
- }
-
-#ifdef HAVE_GETHOSTBYNAME_R
- if (af)
- {
- ret = gethostbyname2_r(string, af, &host, buf, sizeof(buf), &ptr, &err);
- }
- else
- {
- ret = gethostbyname_r(string, &host, buf, sizeof(buf), &ptr, &err);
- }
-#else
- /* Some systems (e.g. Mac OS X) do not support gethostbyname_r */
- if (af)
- {
- ptr = gethostbyname2(string, af);
- }
- else
- {
- ptr = gethostbyname(string);
- }
- if (ptr == NULL)
- {
- err = h_errno;
- }
-#endif
- if (ret != 0 || ptr == NULL)
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = af;
+ error = getaddrinfo(string, NULL, &hints, &result);
+ if (error != 0)
{
- DBG1("resolving '%s' failed: %s", string, hstrerror(err));
+ DBG1("resolving '%s' failed: %s", string, gai_strerror(error));
return NULL;
}
- this = host_create_empty();
- this->address.sa_family = ptr->h_addrtype;
- switch (this->address.sa_family)
+ /* result is a linked list, but we use only the first address */
+ this = (private_host_t*)host_create_from_sockaddr(result->ai_addr);
+ freeaddrinfo(result);
+ if (this)
{
- case AF_INET:
- memcpy(&this->address4.sin_addr.s_addr,
- ptr->h_addr_list[0], ptr->h_length);
- this->address4.sin_port = htons(port);
- this->socklen = sizeof(struct sockaddr_in);
- break;
- case AF_INET6:
- memcpy(&this->address6.sin6_addr.s6_addr,
- ptr->h_addr_list[0], ptr->h_length);
- this->address6.sin6_port = htons(port);
- this->socklen = sizeof(struct sockaddr_in6);
- break;
- default:
- free(this);
- return NULL;
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ this->address4.sin_port = htons(port);
+ break;
+ case AF_INET6:
+ this->address6.sin6_port = htons(port);
+ break;
+ }
+ return &this->public;
}
- return &this->public;
+ return NULL;
}
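Review bot: `hints.ai_family = af` at L5631 relies on the caller's `af == 0` convention (visible at L5593) coinciding with `AF_UNSPEC`, which holds on common platforms but is implicit; `hints.ai_family = af ? af : AF_UNSPEC;` states it, and since everything after the first entry is discarded at L5643, setting `hints.ai_socktype = SOCK_STREAM;` avoids getaddrinfo returning the same address once per socket type. The `switch` at L5662 has no `default`; it is safe because `host_create_from_sockaddr` only returns non-NULL for AF_INET and AF_INET6, but a `default: break; /* unreachable, see host_create_from_sockaddr */` keeps that reasoning visible. `host_create_from_dns` begins in the previous hunk, outside this one.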
/*
@@ -569,34 +564,6 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
/*
* Described in header.
*/
-host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
-{
- private_host_t *this = host_create_empty();
-
- switch (sockaddr->sa_family)
- {
- case AF_INET:
- {
- memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
- this->socklen = sizeof(struct sockaddr_in);
- return &this->public;
- }
- case AF_INET6:
- {
- memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
- this->socklen = sizeof(struct sockaddr_in6);
- return &this->public;
- }
- default:
- break;
- }
- free(this);
- return NULL;
-}
-
-/*
- * Described in header.
- */
host_t *host_create_any(int family)
{
private_host_t *this = host_create_empty();
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 1c04c97ef..10daf4679 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -21,7 +21,6 @@
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
-#include <ctype.h>
#include "identification.h"
@@ -122,365 +121,216 @@ struct private_identification_t {
id_type_t type;
};
-static private_identification_t *identification_create(void);
-
/**
- * updates a chunk (!????)
- * TODO: We should reconsider this stuff, its not really clear
+ * Enumerator over RDNs
*/
-static void update_chunk(chunk_t *ch, int n)
-{
- n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
- ch->ptr += n; ch->len -= n;
-}
+typedef struct {
+ /* implements enumerator interface */
+ enumerator_t public;
+ /* next set to parse, if any */
+ chunk_t sets;
+ /* next sequence in set, if any */
+ chunk_t seqs;
+} rdn_enumerator_t;
/**
- * Remove any malicious characters from a chunk. We are very restrictive, but
- * whe use these strings only to present it to the user.
+ * Implementation of rdn_enumerator_t.enumerate
*/
-static bool sanitize_chunk(chunk_t chunk, chunk_t *clone)
+static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
+ u_char *type, chunk_t *data)
{
- char *pos;
- bool all_printable = TRUE;
-
- *clone = chunk_clone(chunk);
+ chunk_t rdn;
- for (pos = clone->ptr; pos < (char*)(clone->ptr + clone->len); pos++)
+ /* a DN contains one or more SET, each containing one or more SEQUENCES,
+ * each containing a OID/value RDN */
+ if (!this->seqs.len)
{
- if (!isprint(*pos))
+ /* no SEQUENCEs in current SET, parse next SET */
+ if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET)
{
- *pos = '?';
- all_printable = FALSE;
+ return FALSE;
+ }
+ }
+ if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE &&
+ asn1_unwrap(&rdn, oid) == ASN1_OID)
+ {
+ int t = asn1_unwrap(&rdn, data);
+
+ if (t != ASN1_INVALID)
+ {
+ *type = t;
+ return TRUE;
}
}
- return all_printable;
+ return FALSE;
}
/**
- * Pointer is set to the first RDN in a DN
+ * Create an enumerator over all RDNs (oid, string type, data) of a DN
*/
-static bool init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
+static enumerator_t* create_rdn_enumerator(chunk_t dn)
{
- *rdn = chunk_empty;
- *attribute = chunk_empty;
+ rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
- /* a DN is a SEQUENCE OF RDNs */
- if (*dn.ptr != ASN1_SEQUENCE)
- {
- /* DN is not a SEQUENCE */
- return FALSE;
- }
+ e->public.enumerate = (void*)rdn_enumerate;
+ e->public.destroy = (void*)free;
- rdn->len = asn1_length(&dn);
-
- if (rdn->len == ASN1_INVALID_LENGTH)
+ /* a DN is a SEQUENCE, get the first SET of it */
+ if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE)
{
- /* Invalid RDN length */
- return FALSE;
+ e->seqs = chunk_empty;
+ return &e->public;
}
-
- rdn->ptr = dn.ptr;
-
- /* are there any RDNs ? */
- *next = rdn->len > 0;
-
- return TRUE;
+ free(e);
+ return enumerator_create_empty();
}
/**
- * Fetches the next RDN in a DN
+ * Part enumerator over RDNs
+ */
+typedef struct {
+ /* implements enumerator interface */
+ enumerator_t public;
+ /* inner RDN enumerator */
+ enumerator_t *inner;
+} rdn_part_enumerator_t;
+
+/**
+ * Implementation of rdn_part_enumerator_t.enumerate().
*/
-static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
- chunk_t *value, asn1_t *type, bool *next)
+static bool rdn_part_enumerate(rdn_part_enumerator_t *this,
+ id_part_t *type, chunk_t *data)
{
- chunk_t body;
+ int i, known_oid, strtype;
+ chunk_t oid, inner_data;
+ static const struct {
+ int oid;
+ id_part_t type;
+ } oid2part[] = {
+ {OID_COMMON_NAME, ID_PART_RDN_CN},
+ {OID_SURNAME, ID_PART_RDN_S},
+ {OID_SERIAL_NUMBER, ID_PART_RDN_SN},
+ {OID_COUNTRY, ID_PART_RDN_C},
+ {OID_LOCALITY, ID_PART_RDN_L},
+ {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST},
+ {OID_ORGANIZATION, ID_PART_RDN_O},
+ {OID_ORGANIZATION_UNIT, ID_PART_RDN_OU},
+ {OID_TITLE, ID_PART_RDN_T},
+ {OID_DESCRIPTION, ID_PART_RDN_D},
+ {OID_NAME, ID_PART_RDN_N},
+ {OID_GIVEN_NAME, ID_PART_RDN_G},
+ {OID_INITIALS, ID_PART_RDN_I},
+ {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID},
+ {OID_EMAIL_ADDRESS, ID_PART_RDN_E},
+ {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN},
+ };
- /* initialize return values */
- *oid = chunk_empty;
- *value = chunk_empty;
-
- /* if all attributes have been parsed, get next rdn */
- if (attribute->len <= 0)
+ while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data))
{
- /* an RDN is a SET OF attributeTypeAndValue */
- if (*rdn->ptr != ASN1_SET)
+ known_oid = asn1_known_oid(oid);
+ for (i = 0; i < countof(oid2part); i++)
{
- /* RDN is not a SET */
- return FALSE;
- }
- attribute->len = asn1_length(rdn);
- if (attribute->len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute length */
- return FALSE;
+ if (oid2part[i].oid == known_oid)
+ {
+ *type = oid2part[i].type;
+ *data = inner_data;
+ return TRUE;
+ }
}
- attribute->ptr = rdn->ptr;
- /* advance to start of next RDN */
- rdn->ptr += attribute->len;
- rdn->len -= attribute->len;
- }
-
- /* an attributeTypeAndValue is a SEQUENCE */
- if (*attribute->ptr != ASN1_SEQUENCE)
- {
- /* attributeTypeAndValue is not a SEQUENCE */
- return FALSE;
}
-
- /* extract the attribute body */
- body.len = asn1_length(attribute);
-
- if (body.len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute body length */
- return FALSE;
- }
-
- body.ptr = attribute->ptr;
-
- /* advance to start of next attribute */
- attribute->ptr += body.len;
- attribute->len -= body.len;
-
- /* attribute type is an OID */
- if (*body.ptr != ASN1_OID)
- {
- /* attributeType is not an OID */
- return FALSE;
- }
- /* extract OID */
- oid->len = asn1_length(&body);
-
- if (oid->len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute OID length */
- return FALSE;
- }
- oid->ptr = body.ptr;
-
- /* advance to the attribute value */
- body.ptr += oid->len;
- body.len -= oid->len;
-
- /* extract string type */
- *type = *body.ptr;
-
- /* extract string value */
- value->len = asn1_length(&body);
-
- if (value->len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute string length */
- return FALSE;
- }
- value->ptr = body.ptr;
-
- /* are there any RDNs left? */
- *next = rdn->len > 0 || attribute->len > 0;
- return TRUE;
+ return FALSE;
}
/**
- * Parses an ASN.1 distinguished name int its OID/value pairs
+ * Implementation of rdn_part_enumerator_t.destroy().
*/
-static bool dntoa(chunk_t dn, chunk_t *str)
+static void rdn_part_enumerator_destroy(rdn_part_enumerator_t *this)
{
- chunk_t rdn, oid, attribute, value, proper;
- asn1_t type;
- int oid_code;
- bool next;
- bool first = TRUE;
-
- if (!init_rdn(dn, &rdn, &attribute, &next))
- {
- return FALSE;
- }
-
- while (next)
- {
- if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
- {
- return FALSE;
- }
-
- if (first)
- { /* first OID/value pair */
- first = FALSE;
- }
- else
- { /* separate OID/value pair by a comma */
- update_chunk(str, snprintf(str->ptr,str->len,", "));
- }
-
- /* print OID */
- oid_code = asn1_known_oid(oid);
- if (oid_code == OID_UNKNOWN)
- {
- update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid));
- }
- else
- {
- update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
- }
- /* print value */
- sanitize_chunk(value, &proper);
- update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
- chunk_free(&proper);
- }
- return TRUE;
+ this->inner->destroy(this->inner);
+ free(this);
}
/**
- * compare two distinguished names by
- * comparing the individual RDNs
+ * Implementation of identification_t.create_part_enumerator
*/
-static bool same_dn(chunk_t a, chunk_t b)
+static enumerator_t* create_part_enumerator(private_identification_t *this)
{
- chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
- chunk_t oid_a, oid_b, value_a, value_b;
- asn1_t type_a, type_b;
- bool next_a, next_b;
-
- /* same lengths for the DNs */
- if (a.len != b.len)
- {
- return FALSE;
- }
- /* try a binary comparison first */
- if (memeq(a.ptr, b.ptr, b.len))
- {
- return TRUE;
- }
- /* initialize DN parsing */
- if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) ||
- !init_rdn(b, &rdn_b, &attribute_b, &next_b))
- {
- return FALSE;
- }
-
- /* fetch next RDN pair */
- while (next_a && next_b)
+ switch (this->type)
{
- /* parse next RDNs and check for errors */
- if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) ||
- !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b))
- {
- return FALSE;
- }
-
- /* OIDs must agree */
- if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len))
- {
- return FALSE;
- }
-
- /* same lengths for values */
- if (value_a.len != value_b.len)
- {
- return FALSE;
- }
-
- /* printableStrings and email RDNs require uppercase comparison */
- if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
- (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
- {
- if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
- {
- return FALSE;
- }
- }
- else
+ case ID_DER_ASN1_DN:
{
- if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
- {
- return FALSE;
- }
+ rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t);
+
+ e->inner = create_rdn_enumerator(this->encoded);
+ e->public.enumerate = (void*)rdn_part_enumerate;
+ e->public.destroy = (void*)rdn_part_enumerator_destroy;
+
+ return &e->public;
}
+ case ID_RFC822_ADDR:
+ /* TODO */
+ case ID_FQDN:
+ /* TODO */
+ default:
+ return enumerator_create_empty();
}
- /* both DNs must have same number of RDNs */
- if (next_a || next_b)
- {
- return FALSE;
- }
- /* the two DNs are equal! */
- return TRUE;
}
-
/**
- * compare two distinguished names by comparing the individual RDNs.
- * A single'*' character designates a wildcard RDN in DN b.
- * TODO: Add support for different RDN order in DN !!
+ * Print a DN with all its RDN in a buffer to present it to the user
*/
-bool match_dn(chunk_t a, chunk_t b, int *wildcards)
+static void dntoa(chunk_t dn, char *buf, size_t len)
{
- chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
- chunk_t oid_a, oid_b, value_a, value_b;
- asn1_t type_a, type_b;
- bool next_a, next_b;
-
- /* initialize wildcard counter */
- *wildcards = 0;
-
- /* initialize DN parsing */
- if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) ||
- !init_rdn(b, &rdn_b, &attribute_b, &next_b))
- {
- return FALSE;
- }
+ enumerator_t *e;
+ chunk_t oid_data, data;
+ u_char type;
+ int oid, written;
+ bool finished = FALSE;
- /* fetch next RDN pair */
- while (next_a && next_b)
+ e = create_rdn_enumerator(dn);
+ while (e->enumerate(e, &oid_data, &type, &data))
{
- /* parse next RDNs and check for errors */
- if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) ||
- !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b))
+ oid = asn1_known_oid(oid_data);
+
+ if (oid == OID_UNKNOWN)
{
- return FALSE;
+ written = snprintf(buf, len, "%#B=", &oid_data);
}
- /* OIDs must agree */
- if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ else
{
- return FALSE;
+ written = snprintf(buf, len,"%s=", oid_names[oid].name);
}
+ buf += written;
+ len -= written;
- /* does rdn_b contain a wildcard? */
- if (value_b.len == 1 && *value_b.ptr == '*')
+ if (chunk_printable(data, NULL, '?'))
{
- (*wildcards)++;
- continue;
+ written = snprintf(buf, len, "%.*s", data.len, data.ptr);
}
- /* same lengths for values */
- if (value_a.len != value_b.len)
+ else
{
- return FALSE;
+ written = snprintf(buf, len, "%#B", &data);
}
+ buf += written;
+ len -= written;
- /* printableStrings and email RDNs require uppercase comparison */
- if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
- (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
+ if (data.ptr + data.len != dn.ptr + dn.len)
{
- if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
- {
- return FALSE;
- }
+ written = snprintf(buf, len, ", ");
+ buf += written;
+ len -= written;
}
else
{
- if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
- {
- return FALSE;
- }
+ finished = TRUE;
+ break;
}
}
- /* both DNs must have same number of RDNs */
- if (next_a || next_b)
+ if (!finished)
{
- return FALSE;
+ snprintf(buf, len, "(invalid ID_DER_ASN1_DN)");
}
- /* the two DNs match! */
- *wildcards = min(*wildcards, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
- return TRUE;
+ e->destroy(e);
}
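Review bot: `dntoa` advances `buf` and shrinks `len` by the raw return value of `snprintf` (L6159, L6176, L6188), but `snprintf` returns the length that would have been written, so once an RDN does not fit `len` underflows as `size_t`, `buf` points past the end of the caller's buffer, and the next `snprintf` writes out of bounds; `snprintf` can also return a negative value. Add `if (written < 0 || (size_t)written >= len) { break; }` after each of the three assignments. A truncated DN then falls into the `(invalid ID_DER_ASN1_DN)` branch at L6206, which is acceptable for a display string but deserves a comment or a separate `truncated` flag so the message stays honest. The `%.*s` at L6167 passes `data.len` as the precision, which `printf` reads as an `int`; if `chunk_t.len` is `size_t` (the removed code at L6009 cast it with `(int)`) this is a format/argument mismatch and should be `(int)data.len`.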
/**
@@ -648,53 +498,34 @@ static id_type_t get_type(private_identification_t *this)
}
/**
- * Implementation of identification_t.contains_wildcards fro ID_DER_ASN1_DN.
+ * Implementation of identification_t.contains_wildcards for ID_DER_ASN1_DN.
*/
static bool contains_wildcards_dn(private_identification_t *this)
{
- chunk_t rdn, attribute;
- chunk_t oid, value;
- asn1_t type;
- bool next;
+ enumerator_t *enumerator;
+ bool contains = FALSE;
+ id_part_t type;
+ chunk_t data;
- if (!init_rdn(this->encoded, &rdn, &attribute, &next))
- {
- return FALSE;
- }
- /* fetch next RDN */
- while (next)
+ enumerator = create_part_enumerator(this);
+ while (enumerator->enumerate(enumerator, &type, &data))
{
- /* parse next RDN and check for errors */
- if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
- {
- return FALSE;
- }
- /* check if RDN is a wildcard */
- if (value.len == 1 && *value.ptr == '*')
+ if (data.len == 1 && data.ptr[0] == '*')
{
- return TRUE;
+ contains = TRUE;
+ break;
}
}
- return FALSE;
+ enumerator->destroy(enumerator);
+ return contains;
}
/**
- * Implementation of identification_t.contains_wildcards.
+ * Implementation of identification_t.contains_wildcards using memchr(*).
*/
-static bool contains_wildcards(private_identification_t *this)
+static bool contains_wildcards_memchr(private_identification_t *this)
{
- switch (this->type)
- {
- case ID_ANY:
- return TRUE;
- case ID_FQDN:
- case ID_RFC822_ADDR:
- return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
- case ID_DER_ASN1_DN:
- return contains_wildcards_dn(this);
- default:
- return FALSE;
- }
+ return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
}
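Review bot: `contains_wildcards_dn` now iterates `create_part_enumerator(this)`, and `rdn_part_enumerate` (L5875-L5896) only yields RDNs whose OID is in the `oid2part` table, so a `*` value in an RDN with an unmapped attribute type is no longer reported, while the removed loop examined every RDN and `compare_dn` (L6334) still counts such an RDN as a wildcard; the two answers to "does this DN contain wildcards" can disagree for the same DN. Enumerating the raw RDNs keeps them consistent: `enumerator = create_rdn_enumerator(this->encoded);` with `chunk_t oid; u_char type;` as locals and `while (enumerator->enumerate(enumerator, &oid, &type, &data))`. If the filtering is intentional, a comment on the function stating that only known attribute types are inspected would avoid the surprise.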
/**
@@ -711,7 +542,96 @@ static bool equals_binary(private_identification_t *this, private_identification
}
return chunk_equals(this->encoded, other->encoded);
}
- return FALSE;
+ return FALSE;
+}
+
+/**
+ * Compare to DNs, for equality if wc == NULL, for match otherwise
+ */
+static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
+{
+ enumerator_t *t, *o;
+ chunk_t t_oid, o_oid, t_data, o_data;
+ u_char t_type, o_type;
+ bool t_next, o_next, finished = FALSE;
+
+ if (wc)
+ {
+ *wc = 0;
+ }
+ else
+ {
+ if (t_dn.len != o_dn.len)
+ {
+ return FALSE;
+ }
+ }
+ /* try a binary compare */
+ if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len))
+ {
+ return TRUE;
+ }
+
+ t = create_rdn_enumerator(t_dn);
+ o = create_rdn_enumerator(o_dn);
+ while (TRUE)
+ {
+ t_next = t->enumerate(t, &t_oid, &t_type, &t_data);
+ o_next = o->enumerate(o, &o_oid, &o_type, &o_data);
+
+ if (!o_next && !t_next)
+ {
+ break;
+ }
+ finished = FALSE;
+ if (o_next != t_next)
+ {
+ break;
+ }
+ if (!chunk_equals(t_oid, o_oid))
+ {
+ break;
+ }
+ if (wc && o_data.len == 1 && o_data.ptr[0] == '*')
+ {
+ (*wc)++;
+ }
+ else
+ {
+ if (t_data.len != o_data.len)
+ {
+ break;
+ }
+ if (t_type == o_type &&
+ (t_type == ASN1_PRINTABLESTRING ||
+ (t_type == ASN1_IA5STRING &&
+ (asn1_known_oid(t_oid) == OID_PKCS9_EMAIL ||
+ asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS))))
+ { /* ignore case for printableStrings and email RDNs */
+ if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0)
+ {
+ break;
+ }
+ }
+ else
+ { /* respect case and length for everything else */
+ if (!memeq(t_data.ptr, o_data.ptr, t_data.len))
+ {
+ break;
+ }
+ }
+ }
+ /* the enumerator returns FALSE on parse error, we are finished
+ * if we have reached the end of the DN only */
+ if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) &&
+ (o_data.ptr + o_data.len == o_dn.ptr + o_dn.len))
+ {
+ finished = TRUE;
+ }
+ }
+ t->destroy(t);
+ o->destroy(o);
+ return finished;
}
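Review bot: In `compare_dn` the length check at L6303 is skipped when `wc` is non-NULL, yet the binary shortcut at L6309 still compares `t_dn.len` bytes of `o_dn`, so in match mode a DN shorter than this DN is read past its end; identities reaching `matches_dn` presumably come from peer-provided data, so the over-read is worth closing regardless. Guard the shortcut with the lengths, `if (t_dn.len == o_dn.len && memeq(t_dn.ptr, o_dn.ptr, t_dn.len))`, or simply `if (chunk_equals(t_dn, o_dn))`, the helper already used at L6330. The `finished` bookkeeping is subtle — it is reset at L6325 every iteration and only the `break` on both enumerators returning FALSE preserves the previous value — so a comment at L6325 such as `/* reset; set below only if both RDNs end exactly at their DN's end */` would help the next reader.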
/**
@@ -720,7 +640,7 @@ static bool equals_binary(private_identification_t *this, private_identification
static bool equals_dn(private_identification_t *this,
private_identification_t *other)
{
- return same_dn(this->encoded, other->encoded);
+ return compare_dn(this->encoded, other->encoded, NULL);
}
/**
@@ -764,7 +684,7 @@ static id_match_t matches_binary(private_identification_t *this,
* Checks for a wildcard in other-string, and compares it against this-string.
*/
static id_match_t matches_string(private_identification_t *this,
- private_identification_t *other)
+ private_identification_t *other)
{
u_int len = other->encoded.len;
@@ -824,7 +744,7 @@ static id_match_t matches_dn(private_identification_t *this,
private_identification_t *other)
{
int wc;
-
+
if (other->type == ID_ANY)
{
return ID_MATCH_ANY;
@@ -832,8 +752,9 @@ static id_match_t matches_dn(private_identification_t *this,
if (this->type == other->type)
{
- if (match_dn(this->encoded, other->encoded, &wc))
+ if (compare_dn(this->encoded, other->encoded, &wc))
{
+ wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
return ID_MATCH_PERFECT - wc;
}
}
@@ -847,8 +768,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
const void *const *args)
{
private_identification_t *this = *((private_identification_t**)(args[0]));
- char buf[BUF_LEN];
- chunk_t proper, buf_chunk = chunk_from_buf(buf);
+ chunk_t proper;
+ char buf[512];
if (this == NULL)
{
@@ -878,29 +799,26 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
case ID_RFC822_ADDR:
case ID_DER_ASN1_GN_URI:
case ID_IETF_ATTR_STRING:
- sanitize_chunk(this->encoded, &proper);
+ chunk_printable(this->encoded, &proper, '?');
snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
chunk_free(&proper);
break;
case ID_DER_ASN1_DN:
- if (!dntoa(this->encoded, &buf_chunk))
- {
- snprintf(buf, sizeof(buf), "(invalid ID_DER_ASN1_DN)");
- }
+ dntoa(this->encoded, buf, sizeof(buf));
break;
case ID_DER_ASN1_GN:
snprintf(buf, sizeof(buf), "(ASN.1 general Name");
break;
case ID_KEY_ID:
- if (sanitize_chunk(this->encoded, &proper))
+ if (chunk_printable(this->encoded, NULL, '?'))
{ /* fully printable, use ascii version */
- snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
+ snprintf(buf, sizeof(buf), "%.*s",
+ this->encoded.len, this->encoded.ptr);
}
else
{ /* not printable, hex dump */
snprintf(buf, sizeof(buf), "%#B", &this->encoded);
}
- chunk_free(&proper);
break;
case ID_PUBKEY_INFO_SHA1:
case ID_PUBKEY_SHA1:
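Review bot: The new `ID_KEY_ID` branch at L6445-L6446 passes `this->encoded.len` as the precision of `%.*s`, which `printf` reads as an `int`; if `chunk_t.len` is `size_t` (the removed `dntoa` at L6009 cast it with `(int)`) this is a format/argument mismatch that `-Wformat` reports and is undefined where the two widths differ. Write `(int)this->encoded.len`; the unchanged L6427 has the same pattern with `proper.len` and could be fixed in passing. The enclosing `identification_printf_hook` starts and ends outside this hunk.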
@@ -917,140 +835,18 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
}
return print_in_hook(dst, len, "%*s", spec->width, buf);
}
-
-/**
- * Enumerator over RDNs
- */
-typedef struct {
- /* implements enumerator interface */
- enumerator_t public;
- /* current RDN */
- chunk_t rdn;
- /* current attribute */
- chunk_t attr;
- /** have another RDN? */
- bool next;
-} rdn_enumerator_t;
-
-/**
- * Implementation of rdn_enumerator_t.enumerate
- */
-static bool rdn_enumerate(rdn_enumerator_t *this,
- id_part_t *type, chunk_t *data)
-{
- chunk_t oid, value;
- asn1_t asn1_type;
-
- while (this->next)
- {
- if (!get_next_rdn(&this->rdn, &this->attr, &oid,
- &value, &asn1_type, &this->next))
- {
- return FALSE;
- }
- switch (asn1_known_oid(oid))
- {
- case OID_COMMON_NAME:
- *type = ID_PART_RDN_CN;
- break;
- case OID_SURNAME:
- *type = ID_PART_RDN_S;
- break;
- case OID_SERIAL_NUMBER:
- *type = ID_PART_RDN_SN;
- break;
- case OID_COUNTRY:
- *type = ID_PART_RDN_C;
- break;
- case OID_LOCALITY:
- *type = ID_PART_RDN_L;
- break;
- case OID_STATE_OR_PROVINCE:
- *type = ID_PART_RDN_ST;
- break;
- case OID_ORGANIZATION:
- *type = ID_PART_RDN_O;
- break;
- case OID_ORGANIZATION_UNIT:
- *type = ID_PART_RDN_OU;
- break;
- case OID_TITLE:
- *type = ID_PART_RDN_T;
- break;
- case OID_DESCRIPTION:
- *type = ID_PART_RDN_D;
- break;
- case OID_NAME:
- *type = ID_PART_RDN_N;
- break;
- case OID_GIVEN_NAME:
- *type = ID_PART_RDN_G;
- break;
- case OID_INITIALS:
- *type = ID_PART_RDN_I;
- break;
- case OID_UNIQUE_IDENTIFIER:
- *type = ID_PART_RDN_ID;
- break;
- case OID_EMAIL_ADDRESS:
- *type = ID_PART_RDN_E;
- break;
- case OID_EMPLOYEE_NUMBER:
- *type = ID_PART_RDN_EN;
- break;
- default:
- continue;
- }
- *data = value;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * Implementation of identification_t.create_part_enumerator
- */
-static enumerator_t* create_part_enumerator(private_identification_t *this)
-{
- switch (this->type)
- {
- case ID_DER_ASN1_DN:
- {
- rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
-
- e->public.enumerate = (void*)rdn_enumerate;
- e->public.destroy = (void*)free;
- if (init_rdn(this->encoded, &e->rdn, &e->attr, &e->next))
- {
- return &e->public;
- }
- free(e);
- /* FALL */
- }
- case ID_RFC822_ADDR:
- /* TODO */
- case ID_FQDN:
- /* TODO */
- default:
- return enumerator_create_empty();
- }
-}
-
/**
* Implementation of identification_t.clone.
*/
static identification_t *clone_(private_identification_t *this)
{
- private_identification_t *clone = identification_create();
+ private_identification_t *clone = malloc_thing(private_identification_t);
- clone->type = this->type;
+ memcpy(clone, this, sizeof(private_identification_t));
if (this->encoded.len)
{
clone->encoded = chunk_clone(this->encoded);
}
- clone->public.equals = this->public.equals;
- clone->public.matches = this->public.matches;
-
return &clone->public;
}
@@ -1066,20 +862,42 @@ static void destroy(private_identification_t *this)
/**
* Generic constructor used for the other constructors.
*/
-static private_identification_t *identification_create(void)
+static private_identification_t *identification_create(id_type_t type)
{
private_identification_t *this = malloc_thing(private_identification_t);
this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
this->public.get_type = (id_type_t (*) (identification_t*))get_type;
- this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator;
this->public.clone = (identification_t* (*) (identification_t*))clone_;
this->public.destroy = (void (*) (identification_t*))destroy;
- /* we use these as defaults, the may be overloaded for special ID types */
- this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
- this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary;
+ switch (type)
+ {
+ case ID_ANY:
+ this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_any;
+ this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))return_true;
+ break;
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_string;
+ this->public.equals = (bool (*)(identification_t*,identification_t*))equals_strcasecmp;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_memchr;
+ break;
+ case ID_DER_ASN1_DN:
+ this->public.equals = (bool (*)(identification_t*,identification_t*))equals_dn;
+ this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_dn;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_dn;
+ break;
+ default:
+ this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+ this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))return_false;
+ break;
+ }
+
+ this->type = type;
this->encoded = chunk_empty;
return this;
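Review bot: The header comment above this hunk, `Generic constructor used for the other constructors.`, no longer says what the function does now that it picks the equals/matches/contains_wildcards implementations from `type`; I would extend it to state that the comparison callbacks are selected per ID type, that types not listed fall back to binary comparison with no wildcard support, and that `encoded` is left empty for the caller to fill in and own. A smaller point of style: the ID_ANY case assigns `matches` before `equals`, while the three other cases assign `equals` first; using one order in all four cases makes the dispatch table easier to scan.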
@@ -1090,8 +908,9 @@ static private_identification_t *identification_create(void)
*/
identification_t *identification_create_from_string(char *string)
{
- private_identification_t *this = identification_create();
-
+ private_identification_t *this;
+ chunk_t encoded;
+
if (string == NULL)
{
string = "%any";
@@ -1101,15 +920,16 @@ identification_t *identification_create_from_string(char *string)
/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
*/
- if (atodn(string, &this->encoded) != SUCCESS)
+ if (atodn(string, &encoded) == SUCCESS)
+ {
+ this = identification_create(ID_DER_ASN1_DN);
+ this->encoded = encoded;
+ }
+ else
{
- this->type = ID_KEY_ID;
+ this = identification_create(ID_KEY_ID);
this->encoded = chunk_clone(chunk_create(string, strlen(string)));
- return &this->public;
}
- this->type = ID_DER_ASN1_DN;
- this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn;
- this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_dn;
return &this->public;
}
else if (strchr(string, '@') == NULL)
@@ -1122,50 +942,43 @@ identification_t *identification_create_from_string(char *string)
|| streq(string, "0::0"))
{
/* any ID will be accepted */
- this->type = ID_ANY;
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_any;
+ this = identification_create(ID_ANY);
return &this->public;
}
else
{
if (strchr(string, ':') == NULL)
{
- /* try IPv4 */
struct in_addr address;
chunk_t chunk = {(void*)&address, sizeof(address)};
- if (inet_pton(AF_INET, string, &address) <= 0)
- {
- /* not IPv4, mostly FQDN */
- this->type = ID_FQDN;
- this->encoded.ptr = strdup(string);
- this->encoded.len = strlen(string);
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
- return &this->public;
+ if (inet_pton(AF_INET, string, &address) > 0)
+ { /* is IPv4 */
+ this = identification_create(ID_IPV4_ADDR);
+ this->encoded = chunk_clone(chunk);
+ }
+ else
+ { /* not IPv4, mostly FQDN */
+ this = identification_create(ID_FQDN);
+ this->encoded = chunk_create(strdup(string), strlen(string));
}
- this->encoded = chunk_clone(chunk);
- this->type = ID_IPV4_ADDR;
return &this->public;
}
else
{
- /* try IPv6 */
struct in6_addr address;
chunk_t chunk = {(void*)&address, sizeof(address)};
- if (inet_pton(AF_INET6, string, &address) <= 0)
- {
- this->type = ID_KEY_ID;
- this->encoded = chunk_clone(chunk_create(string,
- strlen(string)));
- return &this->public;
+ if (inet_pton(AF_INET6, string, &address) > 0)
+ { /* is IPv6 */
+ this = identification_create(ID_IPV6_ADDR);
+ this->encoded = chunk_clone(chunk);
+ }
+ else
+ { /* not IPv4/6 fallback to KEY_ID */
+ this = identification_create(ID_KEY_ID);
+ this->encoded = chunk_create(strdup(string), strlen(string));
}
- this->encoded = chunk_clone(chunk);
- this->type = ID_IPV6_ADDR;
return &this->public;
}
}
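Review bot: The ID_KEY_ID fallback at the end of this hunk stores the string as `chunk_create(strdup(string), strlen(string))`, while the ID_KEY_ID fallback in the preceding atodn hunk keeps `chunk_clone(chunk_create(string, strlen(string)))` for the same type; strdup yields a NUL-terminated copy and chunk_clone presumably does not, so one form should be used for both. Neither form checks the allocation, so a NULL `ptr` paired with a non-zero `len` could reach the comparison callbacks; if the project's policy is to abort on OOM, a checked strdup in the same vein as malloc_thing would make that explicit. The same strdup pattern is repeated in the FQDN and RFC822 branches of the following hunk.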
@@ -1176,33 +989,24 @@ identification_t *identification_create_from_string(char *string)
{
if (*(string + 1) == '#')
{
+ this = identification_create(ID_KEY_ID);
string += 2;
- this->type = ID_KEY_ID;
this->encoded = chunk_from_hex(
chunk_create(string, strlen(string)), NULL);
return &this->public;
}
else
{
- this->type = ID_FQDN;
- this->encoded.ptr = strdup(string + 1);
- this->encoded.len = strlen(string + 1);
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
+ this = identification_create(ID_FQDN);
+ string += 1;
+ this->encoded = chunk_create(strdup(string), strlen(string));
return &this->public;
}
}
else
{
- this->type = ID_RFC822_ADDR;
- this->encoded.ptr = strdup(string);
- this->encoded.len = strlen(string);
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
+ this = identification_create(ID_RFC822_ADDR);
+ this->encoded = chunk_create(strdup(string), strlen(string));
return &this->public;
}
}
@@ -1211,42 +1015,10 @@ identification_t *identification_create_from_string(char *string)
/*
* Described in header.
*/
-identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded)
+identification_t *identification_create_from_encoding(id_type_t type,
+ chunk_t encoded)
{
- private_identification_t *this = identification_create();
-
- this->type = type;
- switch (type)
- {
- case ID_ANY:
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_any;
- break;
- case ID_FQDN:
- case ID_RFC822_ADDR:
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
- break;
- case ID_DER_ASN1_DN:
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_dn;
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_dn;
- break;
- case ID_IPV4_ADDR:
- case ID_IPV6_ADDR:
- case ID_DER_ASN1_GN:
- case ID_KEY_ID:
- case ID_DER_ASN1_GN_URI:
- case ID_PUBKEY_INFO_SHA1:
- case ID_PUBKEY_SHA1:
- case ID_CERT_DER_SHA1:
- case ID_IETF_ATTR_STRING:
- default:
- break;
- }
+ private_identification_t *this = identification_create(type);
/* apply encoded chunk */
if (type != ID_ANY)
diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c
index 8b3a25201..a6c39e94c 100644
--- a/src/libstrongswan/utils/mutex.c
+++ b/src/libstrongswan/utils/mutex.c
@@ -276,7 +276,7 @@ mutex_t *mutex_create(mutex_type_t type)
{
switch (type)
{
- case MUTEX_RECURSIVE:
+ case MUTEX_TYPE_RECURSIVE:
{
private_r_mutex_t *this = malloc_thing(private_r_mutex_t);
@@ -292,7 +292,7 @@ mutex_t *mutex_create(mutex_type_t type)
return &this->generic.public;
}
- case MUTEX_DEFAULT:
+ case MUTEX_TYPE_DEFAULT:
default:
{
private_mutex_t *this = malloc_thing(private_mutex_t);
@@ -416,7 +416,7 @@ condvar_t *condvar_create(condvar_type_t type)
{
switch (type)
{
- case CONDVAR_DEFAULT:
+ case CONDVAR_TYPE_DEFAULT:
default:
{
private_condvar_t *this = malloc_thing(private_condvar_t);
@@ -488,7 +488,7 @@ rwlock_t *rwlock_create(rwlock_type_t type)
{
switch (type)
{
- case RWLOCK_DEFAULT:
+ case RWLOCK_TYPE_DEFAULT:
default:
{
private_rwlock_t *this = malloc_thing(private_rwlock_t);
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
index c5c667992..273f56b47 100644
--- a/src/libstrongswan/utils/mutex.h
+++ b/src/libstrongswan/utils/mutex.h
@@ -31,14 +31,41 @@ typedef enum rwlock_type_t rwlock_type_t;
#include <library.h>
+#ifdef __APPLE__
+/* on Mac OS X 10.5 several system calls we use are no cancellation points.
+ * fortunately, select isn't one of them, so we wrap some of the others with
+ * calls to select(2).
+ */
+#include <sys/socket.h>
+#include <sys/select.h>
+
+#define WRAP_WITH_SELECT(func, socket, ...)\
+ fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\
+ if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\
+ return func(socket, __VA_ARGS__)
+
+static inline int cancellable_accept(int socket, struct sockaddr *address,
+ socklen_t *address_len)
+{
+ WRAP_WITH_SELECT(accept, socket, address, address_len);
+}
+#define accept cancellable_accept
+static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
+ int flags, struct sockaddr *address, socklen_t *address_len)
+{
+ WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len);
+}
+#define recvfrom cancellable_recvfrom
+#endif /* __APPLE__ */
+
/**
* Type of mutex.
*/
enum mutex_type_t {
/** default mutex */
- MUTEX_DEFAULT = 0,
+ MUTEX_TYPE_DEFAULT = 0,
/** allow recursive locking of the mutex */
- MUTEX_RECURSIVE = 1,
+ MUTEX_TYPE_RECURSIVE = 1,
};
/**
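Review bot: `FD_SET(socket, &rfds)` in `WRAP_WITH_SELECT` is undefined for descriptors at or above FD_SETSIZE and in practice writes past `rfds` on the stack, and nothing in the wrapper bounds `socket` before select() is called; I would add `if (socket < 0 || socket >= FD_SETSIZE) { errno = EINVAL; return -1; }\` as the macro's first statement (this needs `<errno.h>`, which is not visibly included here — `library.h` may pull it in). The macro is not `do { } while (0)`-wrapped and relies on being the sole statement of the inline functions it expands in, which is worth stating in the comment above it. Redefining `accept` and `recvfrom` with object-like macros in a header included by every libstrongswan user also affects any translation unit that declares or takes the address of those symbols after including mutex.h; a comment noting that intent and that the macros must follow the system headers would help the next reader.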
@@ -46,7 +73,7 @@ enum mutex_type_t {
*/
enum condvar_type_t {
/** default condvar */
- CONDVAR_DEFAULT = 0,
+ CONDVAR_TYPE_DEFAULT = 0,
};
/**
@@ -54,7 +81,7 @@ enum condvar_type_t {
*/
enum rwlock_type_t {
/** default condvar */
- RWLOCK_DEFAULT = 0,
+ RWLOCK_TYPE_DEFAULT = 0,
};
/**